SAML Configuration
This guide describes the necessary steps to configure Product 360 for usage with SAML Single Sign On (e.g. Active Directory Federation Services (AD FS) or Shibboleth). SAML support has been introduced with Product 360 v8.0.02.
Overview
Roles
The SAML specification defines three roles:
the Principal (typically a user)
the Identity Provider (IdP) e.g. AD FS, OKTA or Shibboleth
and the Service Provider (SP) in our case Product 360
This section describes all steps necessary to setup Single Sign On via SAML in PIM 360.
In general, if you want to know more about what SAML SSO is, documentations can be found on the
official SAML documentation pages
provided by the
OASIS consortium
.
The chapter '5.1 Web Browser SSO Profile' in the Saml 2.0 documentation is of most interest, since P360 is using Web Browser based Saml POST bindings.
In such documentations the term "Service Provider" can be replaced by "Product 360" and the term "User agent" can be replaced by "Browser" in case of Web based SSO scenarios.
Single Sign On flow
Product 360 supports two ways for Single Sign On. Service Provider initiated and Identity Provider initiated Single Sign On.
Service Provider Initiated
In this scenario
The principal requests a service from the service provider (e.g. access to a web resource within Product 360).
To provide this resource to the principal the service provider redirects user authentication (AuthRequest) to the identity provider.
In case the user is not yet authenticated at the Identity Provider, the IdP requests credentials from the user, e.g. by presenting a login form with username and password.
The IdP sends an identity assertion (SAML Assertion like a security token) for the principal. On basis of this assertion, the service provider can make a decision to provide the resource to the principal or not.
The SP ensures that the user is directed to the initially requested resource.
Identity Provider Initiated
In this scenario, there is no initial authentication request from the SP. Instead, the IdP provides links to the SP to certain SP resources. IdP initiated Single Sign On is started when clicking on such a link.
The user clicks on an IdP provided link to access a resource in the SP.
In case the user is not yet authenticated at the Identity Provider, the IdP requests credentials from the user, e.g. by presenting a login form with username and password.
The SP directly receives an identity assertion for the principal . On basis of this assertion, the service provider can make a decision to provide the resource to the principal or not.
The SP ensures that the user is directed to the resource given in the assertion information.
Product 360 SAML support
HTTP communication security is ensured by SSL between the IdP and SP.
Messages can be signed and encrypted to ensure message-level security. This includes:
signing of AuthRequest message from SP to IdP
signing of SAML Assertions
encryption of SAML Assertions
While the IdP is signing the assertions, this allows Product 360 to verify against the IdP's public X509 certificate that this assertion's where issued by exactly this IdP.
Optionally supplying Product 360 with a public X509 certificate and private key allows Product 360, as the SP, to sign outgoing requests to the IdP, as well as decrypt assertions from the IdP.
To take advantage of these security features, the IdP must be configured to validate signatures and encrypt assertions using the same private key and public X509 certificate that Product 360 uses to sign outgoing requests to the IdP.
Product 360 signs outgoing messages to the IdP with the SHA1 hashing algorithm. Product 360 supports incoming messages from the IdP signed with the SHA1 or SHA256 hashing algorithms.
Product 360 can decrypt assertions from IdP, encrypted with AES-128, AES-256, or Triple DES encryption algorithms.
Passwords are never transmitted as part of a SAML authentication request or response. Requests only contains the username and (optional) any additional metadata (username, domain, etc.) that was configured by the IdP administrator. The optional information can be used for automatic user creation.
Preparation steps
Certificate keystores
For AD FS, it is necessary to have https enabled. Therefore you need a keystore file, which has to be provided for each node.
Product 360 currently operates only on JKS format keystores. The JKS format is Java's standard "Java KeyStore" format, and is the format created by the keytool command-line utility. This tool is included in the JDK.
Each entry in a keystore is identified by an alias string t o avoid issues related to the case sensitivity of aliases, it is not recommended to use aliases that differ only in case.
To setup SAML support in Product 360 we will need to start with creating the keystore's for the different X509 certificates which will be needed for transport and message level security. If there is no SSL connection used within your Product 360 yet, you will need to setup an initial keystore.
Create new certificate and keystore
To create a new JKS keystore from scratch, containing a single self-signed Certificate, execute the following from a terminal command line:
keytool -genkey -alias [your alias] -keyalg RSA -keystore c:\path\to\your\desired\.keystore -keysize 2048This command will create a new file under the specified (-keystore parameter) location. You will also need to reflect this new location in the Product 360 NetworkConfig.xml file in the <keystore> element.
