Administer > System security > SAML Single Sign-On > SAML SSO setup > Configure SAML SSO using the Service Portal IdM > Configure SMAL Single Sign-On in distributed Service Portal

Configure SAML SSO in a distributed Service Portal deployment

A distributed deployment uses a cluster of Service Portal instances. The SAML SSO configuration steps for a cluster environment are basically the same as described in Configure SAML SSO in a single Service Portal instance , except for the following configurations.

samlKesytore.jks

You need to do the following:

  1. Create the initial samlKeystore.jks on the load balancer node.
  2. Distribute the same samlKesytore.jks file to all the Service Portal nodes.

SAML contextProvider

Note This is an extra configuration required for all Service Portal nodes in a distributed deployment.

  1. On all Service Portal nodes, open the SAML contextProvider configuration in <Service Portal Installation Directory>/idm-service/idm-service.war/WEB-INF/spring/applicationContext-saml.xml file.
  2. Comment out the following line:

    <bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl">
  3. Replace the contextProvider bean section with the following lines:

    <bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
        <property name="scheme" value="https"/>
        <property name="serverName" value="<load balancer node FQDN>"/>
        <property name="serverPort" value="443"/>
        <property name="includeServerPortInRequestURL" value="false"/>
        <property name="contextPath" value="/idm-service"/>
    <!-- Sets underlying dataStore-->
         <property name="storageFactory" ref="storageFactory"/>
    </bean>

    Important The serverName value needs to be the host name of the load balancer node of the cluster environment.

After the required changes are made, the file content resembles the following example.

metadataGeneratorFilter

Note This is an extra configuration required for all Service Portal nodes in a distributed deployment.

  1. On all Service Portal nodes, open the SAML contextProvider configuration in the <Service Portal Installation Directory>/idm-service/idm-service.war/WEB-INF/spring/applicationContext-saml.xml file.
  2. Change the metadataGeneratorFilter Bean configuration by setting an entityBaseURL value that points to the loadbalancer node.

    To do this, add the following line to the metadataGeneratorFilter bean:

    <property name="entityBaseURL" value="https://<load balancer node FQDN>/idm-service"/>

    The following figure shows an example in which the entityBaseURL configuration is added.

    Important The entityBaseURL value needs to contain the host name of the load balancer node of the cluster environment.

Nginx on the load balancer

Change the load balancer (LB) nginx configuration on the LB node by adding some proxy buffer parameters, which fix a 502 bad gateway issue caused by large HTTP headers when posting signed SAML responses to the load balancer after ADFS authenticated the user successfully.

To do this, follow these steps:

  1. On the load balancer node, open the /etc/nginx/conf.d/propel.conf file.
  2. Add the lines highlighted below:

    ...
    server
    {
    ….
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    ssl_certificate /opt/hp/propel/security/propel_host.crt;
    ssl_certificate_key /opt/hp/propel/security/propel_host.key.rsa;
    ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;";
    }

    See the following figure.

Certificates

Import the certificate of the LB node and CA (root and intermediate) to the ADFS server machine as trusted root certificates.