Searching the Help
To search for information in the Help, type a word or phrase in the Search box. When you enter a group of words, OR is inferred. You can use Boolean operators to refine your search.
Results returned are case insensitive. However, results ranking takes case into account and assigns higher scores to case matches. Therefore, a search for "cats" followed by a search for "Cats" would return the same number of Help topics, but the order in which the topics are listed would be different.
Words and Phrases
| Search for | Example | Results |
|---|---|---|
| A single word | cat
|
Topics that contain the word "cat". You will also find its grammatical variations, such as "cats". |
|
A phrase. You can specify that the search results contain a specific phrase. |
"cat food" (quotation marks) |
Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase. |
Using Boolean Operators
| Search for | Operator | Example |
|---|---|---|
|
Two or more words in the same topic |
|
|
| Either word in a topic |
|
|
| Topics that do not contain a specific word or phrase |
|
|
| Topics that contain one string and do not contain another | ^ (caret) |
cat ^ mouse
|
| A combination of search types | ( ) parentheses |
|
- Install and configure the standalone IdM service
- Task 1: Deploy IdM on a web application server
- Task 2: Configure SSL in the IdM web application server
- Task 3: Create an IdM client trust store
- Task 4: Configure SAML SSO
- Task 5: Configure a tenant and specify the ADFS metadata URL
- Task 6: Configure the IdM service for LW-SSO compatibility
- Task 7: Specify an IdM token signing key
- Task 8: Specify an IdM user account for Service Manager
- Task 9: Replace JRE policy files for the IdM server
- Task 10: Configure the SAML keystore in IdM
- Task 11: Import the IdP public key into the IdM SAML keystore
- Task 12: Encrypt IdM passwords and keys
- Task 13: Create an empty database for IdM
- Task 14: Configure database connection in the IdM service
- Task 15: Download the IdM metadata
- Task 16: Create a trust relationship with ADFS
- Task 17: Adjust the max authentication age setting in the IdM service
- Configure SAML authentication by using the IdM admin console
Configure SAML authentication by using the IdM admin console
Note This section describes how to use the IdM admin console to set up SAML authentication. If you do not want to use the IdM admin console, complete the tasks in Install and configure the standalone IdM service.
Deploy the IdM service and the IdM admin console
To deploy and set up idm-service and idm-admin-console, follow these steps:
-
Deploy the idm-service and idm-admin-console WAR files on a web application server.
For how to deploy a service on Tomcat, see Task 1: Deploy IdM on a web application server. However, in addition to idm-service, you also need to deploy idm-admin-console.
-
Configure SSL in the web application server.
For detailed the steps, see Task 2: Configure SSL in the IdM web application server.
-
Specify an IdM token signing key by editing the <idm-service>\WEB-INF\spring\applicationContext.properties file in a text editor. For example:
idm.encryptedSigningKey=rqa9mkdmfkvdvienfj4usldo9205mvid
-
Add the preconfigured data in a .json file in <idm-service>\WEB-INF\classes\seeded.
This file defines the provider organization, related database users, and integration user for login and API call.
- You can use a template file by deleting the ".template" suffix and only retaining .json. Then, open the file and replace the content with the example data.
- It is recommended that you rename the file to "organization_add__1.0.0.1__updata.json".
The following is an example for the .json file:
[{ "operation": "ADD_OR_UPDATE", "type": "organization", "attributes": { "name": "Provider", "displayName": "Provider", "type": "PROVIDER" } }, { "operation": "ADD_OR_UPDATE", "type": "organization", "attributes": { "name": "IDM-SM", "displayName": "IDM-SM", "type": "CONSUMER" } }, { "operation": "ADD", "type": "databaseUser", "names": { "organizationName": "Provider" }, "attributes": { "name": "admin2", "password": "Aa123!@#" }, "associations": [{ "type": "permission", "name": "SUPER_IDM_ADMIN" }] }, { "operation": "ADD_OR_UPDATE", "type": "databaseUser", "names": { "organizationName": "Provider" }, "attributes": { "name": "idmTransportUser", "password": "idmTransportUser", "email": "idmTransportUser@admin.com", "type": "INTEGRATION_USER" } }, { "operation": "ADD_OR_UPDATE", "type": "databaseUser", "names": { "organizationName": "IDM-SM" }, "attributes": { "name": "idmTransportUser", "password": "idmTransportUser", "email": "superadmin@admin.com", "type": "INTEGRATION_USER" } }] -
Edit the <idm-admin-console>\WEB-INF\classes\IdmConfig.properties file. The signingkey is same as the one for idm-service.
