Task 4: Configure SAML SSO

To do this, follow these steps:

Step 1. Configure SP-Initiated SSO: Redirect/POST Binding

Follow these steps to update the IdM service configuration base for SP-initiated web SSO:

  1. In the <idm-service>/WEB-INF/web.xml file, make sure that the following line is uncommented: 

    /WEB-INF/spring/applicationContext-saml.xml
    

    Note The applicationContext-saml.xml file includes Spring beans for SAML.

  2. Configure HP SSO.

    1. Open the <idm-service>/WEB-INF/web.xml file with a text editor.
    2. Search for "START HP SSO Configuration". This section is commented out by default.
    3. Specify the location of the HP SSO configuration file as "/WEB-INF/hpssoConfig.xml".

      <!-- START HP SSO Configuration -->
          <listener>
              <listener-class>com.hp.ccue.identity.hpssoImpl.HpSsoContextListener</listener-class>
          </listener>
      
          <context-param>
              <param-name>com.hp.sw.bto.ast.security.lwsso.conf.fileLocation</param-name>
              <param-value>/WEB-INF/hpssoConfig.xml</param-value>
          </context-param>
      <!-- END HP SSO Configuration -->
    4. In the <idm-service>\WEB-INF\spring\applicationContext-v0.xml file, make sure that the tokenWriter property setting in the HP SSO Configuration section is not commented out, as shown below.

      <!--Authentication API -->
          <bean id="authenticationApiController" class="com.hp.ccue.identity.web.api.AuthenticationController">
              <property name="tokenService" ref="tokenService"/>
              <property name="identityService" ref="identityService"/>
              <property name="sessionStateService" ref="sessionStateService"/>
              <!-- START HP SSO Configuration -->
                      <property name="tokenWriter" ref="hpssoTokenWriter" />
              <!-- END HP SSO Configuration -->
          </bean>
    5. Edit the <idm-service>\WEB-INF\hpssoConfig.xml file as described below.

      • Specify the domain name of the IdM server (for example, the Tomcat server). The domain name must match the DNS domain name of the system on which the IdM service is deployed, because the HP SSO cookies are domain-specific.

        Note All components that participate in SAML except the SM Server (the IdM service, SM web tier, SRC, and Mobility Client) must be in the same domain, because HP SSO cookies are domain-specific.

      • Change secureHTTPCookie (default: false) to true if SSL is enabled between the user's browser and the web application server of the SM web tier, SRC, or Mobility Client.

      See the following for an example.

      <creation tokenGlobalTimeout="480" tokenIdleTimeout="30" secureHTTPCookie="true">
          <!-- lwsso is required -->
          <lwsso>
              <!-- domain is required
                  HPSSO 1.0 version supports a single domain only.
                  All servers using HPSSO should have the same domain and it should be denoted in this tag
              -->
              <creationDomains>
                  <!-- for development environments only! -->
                  <domain>mycompany.net</domain>
              </creationDomains>
          </lwsso>
      </creation>

Step 2. Disable ECP

ADFS does not support ECP; however, the IdM metadata includes the AssertionConsumerService for ECP. Therefore, this step is required so that the metadata does not advertise a binding the IdP cannot serve.

To disable ECP, follow these steps:

  1. Open the <idm-service>\WEB-INF\spring\applicationContext-saml.xml file with a text editor.
  2. Search for the following line, and comment it out.

    <property name="ecpEnabled" value="true"/>
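The following script is an added example, not part of the HP documentation or the IdM service, that checks the outcome of Step 1 and Step 2 against constructed copies of the three files: the HP SSO listener and fileLocation parameter in web.xml, the secureHTTPCookie flag and single creation domain in hpssoConfig.xml, and the commented-out ecpEnabled property in applicationContext-saml.xml. The sample XML strings are constructed for the example and the expected domain and SSL setting are assumptions passed in by the caller.

```python
"""Added example (not HP's code): verify the SAML SSO settings from Task 4.

The three XML strings below are constructed samples, not the shipped files.
"""
import xml.etree.ElementTree as ET

HPSSO_LISTENER = "com.hp.ccue.identity.hpssoImpl.HpSsoContextListener"
HPSSO_LOCATION_PARAM = "com.hp.sw.bto.ast.security.lwsso.conf.fileLocation"
HPSSO_LOCATION = "/WEB-INF/hpssoConfig.xml"

# Constructed web.xml fragment with the HP SSO section uncommented
WEB_XML = """<web-app>
  <listener>
    <listener-class>com.hp.ccue.identity.hpssoImpl.HpSsoContextListener</listener-class>
  </listener>
  <context-param>
    <param-name>com.hp.sw.bto.ast.security.lwsso.conf.fileLocation</param-name>
    <param-value>/WEB-INF/hpssoConfig.xml</param-value>
  </context-param>
</web-app>"""

# Constructed hpssoConfig.xml that still has the default secureHTTPCookie="false"
HPSSO_CONFIG = """<creation tokenGlobalTimeout="480" tokenIdleTimeout="30" secureHTTPCookie="false">
  <lwsso>
    <creationDomains>
      <domain>mycompany.net</domain>
    </creationDomains>
  </lwsso>
</creation>"""

# Constructed applicationContext-saml.xml fragment with ecpEnabled commented out
SAML_CONTEXT = """<beans>
  <bean id="exampleBean" class="example.Bean">
    <!-- <property name="ecpEnabled" value="true"/> -->
  </bean>
</beans>"""


def check_web_xml(text):
    """Return findings for the HP SSO listener and config-file location in web.xml."""
    root = ET.fromstring(text)
    findings = []
    listeners = [(e.text or "").strip() for e in root.iter("listener-class")]
    if HPSSO_LISTENER not in listeners:
        findings.append("web.xml: HpSsoContextListener missing or still commented out")
    params = {
        p.findtext("param-name", "").strip(): p.findtext("param-value", "").strip()
        for p in root.iter("context-param")
    }
    location = params.get(HPSSO_LOCATION_PARAM)
    if location != HPSSO_LOCATION:
        findings.append(f"web.xml: HP SSO fileLocation is {location!r}, expected {HPSSO_LOCATION!r}")
    return findings


def check_hpsso_config(text, expected_domain, ssl_enabled):
    """Return findings for the cookie Secure flag and the single creation domain."""
    root = ET.fromstring(text)
    findings = []
    secure = root.get("secureHTTPCookie", "false").strip().lower() == "true"
    if ssl_enabled and not secure:
        findings.append("hpssoConfig.xml: SSL is enabled but secureHTTPCookie is false; "
                        "the SSO cookie could be sent over plain HTTP")
    domains = [(d.text or "").strip() for d in root.iter("domain")]
    # HP SSO 1.0 supports one domain, and it must match the IdM server's DNS domain
    if domains != [expected_domain]:
        findings.append(f"hpssoConfig.xml: creationDomains {domains} must be exactly [{expected_domain!r}]")
    return findings


def check_ecp_disabled(text):
    """Return a finding if ecpEnabled is still active (ElementTree drops XML comments)."""
    root = ET.fromstring(text)
    for prop in root.iter("property"):
        if prop.get("name") == "ecpEnabled" and prop.get("value", "").strip().lower() == "true":
            return ["applicationContext-saml.xml: ecpEnabled is still active; comment it out (ADFS does not support ECP)"]
    return []


def check_all(web_xml, hpsso_config, saml_context, expected_domain, ssl_enabled):
    """Run all three checks and return the combined list of findings (empty means OK)."""
    return (check_web_xml(web_xml)
            + check_hpsso_config(hpsso_config, expected_domain, ssl_enabled)
            + check_ecp_disabled(saml_context))


if __name__ == "__main__":
    # Assumed deployment: IdM server in mycompany.net with SSL to the web tier
    for finding in check_all(WEB_XML, HPSSO_CONFIG, SAML_CONTEXT, "mycompany.net", True):
        print(finding)
```

With the constructed sample and SSL assumed on, the only finding is the secureHTTPCookie one; flipping the attribute to "true" as in the hpssoConfig.xml example above clears it. The ECP check relies on ElementTree discarding comments, so a property that has been commented out simply does not appear in the parsed tree.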