Companyname |
---|
Companyname |
---|
Table of Contents | ||||
---|---|---|---|---|
|
SAML 2.0 Terminology
- Identity Provider (IdP) – Software that provides Authentication Service and uses SAML 2.0 protocol to assert valid users.
- Service Provider (SP) – Software that trusts an Identity Provider and consumes the services provided by the Identity Provider.
- SAML Metadata XML – An XML document containing SAML2.0 configuration data.
- SAML Assertion XML – An XML document that provides information about a user authenticated by an IdP.
Set
...
Up SAML 2.0 SSO
The following highlights the steps needed to integrate any SAML 2.0 IdP with an
Companyname |
---|
Companyname |
---|
Note:
only supports SP-initiated, not IdP-initated, SAML login. Companyname
Prerequisites
Info | ||
---|---|---|
| ||
To complete the setup, you need:
|
...
|
...
|
...
|
...
|
...
|
...
|
...
|
...
|
...
|
Anchor | ||||
---|---|---|---|---|
|
Companyname |
---|
Follow these steps in
Companyname |
---|
- Log in to your
knowledgebase as an admin userCompanyname
...
- .
- Click the Setup gear in the top-right corner and click Access.
- Click Configure SAML 2.0 Single Sign-on to open the SAML Configuration wizard.
...
- On the General tab:
- Select the Enable SAML SSO checkbox.
...
- Optionally, select the
...
- "Create SAML IdP Authenticated user in
" checkbox. ThisCompanyname
- "Create SAML IdP Authenticated user in
...
- provisions users
...
- in
Companyname
- in
...
- from those in the SAML system when the
...
- user first logs in via SAML. If you select this
...
- option
...
- , go to the
...
- Mapping section to complete the setup.
Note This means any user with permission in your IdP to access Agiloft is able to log in to your system. To secure your system, make sure to review the set of users that have access in your IdP, which usually allows manual configuration or the use of security groups.
- Optionally, select "
- Mapping section to complete the setup.
...
- Update User fields on subsequent logins by an existing user
...
Companyname |
---|
...
Companyname |
---|
...
Companyname |
---|
...
Companyname |
---|
...
Companyname |
---|
...
SAML V2 Assertion Consumer Service (ACS) Endpoint: The value in this field should be in the form:
Code Block |
---|
http(s)://{server}/gui2/spsamlsso?project={KBName} |
Write down these two values—they will be used to configure your Identity Provider (IdP).
...
Java Key Store (JKS) details. The Private Keys for HTTPS communication with
Companyname |
---|
Companyname |
---|
Companyname |
---|
Java Keystore (.jks) file path on the
Server. Configurations vary by server. The default path forCompanyname
servers isCompanyname /opt/server/Agiloft/etc/certs/agiloft.keystore
Java KeyStore Password.
Alias used to add certificate to Java KeyStore.
Name identifier in SAML Assertion sent by IdP: In SAML 2.0 protocol, the NameID XML tag is used to send the details of the authenticated user in the SAML Assertion XML sent by an IdP to the service provider. From the drop-down, specify which format your IdP uses: User Name, Email, or Federation ID.
Then, select the field name in the People table that will be matched against the NameID value. If the NameID value in the XML assertion matches the value of the chosen field, then the user will be allowed to log in to
Companyname |
---|
Below is an example of a NameID TAG in SAML Assertion XML, which provides the email address of the authenticated user:
...
- ." If you select this option, go to the Mapping section to complete the setup.
The Service Provider Detailstab contains information to connect toAnchor serviceprovidertab serviceprovidertab
as the Service Provider. Enter thefollowing information:Companyname
(SP) Entity Id: A unique identifier string for theCompanyname
KB to be used in the IdP configuration.Companyname - The system automatically populates this field with a value of
{server}/{KBName}
, e.g.example.agiloft.com/mykb
. Replace any spaces in the Entity Id with the plus (+) symbol. - If your IdP requires it,add https:// to the front of this string
- Use the same identifier when configuring the Identify Provider.
- The system automatically populates this field with a value of
SAML V2 Assertion Consumer Service (ACS) Endpoint: The value in this field should be in the form:
Code Block http(s)://{server}/gui2/spsamlsso?project={KBName}
Write down these two values—they will be used to configure your Identity Provider (IdP). Make sure to use the domain name for your server, such as
example.agiloft.com
, rather than the specific server hostname, such asps108.agiloft.com
.Java Key Store (JKS) details. The Private Keys for HTTPS communication with
are stored in the Java Key Store (JKS) file on theCompanyname
Server. The same Key pair will be used to digitally sign the SAML XML exchanged between theCompanyname
server and IdP. If your KB is hosted byCompanyname
and this information is missing, please contact support. If your organization self-hosts, see Generate a Keystore File for details of what's required here.Companyname Name identifier in SAML Assertion sent by IdP: In SAML 2.0 protocol, the NameID XML tag is used to send the details of the authenticated user in the SAML Assertion XML sent by an IdP to the service provider. From the drop-down, specify which format your IdP uses: User Name, Email, or Federation ID.
