Example SSO IdP configuration

This topic provides an example of how to configure SAML v2 SSO with Activator as the Service Provider (SP) and Forgerock OpenAM as the Identity Provider (IdP).

Prerequisites

  • Activator installed
  • Forgerock OpenAM installed

Summary of the configuration tasks

Configure Activator

To configure Activator you must:

When you have completed the above tasks, you can view the metadata page at the URL:

https://<Activator_install_machine>:6643/ui/core/SamlSsoMetadata

You will use this URL to import the Activator connection information to OpenAM.

Configure OpenAM

Prerequisites

  • Install and set up OpenAM.
  • Configure Activator as an SSO Service Provider.

Create the Identity provider in OpenAM

  1. Log in to OpenAM using OpenAM administrator credentials.
  2. Open the OpenAM console.
  3. On the Common Tasks tab, click Create Hosted Identity Provider to open the configuration page.
  4. In the Metadata section, select a key from the Signing Key drop-down list. For detailed information, see Manage certificates and keys.
  5. In the Circle of Trust section, add this IdP to the Circle of Trust.
  6. In the Attribute Mapping section, map the attributes. See Map attributes.
  7. Click Configure to create the provider.

Register Activator as the Service Provider in OpenAM

  1. Log in to OpenAM using OpenAM administrator credentials.
  2. Open the OpenAM console.
  3. On the Common Tasks tab, click Register Remote Service Provider to open the Create a SAML v2 Remote Service Provider page.
  4. For the Where does the Metadata File Reside? option, select URL.
  5. Click Upload and enter the Activator metadata URL:
     https://<Activator_install_machine_name>:6643/ui/core/SamlSsoMetadata
  6. Complete the attribute fields. For detailed attribute information, see Map attributes.
  7. Click Configure.

The following values, populated from the Activator metadata XML file, are displayed in the SP Service Attributes configuration fields:

Single Logout Service

  • HTTP-REDIRECT (default)
    Location: https://<sp_machine_name>/ui/core/SsoSamlLogoutRequest
    Response location: https://<sp_machine_name>/ui/core/SsoSamlLogoutResponse
  • HTTP-POST
    Location: https://<sp_machine_name>/ui/core/SsoSamlLogoutRequest
    Response location: https://<sp_machine_name>/ui/core/SsoSamlLogoutResponse

Assertion Consumer Service

  • HTTP-POST
    Location: https://<sp_machine_name>/ui/core/SsoSamlAssertionConsumer
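The values above are read by the IdP from the SP metadata document that Activator serves at the SamlSsoMetadata URL. As an added example (not Activator's or OpenAM's code), the Python script below parses such a document, lists the Single Logout and Assertion Consumer endpoints an IdP will populate from it, and flags endpoints that are not HTTPS, that sit on a different host than the entityID, or a descriptor that does not require signed assertions. The embedded metadata is constructed for illustration: it follows the SAML 2.0 metadata schema and uses the endpoint paths from this page with the placeholder host sp.example.test; it is not the file Activator actually generates.

```python
"""Parse SAML 2.0 SP metadata and list what an IdP imports from it.

Added example; not Activator's or OpenAM's code. SAMPLE_SP_METADATA is a
CONSTRUCTED document: SAML 2.0 metadata schema, endpoint paths from this
page, placeholder host sp.example.test.
"""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"

SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test:6643/ui/core/SamlSsoMetadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test:6643/ui/core/SsoSamlLogoutRequest"
        ResponseLocation="https://sp.example.test:6643/ui/core/SsoSamlLogoutResponse"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test:6643/ui/core/SsoSamlLogoutRequest"
        ResponseLocation="https://sp.example.test:6643/ui/core/SsoSamlLogoutResponse"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test:6643/ui/core/SsoSamlAssertionConsumer"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _short_binding(binding: str) -> str:
    """'urn:...:bindings:HTTP-POST' -> 'HTTP-POST' (the form the consoles display)."""
    return binding[len(BINDING_PREFIX):] if binding.startswith(BINDING_PREFIX) else binding


def parse_sp_endpoints(metadata_xml: str) -> dict:
    """Return the entityID and the SLO/ACS endpoints declared in SP metadata."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    endpoints = {
        "entityID": root.get("entityID"),
        "wantAssertionsSigned": sp.get("WantAssertionsSigned") == "true",
        "slo": [],
        "acs": [],
    }
    for el in sp.findall("md:SingleLogoutService", MD_NS):
        endpoints["slo"].append({
            "binding": _short_binding(el.get("Binding", "")),
            "location": el.get("Location"),
            "response_location": el.get("ResponseLocation"),
        })
    for el in sp.findall("md:AssertionConsumerService", MD_NS):
        endpoints["acs"].append({
            "binding": _short_binding(el.get("Binding", "")),
            "location": el.get("Location"),
            "default": el.get("isDefault") == "true",
        })
    return endpoints


def endpoint_problems(endpoints: dict) -> list:
    """Flag endpoints an operator should fix before importing the metadata into the IdP."""
    problems = []
    sp_host = urlsplit(endpoints["entityID"]).netloc
    urls = []
    for slo in endpoints["slo"]:
        urls += [slo["location"], slo["response_location"]]
    for acs in endpoints["acs"]:
        urls.append(acs["location"])
    for url in urls:
        if not url:
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":  # assertions and logout messages would travel in cleartext
            problems.append(f"not https: {url}")
        if parts.netloc != sp_host:  # IdP would send the response to a different host
            problems.append(f"host differs from entityID host {sp_host}: {url}")
    if not endpoints["acs"]:
        problems.append("no AssertionConsumerService declared")
    if not endpoints["wantAssertionsSigned"]:
        problems.append("WantAssertionsSigned is not true")
    return problems


if __name__ == "__main__":
    ep = parse_sp_endpoints(SAMPLE_SP_METADATA)
    for slo in ep["slo"]:
        print(f"SLO {slo['binding']}: {slo['location']} -> {slo['response_location']}")
    for acs in ep["acs"]:
        print(f"ACS {acs['binding']}: {acs['location']}")
    print("problems:", endpoint_problems(ep) or "none")
```

To check a live deployment, fetch the SamlSsoMetadata URL over HTTPS and pass the body to parse_sp_endpoints; the listed locations should match what OpenAM shows in the SP Service Attributes fields after the import.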

Configure KeyCloak

Prerequisites

  • Install and set up Keycloak v2.4
  • Configure Activator as an SSO Service Provider

Add Realm

  1. From the top menu, select Add realm.
  2. Enter the realm name (for example, axway).
  3. Click Save.

Add Client (Service Provider)

  1. From the top menu, open Clients.
  2. Click Create.
  3. Create a client with the following values:
    • Client Id = name of the client ID (for example, actv)
    • Client protocol = saml
  4. Click Save. The Settings tab of the newly created client is displayed.
  5. Enter the following values under the Settings tab.
     Note: For any settings not mentioned below, use the default.
    • Sign Assertions = ON
    • Signature Algorithm = RSA_SHA256
    • SAML Signature Key Name = CERT_SUBJECT
    • Canonicalization Method = EXCLUSIVE
    • Name ID Format = username
    • Client Signature Required = OFF
    • Force POST Binding = OFF
    • Front Channel Logout = OFF
    • Valid Redirect URIs = https://<sp_machine_name>:6643/ui
    • Base URL = https://<sp_machine_name>/ui
    • Master SAML Processing URL = https://<sp_machine_name>:6643/ui/core/SsoSamlAssertionConsumer
    • Assertion Consumer Service POST Binding URL = https://<sp_machine_name>:6643/ui/core/SsoSamlAssertionConsumer
    • Logout Service POST Binding URL = https://<sp_machine_name>:6643/ui/core/SsoSamlLogoutRequest
    • Logout Service Redirect Binding URL = https://<sp_machine_name>:6643/ui/core/SsoSamlLogoutResponse
  6. Click Save.

Add Mappers

Add builtin mappings

  1. From the Mappers tab, select Add Builtin.
  2. Select the following mappers:
    • X500 email
    • X500 givenName
    • X500 surname
  3. Click Add selected.

Add DEA mappings

  1. From the Mappers tab, select Create to add a new mapper.
  2. Enter the following values:
    • Name = editable-deas-mapper
    • User Attribute = editable-deas
    • Friendly Name = List of DEA numbers for editing orders
    • SAML Attribute Name = saml-editable-deas
  3. Click Save.

Save the Identity Provider certificate

  1. From the top menu, go to the Realm Settings screen.
  2. Click the Keys tab.
  3. Locate the RSA certificate.
  4. Under the Certificate column, click on View. The encoded certificate is displayed.
  5. Copy the encoded text to the clipboard.
  6. Create a text file, ipcert.txt.
  7. Paste the encoded text from the clipboard.
  8. Save this to your local system.

Manage certificates and keys

Export the Activator public key

  1. Log on to Activator as an administrator and go to System Management > Configure UI connection.
  2. Select Add a certificate and generate or import a personal certificate to use for TLS.
  3. Go to the Personal certificates tab of Configure UI connection page and export the public key of the added certificate in a DER format (.cer extension).

Import the Activator public key to OpenAM

Certificates must be imported to the OpenAM keystore:

<openAM_install_directory>\OpenAM-11.0.0\OpenAM-11.0.0\keystore.jks

To import the certificate, run keytool from the command line. The tool is located here:

<Java_installation_directory>\Java\jdk_<version>\jre\bin\

Example keytool command syntax:

keytool -importcert -alias certAlias -file <certificate_name>.cer -keystore keystore.jks

Add the Activator SP entity to the OpenAM circle of trust

  1. Log in to OpenAM using OpenAM administrator credentials.
  2. Open the OpenAM console.
  3. Select the Federation tab.
  4. Under Circle of Trust Configuration add the newly created Activator SP entity to the Circle of Trust.

Select the signing key in OpenAM

  1. Log in to OpenAM using OpenAM administrator credentials.
  2. Open the OpenAM console.
  3. On the Common Tasks tab, click Create Hosted Identity Provider.
  4. In the Metadata section, select the Activator signing key from the list of available keys in the Signing Key drop-down list.
  5. Click Configure.

Import the OpenAM public certificate to Activator

  1. Locate the IdP public certificate in the OpenAM keystore here:
     <openAM_install_directory>\OpenAM-11.0.0\OpenAM-11.0.0\keystore.jks
     The alias of the IdP certificate entry is "PrivateKeyEntry".
  2. To view the contents of the keystore, run the keytool list command from the command line:
     keytool -list -keystore keystore.jks
  3. Export the public certificate:
     keytool -exportcert -alias PrivateKeyEntry -file sp_activator_cert -keystore keystore.jks
     This command exports the PrivateKeyEntry certificate to the file sp_activator_cert.
  4. Place a copy of the exported certificate in a directory on the Activator machine.
  5. Log on to Activator as an administrator and go to System Management > Configure UI connection.
  6. Select the Identity Provider Certificates tab.
  7. Click Add an identity provider certificate.
  8. Confirm that Import a certificate from a file is selected and click Next.
  9. Browse to the location of the OpenAM PrivateKeyEntry certificate on your local file system, select it, and click Next.
  10. View the certificate details and click Finish.

Map attributes

There are three user attributes that can be configured in Activator to be used to validate users:

  • User ID
  • User name
  • User email

Each of these can be retrieved from either the <saml2:Subject> element or from a specific assertion <saml2:Attribute>.

To configure authentication by user attributes, you must define them both in OpenAM and in Activator. The attribute information must be identical in each application.

Create user attributes in OpenAM

  1. Log in to OpenAM using OpenAM administrator credentials.
  2. Open the OpenAM console.
  3. Go to the Hosted Identity Provider configuration page.
  4. In the Attribute Mapping section, enter:
    • Attribute name as it should appear in the assertion
    • Local attribute name (friendly name)
  5. Click Add.

Create user attributes in Activator

  1. Log in to Activator using Activator administrator credentials.
  2. Go to System Management > Configure UI connection, and from the General tab, click SAML Configuration to open the SSO SAML configuration details page.
  3. Select the User attributes tab.
  4. For each of the three attributes, select the option Assertion from attribute, and enter precisely the same Assertion attribute name and Assertion attribute friendly name that you defined in OpenAM.
  5. Click Save.
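As an added example (not Activator's or OpenAM's code), the Python script below models the choice made on the User attributes tab: each of the three Activator attributes is resolved either from the <saml2:Subject> NameID or from a <saml2:Attribute> whose Name and FriendlyName must match the IdP mapping exactly, so a mapping that differs even in letter case is reported rather than silently ignored. The embedded assertion is constructed and unsigned (placeholder issuer, user and values, including a sample of the saml-editable-deas attribute from the Keycloak mapper above); the OIDs and friendly names in ATTRIBUTE_CONFIG are those the X.500 built-in mappers conventionally emit and are assumptions, not values from this page.

```python
"""Resolve Activator's three user attributes from a SAML 2.0 assertion.

Added example; not Activator's or OpenAM's code. SAMPLE_ASSERTION is a
CONSTRUCTED, unsigned assertion (placeholder issuer, user and values); the
OIDs and friendly names in ATTRIBUTE_CONFIG are conventional X.500 mapper
output and are assumptions, not values from the documentation page.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>https://idp.example.test/openam</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
      <saml2:AttributeValue>Jane</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="urn:oid:1.2.840.113549.1.9.1" FriendlyName="email">
      <saml2:AttributeValue>jane.doe@example.test</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="saml-editable-deas" FriendlyName="List of DEA numbers for editing orders">
      <saml2:AttributeValue>XX0000001</saml2:AttributeValue>
      <saml2:AttributeValue>XX0000002</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

# One entry per Activator user attribute: "subject" takes the NameID;
# "attribute" requires Name AND FriendlyName to match the IdP mapping exactly.
ATTRIBUTE_CONFIG = {
    "User ID": {"source": "subject"},
    "User name": {"source": "attribute", "name": "urn:oid:2.5.4.42", "friendly_name": "givenName"},
    "User email": {"source": "attribute", "name": "urn:oid:1.2.840.113549.1.9.1", "friendly_name": "email"},
}


def _attributes_by_key(root: ET.Element) -> dict:
    """Map (Name, FriendlyName) -> list of AttributeValue texts."""
    out = {}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", SAML_NS):
        key = (attr.get("Name"), attr.get("FriendlyName"))
        out[key] = [v.text or "" for v in attr.findall("saml2:AttributeValue", SAML_NS)]
    return out


def resolve_user_attributes(assertion_xml: str, config: dict = ATTRIBUTE_CONFIG) -> dict:
    """Return {label: value} for the configured attributes.

    Call this only on an assertion whose signature has already been verified
    against the imported IdP certificate: this function reads fields, it does
    not establish trust.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml2:Subject/saml2:NameID", namespaces=SAML_NS)
    attrs = _attributes_by_key(root)
    resolved = {}
    for label, spec in config.items():
        if spec["source"] == "subject":
            if not name_id:
                raise LookupError(f"{label}: assertion Subject has no NameID")
            resolved[label] = name_id
            continue
        key = (spec["name"], spec["friendly_name"])
        if key not in attrs:
            raise LookupError(
                f"{label}: no Attribute with Name={key[0]!r} and FriendlyName={key[1]!r}; "
                "the IdP mapping and the Activator setting must be identical"
            )
        values = attrs[key]
        if len(values) != 1:
            raise ValueError(f"{label}: expected exactly one value, got {len(values)}")
        resolved[label] = values[0]
    return resolved


def attribute_values(assertion_xml: str, name: str) -> list:
    """All values of a (possibly multi-valued) attribute, matched by Name only."""
    root = ET.fromstring(assertion_xml)
    for (attr_name, _friendly), values in _attributes_by_key(root).items():
        if attr_name == name:
            return values
    return []


if __name__ == "__main__":
    print(resolve_user_attributes(SAMPLE_ASSERTION))
    print(attribute_values(SAMPLE_ASSERTION, "saml-editable-deas"))
```

Matching on the (Name, FriendlyName) pair is deliberate: it reproduces the requirement that both fields entered in Activator equal those defined in the IdP, so a mapping typo surfaces as a LookupError naming the attribute instead of a login that fails with no explanation.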
