Install NMAS SAML method: (eDirectory only) Extends the schema on the eDirectory server and installs an NMAS method. This method converts the Identity Server credentials to a form understood by eDirectory.
- Install Nmas Saml Method
- Install Nmas Saml Method Pdf
- Install Nmas Saml Methodist Church
- Install Nmas Saml Methodist
- Install Nmas Saml Methods
In this tutorial, you learn how to integrate SAML SSO for Confluence by resolution GmbH with Azure Active Directory (Azure AD).Integrating SAML SSO for Confluence by resolution GmbH with Azure AD provides you with the following benefits:
SAML Response (IdP -> SP) This example contains several SAML Responses. A SAML Response is sent by the Identity Provider to the Service Provider and if the user succeeded in the authentication process, it contains the Assertion with the NameID / attributes of the user. Install NMAS SAML method: (eDirectory only) Extends the schema on the eDirectory server and installs an NMAS method. This method converts the Identity Server credentials to a form understood by eDirectory.
- You can control in Azure AD who has access to SAML SSO for Confluence by resolution GmbH.
- You can enable your users to be automatically signed-in to SAML SSO for Confluence by resolution GmbH (Single Sign-On) with their Azure AD accounts.
- You can manage your accounts in one central location - the Azure portal.
If you want to know more details about SaaS app integration with Azure AD, see What is application access and single sign-on with Azure Active Directory.If you don't have an Azure subscription, create a free account before you begin.
Prerequisites
To configure Azure AD integration with SAML SSO for Confluence by resolution GmbH, you need the following items:
- An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
- SAML SSO for Confluence by resolution GmbH single sign-on enabled subscription
Scenario description
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
- SAML SSO for Confluence by resolution GmbH supports SP and IDP initiated SSO
Adding SAML SSO for Confluence by resolution GmbH from the gallery
To configure the integration of SAML SSO for Confluence by resolution GmbH into Azure AD, you need to add SAML SSO for Confluence by resolution GmbH from the gallery to your list of managed SaaS apps.
To add SAML SSO for Confluence by resolution GmbH from the gallery, perform the following steps:
- In the Azure portal, on the left navigation panel, click Azure Active Directory icon.
- Navigate to Enterprise Applications and then select the All Applications option.
- To add new application, click New application button on the top of dialog.
- In the search box, type SAML SSO for Confluence by resolution GmbH, select SAML SSO for Confluence by resolution GmbH from result panel then click Add button to add the application.
Configure and test Azure AD single sign-on
Install Nmas Saml Method
In this section, you configure and test Azure AD single sign-on with SAML SSO for Confluence by resolution GmbH based on a test user called Britta Simon.For single sign-on to work, a link relationship between an Azure AD user and the related user in SAML SSO for Confluence by resolution GmbH needs to be established.
To configure and test Azure AD single sign-on with SAML SSO for Confluence by resolution GmbH, you need to complete the following building blocks:
- Configure Azure AD Single Sign-On - to enable your users to use this feature.
- Configure SAML SSO for Confluence by resolution GmbH Single Sign-On - to configure the Single Sign-On settings on application side.
- Create an Azure AD test user - to test Azure AD single sign-on with Britta Simon.
- Assign the Azure AD test user - to enable Britta Simon to use Azure AD single sign-on.
- Create SAML SSO for Confluence by resolution GmbH test user - to have a counterpart of Britta Simon in SAML SSO for Confluence by resolution GmbH that is linked to the Azure AD representation of user.
- Test single sign-on - to verify whether the configuration works.
Configure Azure AD single sign-on
In this section, you enable Azure AD single sign-on in the Azure portal.
To configure Azure AD single sign-on with SAML SSO for Confluence by resolution GmbH, perform the following steps:
- In the Azure portal, on the SAML SSO for Confluence by resolution GmbH application integration page, select Single sign-on.
- On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.
- On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration dialog.
- On the Basic SAML Configuration section perform the following steps, if you wish to configure the application in IDP Initiated mode:a. In the Identifier text box, type a URL using the following pattern:
https://<server-base-url>/plugins/servlet/samlsso
b. In the Reply URL text box, type a URL using the following pattern:https://<server-base-url>/plugins/servlet/samlsso
c. Click Set additional URLs and perform the following step if you wish to configure the application in SP initiated mode:In the Sign-on URL text box, type a URL using the following pattern:https://<server-base-url>/plugins/servlet/samlsso
NoteThese values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact SAML SSO for Confluence by resolution GmbH Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal. - On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download to download the Federation Metadata XML from the given options as per your requirement and save it on your computer.