After executing this command, you will first be prompted for the keystore password. You will also need to specify the custom password in the NetworkConfig.xml file, as described later.
Next, you will be prompted for general information about this Certificate, such as company, contact name, and so on. This information will be displayed to users who attempt to access a secure page in your application, so make sure that the information provided here matches what they will expect.
Finally, you will be prompted for the key password, which is the password specifically for this Certificate (as opposed to any other Certificates stored in the same keystore file). The key password as well as the specified alias (-alias parameter) you need to specify in the appropriate use case (HTTPS, SAML signing, SAML encryption) and there configuration files.
If everything was successful, you now have a keystore file with a Certificate that can be used by your Product 360 server.
Import existing certificate into keystore
If you already have a Certificate you can import it into your local keystore. First of all you have to import a so called Chain Certificate or Root Certificate into your keystore. After that you can proceed with importing your Certificate
Download a Chain Certificate from the Certificate Authority you obtained the Certificate from.
For Verisign.com commercial certificates go to: http://www.verisign.com/support/install/intermediate.html
For Verisign.com trial certificates go to: http://www.verisign.com/support/verisign-intermediate-ca/Trial_Secure_Server_Root/index.html
For Trustcenter.de go to: http://www.trustcenter.de/certservices/cacerts/en/en.htm#server
For Thawte.com go to: http://www.thawte.com/certs/trustmap.html
Import the Chain Certificate into your keystore
keytool -import -alias root -keystore c:\path\to\your\desired\.keystore -trustcacerts -file c:\path\to\your\trustcacertFileNameFinally you can import the CA certificate
keytool -import -alias https -keystore c:\path\to\your\desired\.keystore -file c:\path\to\your\certificateFileNameExport existing certificates public keys for metadata usage
For the SAML metadata's you will need the public keys in a readable format, to get them execute the following commands from command line:
keytool -export -file c:\mycertificate.cert -alias samlEncryptionCert -keystore c:\path\to\your\desired\.keystorekeytool -printcert -rfc -file c:\mycertificate.cert > c:\mycertificate.txtEnabling HTTPS
In the NetworkConfig.xml add a keystore tag for each node you want to enable https/SAML:
<keyStore> <file>c:/users/myUser/.keystore</file> <password>secret</password></keyStore>To enable https, change the web tag as follows:
<web useHttps="true"> <http port="1512" /> <https port="8443" keyPassword="secret" alias="https" /></web>By specifying an alias, you refer to a certificate stored in the keystore beforehand. The keyPassword is the password you set while importing or creating the certificate.
Configuring SAML for Product 360
Adding SAML relevant configuration files (SamlConfig.xml and IdP metadata)
The current SAML implementation requires the IdP to deliver the username (without domain or email extension) in the Name_ID attribute.
After having https enabled and a keystore configured, the SamlConfig.xml as well as metadata for the IdP have to be configured.
SAMLConfig.xml
In the configuration folder, there is a template for the SamlConfig.xml. Adapt it to fit to your needs, add the alias and password of your key and enable SAML:
If you want to use different keys for signing and encryption, you have to create multiple keys in the keystore. The following assumes the use of the same data for both actions.
<samlConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="SamlConfig.xsd"> <active>false</active> <logoutUrl>https://idpserver/login.html</logoutUrl> <defaultUserGroup>defaultGroup</defaultUserGroup> <idpMetadata> <metadataLocation forceAuthRequestsSigned="false" disregardSslCertificate="false">saml/idp-metadata.xml</metadataLocation> </idpMetadata> <spMetadata> <assertionConsumerServiceLocation>https://pim.informatica.com:8443/pim/webaccess</assertionConsumerServiceLocation> <signingKey password="secret" alias="localhost"/> <encryptionKey password="secret" alias="localhost"/> <entityId>spEntityID</entityId> <wantAssertionsSigned>true</wantAssertionsSigned> </spMetadata></samlConfig>Active
Defines whether SAML shall be used to initiate automated SAML Single Sign On if the user is not logged in yet.
|
Type |
Required |
Default |
|
Boolean |
yes |
false |
LogoutUrl
Defines the URL to which the user will be redirected after logout. Most typically this is an URL where a user may login to the application IdP initiated.
In case the element does not exist or the value is empty, the user is redirected to the default Product 360 login page.
|
Type |
Required |
Default |
|
String or URL |
no |
Product 360 login page |
DefaultUserGroup
When a user has been authenticated via SAML and there is no matching user with the same name in Product 360
it will be created on the fly and assigned to a default user group which can be provided here.
