Configure SAML SSO in a distributed Service Portal deployment

samlKesytore.jks

You need to do the following:

Search for	Example	Results
A single word	`cat`	Topics that contain the word "cat". You will also find its grammatical variations, such as "cats".
A phrase. You can specify that the search results contain a specific phrase.	`"cat food"` (quotation marks)	Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase.

Search for	Operator	Example
Two or more words in the same topic	`AND` `and` `+` (plus symbol) `&` (ampersand)	`cat AND dog` `"cat food"+milk` `"cat food"&"dog food"`
Either word in a topic	`OR` `or` `\|` (pipe)	`cat OR dog` `cat \| dog`
Topics that do not contain a specific word or phrase	`NOT` `not` `!` (exclamation point)	`NOT cat` `! dog`
Topics that contain one string and do not contain another	`^` (caret)	`cat ^ mouse`
A combination of search types	`( )` parentheses	`cat + (dog \| mouse)` `cat \| dog + (! mouse)`

Create the initial samlKeystore.jks on the load balancer node.

Distribute the same samlKesytore.jks file to all the Service Manager Service Portal nodes.

SAML contextProvider

Note This is an extra configuration required for all Service Manager Service Portal nodes in a distributed deployment.

On all Service Manager Service Portal nodes, open the SAML contextProvider configuration in <Service Manager Service Portal Installation Directory>/idm-service/idm-service.war/WEB-INF/spring/applicationContext-saml.xml file.

Comment out the following line:

<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl">

Replace the contextProvider bean section with the following lines:

<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
    <property name="scheme" value="https"/>
    <property name="serverName" value="<load balancer node FQDN>"/>
    <property name="serverPort" value="443"/>
    <property name="includeServerPortInRequestURL" value="false"/>
    <property name="contextPath" value="/idm-service"/>
<!-- Sets underlying dataStore-->
     <property name="storageFactory" ref="storageFactory"/>
</bean>

Important The serverName value needs to be the host name of the load balancer node of the cluster environment.

After the required changes are made, the file content resembles the following example.

metadataGeneratorFilter

Note This is an extra configuration required for all Service Manager Service Portal nodes in a distributed deployment.

On all Service Manager Service Portal nodes, open the SAML contextProvider configuration in the <Service Manager Service Portal Installation Directory>/idm-service/idm-service.war/WEB-INF/spring/applicationContext-saml.xml file.

Change the metadataGeneratorFilter Bean configuration by setting an entityBaseURL value that points to the loadbalancer node.

To do this, add the following line to the metadataGeneratorFilter bean:

<property name="entityBaseURL" value="https://<load balancer node FQDN>/idm-service"/>

The following figure shows an example in which the entityBaseURL configuration is added.

Important The entityBaseURL value needs to contain the host name of the load balancer node of the cluster environment.

Nginx on the load balancer

Change the load balancer (LB) nginx configuration on the LB node by adding some proxy buffer parameters, which fix a 502 bad gateway issue caused by large HTTP headers when posting signed SAML responses to the load balancer after ADFS authenticated the user successfully.

To do this, follow these steps:

On the load balancer node, open the /etc/nginx/conf.d/propel.conf file.

Add the lines highlighted below:

...
server
{
….
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
ssl_certificate /opt/hp/propel/security/propel_host.crt;
ssl_certificate_key /opt/hp/propel/security/propel_host.key.rsa;
ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;";
}

See the following figure.