Searching the Help
To search for information in the Help, type a word or phrase in the Search box. When you enter a group of words, OR is inferred. You can use Boolean operators to refine your search.
Results returned are case insensitive. However, results ranking takes case into account and assigns higher scores to case matches. Therefore, a search for "cats" followed by a search for "Cats" would return the same number of Help topics, but the order in which the topics are listed would be different.
Words and Phrases
| Search for | Example | Results |
|---|---|---|
| A single word | cat
|
Topics that contain the word "cat". You will also find its grammatical variations, such as "cats". |
|
A phrase. You can specify that the search results contain a specific phrase. |
"cat food" (quotation marks) |
Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase. |
Using Boolean Operators
| Search for | Operator | Example |
|---|---|---|
|
Two or more words in the same topic |
|
|
| Either word in a topic |
|
|
| Topics that do not contain a specific word or phrase |
|
|
| Topics that contain one string and do not contain another | ^ (caret) |
cat ^ mouse
|
| A combination of search types | ( ) parentheses |
|
- Install and configure the standalone IdM service
- Prerequisite
- Task 1: Deploy IdM on a web application server
- Task 2: Configure SSL in the IdM web application server
- Task 3: Create an IdM client trust store
- Task 4: Configure SAML SSO
- Task 5: Configure a tenant and specify the ADFS metadata URL
- Task 6: Create an empty database for IdM
- Task 7: Configure database connection in the IdM service
- Task 8: Download the IdM metadata
- Task 9: Configure the IdM service for LW-SSO compatibility
- Task 10: Specify an IdM token signing key
- Task 11: Specify an IdM user account for Service Manager
- Task 12: Replace JRE policy files for the IdM server
- Task 13: Create a trust relationship with ADFS
- Task 14: Import the IdP public key into the IdM SAML keystore
- Task 15: Adjust the max authentication age setting in the IdM service
- Task 16: Encrypt IdM passwords and keys
Task 4: Configure SAML SSO
To do this, follow these steps:
Step 1. Configure SP-Initiated SSO: Redirect/POST Binding
Follow these steps to update the IdM service configuration base for SP-initiated web SSO:
-
In the <idm-service>/WEB-INF/web.xml file, uncomment the following line:
/WEB-INF/spring/applicationContext-saml.xml
Note The applicationContext-saml.xml file includes Spring beans for SAML.
-
In the <idm-service>/WEB-INF/spring/applicationContext-security.xml file, enable SAML Web SSO with HP SSO.
By default, the SAML Web SSO with HP SSO section is commented out. Remove the comment tags highlighted below to enable the feature.
<!-- START SAML Web SSO with HP SSO --> <!-- ... ... ... --> <!-- END SAML Web SSO with HP SSO -->Note SAML Web SSO without HP SSO authenticates the user and provides user access to protected resources in one application; SAML Web SSO with HP SSO writes the HP SSO cookie after the user is authenticated, and therefore provides single sign-on to other applications. HP SSO provides single sign-on capability across legacy HPE software products. To be compatible with LW-SSO, you must enable SAML Web SSO with HP SSO. This means when SAML is enabled in SM and LW-SSO is enabled in another application, users can access SM without login, and vise versa.
-
Update the <idm-service>/WEB-INF/spring/applicationContext-security.xml file.
- Open the file with a text editor.
- Search for "START HP SSO Configuration". This section is commented out by default.
-
Uncomment this section, except the normal HPSSO login and logout filters, as shown below.
