How to Enable Login to Universal CMDB with SAML Authentication

To enable SAML Authentication on UCMDB Server, do the following:

  1. Import the IdP certificate to UCMDB Server truststore.

    1. Copy the IdP certificate to the following directory on the UCMDB Server:

      <UCMDB_Server>\conf\security

      For example, C:\UCMDB\UCMDBServer\conf\security.

    2. Run the following command:

      C:\UCMDB\UCMDBServer\bin\jre\bin\keytool.exe -import -v -keystore C:\UCMDB\UCMDBServer\conf\security\server.truststore -file <certificate> -alias <certificate alias>
    3. Enter the UCMDB Server Truststore password.

    4. When asked Trust this certificate?, press y and then Enter.

    5. Make sure the output confirms the import (keytool prints Certificate was added to keystore).

  2. Configure SAML authentication via the JMX console, in the UCMDB:service=SAML Authentication Configuration Services category, using the methods described in the table below.

    Make sure you set all fields that are mandatory for a valid SAML configuration. The values only take effect after the restart in step 3.

    JMX method (* = mandatory when SAML is enabled) | Description

    * setSamlAuthentication
      Enables or disables SAML authentication. Setting Is enabled to True enables SAML authentication; an unspecified (null) value is treated as True.

    * setIDPEndpointForSAMLAuthentication
      Sets the IdP endpoint to which the SAML authentication request is sent. Mandatory when SAML authentication is enabled.
      Example: https://something.domain.local/adfs/ls

    setIdpCertificateAlias
      Sets the alias of the IdP certificate that is looked up in the server truststore and used to validate the response received from the IdP. If no alias is configured, the certificate with the alias samlCertif is used by default. If you imported the certificate under any other alias in step 1, you must set that alias with this method.

    * setSAMLClaimTypeContainingUserName
      Sets the claimType whose value is the user's login name. Mandatory when SAML authentication is enabled.
      Example: http://schemas.xmlsoap.org/claims/CommonName

    setSAMLClaimTypeContainingUserCustomer
      Sets the claimType whose value is the customer the user logs in to. Optional when SAML authentication is enabled; if not set, the default customer is used.

    setSamlAuthSyncGroups
      Setting Sync groups to True automatically adds IdP-authenticated users to every UCMDB group that exists both in UCMDB and in the list of groups received in the SAML group claim. The User's groups claimType parameter of this method sets the claimType that carries the user's groups in the SAML response.
      At least a default group should be configured so that users can access the UCMDB UI.

    * setSamlUserDefaultGroup
      Sets the UCMDB default group to which the user is added automatically when Sync groups is False or no group was received from the IdP.
      Important: Users authenticated through SAML are always added to the default group configured in JMX. If the configured default group does not exist in UCMDB, or no default group is configured, users cannot log in to the UCMDB UI.

    * setAuthRequestIssuer
      The issuer of the SAML request, that is, the service provider identifier of the UCMDB Server as it is configured in ADFS.

    * setSamlResponseIssuer
      The issuer from which the SAML response is expected.
      Example: http://something.domain.local/adfs/services/trust

    retrieveSAMLAuthenticationConfigurations
      Lists the SAML authentication configuration currently in effect, that is, the values loaded when the UCMDB Server was last started. Changes made since then are not shown.

    retrieveSAMLAuthenticationConfigurationsFromSettings
      Lists the SAML authentication configuration as stored in the settings, including changes made after the last restart. These are the values that will apply after the next restart. If they differ from the retrieveSAMLAuthenticationConfigurations listing, restart the UCMDB Server (the values are reloaded only on restart).
  3. Restart UCMDB Server.
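Step 1 above as a script, with the checks an administrator should make before trusting an IdP certificate. This is an added example, not part of the UCMDB documentation or product: it uses the default paths and the default alias samlCertif from the page, and the optional expected SHA-256 fingerprint is assumed to have been obtained out of band from the IdP owner (for ADFS, the token-signing certificate). -noprompt and -storepass:env are standard keytool options; the fingerprint check replaces the interactive "Trust this certificate?" answer, and the environment variable keeps the truststore password out of the command line and process list.

```powershell
# Import-IdpCertificate.ps1 (assumed file name) -- added example, not UCMDB code.
param(
    [Parameter(Mandatory = $true)]
    [string] $CertificatePath,                       # IdP certificate copied to <UCMDB_Server>\conf\security
    [string] $Alias = 'samlCertif',                  # default alias UCMDB looks up; any other alias must be set via setIdpCertificateAlias
    [string] $UcmdbHome = 'C:\UCMDB\UCMDBServer',
    [string] $ExpectedSha256 = ''                    # fingerprint from the IdP owner (assumed input; optional but recommended)
)

$keytool    = Join-Path $UcmdbHome 'bin\jre\bin\keytool.exe'
$truststore = Join-Path $UcmdbHome 'conf\security\server.truststore'
foreach ($path in @($keytool, $truststore, $CertificatePath)) {
    if (-not (Test-Path -LiteralPath $path)) { throw "Not found: $path" }
}

# Inspect the certificate before trusting it (works for DER and Base64-encoded .cer/.crt files).
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertificatePath
$sha256 = ([System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData) |
           ForEach-Object { $_.ToString('X2') }) -join ':'
Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "Expires : $($cert.NotAfter.ToString('u'))"
Write-Host "SHA-256 : $sha256"

if ($cert.NotAfter -lt (Get-Date)) {
    throw 'Certificate has already expired; obtain the current IdP signing certificate before importing.'
}
$normalize = { param($s) ($s -replace '[\s:]', '').ToUpperInvariant() }
if ($ExpectedSha256 -and ((& $normalize $sha256) -ne (& $normalize $ExpectedSha256))) {
    throw 'Fingerprint does not match the value obtained from the IdP owner; refusing to import.'
}

# Ask for the truststore password once and hand it to keytool through the environment.
$secure = Read-Host -Prompt 'UCMDB Server truststore password' -AsSecureString
$env:UCMDB_TS_PASS = (New-Object System.Net.NetworkCredential -ArgumentList '', $secure).Password
try {
    # -noprompt stands in for answering "y" to "Trust this certificate?", which is justified by the checks above.
    & $keytool -import -v -noprompt -keystore $truststore '-storepass:env' UCMDB_TS_PASS -file $CertificatePath -alias $Alias
    if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE (alias already present?)" }

    # Confirm the alias exists and that the stored entry is the certificate inspected above
    # (relies on keytool -list -v printing the SHA256 fingerprint, as JRE 8 and later do).
    $listing = & $keytool -list -v -keystore $truststore '-storepass:env' UCMDB_TS_PASS -alias $Alias
    if ($LASTEXITCODE -ne 0) { throw "Alias '$Alias' not found in $truststore after import" }
    if (($listing -join "`n") -notmatch [regex]::Escape($sha256)) {
        throw "Truststore entry '$Alias' does not carry fingerprint $sha256"
    }
    Write-Host "Imported '$Alias' into $truststore."
    if ($Alias -ne 'samlCertif') { Write-Host "Alias is not the default: set it with setIdpCertificateAlias in the JMX console." }
}
finally {
    Remove-Item Env:\UCMDB_TS_PASS -ErrorAction SilentlyContinue
}
```

Run it as .\Import-IdpCertificate.ps1 -CertificatePath C:\UCMDB\UCMDBServer\conf\security\idp-signing.cer -ExpectedSha256 '<fingerprint>' (file name and fingerprint are placeholders). The truststore is what makes the response validation in step 2 meaningful, so a mismatched or unverified fingerprint defeats the purpose; when the IdP rotates its signing certificate, the new one has to be imported the same way before the old one expires.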

Important (Multi-customer environments only) Because the default group is currently a global setting, in a multi-customer environment the default group must be updated on each customer with the desired roles (role assignments are customer-dependent). Once this is done and the Customer claimType is set in the JMX console, the IdP-authenticated user can log in to the UI of the customer received in the SAML response.
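The claimType strings in step 2 must match the attribute names the IdP actually sends, so the usual way to fill in the table is to capture one SAML Response (for example with a browser SAML tracer extension, as the Base64 SAMLResponse form field of the HTTP-POST binding), decode it and read the Issuer and Attribute names from it. The script below does that and also reproduces the group rules the table describes (default group always, plus the intersection of the group claim with existing UCMDB groups when Sync groups is on) and the customer selection from the Important note. It is an added example, not UCMDB code: the SAML Response is a constructed sample, and the Customer claimType URI, the group names and the default group name are assumptions. It does not verify the XML signature; that is done by the UCMDB Server using the truststore alias from step 1.

```powershell
# Added example, not UCMDB code: read a SAML Response to pick JMX configuration values
# and to predict which UCMDB groups a user will land in.

# Values as they would be set in the JMX console (issuer and CommonName claim taken from the page).
$SamlConfig = @{
    ResponseIssuer = 'http://something.domain.local/adfs/services/trust'   # setSamlResponseIssuer
    UserNameClaim  = 'http://schemas.xmlsoap.org/claims/CommonName'        # setSAMLClaimTypeContainingUserName
    CustomerClaim  = 'http://schemas.xmlsoap.org/claims/Customer'          # setSAMLClaimTypeContainingUserCustomer (assumed URI)
    GroupClaim     = 'http://schemas.xmlsoap.org/claims/Group'             # User's groups claimType in setSamlAuthSyncGroups
    SyncGroups     = $true                                                 # setSamlAuthSyncGroups
    DefaultGroup   = 'SAML Users'                                          # setSamlUserDefaultGroup (assumed group name)
}
$UcmdbGroups = @('SAML Users', 'UCMDB Viewers', 'UCMDB Admins')          # groups assumed to exist in UCMDB

# Constructed sample response (not a real capture); a real one carries a Signature element.
$SampleResponse = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://something.domain.local/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://something.domain.local/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@domain.local</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/CommonName">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>UCMDB Viewers</saml:AttributeValue>
        <saml:AttributeValue>Domain Users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
'@

function ConvertTo-SamlXml {
    # Accepts raw XML or the Base64 SAMLResponse form field of the HTTP-POST binding.
    param([string] $Text)
    if ($Text.TrimStart().StartsWith('<')) { return [xml] $Text }
    return [xml] [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Text))
}

function Get-SamlLoginMapping {
    param([xml] $Doc, [hashtable] $Config, [string[]] $ExistingGroups)
    $ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $Doc.NameTable
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')

    $issuerNode = $Doc.SelectSingleNode('/samlp:Response/saml:Issuer', $ns)
    if (-not $issuerNode) { throw 'Response carries no Issuer element' }
    $issuer = $issuerNode.InnerText.Trim()
    if ($issuer -ne $Config.ResponseIssuer) {
        throw "Response issuer '$issuer' does not match setSamlResponseIssuer value '$($Config.ResponseIssuer)'"
    }

    # The Name attribute of each saml:Attribute is exactly the claimType string the JMX methods expect.
    # GetAttribute is used because $attr.Name would return the element name instead.
    $claims = @{}
    foreach ($attr in $Doc.SelectNodes('//saml:AttributeStatement/saml:Attribute', $ns)) {
        $claims[$attr.GetAttribute('Name')] = @($attr.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object { $_.InnerText.Trim() })
    }
    if (-not $claims.ContainsKey($Config.UserNameClaim)) {
        throw "No attribute named '$($Config.UserNameClaim)'. ClaimTypes present: $($claims.Keys -join ', ')"
    }

    # Group rules from the table: the default group always; with Sync groups on, additionally the
    # groups that appear both in the group claim and in UCMDB. Unknown groups are ignored.
    $groups = @($Config.DefaultGroup)
    if ($Config.SyncGroups -and $claims.ContainsKey($Config.GroupClaim)) {
        $groups += @($claims[$Config.GroupClaim] | Where-Object { $ExistingGroups -contains $_ })
    }

    $customer = '(default customer)'
    if ($Config.CustomerClaim -and $claims.ContainsKey($Config.CustomerClaim)) { $customer = $claims[$Config.CustomerClaim][0] }

    [pscustomobject][ordered]@{
        Issuer             = $issuer
        UserName           = $claims[$Config.UserNameClaim][0]
        Customer           = $customer
        UcmdbGroups        = @($groups | Select-Object -Unique)
        ClaimTypesSeen     = @($claims.Keys)
        DefaultGroupExists = ($ExistingGroups -contains $Config.DefaultGroup)  # False means the login will fail (see Important above)
    }
}

Get-SamlLoginMapping -Doc (ConvertTo-SamlXml $SampleResponse) -Config $SamlConfig -ExistingGroups $UcmdbGroups | Format-List
```

For the sample above the result is user jdoe in groups SAML Users and UCMDB Viewers (Domain Users is dropped because it does not exist in UCMDB), the default customer because no Customer claim was sent, and DefaultGroupExists True. Replace $SampleResponse with a real capture to see which claimTypes the IdP issues before typing them into the JMX console; a typo there, or an issuer that differs by scheme or trailing slash, is the most common reason a SAML login fails after the restart.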

For more information about SAML authentication, see Enabling Login to Universal CMDB with SAML.