Configure SAML SSO for Confluence by resolution GmbH Single Sign-On
- In a different web browser window, log in to your SAML SSO for Confluence by resolution GmbH admin portal as an administrator.
- Hover on cog and click the Add-ons.
- You are redirected to Administrator Access page. Enter the password and click Confirm button.
- Under ATLASSIAN MARKETPLACE tab, click Find new add-ons.
- Search SAML Single Sign On (SSO) for Confluence and click Install button to install the new SAML plugin.
- The plugin installation will start. Click Close.
- Click Manage.
- Click Configure to configure the new plugin.
- This new plugin can also be found under USERS & SECURITY tab.
- On SAML SingleSignOn Plugin Configuration page, click Add new IdP button to configure the settings of Identity Provider.
- On Choose your SAML Identity Provider page, perform the following steps:a. Set Azure AD as the IdP type.b. Add Name of the Identity Provider (e.g Azure AD).c. Add Description of the Identity Provider (e.g Azure AD).d. Click Next.
- On Identity provider configuration page, click Next button.
- On Import SAML IdP Metadata page, perform the following steps:a. Click Load File button and pick Metadata XML file you downloaded in Step 5.b. Click Import button.c. Wait briefly until import succeeds.d. Click Next button.
- On User ID attribute and transformation page, click Next button.
- On User creation and update page, click Save & Next to save settings.
- On Test your settings page, click Skip test & configure manually to skip the user test for now. This will be performed in the next section and requires some settings in Azure portal.
- In the appearing dialog reading Skipping the test means..., click OK.
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
- In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.
- Select New user at the top of the screen.
- In the User properties, perform the following steps.a. In the Name field enter BrittaSimon.c. Select Show password check box, and then write down the value that's displayed in the Password box.d. Click Create.
Assign the Azure AD test user
In this section, you enable Britta Simon to use Azure single sign-on by granting access to SAML SSO for Confluence by resolution GmbH.
- In the Azure portal, select Enterprise Applications, select All applications, then select SAML SSO for Confluence by resolution GmbH.
- In the applications list, type and select SAML SSO for Confluence by resolution GmbH.
- In the menu on the left, select Users and groups.
- Click the Add user button, then select Users and groups in the Add Assignment dialog.
- In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the bottom of the screen.
- If you are expecting any role value in the SAML assertion then in the Select Role dialog select the appropriate role for the user from the list, then click the Select button at the bottom of the screen.
- In the Add Assignment dialog click the Assign button.
Create SAML SSO for Confluence by resolution GmbH test user
To enable Azure AD users to log in to SAML SSO for Confluence by resolution GmbH, they must be provisioned into SAML SSO for Confluence by resolution GmbH.
In SAML SSO for Confluence by resolution GmbH, provisioning is a manual task.
In SAML SSO for Confluence by resolution GmbH, provisioning is a manual task.
To provision a user account, perform the following steps:
- Log in to your SAML SSO for Confluence by resolution GmbH company site as an administrator.
- Hover on cog and click the User management.
- Under Users section, click Add users tab. On the “Add a User” dialog page, perform the following steps:a. In the Username textbox, type the email of user like Britta Simon.b. In the Full Name textbox, type the full name of user like Britta Simon.c. In the Email textbox, type the email address of user like [email protected].d. In the Password textbox, type the password for Britta Simon.e. Click Confirm Password reenter the password.f. Click Add button.
Test single sign-on
In this section, you test your Azure AD single sign-on configuration using the Access Panel.
When you click the SAML SSO for Confluence by resolution GmbH tile in the Access Panel, you should be automatically signed in to the SAML SSO for Confluence by resolution GmbH for which you set up SSO. For more information about the Access Panel, see Introduction to the Access Panel.
Additional resources
Cross-domain single sign-on using SAML 2.0 with WebSphere Liberty
Content series:
This content is part # of # in the series: Cross-domain single sign-on using SAML 2.0 with WebSphere Liberty
https://www.ibm.com/developerworks/library/?series_title_by=**auto**
This content is part of the series:Cross-domain single sign-on using SAML 2.0 with WebSphere Liberty
Stay tuned for additional content in this series.
