Activator 6.0.0 Administrator Guide

Example SSO IdP configuration

This topic provides an example of how to configure SAML v2 SSO with Activator as the Service Provider (SP) and ForgeRock OpenAM as the Identity Provider (IdP). It also shows the equivalent client configuration when Keycloak is used as the IdP.

Prerequisites

- Activator installed
- ForgeRock OpenAM (or Keycloak) installed

Summary of the configuration tasks

1. Configure Activator
2. Configure OpenAM
3. Configure Keycloak
4. Manage certificates and keys
5. Map attributes

Configure Activator

To configure Activator you must:

1. Configure the Activator UI connection to support HTTPS. See Configure HTTPS.
2. Import the OpenAM IdP certificate. See Manage IdP certificates.
3. Configure the SSO SAML fields. See Configure SSO SAML.
4. Map the user attributes that are used to identify the user at sign-on. See Map attributes.

When you have completed the above tasks, you can view the SP metadata page at the URL:

https://<Activator_install_machine>:6643/ui/core/SamlSsoMetadata

You will use this URL to import the Activator connection information (the Assertion Consumer Service and Single Logout Service endpoints listed under Register Activator as the Service Provider in OpenAM) into OpenAM. The IdP trusts what this document says about the SP, so retrieve it over HTTPS from the Activator host and check that the endpoints it lists belong to the Activator machine you intend to federate.

Configure OpenAM

Prerequisites

- Install and set up OpenAM.
- Configure Activator as an SSO Service Provider.

Create the Identity Provider in OpenAM

1. Log in to OpenAM using OpenAM administrator credentials.
2. Open the OpenAM console.
3. On the Common Tasks tab, click Create Hosted Identity Provider to open the configuration page.
4. In the Metadata section, Signing Key field, select a key from the drop-down list. For detailed information, see Manage certificates and keys.
5. In the Circle of Trust section, add this IdP to the Circle of Trust.
6. In the Attribute Mapping section, map attributes. See Map attributes.
7. Click Configure to create the provider.

Register Activator as the Service Provider in OpenAM

1. Log in to OpenAM using OpenAM administrator credentials.
2. Open the OpenAM console.
3. On the Common Tasks tab, click Register Remote Service Provider to open the Create a SAML v2 Remote Service Provider page.
4. For the Where does the Metadata File Reside? option, select URL.
5. Click Upload and enter the Activator metadata URL: https://<Activator_install_machine_name>:6643/ui/core/SamlSsoMetadata
6. Complete the attribute fields. For detailed attribute information, see Map attributes.
7. Click Configure.

The following values, populated from the Activator metadata XML file, are displayed in the SP Service Attributes configuration fields:

Single Logout Service
  Default: HTTP-Redirect
    Location: https://<sp_machine_name>/ui/core/SsoSamlLogoutRequest
    Response location: https://<sp_machine_name>/ui/core/SsoSamlLogoutResponse
  HTTP-POST
    Location: https://<sp_machine_name>/ui/core/SsoSamlLogoutRequest
    Response location: https://<sp_machine_name>/ui/core/SsoSamlLogoutResponse

Assertion Consumer Service
  HTTP-POST: https://<sp_machine_name>/ui/core/SsoSamlAssertionConsumer

Check that these locations use the HTTPS host and port of the Activator UI connection you configured (the metadata URL above uses port 6643). OpenAM delivers assertions and logout messages only to the locations registered here, so a wrong host or port means sign-on silently fails at the IdP side.

Configure Keycloak

Prerequisites

- Install and set up Keycloak v2.4.
- Configure Activator as an SSO Service Provider.

Add realm

1. From the top menu, select Add realm.
2. Enter the realm name (for example, axway).
3. Click Save.

Add client (Service Provider)

1. From the top menu, open Clients.
2. Click Create.
3. Create a client with the following values:
   Client ID = name of the client ID (for example, actv)
   Client Protocol = saml
4. Click Save. The Settings tab of the newly created client is displayed.
5. Enter the following values under the Settings tab.
   Note: For any settings not mentioned below, use the default.
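The values OpenAM and Keycloak read from the metadata URL can be checked before you click Configure. The following Python script is an added example, not part of the Activator documentation or of the Axway product: it parses SP metadata of the kind Activator publishes at /ui/core/SamlSsoMetadata and reports the endpoints so you can compare them with the SP Service Attributes fields. The sample document, the host activator.example.com, the placeholder certificate text and the function names parse_sp_metadata and check_sp_metadata are all constructed for this example; fetching the real document from the metadata URL is left to the caller so the script runs offline.

```python
"""Added example (not Axway code): extract the SP endpoints that an IdP
populates from Activator-style SAML 2.0 SP metadata and sanity-check them.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed sample of the kind of document the metadata URL returns.
# Host name and certificate text are placeholders, not real Activator output.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://activator.example.com:6643/ui/core/SamlSsoMetadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://activator.example.com:6643/ui/core/SsoSamlLogoutRequest"
        ResponseLocation="https://activator.example.com:6643/ui/core/SsoSamlLogoutResponse"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://activator.example.com:6643/ui/core/SsoSamlLogoutRequest"
        ResponseLocation="https://activator.example.com:6643/ui/core/SsoSamlLogoutResponse"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://activator.example.com:6643/ui/core/SsoSamlAssertionConsumer"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return entity ID, signing cert and endpoints from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    slo, acs = {}, {}
    for el in sp.findall("md:SingleLogoutService", NS):
        binding = el.get("Binding", "").replace(BINDING_PREFIX, "")
        slo[binding] = (el.get("Location"), el.get("ResponseLocation"))
    for el in sp.findall("md:AssertionConsumerService", NS):
        binding = el.get("Binding", "").replace(BINDING_PREFIX, "")
        acs[binding] = el.get("Location")
    cert = sp.find(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
        "signing_cert": cert.text.strip() if cert is not None and cert.text else None,
        "slo": slo,
        "acs": acs,
    }


def check_sp_metadata(meta, expected_host):
    """Return a list of problems (empty when the metadata is acceptable).

    expected_host is the Activator machine the IdP should talk to; every
    endpoint must be an https URL on that host (any port).
    """
    problems = []
    if not meta["wants_signed_assertions"]:
        problems.append("SP does not require signed assertions")
    if meta["signing_cert"] is None:
        problems.append("no SP signing certificate in metadata")
    if "HTTP-POST" not in meta["acs"]:
        problems.append("no HTTP-POST AssertionConsumerService")
    urls = list(meta["acs"].values())
    for location, response_location in meta["slo"].values():
        urls.extend([location, response_location])
    for url in urls:
        if url is None:
            continue
        ok = url.startswith("https://%s/" % expected_host) or \
            url.startswith("https://%s:" % expected_host)
        if not ok:
            problems.append("endpoint not on expected HTTPS host: " + url)
    return problems


if __name__ == "__main__":
    meta = parse_sp_metadata(SAMPLE_METADATA)
    for binding, location in meta["acs"].items():
        print("ACS", binding, location)
    for binding, (location, response) in meta["slo"].items():
        print("SLO", binding, location, response)
    print("problems:", check_sp_metadata(meta, "activator.example.com") or "none")
```

The host check is deliberately strict about the scheme: an endpoint that is not https would let the IdP post a signed assertion over plain HTTP, which is the one thing the whole certificate setup on this page is meant to prevent.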
   Sign Assertions = ON
   Signature Algorithm = RSA_SHA256
   SAML Signature Key Name = CERT_SUBJECT
   Canonicalization Method = EXCLUSIVE
   Name ID Format = username
   Client Signature Required = OFF
   Force POST Binding = OFF
   Front Channel Logout = OFF
   Valid Redirect URIs = https://<sp_machine_name>:6643/ui
   Base URL = https://<sp_machine_name>/ui
   Master SAML Processing URL = https://<sp_machine_name>:6643/ui/core/SsoSamlAssertionConsumer
   Assertion Consumer Service POST Binding URL = https://<sp_machine_name>:6643/ui/core/SsoSamlAssertionConsumer
   Logout Service POST Binding URL = https://<sp_machine_name>:6643/ui/core/SsoSamlLogoutRequest
   Logout Service Redirect Binding URL = https://<sp_machine_name>:6643/ui/core/SsoSamlLogoutResponse
6. Click Save.

Three of these settings matter for security. Sign Assertions = ON is what lets Activator verify, with the Keycloak certificate you save below, that each assertion was issued by this realm; leave it ON. Client Signature Required = OFF tells Keycloak not to expect a signature on the AuthnRequest from Activator, so it accepts sign-on requests from anyone who knows the client ID and a valid redirect URI; this example runs that way, but if your Activator SP metadata carries a signing certificate and Activator signs its requests, set it ON and import that certificate into the client. Keep Valid Redirect URIs limited to the exact Activator UI URL, because it restricts where Keycloak is willing to send a SAML response.

Add mappers

Add built-in mappings

1. From the Mappers tab, select Add Builtin.
2. Select the following mappers:
   - X500 email
   - X500 givenName
   - X500 surname
3. Click Add selected.

Add DEA mappings

1. From the Mappers tab, select Create to add a new mapper.
2. Enter the following values:
   Name = editable-deas-mapper
   User Attribute = editable-deas
   Friendly Name = List of DEA numbers for editing orders
   SAML Attribute Name = saml-editable-deas
3. Click Save.

Save the Identity Provider certificate

1. From the top menu, go to the Realm Settings screen.
2. Click the Keys tab.
3. Locate the RSA certificate.
4. Under the Certificate column, click View. The Base64-encoded certificate is displayed, without BEGIN CERTIFICATE and END CERTIFICATE lines.
5. Copy the encoded text to the clipboard.
6. Create a text file, ipcert.txt, paste the encoded text from the clipboard, and save the file to your local system.

Manage certificates and keys

Export the Activator public key

1. Log on to Activator as an administrator and go to System Management > Configure UI connection.
2. Select Add a certificate and generate or import a personal certificate to use for TLS.
3. Go to the Personal certificates tab of the Configure UI connection page and export the public key of the added certificate in DER format (.cer extension). Export only the certificate; the private key stays in Activator.
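Both the headerless certificate text copied from the Keycloak Keys tab and the DER export from Activator are easy to mangle on the way to the other system (a PEM file saved where DER is expected, a truncated paste, text with headers pasted into a headerless field). The script below is an added example, not Axway code and not part of this guide: it wraps Keycloak's bare Base64 into a standard PEM file and checks that a .cer file holds exactly one DER-encoded certificate before you hand either to an import wizard. The certificate bytes it uses are a constructed stub (a minimal DER SEQUENCE, not an X.509 certificate), and the function names are the example's own; the checks look only at the outer DER framing, which is enough to catch the copy-and-paste mistakes above.

```python
"""Added example (not Axway code): convert between the headerless Base64
shown by Keycloak, PEM, and the DER .cer file Activator exports, with
framing checks that catch the common copy-and-paste mistakes.
"""
import base64
import binascii
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def der_outer_length(data):
    """Total length of the DER SEQUENCE at the start of data.

    An X.509 certificate is a SEQUENCE (tag 0x30) with a definite length.
    Raises ValueError when data does not start with such a SEQUENCE.
    """
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected first byte 0x30)")
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(data) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def check_der_certificate_file(data):
    """Raise ValueError unless data is exactly one DER certificate."""
    if data.lstrip().startswith(PEM_HEADER.encode()):
        raise ValueError("file is PEM text, not DER; convert it first")
    total = der_outer_length(data)
    if total != len(data):
        raise ValueError("DER length %d does not match file size %d "
                         "(truncated paste or trailing bytes)" % (total, len(data)))


def keycloak_text_to_pem(text):
    """Wrap the headerless Base64 from Keycloak's Keys tab in PEM armour.

    Rejects text that already carries PEM headers (saving it again would
    double-wrap it) and text that does not decode to a DER SEQUENCE.
    """
    if PEM_HEADER in text or PEM_FOOTER in text:
        raise ValueError("text already has PEM headers; save it as-is")
    body = "".join(text.split())           # drop line breaks and spaces
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("not valid Base64: %s" % exc)
    check_der_certificate_file(der)
    # ssl.DER_cert_to_PEM_cert adds the header, footer and 64-column wrapping.
    return ssl.DER_cert_to_PEM_cert(der)


def pem_to_der(pem):
    """Inverse direction: produce the bytes of a DER .cer file from PEM."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    check_der_certificate_file(der)
    return der


# Constructed stand-in for a certificate: SEQUENCE { INTEGER 1 }.
# A real certificate is several hundred bytes; only the framing is checked.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_KEYCLOAK_TEXT = base64.b64encode(SAMPLE_DER).decode()


if __name__ == "__main__":
    pem = keycloak_text_to_pem(SAMPLE_KEYCLOAK_TEXT)
    print(pem, end="")
    check_der_certificate_file(pem_to_der(pem))
    print("round trip ok")
```

In practice you would write the string returned by keycloak_text_to_pem to the certificate file you import into Activator, and run check_der_certificate_file over the bytes of the .cer exported from Activator before importing it into the OpenAM keystore with keytool.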
Import the Activator public key to OpenAM

Certificates must be imported into the OpenAM keystore:

<openAM_install_directory>\OpenAM-11.0.0\OpenAM-11.0.0\keystore.jks

To import the certificate, run keytool from the command line. The tool is located here:

<Java_installation_directory>\Java\jdk_<version>\jre\bin\

Example keytool command syntax:

keytool -importcert -alias certAlias -file <certificate_name>.cer -keystore keystore.jks

keytool prompts for the keystore password and, because this is a certificate rather than a key pair, asks whether to trust it. Before answering yes, compare the fingerprint it prints with the certificate you exported from Activator (for example, keytool -printcert -file <certificate_name>.cer). If the new entry does not appear in the OpenAM Signing Key drop-down list afterwards, restart OpenAM so that it re-reads the keystore.

Add the Activator SP entity to the OpenAM circle of trust

1. Log in to OpenAM using OpenAM administrator credentials.
2. Open the OpenAM console.
3. Select the Federation tab.
4. Under Circle of Trust Configuration, add the newly created Activator SP entity to the Circle of Trust.

Select the signing key in OpenAM

1. Log in to OpenAM using OpenAM administrator credentials.
2. Open the OpenAM console.
3. On the Common Tasks tab, click Create Hosted Identity Provider.
4. In the Metadata section, select the Activator signing key from the list of available keys in the Signing Key drop-down list.
5. Click Configure.

Import the OpenAM public certificate to Activator

1. Locate the IdP public certificate in the OpenAM keystore:
   <openAM_install_directory>\OpenAM-11.0.0\OpenAM-11.0.0\keystore.jks
   This example uses PrivateKeyEntry as the alias of the IdP key pair. To view the contents of the keystore and confirm the alias, run the keytool list command:
   keytool -list -keystore keystore.jks
   Each line of the listing shows the alias, the creation date and the entry type. PrivateKeyEntry is also the entry type keytool prints for a key pair, so if your keystore shows a different alias on the PrivateKeyEntry line, use that alias in the next step.
2. Export the public certificate:
   keytool -exportcert -alias PrivateKeyEntry -file sp_activator_cert -keystore keystore.jks
   This command exports the certificate stored under alias PrivateKeyEntry to the file sp_activator_cert. Only the certificate is written; the IdP private key never leaves the keystore.
3. Place a copy of the exported certificate in a directory on the Activator machine.
4. Log on to Activator as an administrator and go to System Management > Configure UI connection.
5. Select the Identity Provider Certificates tab.
6. Click Add an identity provider certificate.
7. Confirm that Import a certificate from a file is selected and click Next.
8. Browse to the location of the exported OpenAM certificate on your local file system, select it, and click Next.
9. View the certificate details and click Finish.

Map attributes

There are three user attributes that can be configured in Activator to identify and validate the signed-on user:

- User ID
- User name
- User email

Each of these can be retrieved from either the <saml2:Subject> element (the NameID) or from a specific <saml2:Attribute> in the assertion's attribute statement. To configure authentication by user attributes you must define them in both OpenAM and Activator. The attribute information must be identical in both applications: Activator looks the attribute up by the exact Assertion attribute name and Assertion attribute friendly name, so a difference in spelling or case means the attribute is not found and the sign-on fails.

Create user attributes in OpenAM

1. Log in to OpenAM using OpenAM administrator credentials.
2. Open the OpenAM console.
3. Go to the Hosted Identity Provider configuration page.
4. In the Attribute Mapping section, enter:
   - Attribute name, as it should appear in the assertion
   - Local attribute name (friendly name)
5. Click Add.

Create user attributes in Activator

1. Log in to Activator using Activator administrator credentials.
2. Go to System Management > Configure UI connection, and from the General tab, click SAML Configuration to open the SSO SAML configuration details page.
3. Select the User attributes tab.
4. For each of the three attributes, select the option Assertion from attribute, and enter precisely the same Assertion attribute name and Assertion attribute friendly name that you defined in OpenAM.
5. Click Save.
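The mapping step above, as an added example in Python that is not part of Activator or of this guide: the script resolves the three Activator user attributes from a SAML 2.0 assertion, taking each either from <saml2:Subject> or from the <saml2:Attribute> whose Name and FriendlyName match exactly, and fails the way a mismatched friendly name fails in Activator. The sample assertion, its attribute names and friendly names (uid, urn:oid:2.5.4.42 / givenName, urn:oid:1.2.840.113549.1.9.1 / email, saml-editable-deas), the user values and the function names are all constructed for illustration. Signature verification is out of scope: Activator checks the assertion signature against the imported IdP certificate before any attribute is trusted, and this code assumes that has already succeeded.

```python
"""Added example (not Axway code): resolve Activator-style user attributes
(User ID, User name, User email) from a SAML 2.0 assertion, from either the
Subject NameID or an exactly matching <saml2:Attribute>.
"""
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned; signature checking happens before
# this step and is not shown here). Names, OIDs and values are illustrative.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" IssueInstant="2024-01-01T00:00:00Z" Version="2.0">
  <saml2:Issuer>https://idp.example.com/openam</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="uid" FriendlyName="User ID">
      <saml2:AttributeValue>jdoe</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
      <saml2:AttributeValue>Jane</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="urn:oid:1.2.840.113549.1.9.1" FriendlyName="email">
      <saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="saml-editable-deas" FriendlyName="List of DEA numbers for editing orders">
      <saml2:AttributeValue>AB1234563</saml2:AttributeValue>
      <saml2:AttributeValue>CD9876543</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""


class AttributeMappingError(Exception):
    """A configured attribute is missing from, or empty in, the assertion."""


def attribute_values(assertion, name, friendly_name):
    """All values of the <saml2:Attribute> whose Name and FriendlyName match.

    Activator requires the names entered in its User attributes tab to be
    precisely the ones the IdP emits, so no case folding or trimming is done.
    `assertion` may be the XML text or an already parsed Element.
    """
    if isinstance(assertion, str):
        assertion = ET.fromstring(assertion)
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") == name and attr.get("FriendlyName") == friendly_name:
            return [(v.text or "") for v in attr.findall("saml2:AttributeValue", NS)]
    raise AttributeMappingError(
        "assertion carries no attribute Name=%r FriendlyName=%r" % (name, friendly_name))


def resolve_user(assertion_xml, mapping):
    """Apply an Activator-style attribute mapping to an assertion.

    mapping maps a field name to either the string "subject" (take the
    Subject NameID) or a (name, friendly_name) pair (take the first value
    of that attribute). Returns {field: value}; raises on any gap.
    """
    assertion = ET.fromstring(assertion_xml)
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
    resolved = {}
    for field, spec in mapping.items():
        if spec == "subject":
            if name_id is None or not name_id.text:
                raise AttributeMappingError("no NameID in Subject")
            resolved[field] = name_id.text
        else:
            name, friendly = spec
            values = attribute_values(assertion, name, friendly)
            if not values or not values[0]:
                raise AttributeMappingError("attribute %r is empty" % name)
            resolved[field] = values[0]
    return resolved


# What a matching Activator "User attributes" tab would express (illustrative).
ACTIVATOR_MAPPING = {
    "user_id": "subject",
    "user_name": ("urn:oid:2.5.4.42", "givenName"),
    "user_email": ("urn:oid:1.2.840.113549.1.9.1", "email"),
}


if __name__ == "__main__":
    print(resolve_user(SAMPLE_ASSERTION, ACTIVATOR_MAPPING))
    print(attribute_values(SAMPLE_ASSERTION, "saml-editable-deas",
                           "List of DEA numbers for editing orders"))
```

A mapping that names the email attribute with friendly name "Email" instead of "email" raises AttributeMappingError rather than falling back to a near match; that is the behaviour to expect from the exact-match rule on this page, and the first thing to check when sign-on fails after an attribute change on either side.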