Gateway SAML configuration
Useful links
- Application Server SAML configuration - support for LIDS Explorer
Client support
- Dynamic App
Prerequisites
- Identity provider and service provider registered on both sides (each side holds the other's metadata).
- Key manager (keystore) containing the identity provider's public certificate.
Identity provider metadata
- A simple XML file that you obtain from the customer.
- It contains the XML configuration of the identity provider (including its public signing certificate, see Key Manager), which both sides need for communication.
Service provider metadata
- A simple XML file that you create and send to the customer.
- See the example below. Change only the Location attribute of the AssertionConsumerService element. The example uses plain http; in a real deployment use the https URL, because the identity provider posts the SAML response to this address.
- The assertion consumer service location is the URL on which Dynamic App calls the gateway, with the context /saml. If you are not sure, log into the gateway the standard way with the browser developer console (F12) open; you should see a request such as "http://samo/a/user". Replace user with saml and that is the correct location.
- AuthnRequestsSigned="false" and WantAssertionsSigned="false" only tell the identity provider that the gateway sends unsigned authentication requests and does not insist on a signed assertion; what the identity provider does sign is verified with the identity provider certificate imported into the keystore (see Key Manager).
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="samo-gtw.asseco-ce.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://samo/a/saml" index="1" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>
Metadata registration
- Both XML metadata files must be registered on both sides. Send the service provider metadata file to the customer so that they can register it on the identity provider side.
- Registration on the service provider (Gateway) side is done through environment properties; see the Environment properties section for the exact definitions.
Key Manager
- Generate a new keystore with keytool.
- Import the identity provider's public certificate into this keystore (it is usually embedded in the identity provider metadata as an X509Certificate element).
- The keystore password is stored in clear text in the environment properties (gateway.saml.key_manager.store_password), so restrict who can read the property file.
Environment properties
| Property | Type | Required for SAML authentication | Description | Example value |
|---|---|---|---|---|
| gateway.saml.enabled | boolean | yes | Enables SAML authentication (default false). | true |
| gateway.saml.identity_provider_metadata | string | yes | Path (URL) to the identity provider metadata file. | file:///C:/SAML/idp-metadata.xml |
| gateway.saml.service_provider_metadata | string | yes | Path (URL) to the service provider metadata file. | file:///C:/SAML/sp-metadata.xml |
| gateway.saml.key_manager.store_file | string | yes | Path (URL) to the SAML keystore file. | file:///C:/SAML/keystore.jks |
| gateway.saml.key_manager.default_key | string | yes | Name of the default key in the SAML keystore. | username |
| gateway.saml.key_manager.store_password | string | yes | Password of the SAML keystore. | password |
| gateway.saml.assertion_consumer_service_location | string | yes | URL of the assertion consumer service; must be the same as the Location in the service provider metadata. | http://samo/a/saml |
| gateway.saml.dynamic_app_url | string | yes | URL of the Dynamic App for which SAML authentication is configured. | http://samo |
| gateway.saml.max_authentication_age | number | no (default 7200) | Maximum age, in seconds, of the authentication at the identity provider for it to still be accepted. | 28800 |
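Before the service provider metadata goes to the customer and the properties go live, two things are worth checking mechanically: that the certificate you import into the keystore is the signing certificate the identity provider metadata actually carries, and that the AssertionConsumerService Location, gateway.saml.assertion_consumer_service_location and gateway.saml.dynamic_app_url agree with each other. The following Python script is an added example written for this page, not code from the Gateway project: the identity provider metadata, its entityID and the certificate body inside it are constructed placeholders, while the service provider metadata and the property values are the ones shown on this page.

```python
# Added helper, not part of the Gateway project: extract the IdP signing certificate as PEM
# (for keytool -importcert) and cross-check the SP metadata against gateway.saml.* properties.
import base64
import textwrap
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder: base64 of an arbitrary byte string, NOT a real DER certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()

# Constructed IdP metadata in the shape a customer sends; the entityID is hypothetical.
SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# The service provider metadata from this page, as sent to the customer.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="samo-gtw.asseco-ce.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://samo/a/saml" index="1" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Example values from the Environment properties table on this page.
PAGE_PROPERTIES = {
    "gateway.saml.enabled": "true",
    "gateway.saml.identity_provider_metadata": "file:///C:/SAML/idp-metadata.xml",
    "gateway.saml.service_provider_metadata": "file:///C:/SAML/sp-metadata.xml",
    "gateway.saml.key_manager.store_file": "file:///C:/SAML/keystore.jks",
    "gateway.saml.key_manager.default_key": "username",
    "gateway.saml.key_manager.store_password": "password",
    "gateway.saml.assertion_consumer_service_location": "http://samo/a/saml",
    "gateway.saml.dynamic_app_url": "http://samo",
}
REQUIRED = tuple(k for k in PAGE_PROPERTIES if k != "gateway.saml.enabled")


def idp_signing_certs_to_pem(metadata_xml: str) -> list[str]:
    """Return the IdP signing certificate(s) as PEM text; a KeyDescriptor without 'use' covers signing too."""
    root = ET.fromstring(metadata_xml)
    pems = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())   # strip the whitespace IdPs wrap the blob in
            base64.b64decode(b64, validate=True)        # fail loudly on a damaged blob
            body = "\n".join(textwrap.wrap(b64, 64))
            pems.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    if not pems:
        raise ValueError("no signing certificate in IdP metadata")
    return pems


def check_sp_config(sp_metadata_xml: str, props: dict) -> list[str]:
    """Cross-check SP metadata against gateway.saml.* properties; returns a list of findings."""
    findings = [f"missing property {k}" for k in REQUIRED if not props.get(k)]
    if props.get("gateway.saml.enabled", "false").lower() != "true":
        findings.append("gateway.saml.enabled is not true, SAML authentication stays off")
    root = ET.fromstring(sp_metadata_xml)
    acs = root.find(".//md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if acs is None:
        return findings + ["SP metadata has no AssertionConsumerService"]
    location = acs.get("Location", "")
    expected = props.get("gateway.saml.assertion_consumer_service_location", "")
    if location != expected:
        findings.append(f"ACS Location {location!r} != gateway.saml.assertion_consumer_service_location {expected!r}")
    if not location.endswith("/saml"):
        findings.append("ACS Location does not end with the /saml context")
    app = props.get("gateway.saml.dynamic_app_url", "").rstrip("/")
    if app and not location.startswith(app + "/"):
        findings.append(f"ACS Location is not under gateway.saml.dynamic_app_url {app!r}")
    if acs.get("Binding") != "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST":
        findings.append("ACS Binding is not HTTP-POST")
    if urlparse(location).scheme != "https":
        findings.append("ACS Location uses plain http: the SAML response is exposed on the wire, use https")
    return findings


if __name__ == "__main__":
    for pem in idp_signing_certs_to_pem(SAMPLE_IDP_METADATA):
        print(pem)  # save as idp.pem and import it into the keystore with keytool
    for finding in check_sp_config(SAMPLE_SP_METADATA, PAGE_PROPERTIES):
        print("finding:", finding)
```

Save the printed PEM as idp.pem, create the keystore with keytool -genkeypair -alias <key name> -keyalg RSA -keysize 2048 -keystore keystore.jks, and import the certificate with keytool -importcert -alias idp -file idp.pem -keystore keystore.jks -noprompt (keystore path and aliases are your own choice and must match gateway.saml.key_manager.store_file and gateway.saml.key_manager.default_key). On this page's own example values the only finding is the plain-http assertion consumer service URL.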
Application configuration
- In your application configuration JSON file, under the authenticationMethods section, add the following:
{
"type": "saml",
"configurationProperty": "gateway.saml"
}