Example:
tenant=Provider integrationAcctUserName=idmTransportUser integrationAcctPassword=idmTransportUser idm.serverUrl=https://idmservice.hpeswlab.net:8443/idm-service signingKey=rqa9mkdmfkvdvienfj4usldo9205mvid
Make sure that you use the IdM encryption tool to encrypt the integration account and copy the encrypted value back to the IdM configuration file. For how to use the tool, see Task 12: Encrypt IdM passwords and keys.
Example:
tenant=Provider integrationAcctUserName=ENC(GPMnzDGlnQD1Y1au0t2rf0PenP5NtQPDOSnYB6QNxW4=) integrationAcctPassword=ENC(GPMnzDGlnQD1Y1au0t2rf0PenP5NtQPDOSnYB6QNxW4=) idm.serverUrl=https:// idmservice.hpeswlab.net:8443/idm-service-1.20.1 signingKey=ENC(m4xsCdxJur/idqsZQQW5XaJtFP42mEm7FZMzKXPajL5aqyDtmVyHUOwHrEmlvZah)
- Restart your web application server.
-
Verify the deployment.
- Check if tables are successfully created in database.
- Access the URL to check if idm-service is deployed successfully:
https://localhost:8888/idm-service/api/version-info -
Access the URL to check if the IdM admin console is deployed successfully:
https://locahost:8443/idm-adminIf you can see the login page, the deployment is successful and you can use the preconfigured admin account(for example, admin2) in the seeded json file to log in.
Configure the IdP server
To configure the IdP server, follow these steps:
-
Generate a keystore for IdM and place it to the webapps\idm-service\WEB-INF\classes\security folder.
For detailed steps, see Task 10: Configure the SAML keystore in IdM and Task 11: Import the IdP public key into the IdM SAML keystore.
-
Configure the keystore path in IdM.
- Log on to the IdM admin console.
-
Click SYSTEM SETTINGS.
-
Configure the settings in the SAML section. For example:
Keystore Default Key Name: idm Keystore Default Key Password: changeit Keystore Password: changeit Keystroe Path: classpath:security/samlKeystore.jks Keystore Type: jks
- Restart the IdM service.
-
Download the SAML metadata file by accessing the idm-service URL like the following example.
https://locahost:8443/idm-servcie/saml/metadata
-
Add relying party trust to IdP.
For detailed steps, see Task 16: Create a trust relationship with ADFS.
Configure SAML
To configure SAML by using the IdM admin console, follow these steps:
-
Log on to the IdM admin console.
- Click the Organization tab.
- Click Add (+) to create an organization.
-
Configure SAML authentication.
- Click the organization that you create.
- Click Authentication, and then click Add (+).
-
Select SAML from the authentication type list, and then click CREATE to create a SAML configuration.
-
From the SAML Server Settings page, use one of the following methods to configure the IDP metadata:
- Specify the IDP metadata URL and load the related HTTPS client certificate.
- Save the metadata to an xml file and then upload the metadata file (FederateionMetadata.xml) to idm-service.
-
Configure the IdM customization metadata.
- Click Customization .
- Add "saml" to the value of the authentication flow with a comma as the delimiter.
Next steps
Next, you need to configure SAML authentication in Service Manager and verify that your SAML SSO setup is successful. For details, see Configure SAML SSO in Service Manager (using standalone IdM).
