
Configure SAML

CSA, acting as a SAML service provider, can be configured to support SAML (Security Assertion Markup Language) by configuring the Identity Provider endpoint.

SAML is configured in the Cloud Service Management Console.

SAML is used for Federated Identity Management to implement scalable, secure, Single Sign-On across organizations.

Note For supported SAML versions, see the Cloud Service Automation System and Software Support Matrix.

Note In a SAML federated logout, CSA will clear the federated Identity Provider (IDP) sessions of the user.

SAML Configuration on a CSA Fresh Install

Follow the steps below to configure SAML on a fresh CSA 4.7 install:

Note If you wish to configure SAML without HP SSO, do the following in this order:

  1. Follow the instructions to manually disable HP SSO, see "Disable HP Single Sign-On (HPSSO)" in Integrate with HP Single Sign-On.
  2. Continue to follow the steps below, but skip steps 5 and 6. Those steps are only relevant when HP SSO is used in CSA (HP SSO is enabled by default).

  1. Navigate to PERSISTENT_VOLUME_PATH/jboss-as/standalone/deployments/idm-service.war/WEB-INF/web.xml

    PERSISTENT_VOLUME_PATH is the directory in which CSA is installed.

    By default PERSISTENT_VOLUME_PATH is:

    Linux: /usr/local/hpe/csa/

  2. Open web.xml file and uncomment the line:

    /WEB-INF/spring/applicationContext-saml.xml

  3. Perform this step (step 3) only in an HA cluster environment with two or more CSA nodes:

    Open the file PERSISTENT_VOLUME_PATH/jboss-as/standalone/deployments/idm-service.war/WEB-INF/spring/applicationContext-saml.xml

    and uncomment the line

    <property name="entityBaseURL" value="http://localhost/idm-service"/>

    and replace with

    <property name="entityBaseURL" value="https://<fqdn>:<port>/idm-service"/>

  4. Navigate to PERSISTENT_VOLUME_PATH/jboss-as/standalone/deployments/idm-service.war/WEB-INF/spring/applicationContext-security.xml
  5. (Skip this step if HP SSO has been disabled manually.) Uncomment the segment between the lines:

    <!-- START SAML Web SSO with HP SSO --> and <!-- END SAML Web SSO with HP SSO -->:

    <!-- START SAML Web SSO with HP SSO -->
    <security:http pattern="/idm/v0/login" use-expressions="true" auto-config="false">
    <security:csrf disabled="true" />
    <security:custom-filter ref="requestTokenCompositeFilter" position="FIRST" />
    <security:custom-filter ref="hpssoProvidedFilter" before="PRE_AUTH_FILTER" />
    <security:custom-filter ref="hpssoIntegrationFilter" after="PRE_AUTH_FILTER" />
    <security:custom-filter ref="samlSsoFilter" before="CAS_FILTER" />
    <security:custom-filter ref="noPromptFilter" before="FORM_LOGIN_FILTER" />
    <security:http-basic />
    </security:http>
    <security:http pattern="/idm/v0/logout" use-expressions="true" auto-config="false">
    <security:csrf disabled="true" />
    <security:custom-filter ref="requestTokenCompositeFilter" position="FIRST" />
    <security:custom-filter ref="hpssoProvidedFilter" before="PRE_AUTH_FILTER" />
    <security:custom-filter ref="hpssoIntegrationFilter" after="PRE_AUTH_FILTER" />
    <security:custom-filter ref="samlSsoFilter" before="CAS_FILTER" />
    <security:custom-filter ref="noPromptFilter" before="FORM_LOGIN_FILTER" />
    <security:http-basic />
    </security:http>
    <!-- END SAML Web SSO with HP SSO -->
  6. (Skip this step if HP SSO has been disabled manually.) Comment out the segment below the line:

    <!-- START HP SSO ONLY Configuration -->:

    <!-- START HP SSO ONLY Configuration -->
    <security:http auto-config="false" pattern="/idm/v0/login" use-expressions="true">
    <security:csrf disabled="true"/>
    <security:custom-filter position="FIRST" ref="requestTokenCompositeFilter"/>
    <security:custom-filter before="PRE_AUTH_FILTER" ref="hpssoProvidedFilter"/>
    <security:custom-filter after="PRE_AUTH_FILTER" ref="hpssoIntegrationFilter"/>
    <security:custom-filter before="FORM_LOGIN_FILTER" ref="noPromptFilter"/>
    <security:http-basic/>
    </security:http>
    <security:http auto-config="false" pattern="/idm/v0/logout" use-expressions="true">
    <security:csrf disabled="true"/>
    <security:custom-filter position="FIRST" ref="requestTokenCompositeFilter"/>
    <security:custom-filter before="PRE_AUTH_FILTER" ref="hpssoProvidedFilter"/>
    <security:custom-filter after="PRE_AUTH_FILTER" ref="hpssoIntegrationFilter"/>
    <security:http-basic/>
    </security:http>
  7. Restart the CSA service. See Restart CSA for instructions.

ADFS Group Claim Configuration

Pre-requisites:

Download CSA metadata and import to the ADFS machine.

Note Identity Management component metadata can be downloaded from the following URL: https://<CSA-FQDN>:8444/idm-service/saml/metadata

This section describes two alternative ways to create a rule in Microsoft Server Manager that sends group membership as a claim from Active Directory Federation Services (ADFS).

Note If you rename a group in Active Directory, make sure you do not modify the group's sAMAccountName in the back end.

Note If the sAMAccountName is changed, login will be denied, because ADFS returns the sAMAccountName of the configured group.

Rule creation method #1:

  1. Open ADFS Management in the Server Manager.

  2. In the console tree, navigate to ADFS > Trust Relationships.

  3. Click Relying Party Trusts and select the trust where you will create the rule.

  4. Right-click the trust and choose Edit Claim Rules.

  5. In the Edit Claim Rules dialog, click Add Rule. The Add Transform Claim Rule Wizard is displayed.
  6. In the Select Rule Template dialog, in the Claim rule template section, choose Send Claims Using a Custom Rule.

  7. Enter a name for the rule.

  8. In the Custom Rule box, enter the following rule syntax:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("Group"), query = ";tokenGroups;{0}", param = c.Value);

  9. Click Finish to apply the changes.

Rule creation method #2:

Alternatively, you can add the rule using the following steps:

  1. Open ADFS Management in the Server Manager.

  2. In the console tree, navigate to ADFS > Trust Relationships.

  3. Click Relying Party Trusts and select the trust where you will create the rule.

  4. Right-click the trust and choose Edit Claim Rules.

  5. Click Add Rule. The Add Transform Claim Rule Wizard is displayed.

  6. In the Select Rule Template dialog, in the Claim rule template section, select Send LDAP Attributes as Claims.

  7. Enter a name for the rule.

  8. Choose Active Directory in the Attribute store field.

  9. For the LDAP attribute, select Token-Groups – Unqualified Names.

  10. Create two rules:
    For the first rule, map samAccountName (selected from the LDAP Attribute drop-down) to NameID as the Outgoing Claim Type.
    For the second rule, the Outgoing Claim Type can be any name, but the same name must be entered in the Attribute field of the CSA SAML configuration user interface.

  11. Click Finish.

Exporting the ADFS Certificate and Importing the Certificate in Identity Management component

  1. Go to certificates in the ADFS wizard. Select the option to Set Service Communications Certificate.

  2. Select the certificate with 5 years validity (5 years is the default validity period; this comes up when you are configuring Certificate Services).

  3. Select Copy to File. The Certificate import wizard opens. Leave the default settings and save the file in PERSISTENT_VOLUME_PATH\jboss-as\standalone\deployments\idm-service.war\WEB-INF\classes\security.

  4. Save a backup of samlKeystore.jks from PERSISTENT_VOLUME_PATH/jboss-as/standalone/deployments/idm-service.war/WEB-INF/classes/security.
  5. Import the certificate of Identity Provider (IDP) to PERSISTENT_VOLUME_PATH/jboss-as/standalone/deployments/idm-service.war/WEB-INF/classes/security

    PERSISTENT_VOLUME_PATH is the directory in which CSA is installed.

    By default PERSISTENT_VOLUME_PATH is:

    Linux: /usr/local/hpe/csa/

  6. Run the following command from the above directory path:

    keytool -import -alias adfs_alias -file your_certificate_name.cer -keystore samlKeystore.jks

  7. When prompted, enter the destination keystore password of the Identity Management component.

    Note nalle123 is the default password.

    Note Change the default password of samlKeystore.jks. After changing the password, update idm.saml.keystore.password in applicationContext.properties.
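Once the certificate is imported and the keystore password changed, it is worth re-reading the files the fresh-install steps above edited, because a single forgotten uncomment leaves SAML silently half-configured. The Python script below is an added example, not CSA product code: it checks web.xml for the SAML context entry, applicationContext-saml.xml for an entityBaseURL that is https and not localhost (HA cluster only), applicationContext-security.xml for exactly one active `<security:http>` block per pattern that wires samlSsoFilter, and applicationContext.properties for the default keystore password nalle123. It assumes HP SSO is enabled (steps 5 and 6 applied) and that the Spring Security namespace URI is the standard one; the sample file contents inside it are constructed, not copied from a real install.

```python
"""Audit the idm-service files edited by the SAML procedure on this page.

Added example, not CSA product code. It re-reads web.xml, applicationContext-saml.xml,
applicationContext-security.xml and applicationContext.properties and flags mistakes that
leave SAML half-configured. File names, property keys and the default keystore password
are the ones this page gives; the Spring Security namespace URI is assumed to be the
standard one; every sample content below is constructed, not taken from a real install.
"""
import re
import xml.etree.ElementTree as ET

SECURITY_NS = "http://www.springframework.org/schema/security"  # assumed standard schema URI
DEFAULT_KEYSTORE_PASSWORD = "nalle123"  # default named on this page

def _strip_comments(text: str) -> str:
    """Drop XML comments so commented-out configuration is not counted as active."""
    return re.sub(r"<!--.*?-->", "", text, flags=re.S)

def check_web_xml(text: str) -> list:
    """Step 2: the SAML context entry must be present outside any comment."""
    if "/WEB-INF/spring/applicationContext-saml.xml" not in _strip_comments(text):
        return ["web.xml: applicationContext-saml.xml entry is missing or still commented out"]
    return []

def check_entity_base_url(text: str, ha_cluster: bool) -> list:
    """Step 3: in an HA cluster entityBaseURL must be an https URL naming the real FQDN."""
    if not ha_cluster:
        return []  # single node: the procedure leaves the default in place
    match = re.search(r'<property\s+name="entityBaseURL"\s+value="([^"]*)"', _strip_comments(text))
    if match is None:
        return ["applicationContext-saml.xml: entityBaseURL is not set (required in an HA cluster)"]
    url, findings = match.group(1), []
    if not url.startswith("https://"):
        findings.append(f"applicationContext-saml.xml: entityBaseURL {url!r} is not https")
    if "localhost" in url or "<fqdn>" in url:
        findings.append(f"applicationContext-saml.xml: entityBaseURL {url!r} still uses a placeholder host")
    return findings

def check_security_xml(text: str) -> list:
    """Steps 5 and 6: each of /idm/v0/login and /idm/v0/logout needs exactly one active
    <security:http> block, and that block must wire samlSsoFilter. ElementTree discards
    comments, so if step 6 was skipped the same pattern simply shows up twice."""
    blocks = {}
    for http in ET.fromstring(text).iter(f"{{{SECURITY_NS}}}http"):
        blocks.setdefault(http.get("pattern"), []).append(http)
    findings = []
    for pattern in ("/idm/v0/login", "/idm/v0/logout"):
        active = blocks.get(pattern, [])
        if len(active) != 1:
            findings.append(f"applicationContext-security.xml: {pattern} has {len(active)} active blocks, expected 1")
            continue
        refs = {f.get("ref") for f in active[0].iter(f"{{{SECURITY_NS}}}custom-filter")}
        if "samlSsoFilter" not in refs:
            findings.append(f"applicationContext-security.xml: {pattern} block does not reference samlSsoFilter")
    return findings

def check_keystore_password(text: str) -> list:
    """Certificate step 7 note: the samlKeystore.jks password must not be the documented default."""
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "idm.saml.keystore.password":
            if value.strip() == DEFAULT_KEYSTORE_PASSWORD:
                return ["applicationContext.properties: idm.saml.keystore.password is still the default"]
            return []
    return ["applicationContext.properties: idm.saml.keystore.password is not set"]

def audit(web_xml, saml_xml, security_xml, properties, ha_cluster) -> list:
    """Run every check; an empty list means the configuration passed."""
    return (check_web_xml(web_xml) + check_entity_base_url(saml_xml, ha_cluster)
            + check_security_xml(security_xml) + check_keystore_password(properties))

# ---- constructed sample inputs (not real CSA files) ----
_NS_DECL = f'xmlns="http://www.springframework.org/schema/beans" xmlns:security="{SECURITY_NS}"'

def _http_block(pattern: str, with_saml: bool) -> str:
    saml = '<security:custom-filter ref="samlSsoFilter" before="CAS_FILTER"/>' if with_saml else ""
    return (f'<security:http pattern="{pattern}" use-expressions="true" auto-config="false">'
            f'<security:custom-filter ref="hpssoProvidedFilter" before="PRE_AUTH_FILTER"/>{saml}</security:http>')

def sample_security_xml(hp_sso_only_commented: bool) -> str:
    """Step 5 applied; step 6 applied only when hp_sso_only_commented is True."""
    saml = _http_block("/idm/v0/login", True) + _http_block("/idm/v0/logout", True)
    hp_only = _http_block("/idm/v0/login", False) + _http_block("/idm/v0/logout", False)
    if hp_sso_only_commented:
        hp_only = f"<!--{hp_only}-->"
    return f"<beans {_NS_DECL}>{saml}<!-- START HP SSO ONLY Configuration -->{hp_only}</beans>"

GOOD_WEB_XML = "<param-value>/WEB-INF/spring/applicationContext-common.xml\n/WEB-INF/spring/applicationContext-saml.xml</param-value>"
BAD_WEB_XML = GOOD_WEB_XML.replace("/WEB-INF/spring/applicationContext-saml.xml",
                                   "<!-- /WEB-INF/spring/applicationContext-saml.xml -->")
GOOD_SAML_XML = '<property name="entityBaseURL" value="https://csa.example.internal:8444/idm-service"/>'
BAD_SAML_XML = '<property name="entityBaseURL" value="http://localhost/idm-service"/>'
GOOD_PROPS = "idm.saml.keystore.password=ExampleChangedPassphrase\n"
BAD_PROPS = "idm.saml.keystore.password=nalle123\n"

if __name__ == "__main__":
    print("correct:", audit(GOOD_WEB_XML, GOOD_SAML_XML, sample_security_xml(True), GOOD_PROPS, True) or "OK")
    print("skipped steps:", audit(BAD_WEB_XML, BAD_SAML_XML, sample_security_xml(False), BAD_PROPS, True))
```

To run it against a real node, read the four files from PERSISTENT_VOLUME_PATH/jboss-as/standalone/deployments/idm-service.war/WEB-INF/ and pass their contents to audit(); set ha_cluster to True only where step 3 applied. The keystore-password comparison is a plain string match, so if the property is stored in an encrypted form the check reports only that the value is not the literal default.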

Adding SAML Configuration for the Organization

  1. In the Cloud Service Management Console, navigate to Organizations > Selected Organization > SAML.
  2. In the SAML tab of the organization, provide the Identity Provider metadata URL in the SAML URL field. The Identity Provider metadata URL can be a web URL OR a relative directory path.

    • For example:

      The web URL for ADFS has the following format: https://<hostname>/FederationMetadata/2007-06/FederationMetadata.xml

      where <hostname> refers to the Identity Provider hostname.

    • For a relative directory path, first create a metadata folder, then download the metadata XML from the Identity Provider metadata URL and place the file in PERSISTENT_VOLUME_PATH/jboss-as/standalone/deployments/idm-service.war/WEB-INF/classes/metadata

      PERSISTENT_VOLUME_PATH is the directory in which CSA is installed.

      By default PERSISTENT_VOLUME_PATH is:

      Linux: /usr/local/hpe/csa/

      Restart the CSA service and set the SAML URL as: /metadata/FederationMetadata.xml,

      where FederationMetadata corresponds to the name of the metadata file.

  3. The attribute name must be set to the name of the Identity Provider attribute resolver.

    For example, for ADFS the attribute is the Outgoing Claim Type of a rule in the Relying Party Trust, such as Group.

  4. Configure LDAP for your organization (select Organizations > Selected Organization > LDAP).
  5. In Access Control, add the group.

    NOTE: If groups were added to access control before SAML was configured for the organization, updating the groups in access control is mandatory, whether the setup is a fresh install or an upgrade.

    Note If CSA is configured for FIPS, see "Configure CSA to Use SAML" section in Cloud Service Automation FIPS 140-2 Compliance Configuration Guide for more information.

  6. Download JCE Unlimited Strength Jurisdiction Policy Files from: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

  7. Copy local_policy.jar and US_export_policy.jar to the jre/lib/security directory.

    For Example: If CSA is using OpenJre, then the path must be PERSISTENT_VOLUME_PATH/openjre/lib/security/

    Linux: /usr/local/hpe/csa/openjre/lib/security/.
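Before pointing the SAML URL at a metadata file (step 2 above), it helps to see exactly what CSA will be trusting. The Python inspector below is an added example, not CSA product code: it parses a SAML 2.0 metadata document, reports the entityID, the HTTP-Redirect and HTTP-POST single sign-on endpoints and the number of usable signing certificates, and flags endpoints that are not https, a validUntil stamp that has already passed, and a missing or malformed signing certificate. It goes slightly beyond the ADFS case by accepting either a bare EntityDescriptor or an EntitiesDescriptor wrapper. The sample document inside it is constructed: the hostnames are placeholders and the certificate value is a dummy DER blob, not real ADFS output.

```python
"""Inspect an Identity Provider metadata file before it is used as the SAML URL.

Added example, not CSA product code. Before copying FederationMetadata.xml into
WEB-INF/classes/metadata (or pointing CSA at the metadata URL), this reads the SAML 2.0
metadata and reports what the service provider will trust: the entityID, the HTTP-Redirect
and HTTP-POST single sign-on endpoints, the signing certificate, and whether a validUntil
stamp has already passed. It accepts a bare EntityDescriptor or an EntitiesDescriptor
wrapper. The sample document is constructed: hostnames are placeholders and the
certificate value is a dummy DER blob, not a real ADFS certificate.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def inspect_idp_metadata(xml_text: str, now: datetime = None) -> dict:
    """Return entity_id, sso endpoints, signing_cert_count and a list of problems."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    entity = root if root.tag == f"{{{MD}}}EntityDescriptor" else root.find(f"{{{MD}}}EntityDescriptor")
    if entity is None:
        raise ValueError("no EntityDescriptor in metadata")
    idp = entity.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; this is not IdP metadata")
    problems = []
    valid_until = entity.get("validUntil") or idp.get("validUntil")
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= now:
            problems.append(f"metadata expired at {valid_until}; download a fresh copy")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    for binding in (REDIRECT, POST):
        location = sso.get(binding)
        if location is None:
            problems.append(f"no SingleSignOnService for {binding.rsplit(':', 1)[1]}")
        elif not location.startswith("https://"):
            problems.append(f"SSO endpoint is not https: {location}")
    signing_certs = 0
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            try:
                der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                problems.append("signing certificate is not valid base64")
                continue
            if der[:1] != b"\x30":  # every DER certificate starts with a SEQUENCE tag
                problems.append("signing certificate is not DER-encoded")
                continue
            signing_certs += 1
    if signing_certs == 0:
        problems.append("no usable signing certificate; assertion signatures cannot be verified")
    return {"entity_id": entity.get("entityID"), "sso": sso,
            "signing_cert_count": signing_certs, "problems": problems}

# ---- constructed sample (placeholder host and dummy certificate) ----
DUMMY_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()  # minimal DER SEQUENCE, not a certificate

def sample_metadata(valid_until="2099-01-01T00:00:00Z", scheme="https") -> str:
    return f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}" validUntil="{valid_until}"
    entityID="http://adfs.example.internal/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{DUMMY_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}" Location="{scheme}://adfs.example.internal/adfs/ls/"/>
    <SingleSignOnService Binding="{POST}" Location="{scheme}://adfs.example.internal/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print(inspect_idp_metadata(sample_metadata()))
    print(inspect_idp_metadata(sample_metadata("2000-01-01T00:00:00Z", "http"))["problems"])
```

Run it on the downloaded FederationMetadata.xml by reading the file and passing its text to inspect_idp_metadata(); a non-empty problems list is a reason to fix the metadata (or fetch a current copy over the https metadata URL) before restarting CSA. The certificate check is deliberately shallow, a base64 and DER-framing sanity check, so that the script needs nothing beyond the standard library.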

SAML Configuration on a CSA Upgrade

NOTE: If SAML is configured in CSA 4.7 and you have upgraded to CSA 4.8, you need to configure SAML again.

To configure SAML when CSA is upgraded, complete the following steps:

  1. Navigate to PERSISTENT_VOLUME_PATH/jboss-as/standalone/deployments/idm-service.war/WEB-INF/web.xml

    PERSISTENT_VOLUME_PATH is the directory in which CSA is installed.

    For example, PERSISTENT_VOLUME_PATH on Linux is /usr/local/hpe/csa/

  2. Open the web.xml file and add the new entry /WEB-INF/spring/applicationContext-saml.xml below the line

    /WEB-INF/spring/applicationContext-common.xml

  3. Perform this step (step 3) only in an HA cluster environment with two or more CSA nodes:

    Open the file PERSISTENT_VOLUME_PATH/jboss-as/standalone/deployments/idm-service.war/WEB-INF/spring/applicationContext-saml.xml

    and add the line <property name="entityBaseURL" value="https://<fqdn>:<port>/idm-service"/> next to

    <!-- Filter automatically generates default SP metadata -->
    <bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
    <bean class="org.springframework.security.saml.metadata.MetadataGenerator">