Then, select the field name in the People table to match against the NameID value. If the NameID value in the XML assertion matches the value of the chosen field, then the user is allowed to log in to
.Companyname
Below is an example of a NameID TAG in SAML Assertion XML, which provides the email address of the authenticated user:Code Block <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:email">salesuser1@mydomain.com</saml:NameID>
If your IdP sends a Federation Id for authenticated users, be sure to create a corresponding field in the People table and populate it with the correct value for the users accessing
via SAML.Companyname Name Identifier location in SAML Assertion: Choose the XML tag -
NameID
orAttribute -
used by the IdP to send user information.NameID
is the most commonly used XML tag.
If your IdP sends user details in the Attribute TAG, enter the value of theName
orFriendlyName
attribute. In the example below,USERID_ATTRIB_NAME
is the value of theName
attribute:Code Block <saml:Attribute FriendlyName="fooAttrib" Name="USERID_ATTRIB_NAME" NameFormat="urn:oasis:names:tc:SAML:
...
2.
...
0:
...
attrname-format:
...
If your IdP sends a Federation Id for authenticated users, be sure to create a corresponding field in the People table and populate it with the correct value for the users accessing
Companyname |
---|
...
Name Identifier location in SAML Assertion: Choose the XML tag - NameID
or Attribute -
used by the IdP to send user information. NameID
is the most commonly used XML tag.
If your IdP sends user details in the Attribute TAG, enter the value of the Name
or FriendlyName
attribute. In the example below, USERID_ATTRIB_NAME
is the value of the Name
attribute:
Code Block |
---|
<saml:Attribute FriendlyName="fooAttrib"
Name="USERID_ATTRIB_NAME"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">
salesuser1@mydomain.com
</saml:AttributeValue> </saml:Attribute>
|
...
SAML Authentication Profile:
This option determines how
will interact with the IdP when a user tries to accessCompanyname
.Companyname Select Passive Web Single Sign On with IdP to allow users who are already authenticated by the IdP to access
directly. If the user is not already authenticated,Companyname
will display an error message.Companyname Select Forced Authentication to require a user name and password every time, even if the user has a valid login session with the IdP.
The Default behavior lets users who are already authenticated by the IdP to access
. If the user is not authenticated, the IdP will prompt a login screen for the user.Companyname
...
unspecified"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"> salesuser1@mydomain.com </saml:AttributeValue> </saml:Attribute>
SAML Authentication Profile:
This option determines how
interacts with the IdP when a user tries to accessCompanyname
.Companyname Select Passive Web Single Sign On with IdP to allow users who are already authenticated by the IdP to access
directly. If the user is not already authenticated,Companyname
shows an error message.Companyname Select Forced Authentication to require a user name and password every time, even if the user has a valid login session with the IdP.
The Default behavior lets users who are already authenticated by the IdP to access
. If the user is not authenticated, the IdP prompts a login screen for the user.Companyname
- Click Next.
- On the Identity Provider Details tab:
If you have a SAML Metadata XML file, paste the contents in the box under SAML Metadata XML contents obtained from your IdP. Leave remaining fields blank and click Next.
When the SAML configuration is saved,
automatically populates the remaining fields based on the XML contents.Companyname - Alternately, populate each field with the information previously obtained from the IdP. If you provide SAML Metadata XML in the first field and enter values in one or more of the remaining fields, the values entered in the individual fields override those obtained from the XML file.
IdP Entity ID / Issuer: Enter the name or URL identifying the IdP.
IdP Login URL: Enter the URL where
should forward login requests.Companyname IdP Logout URL: Enter the URL where
should forward logout assertions.Companyname Note These logout assertions can be used for Single Logout (SLO), which is to say they can not only log a user out of their current
session, but out of all sessions for the browser that initiated the logout, requiring that the user then log into SSO again before beginning a new session withCompanyname
or another SP. It may be necessary to leave this field blank in order to enable theseCompanyname
...
If you have a SAML Metadata XML file, paste the contents in the box under SAML Metadata XML contents obtained from your IdP. Leave remaining fields blank and click Next.
When the SAML configuration is saved,
Companyname |
---|
...
IdP Entity ID / Issuer: Enter the name or URL identifying the IdP.
...
IdP Login URL: Enter the URL where
Companyname |
---|
...
Companyname |
---|
...
logout assertions.
IdP Provided X.509 Certificate Contents: If your IdP provides the X.509 certificate in a file, open the file with a text editor and paste the contents of the certificate file in the input box.
...
- Click Finish to save and close the SAML configuration wizard.
