Task 4: Configure SAML SSO

To do this, follow these steps:

Step 1. Configure SP-Initiated SSO: Redirect/POST Binding

Follow these steps to update the IdM service configuration base for SP-initiated web SSO:

  1. In the <idm-service>/WEB-INF/web.xml file, uncomment the following line: 

    /WEB-INF/spring/applicationContext-saml.xml
    

    Note The applicationContext-saml.xml file includes Spring beans for SAML.

  2. In the <idm-service>/WEB-INF/spring/applicationContext-security.xml file, enable SAML Web SSO with HP SSO.

    By default, the SAML Web SSO with HP SSO section is commented out. Remove the comment tags highlighted below to enable the feature.

    <!-- START SAML Web SSO with HP SSO -->
        <!--
           ...
           ...
           ...
        -->
    <!-- END SAML Web SSO with HP SSO -->

    Note SAML Web SSO without HP SSO authenticates the user and provides user access to protected resources in one application; SAML Web SSO with HP SSO writes the HP SSO cookie after the user is authenticated, and therefore provides single sign-on to other applications. HP SSO provides single sign-on capability across legacy HPE software products. To be compatible with LW-SSO, you must enable SAML Web SSO with HP SSO. This means that when SAML is enabled in SM and LW-SSO is enabled in another application, users can access SM without logging in again, and vice versa.

  3. Update the <idm-service>/WEB-INF/spring/applicationContext-security.xml file.

    1. Open the file with a text editor.
    2. Search for "START HP SSO Configuration". This section is commented out by default.
    3. Uncomment this section, except the normal HPSSO login and logout filters, as shown below.

      <!-- START HP SSO Configuration -->
          <!--
          <security:http pattern="/idm/v0/login" use-expressions="true" auto-config="false">
              <security:csrf disabled="true" />
              <security:custom-filter ref="requestTokenCompositeFilter" position="FIRST" />
              <security:custom-filter ref="hpssoProvidedFilter" before="PRE_AUTH_FILTER" />
              <security:custom-filter ref="hpssoIntegrationFilter" after="PRE_AUTH_FILTER" />
              <security:custom-filter ref="noPromptFilter" before="FORM_LOGIN_FILTER" />
              <security:http-basic />
          </security:http>
      
          <security:http pattern="/idm/v0/logout" use-expressions="true" auto-config="false">
              <security:csrf disabled="true" />
              <security:custom-filter ref="requestTokenCompositeFilter" position="FIRST" />
              <security:custom-filter ref="hpssoProvidedFilter" before="PRE_AUTH_FILTER" />
              <security:custom-filter ref="hpssoIntegrationFilter" after="PRE_AUTH_FILTER" />
              <security:http-basic />
          </security:http>
          -->
          ...
          ...
          ...
          </bean>
      <!-- END HP SSO Configuration -->
  4. Configure HP SSO.

    1. Open the <idm-service>/WEB-INF/web.xml file with a text editor.
    2. Search for "START HP SSO Configuration". This section is commented out by default.
    3. Uncomment this section by removing the comment tags.
    4. Specify the location of the HP SSO configuration file as "/WEB-INF/hpssoConfig.xml".

      <!-- START HP SSO Configuration -->
          <listener>
              <listener-class>com.hp.ccue.identity.hpssoImpl.HpSsoContextListener</listener-class>
          </listener>
      
          <context-param>
              <param-name>com.hp.sw.bto.ast.security.lwsso.conf.fileLocation</param-name>
              <param-value>/WEB-INF/hpssoConfig.xml</param-value>
          </context-param>
      <!-- END HP SSO Configuration -->
    5. In the <idm-service>\WEB-INF\spring\applicationContext-v0.xml file, make sure that the tokenWriter property setting in the HP SSO Configuration section is not commented out, as shown below.

      <!--Authentication API -->
          <bean id="authenticationApiController" class="com.hp.ccue.identity.web.api.AuthenticationController">
              <property name="tokenService" ref="tokenService"/>
              <property name="identityService" ref="identityService"/>
              <property name="sessionStateService" ref="sessionStateService"/>
              <!-- START HP SSO Configuration -->
                      <property name="tokenWriter" ref="hpssoTokenWriter" />
              <!-- END HP SSO Configuration -->
          </bean>
    6. Edit the <idm-service>\WEB-INF\hpssoConfig.xml file as described below.

      • Specify the domain name of the IdM server (for example, the Tomcat server). The domain name must match the DNS domain name of the system on which the IdM service is deployed, because the HP SSO cookies are domain-specific.

        Note All components that participate in SAML except the SM Server (the IdM service, SM web tier, SRC, and Mobility Client) must be in the same domain, because HP SSO cookies are domain-specific.

      • Change secureHTTPCookie (default: false) to true if SSL is enabled between the user's browser and the web application server of the SM web tier, SRC, or Mobility Client.

      See the following for an example.

      <creation tokenGlobalTimeout="480" tokenIdleTimeout="30" secureHTTPCookie="true">
          <!-- lwsso is required -->
          <lwsso>
              <!-- domain is required
                  HPSSO 1.0 version supports a single domain only.
                  All servers using HPSSO should have the same domain and it should be denoted in this tag
              -->
              <creationDomains>
                  <!-- for development environments only! -->
                  <domain>mycompany.net</domain>
              </creationDomains>
          </lwsso>
      </creation>

Step 2. Configure SP-Initiated SSO: POST/Artifact Bindings

For POST/Artifact bindings, in addition to the configuration in the previous step, make sure that the applicationContext-saml.xml file contains the following property setting (this is the default).

Note This file is located in the following folder: <idm-service>/WEB-INF/spring.

    <property name="bindingsSSO">
        <list>
            <value>post</value>
            <value>artifact</value>
            <value>paos</value>
        </list>
    </property>

Step 3. Disable ECP

ADFS does not support ECP; however, the IdM metadata includes the AssertionConsumerService for ECP. Therefore, this step is required.

To disable ECP, follow these steps:

  1. Open the <idm-service>/WEB-INF/spring/applicationContext-saml.xml file with a text editor.
  2. Search for the following line, and comment it out.

    <value>paos</value>
  3. Search for the following line, and comment it out.

    <property name="ecpEnabled" value="true"/>