
Configure SAML authentication by using the IdM admin console

Note: This section describes how to use the IdM admin console to set up SAML authentication. If you do not want to use the IdM admin console, complete the tasks in Install and configure the standalone IdM service.

Deploy the IdM service and the IdM admin console

To deploy and set up idm-service and idm-admin-console, follow these steps:

  1. Deploy the idm-service and idm-admin-console WAR files on a web application server.

    For how to deploy a service on Tomcat, see Task 1: Deploy IdM on a web application server. However, in addition to idm-service, you also need to deploy idm-admin-console.

  2. Configure SSL in the web application server.

    For the detailed steps, see Task 2: Configure SSL in the IdM web application server.

  3. Specify an IdM token signing key by editing the <idm-service>\WEB-INF\spring\applicationContext.properties file in a text editor. For example:

     idm.encryptedSigningKey=rqa9mkdmfkvdvienfj4usldo9205mvid
  4. Add the preconfigured data in a .json file in <idm-service>\WEB-INF\classes\seeded.

    This file defines the provider organization, the related database users, and the integration user used for login and API calls.

    • You can start from a template file: remove the ".template" suffix so that the file name ends in .json, then open the file and replace its content with the example data.
    • It is recommended that you rename the file to "organization_add__1.0.0.1__updata.json".

    The following is an example for the .json file:

    [{
        "operation": "ADD_OR_UPDATE",
        "type": "organization",
        "attributes": {
            "name": "Provider",
            "displayName": "Provider",
            "type": "PROVIDER"
        }
    },
    {
        "operation": "ADD_OR_UPDATE",
        "type": "organization",
        "attributes": {
            "name": "IDM-SM",
            "displayName": "IDM-SM",
            "type": "CONSUMER"
        }
    },
    {
        "operation": "ADD",
        "type": "databaseUser",
        "names": {
            "organizationName": "Provider"
        },
        "attributes": {
            "name": "admin2",
            "password": "Aa123!@#"
        },
        "associations": [{
            "type": "permission",
            "name": "SUPER_IDM_ADMIN"
        }]
    },
    {
        "operation": "ADD_OR_UPDATE",
        "type": "databaseUser",
        "names": {
            "organizationName": "Provider"
        },
        "attributes": {
            "name": "idmTransportUser",
            "password": "idmTransportUser",
            "email": "idmTransportUser@admin.com",
            "type": "INTEGRATION_USER"
        }
    },
    {
        "operation": "ADD_OR_UPDATE",
        "type": "databaseUser",
        "names": {
            "organizationName": "IDM-SM"
        },
        "attributes": {
            "name": "idmTransportUser",
            "password": "idmTransportUser",
            "email": "superadmin@admin.com",
            "type": "INTEGRATION_USER"
        }
    }]
    
  5. Edit the <idm-admin-console>\WEB-INF\classes\IdmConfig.properties file. The signingKey is the same as the one configured for idm-service.

    Example:

    tenant=Provider
    integrationAcctUserName=idmTransportUser
    integrationAcctPassword=idmTransportUser
    idm.serverUrl=https://idmservice.hpeswlab.net:8443/idm-service
    signingKey=rqa9mkdmfkvdvienfj4usldo9205mvid
    

    Make sure that you use the IdM encryption tool to encrypt the integration account credentials and copy the encrypted values back to the IdM configuration file. For how to use the tool, see Task 12: Encrypt IdM passwords and keys.

    Example:

    tenant=Provider
    integrationAcctUserName=ENC(GPMnzDGlnQD1Y1au0t2rf0PenP5NtQPDOSnYB6QNxW4=)
    integrationAcctPassword=ENC(GPMnzDGlnQD1Y1au0t2rf0PenP5NtQPDOSnYB6QNxW4=)
    idm.serverUrl=https://idmservice.hpeswlab.net:8443/idm-service-1.20.1
    signingKey=ENC(m4xsCdxJur/idqsZQQW5XaJtFP42mEm7FZMzKXPajL5aqyDtmVyHUOwHrEmlvZah)
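    Before restarting, it is worth checking that the seeded .json file and IdmConfig.properties agree with each other and with idm-service. The following script is an added example, not part of this documentation or of the IdM product: it parses a constructed seed file and constructed property files in the shape shown above and reports orphaned users, passwords equal to the user name, secrets that are not wrapped in ENC(...), whitespace in idm.serverUrl, a signingKey that differs from idm.encryptedSigningKey, and an integration account that is not defined as an INTEGRATION_USER in the tenant organization. All host names and values in it are assumptions.

```python
import json
import re

# Constructed seed data in the shape of the page's example; values are assumptions.
SEEDED_JSON = """[
  {"operation": "ADD_OR_UPDATE", "type": "organization",
   "attributes": {"name": "Provider", "displayName": "Provider", "type": "PROVIDER"}},
  {"operation": "ADD", "type": "databaseUser",
   "names": {"organizationName": "Provider"},
   "attributes": {"name": "admin2", "password": "Aa123!@#"},
   "associations": [{"type": "permission", "name": "SUPER_IDM_ADMIN"}]},
  {"operation": "ADD_OR_UPDATE", "type": "databaseUser",
   "names": {"organizationName": "Provider"},
   "attributes": {"name": "idmTransportUser", "password": "idmTransportUser",
                  "email": "idmTransportUser@admin.com", "type": "INTEGRATION_USER"}},
  {"operation": "ADD_OR_UPDATE", "type": "databaseUser",
   "names": {"organizationName": "Missing-Org"},
   "attributes": {"name": "orphan", "password": "Zz987!@#"}}
]"""

# Constructed IdmConfig.properties (admin console) with two deliberate defects:
# plaintext secrets and a stray space inside the URL.
IDM_CONFIG = """tenant=Provider
integrationAcctUserName=idmTransportUser
integrationAcctPassword=idmTransportUser
idm.serverUrl=https:// idmservice.example.net:8443/idm-service
signingKey=rqa9mkdmfkvdvienfj4usldo9205mvid
"""

# Constructed applicationContext.properties fragment (idm-service).
APP_CONTEXT = "idm.encryptedSigningKey=rqa9mkdmfkvdvienfj4usldo9205mvid\n"

SECRET_KEYS = ("integrationAcctPassword", "signingKey")   # tuple keeps finding order stable
ENC_RE = re.compile(r"^ENC\([A-Za-z0-9+/=]+\)$")


def parse_properties(text):
    """Parse key=value lines; blank lines and # comments are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def lint_seed(seed_text):
    """Findings about the seed: users in undefined organizations and weak passwords."""
    findings = []
    entries = json.loads(seed_text)
    orgs = {e["attributes"]["name"] for e in entries if e["type"] == "organization"}
    for e in entries:
        if e["type"] != "databaseUser":
            continue
        org = e.get("names", {}).get("organizationName")
        user = e["attributes"].get("name", "")
        pw = e["attributes"].get("password", "")
        if org not in orgs:
            findings.append(f"user {user}: organization '{org}' is not defined in the seed")
        if pw.lower() == user.lower():
            findings.append(f"user {user}: password equals the user name")
        if len(pw) < 8:
            findings.append(f"user {user}: password shorter than 8 characters")
    return findings


def lint_config(config_text, app_context_text, seed_text):
    """Findings about IdmConfig.properties checked against the seed and idm-service."""
    findings = []
    cfg = parse_properties(config_text)
    app = parse_properties(app_context_text)
    entries = json.loads(seed_text)
    for key in SECRET_KEYS:
        if not ENC_RE.match(cfg.get(key, "")):
            findings.append(f"{key}: not wrapped in ENC(...); run the IdM encryption tool")
    url = cfg.get("idm.serverUrl", "")
    if re.search(r"\s", url) or not url.startswith("https://"):
        findings.append("idm.serverUrl: must be an https URL without whitespace")
    # The console signingKey must equal idm-service's key; only comparable while both are plaintext.
    console_key, service_key = cfg.get("signingKey", ""), app.get("idm.encryptedSigningKey", "")
    if not ENC_RE.match(console_key) and console_key != service_key:
        findings.append("signingKey: differs from idm.encryptedSigningKey in idm-service")
    # The integration account must exist as INTEGRATION_USER in the tenant organization
    # (skipped when the user name itself is already encrypted).
    tenant, acct = cfg.get("tenant"), cfg.get("integrationAcctUserName", "")
    if not ENC_RE.match(acct):
        ok = any(e["type"] == "databaseUser"
                 and e.get("names", {}).get("organizationName") == tenant
                 and e["attributes"].get("name") == acct
                 and e["attributes"].get("type") == "INTEGRATION_USER"
                 for e in entries)
        if not ok:
            findings.append(f"integrationAcctUserName: '{acct}' is not an INTEGRATION_USER in '{tenant}'")
    return findings


if __name__ == "__main__":
    for f in lint_seed(SEEDED_JSON) + lint_config(IDM_CONFIG, APP_CONTEXT, SEEDED_JSON):
        print("WARNING:", f)
```

    Run it against your real files by replacing the three constructed strings with the file contents; every WARNING line points at one of the mistakes that otherwise only shows up as a failed login or a signature error after the restart.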
    
  6. Restart your web application server.
  7. Verify the deployment.

    • Check if the tables are successfully created in the database.
    • Access the URL to check if idm-service is deployed successfully: https://localhost:8888/idm-service/api/version-info
    • Access the URL to check if the IdM admin console is deployed successfully: https://localhost:8443/idm-admin

      If you can see the login page, the deployment is successful and you can use the preconfigured admin account (for example, admin2) from the seeded .json file to log in.

Configure the IdP server

To configure the IdP server, follow these steps:

  1. Generate a keystore for IdM and place it in the webapps\idm-service\WEB-INF\classes\security folder.

    For detailed steps, see Task 10: Configure the SAML keystore in IdM and Task 11: Import the IdP public key into the IdM SAML keystore.

  2. Configure the keystore path in IdM.

    1. Log on to the IdM admin console.
    2. Click SYSTEM SETTINGS.

    3. Configure the settings in the SAML section. For example:

      Keystore Default Key Name: idm
      Keystore Default Key Password: changeit
      Keystore Password: changeit
      Keystore Path: classpath:security/samlKeystore.jks
      Keystore Type: jks
      
    4. Restart the IdM service.
  3. Download the SAML metadata file by accessing the idm-service URL, as in the following example.

    https://localhost:8443/idm-service/saml/metadata

  4. Add relying party trust to IdP.

    For detailed steps, see Task 16: Create a trust relationship with ADFS.

Configure SAML

To configure SAML by using the IdM admin console, follow these steps:

  1. Log on to the IdM admin console.

  2. Click the Organization tab.
  3. Click Add (+) to create an organization.
  4. Configure SAML authentication.

    1. Click the organization that you create.
    2. Click Authentication, and then click Add (+).
    3. Select SAML from the authentication type list, and then click CREATE to create a SAML configuration.

    4. From the SAML Server Settings page, use one of the following methods to configure the IDP metadata:

      • Specify the IDP metadata URL and load the related HTTPS client certificate.
      • Save the metadata to an XML file and then upload the metadata file (FederationMetadata.xml) to idm-service.
  5. Configure the IdM customization metadata.

    1. Click Customization.
    2. Add "saml" to the value of the authentication flow with a comma as the delimiter.
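    Both metadata documents exchanged in this procedure (the idm-service SP metadata downloaded from /saml/metadata, and the IdP FederationMetadata.xml uploaded in step 4) are worth inspecting before they are trusted. The following script is an added example and is not part of this documentation or of the IdM product: it summarizes a SAML 2.0 metadata document (entityID, role, signing-certificate SHA-256 fingerprints, endpoints, signing requirements) and flags what a reviewer would want to catch, such as a missing signing certificate or an endpoint that is not HTTPS. It handles both SP and IdP metadata, which goes beyond the single SP URL shown above. The embedded metadata, its entityID, URLs and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SP metadata in the shape a SAML service provider publishes.
# The entityID, URLs and certificate bytes are placeholders (assumptions).
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idm.example.net:8443/idm-service/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idm.example.net:8443/idm-service/saml/SSO" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""".format(cert=base64.b64encode(b"placeholder-der-certificate-bytes").decode())


def summarize_metadata(xml_text):
    """Extract the facts worth eyeballing before trusting a metadata document."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    idp = root.find("md:IDPSSODescriptor", NS)
    role_el = sp if sp is not None else idp
    if role_el is None:
        raise ValueError("no SPSSODescriptor or IDPSSODescriptor found")
    summary = {
        "entity_id": root.get("entityID"),
        "valid_until": root.get("validUntil"),      # None when the document never expires
        "role": "SP" if sp is not None else "IdP",
        "signing_cert_sha256": [],
        "endpoints": [],
        "signed_requests": None,
        "wants_signed_assertions": None,
    }
    if sp is not None:
        summary["signed_requests"] = sp.get("AuthnRequestsSigned") == "true"
        summary["wants_signed_assertions"] = sp.get("WantAssertionsSigned") == "true"
    for kd in role_el.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":    # a KeyDescriptor without 'use' serves both purposes
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            digest = hashlib.sha256(der).hexdigest().upper()
            summary["signing_cert_sha256"].append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    for tag in ("md:AssertionConsumerService", "md:SingleSignOnService", "md:SingleLogoutService"):
        for ep in role_el.findall(tag, NS):
            summary["endpoints"].append((tag.split(":")[1], ep.get("Binding"), ep.get("Location")))
    return summary


def find_issues(summary):
    """Return the review findings for a summary produced by summarize_metadata."""
    issues = []
    if not summary["signing_cert_sha256"]:
        issues.append("no signing certificate published; signatures cannot be verified")
    for name, _binding, location in summary["endpoints"]:
        if not (location or "").startswith("https://"):
            issues.append(f"{name} endpoint is not https: {location}")
    if summary["role"] == "SP" and summary["wants_signed_assertions"] is False:
        issues.append("SP does not require signed assertions")
    return issues


if __name__ == "__main__":
    s = summarize_metadata(SP_METADATA)
    for key, value in s.items():
        print(f"{key}: {value}")
    for issue in find_issues(s):
        print("ISSUE:", issue)
```

    Compare the printed certificate fingerprint with the one shown for the idm alias in samlKeystore.jks and with what the IdP administrator sees after importing the relying party trust; a mismatch at that point means the wrong key or an outdated metadata file is in play.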

Next steps

Next, you need to configure SAML authentication in Service Manager and verify that your SAML SSO setup is successful. For details, see Configure SAML SSO in Service Manager (using standalone IdM).