A matching user group with this name must exist in Product 360.
|
Type |
Required |
Default |
|
String |
no |
- |
SpMetadata
Required element defining all Service Provider relevant settings.
|
Sub element/Attribute |
Type |
Required |
Default |
Description |
entityId |
String |
yes |
- |
An entity ID is a globally unique name for a SAML entity, either an Identity Provider (IdP) or a Service Provider (SP). The entityId defined will be used for communication between IdP and Sp. |
assertionConsumerServiceLocation |
URL |
yes |
- |
Describes the endpoint to which SAML responses are to be sent by the IdP. |
signingKey |
- |
yes |
- |
The signing key is used to establish a trusted handshake between SP and IdP (authentication). |
alias |
String |
yes |
- |
Alias for the key used for signing. |
password |
String |
yes |
- |
Password for accessing the key defined by the alias. |
encryptionKey |
String |
yes |
- |
The encryption key is used to decrypt data received by IdP (data was encrypted by the SPs corresponding public key). |
alias |
String |
yes |
- |
Alias for the key used for signing. |
password |
String |
yes |
- |
Password for accessing the key defined by the alias. |
wantAssertionsSigned |
Boolean |
yes |
true |
If you want the IdP to sign Assertions set this flag to true. As signing of assertions is the recommended option, the default value is true. |
IdpMetadata
Required element defining all Identity Provider relevant settings.
|
Sub element/Attribute |
Type |
Required |
Default |
Description |
metadataLocation |
URL or relative path in Product 360 configuration folder |
yes |
saml/idp-metadata.xml |
Provides information about the IdP.
|
disregardSslCertificate |
Boolean |
no |
false |
Indicating whether the servers SSL certificate should always be accepted regardless of whether it is valid. This flag is only relevant if the element value contains a https URL. |
forceAuthRequestsSigned |
Boolean |
no |
- |
You can force Product 360 to add a signature to the AuthReqeust by setting this flag to true. |
Service Provider Metadata
When your server is started successfully with SAML set to active, the SP metadata can be fetched directly at a URL provided by Product 360.
https://pim.informatica.com:8443/pim/saml/metadata
This URL can be referenced by your IdP for getting current information about the Product 360 configuration, certificates etc.
As an alternative you can generate your metadata file with the following online tool:
Identity Provider Metadata
The IdP metadata usually can be received over an URL provided by the IdP, which already contains all necessary information you need to know about your IdP. This includes certification information as well as endpoints etc.
Of course the IdP metadata can also be retrieved from a configuration folder. A template metadata file "idp-metadata.xml" is contained in the subfolder saml of the Product 360 configuration folder.
The following URL fragments show the metadata URL patterns for the two IdP implementations of Microsoft and Shibboleth:
Microsoft AD FS
https://idpserver/FederationMetadata/2007-06/FederationMetadata.xmlShibboleth
https://idpserver/idp/shibbolethOpenAM
http://openamserver/openam/saml2/jsp/exportmetadata.jsp?entityid=entityIDPlace your idp-metadata.xml into the subfolder saml of the Product 360 configuration folder or the defined location within your SamlConfig.xml.
In case your IdP does not provide any metadata you need to generate the idp-metadata.xml file from a template located in within the Product 360 configuration folder. The relevant information can alternatively be generated with the help of https://www.samltool.com/idp_metadata.php.
Within the metadata file you need to provide the URL to your IdPs SingleSignOnService location which accepts POST requests. (Example URL schema matches Shibboleth IdP)
<?xml version="1.0"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="idpEntityID"> <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idpserver/idp/profile/SAML2/POST/SSO" /> </md:IDPSSODescriptor></md:EntityDescriptor>Information Security
Signing of AuthRequest (SP -> IdP)
If your IdP requires signed AuthRequest you need to enable this within Product 360. This can be done by setting the WantAuthRequestsSigned parameter within the idp-metadata.xml in the configuration folder to true.
<md:IDPSSODescriptor WantAuthnRequestsSigned="true" ...>If you use the URL based metadata provider for referencing the IdP metadata, you can force your Product 360 to add a signature to the AuthReqeust by adding the forceAuthRequestsSigned flag to true.
While the SAML metadata specification does not require the WantAuthRequestSigned parameter within the IDPSSODescriptor some IdP Implementations might not set it explicitly, but nevertheless require a signature.