Editor's note: This tutorial was updated on 20 March 2017. The update made was to correct the code in step 4 of 2b. Apply the security configuration to the IdentityServer profile.
You want to expose your cloud services as Java™ Enterprise Edition (Java EE) applications in a hybrid cloud environment. But, how can you ensure the security of these applications by using your existing security infrastructure in a private network?
Part 1 of this series focuses on the standard authentication mechanism between an identity provider (IdP) and a service provider (SP). It is based on the assertion of the user identity information by using Security Assertion Markup Language (SAML) 2.0. It also explains identity propagation between web service calls. Before you continue with this part, you must be familiar with SAML concepts and Java EE development on Eclipse.
Single sign-on using SAML
Security Assertion Markup Language (SAML) is an XML document that you must write according to the OASIS standard specification, which is also called a SAML token. The SAML token contains information that an application uses to authenticate a user and to perform role-based authorization, according to standard Java Authentication and Authorization Service (JAAS) specifications. By using a SAML token, an application doesn't have to prompt users to provide their credentials. In an application architecture, the identity provider (IdP) plays the role of generating SAML tokens.
The following snippet is an example of a SAML token.
In this XML example, the most interesting part is the Assertion part. It contains the token issuer, the document signature, the subject, the conditions, and the attribute statement.
- The document Signature holds the SignatureValue (the encryption that is applied to a hash of the entire Assertion element). It also holds the algorithms that are used to produce the hash and the public certificate of the issuer (X509Certificate). The SignatureValue and the hashing algorithms are enough to check that the assertion is trusted. Why is the issuer and its public certificate information there? The reason is that an application that receives the SAML token knows the issuer and the public certificate of the issuer. Also, it can quickly discard an invalid token by comparing these strings. Remember that the check on the signature is expensive because it has to deal with hashing and encryption.
- The Subject element holds the user name in the NameId element.
- The Conditions section holds information about the audience to whom this assertion is intended for. The Subject and Conditions elements also hold information that a receiver uses to perform further security checks on the document.
- The AttributeStatement holds information about the groups to which the user belongs.
When a SAML receiver trusts the token, the user is authenticated. The receiver application uses the user name and groups that are extracted from the SAML token to programmatically create a security context for the user. After the security context is available, the receiver application can start the authorization API (JAAS) to verify whether the user has the required permissions to access protected resources, such as servlets and EJBs.
You can see that it is possible to assert the identity of a user without knowing the user's credentials by using SAML. This approach makes SAML a possible solution to implement SSO across different domains in the network. So, how can a SAML receiver trust a SAML token?
The model that is used to establish the trust is called asymmetric cryptography . This model is based on a pair of keys—a private key and a corresponding public key—that are generated at the same time and linked together by mathematical formulas. A private key is used for encryption, and the corresponding public key is used for decryption. The main concept behind the asymmetric cryptography model is that a piece of data that is encrypted by using a private key can be decrypted only by using the corresponding public key.
In our scenario, the identity provider is the owner of the private key and must not share it with anyone.
The SAML receivers that need to trust the identity provider are configured to hold the identity provider's public key, either in a configuration file or in a truststore. When the identity provider issues a SAML token, the identity provider generates a signature value in a two-step procedure. First, it applies a hashing algorithm to the content of the Assertion element. Second, it encrypts the hash by using the private key. Then, the identity provider adds the signature value to the SignatureValue element of the SAML token and sends the token to the requester.
The SAML receiver application reads the SAML token and performs two operations:
- It generates the hash of the Assertion element (receiver hash).
- It decrypts the signature value by using the public key (provider hash).
If the hashes are equal, the receiver can trust the SAML token. Also, it ensures that the content of the signature is not tampered with.
For more information about how SAML authentication works, see SAML assertions across WebSphere Application Server security domains.
SP-initiated SSO: Redirect or POST bindings
When you implement an SSO for a traditional web application, first, consider the actors that work together to make SSO possible according to the OASIS specifications:
- User agent (UA): The web browser.
- Identity provider (IdP): The application that creates the SAML assertion. This application can challenge the UA to obtain the user credentials, validate these credentials against a user registry, and if they are valid, generate a SAML assertion.
- Service provider (SP): The receiver of the SAML assertion. The SP trusts the IdP because it knows the IdP metadata. The IdP metadata is the IdP public certificate, the IdP issuer name, and the IdP URLs. They are usually configured in a file that is called the idp-metadata.xml file. The SP uses this metadata to perform the assertion of the SAML token in order to authenticate the UA, and to check whether it is authorized to access the required resources, such as pages and servlets.
