Enable SAML Authentication in a Domain
Configure the identity provider, the Informatica domain, and the gateway nodes within the domain to use SAML authentication.
To configure SAML authentication for supported Informatica web applications that run in a domain, perform the following tasks:
1. Create an LDAP configuration to connect to the LDAP identity store that contains Informatica web application user accounts. You also create an LDAP security domain, and then import the user accounts into the security domain.
2. Export the Identity Provider Assertion Signing Certificate from the identity provider.
3. Import the Identity Provider Assertion Signing certificate into a truststore file on each gateway node in the domain. You can import the certificate into the Informatica default truststore file, or into a custom truststore file.
4. Add one or more relying party trusts in the identity provider, and map LDAP attributes to the corresponding types used in security tokens issued by the identity provider.
5. Add the URL for each Informatica web application to the identity provider.
6. Enable SAML authentication in the domain.
7. Enable SAML authentication on every gateway node in the domain.
Create an LDAP Configuration for the Identity Provider or LDAP Store
Use the Administrator tool to create an LDAP configuration for the identity provider or LDAP store that contains the web application user accounts that use SAML authentication.
When you create an LDAP configuration, you create a security domain for the user accounts, and then import the accounts into the security domain. After you import the accounts into the security domain, assign the appropriate Informatica domain roles, privileges and permissions to the accounts in the security domain.
For more information about creating an LDAP configuration, see Creating an LDAP Configuration.
Export the Assertion Signing Certificate
Export the Assertion Signing certificate from the identity provider.
The certificate is a standard X.509 certificate used to sign the assertions within the SAML tokens that the identity provider issues to Informatica web applications. You can generate a self-signed Secure Sockets Layer (SSL) certificate, or you can get a certificate from a certificate authority, and then import it into the identity provider.
Import the Certificate into the Truststore Used for SAML Authentication
Import the assertion signing certificate into the truststore file used for SAML authentication on every gateway node within the Informatica domain.
You can import the certificate into the default Informatica truststore file, or into a custom truststore file.
The file name of the default Informatica truststore file is infa_truststore.jks. The file is installed in the following location on each node:
<Informatica installation directory>\services\shared\security\infa_truststore.jks
Note: Do not replace the default infa_truststore.jks file with a custom truststore file.
If you import the certificate into a custom truststore file, you must save the truststore file in a different directory than the directory containing the default Informatica truststore file. The truststore file name must be infa_truststore.jks.
You can use the Java keytool key and certificate management utility to create an SSL certificate or a certificate signing request (CSR) as well as keystores and truststores in JKS format. The keytool is available in the following directory on domain nodes:
<Informatica installation directory>\java\bin
If the domain nodes run on AIX, you can use the keytool provided with the IBM JDK to create an SSL certificate or a Certificate Signing Request (CSR) as well as keystores and truststores.
1. Copy the certificate files to a local folder on a gateway node within the Informatica domain.
2. From the command line, go to the location of the keytool utility on the node.
3. Run the keytool utility to import the certificate.
4. Restart the node.
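The import step above, as an added example that is not Informatica's own tooling: a small Python wrapper that resolves which infa_truststore.jks to use (enforcing the rules that the default file is never replaced and that a custom truststore keeps the same file name in a different directory) and builds the command line for the keytool shipped under java\bin. The installation directory, certificate file name, alias and truststore password are assumed inputs; the alias you choose here is the value later passed as -asca.

```python
import os
import subprocess

TRUSTSTORE_NAME = "infa_truststore.jks"  # the file name is fixed, for default and custom truststores alike


def default_truststore_dir(infa_home):
    """<Informatica installation directory>/services/shared/security on every node."""
    return os.path.join(infa_home, "services", "shared", "security")


def resolve_truststore(infa_home, custom_dir=None):
    """Return the truststore file to import into.

    Enforces the page's rules: the default file is never replaced, and a custom
    truststore keeps the name infa_truststore.jks but must live in a directory
    other than the default one.
    """
    default_dir = default_truststore_dir(infa_home)
    if custom_dir is None:
        return os.path.join(default_dir, TRUSTSTORE_NAME)
    same_dir = os.path.normcase(os.path.abspath(custom_dir)) == os.path.normcase(os.path.abspath(default_dir))
    if same_dir:
        raise ValueError("a custom truststore must not be placed in the default truststore directory")
    return os.path.join(custom_dir, TRUSTSTORE_NAME)


def keytool_import_argv(infa_home, cert_file, alias, truststore_path, storepass):
    """Command line for the bundled keytool (<infa_home>/java/bin/keytool).

    -noprompt skips the interactive 'Trust this certificate?' question so the
    call is scriptable. Note that -storepass makes the password visible in the
    process list; run this from an administrative session on the node only.
    """
    keytool = os.path.join(infa_home, "java", "bin", "keytool")
    return [keytool, "-importcert", "-noprompt",
            "-alias", alias, "-file", cert_file,
            "-keystore", truststore_path, "-storepass", storepass]


def import_idp_certificate(infa_home, cert_file, alias, storepass, custom_dir=None):
    """Run the import on a gateway node and return the truststore path that was updated.
    The node still has to be restarted afterwards (step 4 above)."""
    truststore = resolve_truststore(infa_home, custom_dir)
    subprocess.run(keytool_import_argv(infa_home, cert_file, alias, truststore, storepass),
                   check=True)
    return truststore
```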
Configure the Identity Provider
Configure the identity provider to issue SAML tokens to Informatica web applications.
Perform the following tasks to configure the identity provider:
- Add a relying party trust for the domain in the identity provider. The relying party trust definition enables the identity provider to accept authentication requests from Informatica web applications that run in the domain.
- Edit the Send LDAP Attributes as Claims rule to map LDAP attributes in your identity store to the corresponding types used in SAML tokens issued by the identity provider.
You provide the name of the relying party trust when you enable SAML authentication in a domain. Depending on your security requirements, you might create multiple relying party trusts in the identity provider to enable domains used by different organizations within the enterprise to use SAML authentication.
Informatica recognizes "Informatica" as the default relying party trust name. If you create a single relying party trust with "Informatica" as the relying party trust name, you do not need to provide the relying party trust name when you enable SAML authentication in a domain.
Note: All strings are case sensitive in the identity provider, including URLs.
Add Informatica Web Application URLs to the Identity Provider
Add the URL for each Informatica web application using SAML authentication to the identity provider.
You provide the URL for an Informatica web application to enable the identity provider to accept authentication requests sent by the application. Providing the URL also enables the identity provider to send the SAML token to the application after authenticating the user.
Enable SAML Authentication in the Domain
You can enable SAML authentication in an existing Informatica domain, or you can enable it when you create a domain.
When you enable a domain to use SAML authentication, all web applications that run in the domain use the default identity provider you specify when you enable SAML authentication in the domain. For example, if you configure AD FS as the identity provider, all web applications use AD FS as the identity provider, unless you configure a web application to use a different identity provider.
Select one of the following options:
- Enable SAML authentication when you run the Informatica installer. You can enable SAML authentication and specify the identity provider URL when you configure the domain as part of the installation process.
- Enable SAML authentication in an existing domain. Use the infasetup updateDomainSamlConfig command to enable SAML authentication in an existing Informatica domain. You can run the command on any gateway node within the domain.
- Enable SAML authentication when you create a domain. Use the infasetup defineDomain command to enable SAML authentication when you create a domain.
See the Informatica Command Reference for instructions on using the commands.
infasetup updateDomainSamlConfig Command Options
Set the SAML options in the infasetup updateDomainSamlConfig command to enable SAML authentication in a domain. Shut down the domain before you run the command.
Specify the identity provider URL as the value for the -iu option. The following example shows the command usage to configure a domain to use AD FS as the identity provider:
infasetup updateDomainSamlConfig -saml true -iu https://server.company.com/adfs/ls/ -spid Prod_Domain -cst 240
The following table describes the options and arguments:
| Option | Argument | Description |
|---|---|---|
| -EnableSaml, -saml | true\|false | Required. Set this value to true to enable SAML authentication for supported Informatica web applications within the Informatica domain. Set this value to false to disable SAML authentication for supported Informatica web applications within the Informatica domain. |
| -idpUrl, -iu | identity_provider_url | Required if the -saml option is true. Specify the identity provider URL for the domain. You must specify the complete URL string. |
| -ServiceProviderId, -spid | service_provider_id | Optional. The relying party trust name or the service provider identifier for the domain as defined in Active Directory Federation Services (AD FS). If you specified "Informatica" as the relying party trust name in AD FS, you do not need to specify a value. |
| -ClockSkewTolerance, -cst | clock_skew_tolerance_in_seconds | Optional. The allowed time difference between the AD FS host system clock and the master gateway node's system clock. The lifetime of SAML tokens issued by AD FS is set according to the AD FS host system clock. A SAML token issued by AD FS is accepted if the start time or end time set in the token is within the specified number of seconds of the master gateway node's system clock. Values must be from 0 to 600 seconds. Default is 120 seconds. |
See the Informatica Command Reference for instructions on using the infasetup updateDomainSamlConfig command.
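The -cst rule described in the updateDomainSamlConfig and defineDomain option tables, as an added example that is not Informatica's code: it reads the Conditions element of a constructed SAML 2.0 assertion and checks the gateway node's clock against NotBefore and NotOnOrAfter widened by the tolerance on both ends (my reading of the description), and applies the same 0 to 600 second range and 120 second default as the option. The sample assertion is constructed, not captured from AD FS; in a real service provider the assertion's signature is verified against the -asca certificate before any time check is trusted.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CST_MIN, CST_MAX, CST_DEFAULT = 0, 600, 120   # limits of -cst from the option table

# Constructed sample assertion (not an AD FS token); only Conditions matters here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>http://server.company.com/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T13:00:00Z"/>
</saml:Assertion>"""


def parse_utc(value):
    """Parse a SAML timestamp such as 2024-01-01T12:00:00Z into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def clock_skew_tolerance(cst=None):
    """Apply the -cst rule: optional, 0 to 600 seconds, default 120."""
    if cst is None:
        return CST_DEFAULT
    if not CST_MIN <= cst <= CST_MAX:
        raise ValueError(f"-cst must be between {CST_MIN} and {CST_MAX} seconds, got {cst}")
    return cst


def parse_conditions(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions element."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    return parse_utc(cond.attrib["NotBefore"]), parse_utc(cond.attrib["NotOnOrAfter"])


def token_time_valid(assertion_xml, now, cst=None):
    """True when the gateway clock 'now' falls inside the token lifetime after
    widening both ends by the skew tolerance; False means the token is rejected."""
    not_before, not_on_or_after = parse_conditions(assertion_xml)
    skew = timedelta(seconds=clock_skew_tolerance(cst))
    return (not_before - skew) <= now < (not_on_or_after + skew)
```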
infasetup DefineDomain Command Options
Use the infasetup defineDomain command to enable SAML authentication when you create a domain.
The following example shows a defineDomain command that configures a domain to use AD FS as the identity provider; the SAML options are -saml, -iu, -spid, -cst, -asca, -std, and -stp:
infasetup defineDomain -cs "jdbc:informatica:oracle://host:1521;sid=DB2" -dt oracle -dn TestDomain -ad test_admin -pd test_admin -ld $HOME/ISP/1011/source/logs -nn TestNode1 -na host1.company.com -saml true -iu https://server.company.com/adfs/ls/ -spid Prod_Domain -cst 240 -asca adfscert -std \custom\security\ -stp password -mi 10000 -ma 10200 -rf $HOME/ISP/BIN/nodeoptions.xml
The following table describes the SAML options and arguments:
| Option | Argument | Description |
|---|---|---|
| -EnableSaml, -saml | true\|false | Required. Set this value to true to enable SAML authentication for supported Informatica web applications within the Informatica domain. Set this value to false to disable SAML authentication for supported Informatica web applications within the Informatica domain. |
| -idpUrl, -iu | identity_provider_url | Required if the -saml option is true. Specify the identity provider URL for the domain. You must specify the complete URL string. |
| -ServiceProviderId, -spid | service_provider_id | Optional. The relying party trust name or the service provider identifier for the domain as defined in Active Directory Federation Services (AD FS). If you specified "Informatica" as the relying party trust name in AD FS, you do not need to specify a value. |
| -ClockSkewTolerance, -cst | clock_skew_tolerance_in_seconds | Optional. The allowed time difference between the AD FS host system clock and the master gateway node's system clock. The lifetime of SAML tokens issued by AD FS is set according to the AD FS host system clock. A SAML token issued by AD FS is accepted if the start time or end time set in the token is within the specified number of seconds of the master gateway node's system clock. Values must be from 0 to 600 seconds. Default is 120 seconds. |
| -AssertionSigningCertificateAlias, -asca | idp_assertion_signing_certificate_alias | Required if the -saml option is true. The alias name specified when importing the identity provider assertion signing certificate into the truststore file used for SAML authentication. |
| -SamlTrustStoreDir, -std | saml_truststore_directory | Optional. The directory containing the custom truststore file required to use SAML authentication on gateway nodes within the domain. Specify the directory only, not the full path to the file. SAML authentication uses the default Informatica truststore if no truststore is specified. |
| -SamlTrustStorePassword, -stp | saml_truststore_password | Required if you use a custom truststore. The password for the custom truststore file. |
See the Informatica Command Reference for instructions on using the infasetup defineDomain command.
Enable SAML Authentication on the Gateway Nodes
You must configure SAML authentication on every gateway node in the Informatica domain.
Select one of the following options to configure SAML authentication on a gateway node:
- Enable SAML authentication when you define a gateway node on a machine. Use the infasetup DefineGatewayNode command to enable SAML authentication on the gateway node.
- Enable SAML authentication when you configure a gateway node to join a domain that uses SAML authentication. Use the infasetup UpdateGatewayNode command to enable SAML authentication on the gateway node.
- Enable SAML authentication when you convert a worker node to a gateway node. Use the infacmd isp SwitchToGatewayNode command to enable SAML authentication on the node.
See the Informatica Command Reference for instructions on using the commands.
Gateway Node Command Options
Use the infasetup DefineGatewayNode command to enable SAML authentication when you create a gateway node. Use infasetup UpdateGatewayNode or infacmd isp SwitchToGatewayNode to enable SAML authentication on an existing node.
The SAML options are identical for all of these commands. The following example shows the SAML options as the final four options on the infasetup DefineGatewayNode command line:
infasetup defineGatewayNode -cs "jdbc:informatica:oracle://host:1521;sid=xxxx" -du test_user -dp test_user -dt oracle -dn TestDomain -nn TestNode1 -na host2.company.com:1234 -ld $HOME/ISP/1011/source/logs -rf $HOME/ISP/BIN/nodeoptions.xml -mi 10000 -ma 10200 -ad test_admin -pd test_admin -saml true -asca adfscert -std \custom\security\ -stp password
The following table describes the options and arguments:
| Option | Argument | Description |
|---|---|---|
| -EnableSaml, -saml | true\|false | Required. Enables SAML authentication in the Informatica domain. Set this value to true to enable SAML authentication in the domain. Set this value to false to disable SAML authentication in the domain. |
| -AssertionSigningCertificateAlias, -asca | idp_assertion_signing_certificate_alias | Required if SAML authentication is enabled for the domain. The alias name specified when importing the identity provider assertion signing certificate into the truststore file used for SAML authentication. |
| -SamlTrustStoreDir, -std | saml_truststore_directory | Optional. The directory containing the custom truststore file required to use SAML authentication on gateway nodes within the domain. Specify the directory only, not the full path to the file. The default Informatica truststore is used if no truststore is specified. |
| -SamlTrustStorePassword, -stp | saml_truststore_password | Required if you use a custom truststore. The password for the custom truststore file. |
See the Informatica Command Reference for instructions on using the infasetup DefineGatewayNode, the infasetup UpdateGatewayNode, and the infacmd isp SwitchToGatewayNode commands.