Administer > System security > SAML Single Sign-On > SAML SSO setup > Configure SAML SSO using the Service Portal IdM > Configure SMAL SSO in a distributed Service Portal deployment

Configure SAML SSO in a distributed Service Portal deployment

A distributed deployment uses a cluster of Service Manager Service Portal instances. The SAML SSO configuration steps for a cluster environment are basically the same as described in Configure SAML SSO in a single Service Portal instance , except for the following configurations.

samlKesytore.jks

You need to do the following:

  1. Create the initial samlKeystore.jks on the load balancer node.
  2. Distribute the same samlKesytore.jks file to all the Service Manager Service Portal nodes.

SAML contextProvider

Note This is an extra configuration required for all Service Manager Service Portal nodes in a distributed deployment.

  1. On all Service Manager Service Portal nodes, open the SAML contextProvider configuration in <Service Manager Service Portal Installation Directory>/idm-service/idm-service.war/WEB-INF/spring/applicationContext-saml.xml file.
  2. Comment out the following line:

    <bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl">
  3. Replace the contextProvider bean section with the following lines:

    <bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
        <property name="scheme" value="https"/>
        <property name="serverName" value="<load balancer node FQDN>"/>
        <property name="serverPort" value="443"/>
        <property name="includeServerPortInRequestURL" value="false"/>
        <property name="contextPath" value="/idm-service"/>
    <!-- Sets underlying dataStore-->
         <property name="storageFactory" ref="storageFactory"/>
    </bean>

    Important The serverName value needs to be the host name of the load balancer node of the cluster environment.

After the required changes are made, the file content resembles the following example.

metadataGeneratorFilter

Note This is an extra configuration required for all Service Manager Service Portal nodes in a distributed deployment.

  1. On all Service Manager Service Portal nodes, open the SAML contextProvider configuration in the <Service Manager Service Portal Installation Directory>/idm-service/idm-service.war/WEB-INF/spring/applicationContext.properties file.
  2. Add following line:

    idm.saml.entityBaseURL = https://<FQND>/idm-service
    
    

    Important The entityBaseURL value needs to contain the host name of the load balancer node of the cluster environment.

Nginx on the load balancer

Change the load balancer (LB) nginx configuration on the LB node by adding some proxy buffer parameters, which fix a 502 bad gateway issue caused by large HTTP headers when posting signed SAML responses to the load balancer after ADFS authenticated the user successfully.

To do this, follow these steps:

  1. On the load balancer node, open the /etc/nginx/conf.d/propel.conf file.
  2. Add the lines highlighted below:

    ...
    server
    {
    ….
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    ssl_certificate /opt/hp/propel/security/propel_host.crt;
    ssl_certificate_key /opt/hp/propel/security/propel_host.key.rsa;
    ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;";
    }

    See the following figure.

Certificates

Import the certificate of the LB node and CA (root and intermediate) to the ADFS server machine as trusted root certificates.