The following figure shows our sample application, with the SP-initiated SSO actors in the larger box on the left side. The SP is a feature in WebSphere Liberty. The IdP is a web application that we install on a Liberty instance called IdentityServer.
Although free IdP implementations are on the web, they lack a sample configuration. We implement one from scratch and deliver it as a Liberty feature to keep the configuration as simple as possible. We also reference the Open SAML libraries that are available for Liberty so that we don't have to download more open source libraries to generate the assertion. This scenario is not a fully compliant IdP implementation. If you need to move to production, you might want to adopt a product that provides an IdP implementation and support.
The IdP metadata is an XML file that describes the IdP and contains the following information:
- The issuer name (the id element of the idp-metadata.xml file)
- The public key that is used for signing and encryption (the two KeyDescriptor elements)
- The URLs that an SP that trusts this IdP should use in an SP-initiated SSO (SingleSignOnService element with HTTP-POST)
The following example shows the IdP metadata for our scenario.
The IdP authenticates the users with BASIC authentication. In Part 3 of this series, you see how to configure SPNEGO authentication.
How does the SP-initiated SSO work?
- A user navigates to a URL in the browser (UA), which in turn calls the application (the SP) that exposes the URL. If the resource is protected, the user must be authenticated so that the SP can perform the authorization checks on the required resource.
- If the user is not authenticated, the SP replies to the UA with a page that automatically posts an authentication request to the IdP by using the URL that is configured in the idp-metadata.xml file. The following XML file is an example of the authentication request that the SP sends to the IdP.
- When an unauthenticated user lands on the IdP application, the IdP challenges the user to provide his credentials. In our example, the basic authentication form is displayed on the user's browser.
- The user enters his credentials and, if they are valid, the IdP generates a SAML token.
- The IdP replies to the UA with a page that automatically posts the SAML token to the AssertionConsumerServiceURL of the SP. (See the previous XML example of authentication request.)
- The SP receives the SAML token that the UA posts, authenticates the user, and responds to the UA with a redirect to the initial URL that the user calls.
The following figure shows the communication sequence that happens in an SP-initiated SSO. Note the following points:
- The IdP and SP interaction is mediated by the browser. Therefore, these providers don't need to be connected to each other.
- The SP does not rely on any user registry, making it possible to keep the user registry in a private customer network.
SAML identity propagation
For this solution, you must bind the web services security policy on WebSphere Liberty to propagate the SAML token automatically from the client web application. You can set up web services security at the transport layer or message level. At the transport layer, you set up security based on a Secure Sockets Layer (SSL) or Transport Layer Security (TLS), which protects HTTP message content from point to point.
If you secure web services at the message level, you protect the SOAP contents that are in an HTTP message for a web service. You set up web services security by adding the policy definitions in the web service Web Services Description Language (WSDL) document and configure the policy on the outbound channel of the client and inbound channel for the server.
In our example, we protect web services at both the transport layer and the message level. We set up security at the transport layer by using SOAP over HTTPS. To set up security at the message level, we configure the Web Services Security SAML Token Profile 1.1 so that the client can add the SAML assertion in the SOAP Header and the server can perform the assertion.
Overview of the local SSO end-to-end solution
In the remainder of this part, we configure three simple Java EE applications, as illustrated in the following figure, to show how the solution works:
- Frontend.ear: This sample web application is deployed on a Liberty Application Server instance (FrontendServer) and configured as an SP.
- CloudServices.ear and LocalServices.ear: Both applications are sample web services applications. They are deployed on two different Liberty instances (CloudServer and LocalServicesSvr) and are configured to demonstrate identity propagation by using SAML.
The following figure illustrates the solution configuration on our local machine.
Set up the SP-initiated SSO solution
This solution is based on the WebSphere Application Server Liberty profile and SAML 2.0. To develop and deploy the solution, you need an Eclipse IDE for Java Enterprise Edition. Before you get started, install a Java SDK, and then install Eclipse and WebSphere Liberty on your development machine.
- Download and install a Java SDK of version 1.7 or later.
- Download the release package of Eclipse IDE for Java Developers. (We used the Mars package.)
- Extract the package to your local file system.
- Start it to create a new workspace that we use later to import the projects and configure the servers.