<?xml version="1.0" encoding="UTF-8"?><samlConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="SamlConfig.xsd"> ... <idpMetadata> <metadataLocation forceAuthRequestsSigned="true">https://idpserver/metadata/idp-metadata.xml</metadataLocation> </idpMetadata> ...</samlConfig>Additionally you need to provide an X509 certificate in your keystore and refer to it over the alias and password attribute in the <signingKey> element within the spMetadata section of your SamlConfig.xml
Signing of SAML Assertions (IdP -> SP)
The SAML metadata specification defines an parameter for requesting an IdP to sign the SAML Assertions this might not be enough for all IdPs and you might need to enable the signing of SAML assertions over another way, but to enable Product 360 to require signature validation on assertion level you need to set the WantAssertionsSigned parameter in SamlConfig.xml within you Product 360 configuration folder to true.
<samlConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="SamlConfig.xsd"> ... <spMetadata> ... <wantAssertionsSigned>true</wantAssertionsSigned> ... </spMetadata></samlConfig>The signature of the assertion will be veryfied by Product 360 against the public key of the X509 certificate within your idp-metadata.xml
<?xml version="1.0"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="idpEntityID"> <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> ... <md:KeyDescriptor use="signing"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data> <ds:X509Certificate>MIIDZzCCAk+gAwIBAgIEFuHJDDANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJE RTEQMA4GA1UECBMHR2VybWFueTENMAsGA1UEBxMEU3RndDERMA8GA1UEChMIV2lu ZG93czcxDTALBgNVBAsTBFBPSU0xEjAQBgNVBAMTCWxvY2FsaG9zdDAeFw0xNTEw MDIxMjA2NDFaFw0xNjA5MjYxMjA2NDFaMGQxCzAJBgNVBAYTAkRFMRAwDgYDVQQI ... </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor> ... </md:IDPSSODescriptor></md:EntityDescriptor>Encryption of SAML Assertions (IdP -> SP)
JCE issues with strong cryptographic algorithms
As already described in the general Server Installation section, it is not longer necessary to enable the strong cryptographic algorithms manually. Since Java 8.161 unlimited cryptographic algorithms are enabled by default.
Nevertheless if your IdP uses a strong cryptographic algorithm like AES-256 and you run into errors during encryption/decryption in Product 360, saying you're using an illegal key size you might need to enable the unlimited cryptographic algorithms manually.
This can be done by changing the configuration in file <PIM ROOT>\server\jre\lib\security\java.security. Enable the property 'crypto.policy=unlimited' to activate the unlimited cryptographic algorithms. If you adjust the setting manually you have to do this on each Hotfix update for all Product 360 components.
If your IdP supports assertion level encryption and the encryption is active, then you must provide your encryption public key X509 certificate within the metadata you provide to your IdP.
The IdP will use this public key to encrypt the SAML assertion and only the owner of the corresponding private key can encrypted the assertion. The best way of doing this is to get the metadata provided by Product 360 (see above).
This metadata already includes all certificates the IdP needs to know.
If Product 360 receives an encrypted assertion it will try to decrypted the assertion with the configured private key which is referenced by the <encryptionKey> in the SamlConfig.xml.
<?xml version="1.0" encoding="UTF-8"?><samlConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="SamlConfig.xsd"> ... <encryptionKey password="secret" alias="encryption"/> ...</samlConfig>Signing of Provider Metadata
It is possible to sign the metadata itself to verify its validity. For that a
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">element is used. It contains information typically needed for signatures like digest and signature value, used algorithm and a certificate.
See https://www.w3.org/TR/xmldsig-core2/ for further detailed information.
In order for Supplier Portal to verify the signature of IdP metatadata, the corresponding certificate has to be
provided by the IdP team
added to the cacerts file of the Java used by Supplier Portal.
keytool.exe -importcert -file"{cert}"-keystore"<JAVA_HOME>/jre/lib/security/cacerts"-alias"{alias}"-storepass {keystorePassword}
If during startup of the Supplier Portal server an error occurs while reading the metadata the cause can be outdated data inside the <ds:Signature> element or a wrong signature.
So ensure to get updated idp metadata and certificate from the IdP team.
In case the metadata is for an IdP and the IdP metadata is maintained as local metadata file on the Supplier Portal server, then the <ds:Signature> element provided by the IdP team can be completely commented out if not needed.
The local metadata file is unlikely to be tampered with and commenting out might comes in handy in case of signature deployment problems that could lead to errors mentioned before.
Usage of SAML with Product 360 multi-server and load balancer
For the usage of SAML in combination with a load balancer on a multi-server setup, there are some additional settings that have to be made on the load balancer and SAML configuration
Configuration of the load balancer
Additionally to the default load balancing scenario (see Web Configuration), the module mod_rewrite has to be enabled.
For the usage of SSL (https) in your load balancer (Apache), stick to the official Apache documentation. The example below defines a virtual host supporting SSL and the additional directives necessary for SAML support.