<!-- START HP SSO Configuration --> <!-- <security:http pattern="/idm/v0/login" use-expressions="true" auto-config="false"> <security:csrf disabled="true" /> <security:custom-filter ref="requestTokenCompositeFilter" position="FIRST" /> <security:custom-filter ref="hpssoProvidedFilter" before="PRE_AUTH_FILTER" /> <security:custom-filter ref="hpssoIntegrationFilter" after="PRE_AUTH_FILTER" /> <security:custom-filter ref="noPromptFilter" before="FORM_LOGIN_FILTER" /> <security:http-basic /> </security:http> <security:http pattern="/idm/v0/logout" use-expressions="true" auto-config="false"> <security:csrf disabled="true" /> <security:custom-filter ref="requestTokenCompositeFilter" position="FIRST" /> <security:custom-filter ref="hpssoProvidedFilter" before="PRE_AUTH_FILTER" /> <security:custom-filter ref="hpssoIntegrationFilter" after="PRE_AUTH_FILTER" /> <security:http-basic /> </security:http> --> ... ... ... </bean> <!-- END HP SSO Configuration -->
-
Configure HP SSO.
- Open the <idm-service>/WEB-INF/web.xml file with a text editor.
- Search for "START HP SSO Configuration". This section is commented out by default.
- Uncomment this section by removing the comment tags.
-
Specify the location of the HP SSO configuration file as "/WEB-INF/hpssoConfig.xml".
<!-- START HP SSO Configuration --> <listener> <listener-class>com.hp.ccue.identity.hpssoImpl.HpSsoContextListener</listener-class> </listener> <context-param> <param-name>com.hp.sw.bto.ast.security.lwsso.conf.fileLocation</param-name> <param-value>/WEB-INF/hpssoConfig.xml</param-value> </context-param> <!-- END HP SSO Configuration --> -
In the <idm-service>\WEB-INF\spring\applicationContext-v0.xml file, make sure that the tokenWriter property setting in the HP SSO Configuration section is not commented out, as shown below.
<!--Authentication API --> <bean id="authenticationApiController" class="com.hp.ccue.identity.web.api.AuthenticationController"> <property name="tokenService" ref="tokenService"/> <property name="identityService" ref="identityService"/> <property name="sessionStateService" ref="sessionStateService"/> <!-- START HP SSO Configuration --> <property name="tokenWriter" ref="hpssoTokenWriter" /> <!-- END HP SSO Configuration --> </bean> -
Edit the <idm-service>\WEB-INF\hpssoConfig.xml file as described below.
-
Specify the domain name of the IdM server (for example, the Tomcat server). The domain name must match the DNS domain name of the system on which the IDM service is deployed, because the HP SSO cookies are domain-specific.
Note All components that participate in SAML except the SM Server (the IdM service, SM web tier, SRC, and Mobility Client) must be in the same domain, because HP SSO cookies are domain-specific.
- Change secureHTTPCookie (default: false) to true if SSL is enabled between the user's browser and the web application server of the SM web tier, SRC, or Mobility Client.
See the following for an example.
<creation tokenGlobalTimeout="480" tokenIdleTimeout="30" secureHTTPCookie="true"> <!-- lwsso is required --> <lwsso> <!-- domain is required HPSSO 1.0 version supports a single domain only. All servers using HPSSO should have the same domain and it should be denoted in this tag --> <creationDomains> <!-- for development environments only! --> <domain>mycompany.net</domain> </creationDomains> </lwsso> </creation> -
Step 2. Configure SP-Initiated SSO: POST/Artifact Bindings
For POST/Artifact Bindings, in addition to the configuration in the previous step, you need to make sure that the applicationContext-saml.xml file contains the following property setting (default).
Note This file is located in the following folder: <idm-service>/WEB-INF/spring.
<property name="bindingsSSO"> <list> <value>post</value> <value>artifact</value> <value>paos</value> </list> </property>Step 3. Disable ECP
ADFS does not support ECP; however, the IdM metadata includes the AssertionConsumerService for ECP. Therefore, this step is required.
To disable ECP, follow these steps:
- Open the <idm-service>WEB-INF\spring\applicationContext-saml.xml file with a text editor.
-
Search for the following line, and comment it out.
<value>paos</value>
-
Search for the following line, and comment it out.
<property name="ecpEnabled" value="true"/>