- From the IBM WebSphere Liberty Repository, download Liberty with Java EE 7. (The latest stable version at the time of writing is 16.0.0.4.) Then, extract it to the local file system.
- Open a browser, go to the WASDev Developer Center, and drag the Install icon to the editor area of the workspace that you opened in the step 3 to install the Liberty tools in your version of Eclipse.
When you install the Liberty tools, in the Confirm Selected Features window, select the check boxes for all tools, including the WebSphere Application Server Migration Toolkit.
In this tutorial, we use the following paths:
- WebSphere Liberty home path:
C:programswlp-16.0.0.3
for<WLP_HOME>
- WebSphere Liberty bin path:
C:programswlp-16.0.0.3bin
for<WLP_BIN>
- WebSphere Liberty server installation path:
C:programswlp-16.0.0.3usrservers
for<WLP_SERVERS>
Configure the WebSphere Liberty runtime
After you install the Liberty tools, configure a Liberty server runtime:
- Select Window -> Preferences.
- In the Preferences window, select Server -> Runtime Environments. Then, in the Server Runtime Environments pane, click Add.
- In the New Server Runtime Environment window, select WebSphere Application Server Liberty, and click Next.
- In the Liberty Runtime Environment window, leave the name as WebSphere Application Server Liberty. For Path, click Browse and select the path on your file system where you extracted Liberty Server. Click OK, and then click Finish.
Your workspace should look similar to the following example.
Import the sample projects
The sample projects are available on GitHub. You can download the complete set from this compressed file, and extract it to your local file system.
- From the workspace, select File -> Import.
- In the Import wizard, select General -> Existing projects into workspace, and click Next.
- In the Import Projects window, click Browse, and select the path in your local file system where you extracted the projects. Click OK. Select the Copy projects into workspace check box, and then click Finish.
Your workspace should now look similar to the following example.
Tip: If you chose a name other than WebSphere Application Server Liberty, the Workspace Migration wizard prompts you to choose the correct runtime as shown in the following window. Leave all the projects selected. Then, on the next page, choose your Liberty runtime. If you used the correct name of WebSphere Application Server Liberty, this wizard does not display.
Create the WebSphere Liberty profiles
Create the four Liberty profiles that you need to run the applications that you imported into your workspace:
- IdentityServer: The Liberty instance that is configured as the IdP.
- FrontendServer: The Liberty instance that is configured as an SP. On this instance, we deploy the Frontend.ear application, which contains the web application that we use as a test case for the SP-initiated SSO. In Part 2, we deploy this server configuration and application on IBM Cloud.
- CloudServer: The Liberty instance that is configured with the Web Services Security SAML Token Profile 1.1. On this instance, we deploy the CloudServices.ear application. This application contains a couple of web services operations that authenticate the request, leveraging SAML Identity Propagation over SSL. In Part 2, we deploy this server configuration and application on IBM Cloud.
- LocalServer: The Liberty instance that is configured with the Web Services Security SAML Token Profile 1.1. On this instance, we deploy the LocalServices.ear application. This server instance runs on the local machine to demonstrate how you can access web services that are exposed in a private network from IBM Cloud through the Secure Gateway service. The configuration is similar to the CloudServer configuration.
To create the profiles:
- Create a Liberty profile:
- Select File -> New -> Other.
- In the Select a wizard window, in the search field, type
Server
, and click Next. - In the Define a New Server window, under Select the server type, select WebSphere Application Server Liberty. For Server name, enter
IdentityServer
. Then, click Next. - In the New Liberty Server window, for Server name, enter
IdentityServer
, and click Finish. If you have existing server instances in your Liberty installation, click New to create a new server instance.
- For each of the remaining three Liberty profiles, repeat steps a – d, using the names FrontendServer, CloudServer, and LocalServer. After you finish the configuration, your workspace should look similar to the example in the left pane of the following figure.
- In the right pane of this figure, notice the errors as indicated by the x in the circle in the left margin. These errors occur because the javaee-7.0 feature is enabled, and you must provide a keystore element to solve it. For each of the server configurations, add the following corresponding keystore element (or uncomment the existing keystore element):
- IdentityServer:
- FrontendServer:
- CloudServer:
- LocalServer:
- Optional: Encrypt the password by using different algorithms, which you can do on the Design tab of the server.xml editor. In this example, for simplicity, we use
passw0rd
for the default keystore of each server.The following keystores are generated with the logs and other folders in the<WLP_SERVERS>
server directory when you start each server for the first time:- identitykey.jks in
<WLP_SERVERS>IdentityServerresourcessecurity
- frontendkey.jks in
<WLP_SERVERS>FrontendServerresourcessecurity
- cloudkey.jks in
<WLP_SERVERS>CloudServerresourcessecurity
- localkey.jks in
<WLP_SERVERS>LocalServerresourcessecurity
- identitykey.jks in
- Add the other configuration elements to the server.xml file. Because we will have four server instances up and running on the same machine, we cannot use the same port numbers.