Listen 443<VirtualHost *:443> ServerName loadBalancer SSLEngine on SSLCertificateFile "D:/certs/cert.pem" SSLCertificateKeyFile "D:/certs/pk.pem" SSLProxyEngine On SSLProxyVerify none #optional for disabling certificate validation SSLProxyCheckPeerCN off #optional SSLProxyCheckPeerName off #optional ProxyPreserveHost On Header add Set-Cookie "ROUTEID_HPMW=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED <Proxy balancer://hpmwcluster> BalancerMember https://server1:8443 route=1 BalancerMember https://server2:8443 route=2 ProxySet stickysession=ROUTEID_HPMW </Proxy> ProxyPass /pim balancer://hpmwcluster/pim ProxyPassReverse /pim balancer://hpmwcluster/pim RewriteEngine on RewriteCond %{REMOTE_HOST} =server1 [OR] RewriteCond %{REMOTE_HOST} =server2 RewriteRule "^/pim/(.+)" "https://loadBalancer/pim/$1" # optional [R,L]</VirtualHost>The most important additional directives to be configured are listed below:
|
Directive |
Explanation |
SSLProxyEngine On |
Support SSL proxy |
ProxyPreserveHost On |
Preserve host name on proxy requests (required for successful validation of SAML requests/responses) |
RewriteEngine on |
Rewrite URLs so User always sees the load balancer URL |
RewriteCond %{REMOTE_HOST} =server1 [OR] |
Rewrite rules and conditions, a condition for each member of the Product 360 cluster is required |
IdP configuration
EntityId
The EntityId uniquely identifies Service Providers for the Identity Provider. Ensure that the EntityId in SamlConfig.xml and the EntityId defined in the Identity Provider for that Service Provider (in this case P360) are the same.
Saml Response Location
On IdP side, it is necessary to have the load balancer set as assertion consumer service of your IdP:
If you fetch the SP metadata by the URL provided by Product 360, as recommended, adjust the assertionConsumerServiceLocation in the SamlConfig.xml to point to your load balancer URL on which you want to reach the Product 360 application e.g. https://loadBalancer/pim/webaccess.
An Identity Provider configuration may contain its own definition of an assertionConsumerServiceLocation for each Service Provider. So ensure that the assertionConsumerServerLocation in that configuration and the SamlConfig.xml are the same.
Mandatory response data
Ensure that the login name used for P360 login is sent in the response. It is contained in the NameID element of the Subject element. See excerpt of example Saml response.
For a full explanation and examples of Saml responses please refer to Web Browser SSO Profile chapters in the official specification documentation.
<samlp:Response ... > <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer> ... <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"> P360LoginName </saml:NameID>...<samlp:Response/>Automatic User creation on successful authentication
When the user authentication is successful, but the authenticated user does not exist yet, a new user will be created with the credential information provided by the SAML response.
The user will be created as external user with the unique user name from the assertion subject element "NameID". The created user will be assigned to the user group defined in the xml element defaultUserGroup of the SamlConfig.xml.
The user creation also takes information from the Assertions in the SAML Authentication Response. For uniquely identifying an attribute by its name the conventions in the Identity Selector Interoperability Profile V1.5 specifications are used. The following attributes will be taken from the one assertion containing the information about the NameID of the user:
|
Value of element attribute "name" in SAML Attribute |
Mapped to User data |
Mandatory |
Comment |
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname |
Given name |
No |
An Attribute may contain a list of values. |
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname |
Name |
No |
An Attribute may contain a list of values. |
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
|
No |
An Attribute may contain a list of values. |
In case there is also a LDAP configuration in place the user will be synchronized with the data stored in the LDAP. This includes group memberships and requires that the user can be found via the same user name in LDAP. Please see the LDAP Configuration for details.
Internal Users
In a SSO scenario it still might be desirable to bypass the automatic authentication flow, e.g. for service users or for troubleshooting issues. A mixed setup with external users authenticated via SAML and internal users is possible. Please run the following steps to authenticate with the credentials of an internal user (User authentication mode must be set to "internal"):
In the Rich Client, hold the CTRL and SHIFT key during startup to prevent initiation of the SSO flow. A prompt asking for username and password will appear instead.
For web, enter the url /pim/login to get access to the login page.
Logging
To identify problems in your SAML configuration you are able to activate an more detailed logging of the security components. To do so add the following log4j categories to the central log4j.xml within your Product 360's configuration folder.
<category name="com.heiler.ppm.saml"> <priority value="TRACE"/></category> <category name="com.heiler.ppm.web.saml"> <priority value="TRACE"/></category>