- On the Setup > Access screen, click Download X.509 Certificate. Save this file to use when configuring the IdP.
- On the Setup > Access screen, click Download SAML 2.0 Service Provider Metadata. Save this file to use when configuring the IdP. Note that this file also contains the X.509 Certificate, and most IdPs
...
- allow you to import this file to populate the fields in Configure the Identity Provider.
Generate a Keystore File
In cases where the Java Keystore file and corresponding private key are required for the SAML installation, which is typically needed when
Companyname |
---|
Companyname |
---|
To configure
Companyname |
---|
Companyname |
---|
Note that the OpenSSL tool is not present on Windows systems by default. You can download it here on the
Companyname |
---|
...
Companyname |
---|
...
Create a PKCS 12 file using your private key and CA signed certificate. The following OpenSSL command will work for this:
Code Block |
---|
openssl pkcs12 -export -in [path to CA certificate] -inkey [path to private key] -certfile [path to CA certificate ] -out mykeystore.p12 |
Create a JKS file using the Keytool command. Note that you may append the output file as either .jks or .keystore.
Code Block |
---|
<Agiloft_install_dir>/jre/bin/keytool -importkeystore -srckeystore mykeystore.p12 -srcstoretype pkcs12 -destkeystore mycompany.keystore -deststoretype JKS |
- To enable SAML 2.0 for your users when they click a hyperlink sent within an email, change the Hotlink Type global variable to SAML20. You can do this on either the Admin Console or Power-User interface.
- Hyperlinks must use the Service Provider initiated SAML Login. An example of this URL is
https://test.agiloft.com/gui2/samlssologin.jsp?project=demokb&State=Edit:case&record=350&record_access=view&exiturl=leaveLoggedIn&cancelurl=leaveLoggedIn
. - The SAML Identity Provider should be configured to include the attribute InResponseTo, and the corresponding value, in the SAML assertion response that gets sent to
.Companyname
- Hyperlinks must use the Service Provider initiated SAML Login. An example of this URL is
Note that SAML SSO Messages sent to
Companyname |
---|
Companyname |
---|
- RSA/ECB/PKCS1Padding
- RSA/ECB/OAEPWithSHA-1AndMGF1Padding
- RSA/ECB/OAEPWithSHA-256AndMGF1Padding
- RSA/ECB/OAEPWithSHA-512AndMGF1Padding
While these cipher transformations should suffice for most commonly used IdPs, if you find that your IdP uses a special cipher transform, you can configure
Companyname |
---|
Configure the Identity Provider
The next step is to provide the
Companyname |
---|
(SP) Entity Id, found in step 7.a. The default value is in the form:Companyname
Login Assertion Consumer Service URL, found in step 7.b. The default value is in the form:Companyname Code Block http(s)://{server}/gui2/spsamlsso?project={KBName}
Logout URL: This value is in the form:Companyname Code Block http(s)://{server}/gui2/samlv2Logout.jsp
Logout Service End Point URL: This value is in the form:Companyname Code Block http(s)://{server}/gui2/spsamlssologout?project={KBName}
- X.509 Certificate, downloaded previously.
Force SSO Login
Excerpt Include | ||||||
---|---|---|---|---|---|---|
|
Log In with SAML 2.0
Once the SAML 2.0 integration has been properly configured, users can log in to
Companyname |
---|
Point your browser to:
http(s)://{server}/gui2/samlssologin.jsp?project={kbName}
, where {server} is the IP Address or FQDN of the server hosting the
instance and kbName is replaced by the name of yourCompanyname
knowledgebase. Make sure to use the domain name for your server, such asCompanyname example.agiloft.com
, rather than the specific server hostname, such asps108.agiloft.com
. Most users either save this URL as a bookmark (or favorite), or add an HTML login block to an existing web page.This URL forwards the login assertion to the IdP and directs you to the login page for your IdP:
If you are already logged in and authenticated, you are forwarded directly to the
interface.Companyname
Anchor | ||||
---|---|---|---|---|
|
If you chose either of the additional options on the General tab ( Setup > Access > Configure SAML 2.0 Single Sign-on ) during setup, you need to map groups, teams, and fields for your users.
- If you selected the "Create SAML IdP Authenticated user in Agiloft" checkbox, these mappings are used to create Agiloft user records when a new user logs in for the first time.
- If you selected the "Update User fields on subsequent logins by an existing user" checkbox, these mappings are used to update existing Agiloft user records each time a user logs in, if the user's IdP information has changed.
To configure the necessary mappings:
- Select either or both of the optional checkboxes on the General tab ( Setup > Access > Configure SAML 2.0 Single Sign-on ).
- From the drop-down list, select the table where user records are stored in your system.
- Click Next.
