Application server SAML configuration
Useful links
- Gateway SAML configuration - support for Dynamic App
Client support
- LIDS Explorer (/saml/login)
Prerequisites
- Identity provider and service provider registered on both sides.
- A keystore (key manager) containing the identity provider's public certificate.
Identity provider metadata
- This is a simple XML file that you need to get from the customer.
- It contains the XML configuration of the identity provider that both sides need for communication: its entityID, its single sign-on endpoints and the public certificate used to verify its signatures.
Service provider metadata
- This is a simple XML file that you create and send to the customer.
- See the example below. Change only the Location attribute of the AssertionConsumerService element: it must be the LAS base URL (the lids.saml.alias.url value when the alias is enabled) followed by /saml/SSO, and SSO must be in capitals. The example uses http://localhost:8080 and WantAssertionsSigned="false", which is fine for a local test setup; for a production service provider use the externally reachable https URL and set WantAssertionsSigned="true" so that the identity provider is required to sign its assertions.
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="lids.asseco-ce.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/lids-as/saml/SSO" index="1" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>
Metadata registration
- Both XML metadata files must be registered on both sides. Send the service provider metadata file to the customer so that they can register it on the identity provider side.
- Registration on the service provider (LAS) side is done through environment properties; see the correct definition of the properties in the Environment properties section.
Key Manager
- Generate a new keystore using keytool.
- Import the identity provider's public certificate into this keystore (the certificate is usually part of the identity provider metadata, in the ds:X509Certificate element of a md:KeyDescriptor).
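Pulling the certificate out of the identity provider metadata by hand is where most keystore mistakes happen, so here is a script that does it and prints the keytool commands to run. This is an added example, not LIDS/LAS project code: it uses only the Python standard library, the IdP metadata sample and its base64 payloads are constructed placeholders (not real DER certificates, so keytool would reject them; real metadata carries the IdP's actual certificate), and it assumes that lids.saml.key_manager.default_key names the alias of the service provider's own key pair, which the first keytool command generates.

```python
"""Extract the identity provider's signing certificate(s) from IdP metadata and
build the keytool commands that create the SAML keystore and import them.

Added example, not LIDS/LAS project code. Standard library only; nothing here
executes keytool, it only prints the commands for review.
"""
import base64
import shlex
import sys
import tempfile
import textwrap
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample IdP metadata. The base64 payloads are placeholders, NOT
# real DER certificates; real metadata carries the IdP's actual certificate.
PLACEHOLDER_DER = b"constructed placeholder: not a real DER certificate"
IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(PLACEHOLDER_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(b"encryption only").decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def idp_signing_certs(xml_text: str) -> list[str]:
    """Return one PEM string per certificate usable for signature verification.

    A KeyDescriptor without a 'use' attribute serves both purposes and is kept;
    use="encryption" is the IdP's decryption key and is skipped. The base64 is
    validated and re-wrapped at 64 columns so that keytool accepts the file.
    """
    root = ET.fromstring(xml_text)
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no md:IDPSSODescriptor")
    pems = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") == "encryption":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            raw = "".join((cert.text or "").split())    # drop pretty-print whitespace
            der = base64.b64decode(raw, validate=True)  # raises binascii.Error on garbage
            body = base64.b64encode(der).decode()
            pems.append("-----BEGIN CERTIFICATE-----\n"
                        + "\n".join(textwrap.wrap(body, 64))
                        + "\n-----END CERTIFICATE-----\n")
    return pems


def pem_to_der(pem: str) -> bytes:
    """Inverse of the wrapping above; used to check the round trip."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body, validate=True)


def keytool_commands(keystore: str, store_password: str, sp_alias: str,
                     pem_paths: list[str]) -> list[list[str]]:
    """argv lists: one -genkeypair for the SP's own key (the alias that
    lids.saml.key_manager.default_key is assumed to name), then one
    -importcert per IdP certificate. The first command creates the keystore."""
    common = ["-keystore", keystore, "-storepass", store_password, "-storetype", "JKS"]
    cmds = [["keytool", "-genkeypair", "-alias", sp_alias, "-keyalg", "RSA", "-keysize", "3072",
             "-validity", "3650", "-dname", f"CN={sp_alias}", "-keypass", store_password, *common]]
    for i, path in enumerate(pem_paths, 1):
        cmds.append(["keytool", "-importcert", "-noprompt", "-alias", f"idp-signing-{i}",
                     "-file", path, *common])
    return cmds


if __name__ == "__main__":
    # Usage: python idp_cert.py [idp-metadata.xml]; without an argument the
    # constructed sample is used and the PEM files land in a temp directory.
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else IDP_METADATA
    out = Path(tempfile.mkdtemp(prefix="saml-"))
    paths = []
    for i, pem in enumerate(idp_signing_certs(text), 1):
        p = out / f"idp-signing-{i}.pem"
        p.write_text(pem)
        paths.append(str(p))
    for argv in keytool_commands(str(out / "keystore.jks"), "changeit", "lids-sp", paths):
        print(shlex.join(argv))
```

Review the printed commands before running them, and give the generated keystore the password you put into lids.saml.key_manager.store_password. Metadata frequently lists more than one signing certificate during an IdP key rollover; import all of them, each under its own alias, or verification fails for assertions signed with the one you left out.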
Environment properties
| Property | Type | Required for SAML authentication | Description | Example value |
|---|---|---|---|---|
| lids.saml.enabled | boolean | yes | Enables SAML authentication (default false). | true |
| lids.saml.identity_provider_metadata | string | yes | Path to the identity provider metadata file. | file:///C:/SAML/idp-metadata.xml |
| lids.saml.service_provider_metadata | string | yes | Path to the service provider metadata file. | file:///C:/SAML/sp-metadata.xml |
| lids.saml.key_manager.store_file | string | yes | Path to the SAML keystore file. | file:///C:/SAML/keystore.jks |
| lids.saml.key_manager.default_key | string | yes | Alias of the default key entry in the SAML keystore. | username |
| lids.saml.key_manager.store_password | string | yes | Password of the SAML keystore. | password |
| lids.saml.alias.enabled | boolean | no | Enables the alias (default false). Use it when the LIDS application server is reached under a different URL (host, port or context path) than the one it actually runs on, e.g. behind a reverse proxy. | true |
| lids.saml.alias.url | string | no | Alias URL, i.e. the URL the browser uses to reach LAS. When the alias is enabled, the AssertionConsumerService Location in the service provider metadata is this URL followed by /saml/SSO. | https://server:8443/lids |
Troubleshooting
Endless redirect after being logged in on the identity provider site
- This is most likely caused by a wrong service provider XML configuration.
- Check the Location attribute of the AssertionConsumerService element. Is the value "lasUri/saml/SSO"? Is SSO in capitals? If the alias is enabled, lasUri is the lids.saml.alias.url value.
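A check for the metadata problems this page describes (a wrong or lowercase /saml/SSO path, a non-https Location, and the weak signing flags of the example), as an added example that is not LIDS/LAS project code. It uses only the Python standard library; the sample metadata files are constructed from the example above (one correct, one with the lowercase "sso" mistake over plain http), and the function name lint_sp_metadata is this example's own.

```python
"""Lint service provider metadata for the mistakes described on this page.

Added example, not LIDS/LAS project code. Standard library only.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: the page's example with an https host and strict signing flags.
GOOD = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="lids.asseco-ce.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://server:8443/lids/saml/SSO" index="1" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample: the lowercase "sso" mistake from the troubleshooting
# section, over plain http, with assertions not required to be signed.
BAD = (GOOD.replace("/saml/SSO", "/saml/sso")
           .replace("https://server:8443/lids", "http://localhost:8080/lids-as")
           .replace('WantAssertionsSigned="true"', 'WantAssertionsSigned="false"'))


def lint_sp_metadata(xml_text: str, las_uri: str) -> list[str]:
    """Return a list of findings; an empty list means the metadata looks sane.

    las_uri is the base URL the browser uses to reach LAS, i.e. the
    lids.saml.alias.url value when the alias is enabled.
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"metadata is not well-formed XML: {exc}"]

    if root.tag != f"{{{MD}}}EntityDescriptor":
        return ["root element must be md:EntityDescriptor"]
    if not root.get("entityID"):
        findings.append("entityID attribute is missing")

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["md:SPSSODescriptor element is missing"]

    # These flags are what the SP promises and demands; "false" weakens both.
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append('WantAssertionsSigned is not "true": the IdP is not required to sign assertions')
    if sp.get("AuthnRequestsSigned", "false").lower() != "true":
        findings.append('AuthnRequestsSigned is not "true": AuthnRequests are sent unsigned')

    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        return findings + ["md:AssertionConsumerService element is missing"]

    expected = las_uri.rstrip("/") + "/saml/SSO"
    for acs in acs_list:
        loc = acs.get("Location", "")
        if acs.get("Binding") != HTTP_POST:
            findings.append(f"ACS {loc!r}: Binding is not HTTP-POST")
        # The endless-redirect case: right path, wrong case.
        if loc.lower().endswith("/saml/sso") and not loc.endswith("/saml/SSO"):
            findings.append(f"ACS {loc!r}: path must end in /saml/SSO with SSO in capitals")
        elif loc != expected:
            findings.append(f"ACS {loc!r}: expected {expected!r}")
        if urlparse(loc).scheme != "https":
            findings.append(f"ACS {loc!r}: not https, the SAML response would travel in clear text")
    return findings


if __name__ == "__main__":
    # Usage: python lint_sp.py sp-metadata.xml https://server:8443/lids
    # Without arguments the two constructed samples are checked.
    if len(sys.argv) == 3:
        cases = [(Path(sys.argv[1]).read_text(), sys.argv[2])]
    else:
        cases = [(GOOD, "https://server:8443/lids"), (BAD, "http://localhost:8080/lids-as")]
    worst = 0
    for text, las in cases:
        found = lint_sp_metadata(text, las)
        print(f"{las}: {'OK' if not found else ''}")
        for f in found:
            print("  -", f)
        worst = max(worst, len(found))
    sys.exit(1 if worst else 0)
```

Run it against the sp-metadata.xml you are about to send to the customer, with the same base URL the browser ends up on after login; a Location that differs from that URL in scheme, host, port, context path or the case of SSO is exactly what produces the redirect loop above.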