- Change the httpEndpoint element for the IdentityServer as follows:
- Change the httpEndpoint element for the FrontendServer as follows:
- Change the httpEndpoint element for the CloudServer as follows:
- Change the httpEndpoint element for the LocalServer as follows:
- Install the following features:
- Open a command prompt, and enter
cd <WLP_BIN>
. - Run the following command for wsSecuritySaml-1.1 to download and install all the required features to enable the SP-initiated SSO and identity propagation:
installUtility install wsSecuritySaml-1.1
- Open a command prompt, and enter
You should see the following message after the download and installation are completed successfully:
All assets were successfully installed.
Start product validation...
Product validation completed successfully.
Deploy the sample applications
![Saml Saml](https://www.netiq.com/communities/media/img/11588-4_0.jpg)
Deploy the projects that you imported before onto your servers:
- Select the Servers view, right-click the FrontendServer, and select Add and Remove.
- In the Add and Remove window, click Frontend in the Available box on the left side, and click Add to move it to the Configured box on the right side. Then, click Finish.
- Repeat the previous two steps for CloudServer to install the CloudServices application, and for LocalServer to install the LocalServices application.
When you are finished, your server view should look like the following example.
Configure the identity provider (IdentityServer)
The IdP is an application that can generate a SAML assertion for an authenticated user. In the following steps, you configure and test the IdP.
Install the IdentityProvider custom feature on IdentityServer
The sample identity provider application, it.ibm.liberty.sample.identityProvider-1.0_1.0.0.esa, is provided as a Liberty feature, which you can find in the downloadable files for this tutorial.
To install the feature, open a command prompt, and enter:
cd <WLP_BIN>
. Then, enter the following command, where <absolute-or-relative-path>
is the path in the local file system where the feature file is:After the installation completes successfully, restart your Eclipse workspace to reload the list of available server features.
Apply the security configuration to the IdentityServer profile
Configure the IdP feature so that you can run it:
- Create a key in a new keystore. To begin, open a command prompt, and run the following commands: Note the following explanation for some of the parameters:
keytool
is a command that is available in the JDK installation. When used with the -genkey option, this command generates a private key, referenced with the idpkey alias, in the new samlkey.jks keystore.-storepass
is the password to access to the samlkey.jks keystore.-keypass
is the password that you need to access the idpkey entry. IdP needs this information to sign the SAML assertions that it will generate.-dname
avoids prompting on names and organizations.
- Now that you have a new keystore, configure the IdentityServer server.xml file.
- Open the file.
- On the Source tab, add the following element:
- Enable the identityProvider-1.0 that you installed earlier.
- Add identityProvider-1.0 to the already opened server.xml into the existing
<featureManager>
element: - Add the
<identityProvider>
configuration element:
Note the following explanation:- Our custom
identityProvider
feature foresees only a few sets of configuration parameters to allow the IdP application to generate an assertion and to let the SP, which will be configured in the next paragraph, to download the idp-metadata.xml configuration to set up the SP-Initiated SSO. A real IdP software is much more complicated to configure, but to run our example that's enough. - The
idpkey
is the key entry in the keystore that we generated previously. Thesaml
keystore reference is theid
attribute of the samlkey.jks keyStore element. - The SP checks the issuer of the SAML assertion to verify that it is a recognized issuer. It also checks the hostname:port that is used by the SP to forward, in a POST form that is mediated by the browser, the request to generate a SAML to the IdP.
- The host name must be the name that you use for the machine where you run the IdentityServer, which is the local machine in this configuration.
- The port must be an HTTPS port. In the IdentityServer in this configuration, we set the port to
443
. - Although the host name seems redundant here, it must be provided to the SP so that it knows where the IdP is. It can be also in a different and unreachable network. Because a machine can have different names and IdPs, in our scenario, we have a way to decide which one to use for the idp-metadata.xml generator. For the IdP, you must use a URL that is reachable by the browser that you use to run the test. In this case, we use the local machine browser.
