How to Configure SAML Authentication with Applicare Server (7.3.8 Onwards)
Make the changes below in the Applicare server startup script, ${arcturus_home}/scripts/setAdminEnv.sh on Unix/Linux or ${arcturus_home}/scripts/setAdminEnv.bat on Windows.
Change the -Dspring.profiles.active=nosaml option in JAVA_OPT to -Dspring.profiles.active=saml, as shown here:
-Dspring.profiles.active=saml
This is required for the Applicare server to start.
1. Configure Applicare to log in with the SAML server
To switch on SSO on the Applicare server, add this option:
-Dspring.profiles.active=saml
This automatically disables Applicare's built-in login/password authentication and switches to the specified external authentication server.
2. Configure Identity Provider XML
Each identity provider publishes a metadata XML document containing the options needed to use it as a sign-on server. Usually this XML is available at a public URL.
The Applicare server needs that XML. Add the option below to point it at the identity provider definition:
-Dsaml.file=/Applications/Applicare/idp.xml
You can also use a remote XML file. In that case, add this line instead:
-Dsaml.idp.url=http://idp.ssocircle.com/idp-meta.xml
You also have to modify the file arcturus_home/server/webapps/applicare/WEB-INF/config-saml.xml.
Remove these lines:
<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
    <constructor-arg>
        <bean class="java.util.Timer"/>
    </constructor-arg>
    <constructor-arg value="#{systemProperties['saml.file'] != null ? systemProperties['saml.file'] : '/WEB-INF/metadata/default_dummy_idp.xml'}"/>
    <property name="parserPool" ref="parserPool"/>
</bean>
and replace them with these lines:
<bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
    <constructor-arg value="#{systemProperties['saml.idp.url'] != null ? systemProperties['saml.idp.url'] : 'http://saml_not_configured:8880/'}"/>
    <constructor-arg>
        <value type="int">5000</value>
    </constructor-arg>
    <property name="parserPool" ref="parserPool"/>
</bean>
-Dsaml.idp.url is required; -Dsaml.file is optional.
If -Dsaml.idp.url and -Dsaml.file point to different IdP metadata, both IdP definitions are processed.
3. Configure entity ID
Each application has an entity ID. This lets the SSO server know which application is requesting authentication. Add this option:
-Dapplicare.saml.entityID=applicare_100
The -Dapplicare.saml.entityID value is a custom-defined identifier, so you can set it as you wish.
4. Set the entity base
After a login through the SP, the base URL must be defined so that the redirect back to Applicare works correctly.
The base URL is defined with the following startup parameter:
-Dapplicare.saml.entityBaseUrl=http://{ApplicareIP}:{ApplicarePort}/applicare
5. Upload metadata to external authentication product
After following steps 1, 2, and 3, we can run the Applicare server. However, authentication still cannot be done: the generated metadata has to be exported to the SSO server. This registers the Applicare server as an application authorized to use the remote SSO server for authentication.
To do this, follow the steps below:
- Run the Applicare server
- Download the generated metadata file from http://{applicare_server_ip:port}/applicare/saml/metadata
- Upload the file to the authentication server using its respective login, e.g. the SSOCircle authentication server
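Before uploading the metadata, it is worth checking that the entityID and the assertion consumer URL inside it match the -Dapplicare.saml.entityID and -Dapplicare.saml.entityBaseUrl options from steps 3 and 4. The following is an added example, not Applicare code; the sample metadata is constructed in the standard SAML 2.0 SP metadata shape, and the /saml/SSO path and the 192.0.2.10 address are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample of what the /applicare/saml/metadata endpoint could return.
# entityID mirrors the value used on this page; the ACS path is an assumption.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="applicare_100">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://192.0.2.10:8880/applicare/saml/SSO"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text, expected_entity_id, expected_base_url):
    """Compare SP metadata against the startup options; return a list of findings.

    An empty list means the metadata is consistent with the configured
    entityID and entityBaseUrl and carries no weak settings we check for.
    """
    findings = []
    root = ET.fromstring(xml_text)

    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:
        findings.append(f"entityID is {entity_id!r}, expected {expected_entity_id!r}")

    acs_locations = [acs.get("Location")
                     for acs in root.iterfind(".//md:AssertionConsumerService", NS)]
    if not acs_locations:
        findings.append("no AssertionConsumerService element found")
    base = expected_base_url.rstrip("/") + "/"
    for loc in acs_locations:
        if not loc.startswith(base):
            findings.append(f"ACS {loc!r} is not under entityBaseUrl {expected_base_url!r}")
        if loc.startswith("http://"):
            findings.append(f"ACS {loc!r} uses plain HTTP; assertions would travel unencrypted")

    descriptor = root.find("md:SPSSODescriptor", NS)
    if descriptor is not None and descriptor.get("WantAssertionsSigned") != "true":
        findings.append("WantAssertionsSigned is not true; unsigned assertions would be accepted")
    return findings
```

Run it against the downloaded file with the same entityID and entityBaseUrl you passed on the command line; any finding means the IdP would be registered with mismatched endpoints.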
6. Configure user groups attribute name
Next, we have to define which attribute will be used as the group name. For example, we can create an attribute named user.group that carries the name of the authenticated user's group.
If the user's group is "admin", the user has all authorizations. If the group is "readonly", the user has read-only access.
Edit arcturus_home/Applicare.prop by selecting which attribute will be used for authorization:
The user's first name, last name, and email address field mappings are also defined in this file:
saml.firstname.field is the first name field. By default it is mapped to FirstName.
saml.lastname.field is the last name field. By default it is mapped to LastName.
saml.email.field is the email field. By default it is mapped to EmailAddress.
7. Set the SAML Login field
A SAML user may log in with either FirstName, LastName or EmailAddress. Set saml.login.field in the Applicare properties file accordingly.
If the user logs in with the FirstName:
saml.login.field=FirstName
If the user logs in with the LastName:
saml.login.field=LastName
If the user logs in with the EmailAddress:
saml.login.field=EmailAddress
8. If the property below is not present in the Applicare properties file, add it:
applicare.saml.enableReadOnlyAccess=true
9. Set the default admin
When the Applicare server starts in SAML mode, no user is an admin. The solution is to define a default admin in Applicare.props:
saml.admin.default=saml_id
This admin will be able to edit other SAML users.
This user stays admin as long as it is defined in ApplicareController.props, so that Applicare's administrative configuration remains reachable when nobody is admin in the SSO SP.
Note: A user cannot edit itself.
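The access rules from steps 6 to 9, pulled together as an added illustration (not Applicare code): the default admin is always admin, the "admin" group gives full access and the "readonly" group gives read-only access. The property name for the group attribute (saml.group.field) and the login value of the default admin are assumptions, and treating applicare.saml.enableReadOnlyAccess as the switch for read-only access, with every other group denied, is this example's reading rather than something the page states.

```python
# Properties in the shape this page describes. saml.group.field is an assumed
# property name (the page does not state it); the admin login is constructed.
PROPS = {
    "saml.login.field": "EmailAddress",
    "saml.firstname.field": "FirstName",
    "saml.lastname.field": "LastName",
    "saml.email.field": "EmailAddress",
    "saml.group.field": "user.group",            # assumed property name
    "applicare.saml.enableReadOnlyAccess": "true",
    "saml.admin.default": "alice@example.com",   # constructed default admin login
}


def first_value(attributes, name):
    """SAML attributes are multi-valued; return the first value or None."""
    value = attributes.get(name)
    if isinstance(value, (list, tuple)):
        return value[0] if value else None
    return value


def resolve_access(attributes, props):
    """Return (login, access) for one assertion's attribute statement.

    Order matters: the default admin wins before any group check so that an
    IdP-side group change cannot lock every administrator out.
    """
    login = first_value(attributes, props["saml.login.field"])
    if not login:
        return None, "denied"            # assertion lacks the configured login attribute
    if login == props.get("saml.admin.default"):
        return login, "admin"            # default admin keeps admin regardless of group
    group = first_value(attributes, props["saml.group.field"])
    if group == "admin":
        return login, "admin"
    readonly_enabled = props.get("applicare.saml.enableReadOnlyAccess", "false").lower() == "true"
    if group == "readonly" and readonly_enabled:
        return login, "readonly"
    return login, "denied"               # unknown or missing group (assumption: deny)


def profile(attributes, props):
    """Collect the mapped first name, last name and email for the user record."""
    return {
        "first_name": first_value(attributes, props["saml.firstname.field"]),
        "last_name": first_value(attributes, props["saml.lastname.field"]),
        "email": first_value(attributes, props["saml.email.field"]),
    }
```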