- On the User Group Mapping tab, choose the method for group assignment:
- Select a permission group already configured in Agiloft to be assigned to everyone who uses SAML to log in. To use this method, select it and choose a group from the drop-down menu.
- Map the permission group from an attribute in the user's SAML profile. To use this method, select it and enter the SAML attribute to use.
Note With this option, Agiloft reads the specified attribute and looks for an exact match, so your Agiloft permission group names must already exist, and the names must match perfectly. If you use multiple groups, you can configure your IdP to send the group names as separate attribute values, or send them with a separator. If you use a separator, you must define that separator character in the saml_grp_team_separator global variable, in addition to configuring your IdP to send the group names with that character separating them.
- Choose whether to update user groups on subsequent logins, or retain the current group assignment.
- Click Next.
- On the User Team Mapping tab, choose the method for team assignment:
- Select a primary team and any secondary teams to be assigned to everyone who uses SAML to log in. To use this method, select it, choose a Primary Team from the drop-down menu, and hold Ctrl to click and select any number of secondary teams from the Teams list.
- Map the team assignments from an attribute in the user's SAML profile. To use this method, select it and enter the SAML attributes to use for the user's primary and secondary teams.
Note With this option, Agiloft reads the specified attribute and looks for an exact match, so your Agiloft team names must already exist, and the names must match perfectly. The attribute must send a single Primary Team, or else the first team provided is used. If you use multiple secondary teams, you can configure your IdP to send the team names as separate attribute values, or send them with a separator. If you use a separator, you must define that separator character in the saml_grp_team_separator global variable, in addition to configuring your IdP to send the team names with that character separating them.
- Choose whether to update user teams on subsequent logins, or retain the current team assignment.
- Click Next.
- The User Field Mapping tab passes attributes to Agiloft to create or update the user's information. The Login field is mapped automatically by your settings in the Server Provider Details tab, and should not be mapped in this tab. For all other fields listed, either map the SAML attribute in the Mapping SAML Attribute Names column to pass the value to Agiloft, or leave the field empty to send no information. Note that this list of fields is controlled by the default_contact_fields_samlconfig global variable.
- Click Next and proceed with the setup for the Server Provider Details tab.
Generate a Keystore File
In cases where the Java Keystore file and corresponding private key are required for the SAML installation, which is typically needed when
Companyname |
---|
Companyname |
---|
To configure
Companyname |
---|
Companyname |
---|
Note that the OpenSSL tool is not present on Windows systems by default. You can download it here on the
Companyname |
---|
- Copy the CA certificate and private key files onto the Linux server where
is installed.Companyname - Login to the server via SSH.
Create a PKCS 12 file using your private key and CA signed certificate. The following OpenSSL command can be used to do this:
Code Block openssl pkcs12 -export -in [path to CA certificate] -inkey [path to private key] -certfile [path to CA certificate ] -out mykeystore.p12
Create a JKS file using the Keytool command. Note that you may append the output file as either .jks or .keystore.
Code Block <Agiloft_install_dir>/jre/bin/keytool -importkeystore -srckeystore mykeystore.p12 -srcstoretype pkcs12 -destkeystore mycompany.keystore -deststoretype JKS
- When prompted, provide a new password for the destination keystore file: mycompany.keystore. Make a note of the password you use here.
- You may be prompted to provide an alias for the keystore. The default alias is 1.
- Provide the complete path for mycompany.keystore, its password and the alias in the Service Provider Details tab of the
SAML configuration wizard.Companyname
Hide If | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||
Related articles
|
...
Companyname |
---|
...
Configure the Identity Provider
The next step is to provider the
Companyname |
---|
(SP) Entity Id, found in step 7.a. The default value is in the form:Companyname Code Block {server}/{KBName}
Login Assertion Consumer Service URL, found in step 7.b. The default value is in the form:Companyname Code Block http(s)://{server}/gui2/spsamlsso?project={KBName}
Logout URL: This value is in the form:Companyname Code Block http(s)://{server}/gui2/samlv2Logout.jsp
Logout Service End Point URL: This value is in the form:Companyname Code Block http(s)://{server}/gui2/spsamlssologout?project={KBName}
- X.509 Certificate, downloaded previously.
Log In with SAML 2.0
Once the SAML 2.0 integration has been properly configured, users can log in to
Companyname |
---|
Point your browser to:
http(s)://{server}/gui2/samlssologin.jsp?project={kbName}
, where {server} is the IP Address or FQDN of the server hosting the
instance and kbName is replaced by the name of yourCompanyname
knowledgebase. Most customers either save this URL as a bookmark (or favorite), or add an HTML login block to an existing web page.Companyname This URL forwards the login assertion to the IdP. You will be directed to the login page for your IdP:
If you are already logged in and authenticated, you will be forwarded directly to the
interface.Companyname
...
Companyname |
---|
...
display | printable |
---|
...
|