- Add identityProvider-1.0 to the already opened server.xml into the existing
- Set up a user registry. We use a basic registry for now. Replace the basicRegistry with the following configuration to the still opened server.xml editor:
- Configure the role-based authorization for the IdP web application. In the server.xml editor, add:
With this configuration, all the basicRegistry users are authorized to perform the role of IdentityRequestor (which protects the SAMLRequest servlet) and Snooper (which protects the snoop servlet).
Test the identity provider application by using a web browser
The IdP is ready to generate the SAML assertions for the authenticated users:
- Ensure that the IdentityServer is up by running the following tests:
- Generate a SAML assertion:
http://localhost/idp/SAMLResponse
- Access this utility page to download the public certificate and the idp-metadata.xml:
http://localhost/idp/SAMLResource
- Print some request information:
http://localhost/idp/snoop
- Generate a SAML assertion:
- In the BASIC authentication window, enter one of the user name and password combinations from the basicRegistry that you configured previously.
The users belong to different groups to allow restrictions on resource access, according to standard JAAS role-based authorization.
You can find the entire server.xml configuration, together with the keystores, in the servers folder of the downloadable materials on GitHub.
Configure the service provider (FrontendServer)
Now that you have installed the samlWeb-2.0 feature, you configure it to enable the SP-initiated SSO.
Apply the service provider configuration to the FrontendServer profile
- Open the
http://localhost/idp/SAMLResource
URL, and click IdpMetadata.xml to download the idp-metadata.xml file. Save the file in the<WLP_SERVERS>FrontendServerresourcessecurity
directory. - Open the FrontendServer server.xml file, and add the samlWeb-2.0 feature and the wsSecuritySaml-1.1 feature to the existing
<featureManager>
element: - Add the samlWebSso20 to the server.xml entity:
For a full explanation of the configuration parameters, see Configuring SAML Web Browser SSO in Liberty in the IBM Knowledge Center.
Note the following points:
- The allowCustomCacheKey and disableLtpaCookie configurations indicate that the local server should cache the SAML assertion and that we don't want to use the LTPA cookie. With this configuration, if a FrontendServer is clustered and the user lands on a different server, this server should forward it to the IdP to generate a SAML assertion for the user. If not, no SAML assertions are available to propagate the identity to the backend web services.
- idpMetadata points to the file that you just downloaded from the IdP.
Test the SP-initiated SSO
To test the SP-initiated SSO, start the FrontendServer, and test the SP-initiated SSO at the
http://localhost:9080/FrontendWeb/
URL.To see the SP-initiated SSO sequence, you can use the developer tools for your browser to track the network requests. For example, if you are using Mozilla Firefox, press F12, or select the Options menu and choose Developer to enable the toolbar. The following example shows the SP-initiated SSO sequence for our scenario.
Import the SSL certificate for the CloudServer
Import the public SSL certificate into the frontendkey.jks keystore to allow the Frontend application to call CloudServices by using HTTPS. We export the public certificate from the CloudServer and then import it into the FrontendServer keystore.
- Open a command prompt, and enter:
cd <WLP_SERVERS>CloudServerresourcessecurity
- Run the following command to view the CloudServer SSL certificate that is created automatically the first time you started the server:
keytool -list -keystore cloudkey.jks -storepass passw0rd
The output is similar to the following example, wheredefault
is the name of the KeyEntry that contains the key pair: - Export the public key that is associated with the default key. From the command prompt, which is already open, in the same directory, run: The last command has output similar to the following example:The keystore now has two keys: default and cloudssl. You just added the cloudssl key. The default key entry was added when you created the keystore when you first started the FrontendServer instance. The password for this key is
passw0rd
, because when you configured the server.xml entity, you provided a password for the whole keystore only.The default key entry is the certificate that the application server used to provide TLS (like HTTPS). Because we added a new key, we must configure the FrontendServer server.xml entity to add a new keystore reference with the alias and the password that we provided when we imported the CloudServer.cer file.Error message: Although you can add both entries with their passwords to the default keyStore, the Liberty profile issues the following error message:[ERROR ] CWPKI0813E: Error while trying to initialize the keymanager for the keystore [C:/programs/wlp-16.0.0.3/usr/servers/FrontendServer/resources/security/frontendkey.jks].The private key password is not correct or the keystore has multiple private keys with different passwords.This keystore can not be used for SSL. Exception message is: [Cannot recover key].
- Open the FrontendServer server.xml file, switch to the Source tab, and add a new keystore to configure the alias for the new key: The configuration is done.
- Start the IdentityServer, FrontendServer, and CloudServer. If you open the application and click the Cloud Service link or Restricted Service in the left menu, you receive the following error message:
None of the policy alternativescan be satisfied.
This message comes from the CloudServer. (You can check its logs.) This message means that an SSL handshake was performed successfully and the certificate configuration was fine. However, because you haven't configured the CloudServer with the proper policy to manage the incoming SAML assertion, the CloudServer does not know how to manage it. Having the security enabled, because the EJB methods are protected by roles, it claims that it can't satisfy the security policy that it received.
Install Nmas Saml Method Pdf
As for IdentityServer, the full configuration of the FrontendServer is available in the resource material that you downloaded.
Install Nmas Saml Methodist Church
Configure the web services providers (CloudServer and LocalServer)
Install Nmas Saml Methodist
Set up the security policy for both the CloudServer and LocalServer. Let's start from the certificates. Both servers need to assert a SAML document.
- Download the IdP public key. To begin, open the
http://localhost/idp/SAMLResource
URL, and click X509 Certificate to download the samlsso.sample.net.cer certificate. Save the file in the<WLP_SERVERS>IdentityServerresourcessecuritysamlsso.sample.net.cer
directory. - Import all the remaining certificates. Both servers need the samlsso.sample.net.cer certificate. CloudServer also needs the public key of the LocalServer to call the web service that is exposed by the LocalServices application. Open a command prompt, and change directories to the
<WLP_SERVERS>LocalServerresourcessecurity
path. Run the following commands:The last command shows the three certificates for the CloudServer. You can run the same command for the LocalServer, but it will show only the first two keys.You have now completed the import for both servers. - Configure the features, keystores, and policies for both servers:
- Open the LocalServer and CloudServer server.xml file, and add the wsSecuritySaml-1.1 to the existing <featureManager> element:
- Add the new keystore that references the newly created key to the CloudServer:
- Add the wsSecurityProvider policy configuration to the CloudServer: You are now done with the CloudServer.
- Restart the CloudServer, open the application, and click the Cloud Service link. You should now see the correct reply from that method. Tip: Depending on the user's group, you might or might not have access to that service. If you log in to the IdP as
bobby
oralice
, you will be authorized and see a reply like the following example: - Complete the configuration for the LocalServer:
- Add the new keyStore:
- Add the wsSecurityProvider policy configuration: You are now done with the LocalServer.
- Restart the LocalServer, open the application, and click the Restricted Service link. You should now see the correct reply from that method. Tip: Depending on the user's group, you might or might not have access to that service. If you log in to the IdP as
alice
, you will be authorized and can see a message from the web service on the LocalServer that is called by the CloudServer, which is called by a Frontend servlet, like the following example:service response: Response from LocalMessageService.getLocalMessage at 1479426200968
Otherwise, you see the following message:java.rmi.AccessException: ; nested exceptionis: com.ibm.websphere.csi.CSIAccessException:
CWWKS9400A: Authorization failed for user bobby while invoking getLocalMessage on LocalServices.
The user is not granted access to any of the required roles: [LocalServiceAccessRole].
Just like the FrontendServer configuration, the CloudServer and LocalServer configurations are available in the resource material in the servers folder.
Conclusion
You now have a fully functional, end-to-end SP-initiated SSO, based on WebSphere Application Server Liberty profiles and SAML 2.0, on your local machine. You also propagated the SAML identity between the WebService applications. You can look at the code examples on GitHub for this tutorial to see how it works.
In Part 2, you deploy the FrontendServer and CloudServer in IBM Cloud. You also configure the Secure Gateway to allow the CloudServices application to access the web services that are exposed by the LocalServices application that still runs on a private network that is not accessible from the public Internet that is your local machine. Then, in Part 3, you extend the SSO scenario to integrate the Microsoft Windows authentication, by using the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) and the Active Directory Domain Services.
Acknowledgements
The authors thank Massimo Leoni, Carlo Randone, and Richard Kozel for reviewing this article and providing helpful comments, and Pavel Travnik for testing the code.
Downloadable resources
Related topics
Comments
Install Nmas Saml Methods
Sign in or register to add and subscribe to comments.