
Both Cloud and On Premise (OP) customers have to set up SAML the same way; the difference is that Cloud customers don't have access to the directories/files to make the updates and apply the configuration themselves.

...

Configuring SAML for Unanet

Below is information on requirements for SAML implementation.

...


An example of the Single Sign On URL can be: https://erp.unanet.net/erp/action/login/validate

Servername: erp
Domain: unanet
Root Domain: .net
Site Context: erp

To complete the setup, the Unanet webserver will require the following information for your IdP configuration:

  • Identity Provider Issuer Id
  • Identity Provider Single Sign-On URL
  • X.509 Certificate used for message signing


You can either submit this information item by item or provide a copy of your IdP metadata file.

With this information, On Premise customers can configure files and import the X.509 certificate as a trusted certificate in the Java keystore.

...

The SAML information needs to be entered in the jaas.config file located in the \\unanet\config directory. 


Example configuration file for ‘erp’ customer site utilizing OneLogin.

...

<KeyDescriptor use="signing">
   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data>
         <X509Certificate>MIIC8DCCAdigAw….…S7YMlf1nFS</X509Certificate>
      </X509Data>
   </KeyInfo>
</KeyDescriptor>

This is where the samltool site can also prove helpful. After copying the contents of the X509 Certificate element, you can paste it into https://www.samltool.com/format_x509cert.php and click the ‘Format X.509 certificate’ button.  This will create formatted text contents for a CER file, including header, footer and line breaks. You can then copy and paste the generated contents into a file with a .cer extension and save.

...



Obtain x509 certificate for AD FS installation on Server 2016 (easier option if using AD FS)

 

Browse to: https://<ADFS FQDN>/FederationMetadata/2007-06/FederationMetadata.xml
The exact URL can be found by opening AD FS -> Service -> Endpoints in the MMC. Scroll down until you see “Metadata” and find the type: “Federation Metadata”. You will want the URL path listed here that ends in .xml.


Open the downloaded FederationMetadata.xml file and find the following portion:

<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing">
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data>
        <X509Certificate>   <<- certificate contents abbreviated
        </X509Certificate>
      </X509Data>
    </KeyInfo>
  </KeyDescriptor>
  ... (remainder of the IDPSSODescriptor element omitted)


The next step is to create the keystore with the certificate. This can be done utilizing the Java keytool, although the openSSL tool is an option as well. Since keytool is installed with your required Java version, this may be the preferred option to utilize.

...

You can then run the import with this example of syntax. The alias of idp_signing is required as that is hard coded into the software.

...

   keytool -importcert -trustcacerts -keystore saml.jks -storepass changeit -noprompt -alias idp_signing -file Unanet_x509_signing.cer


The result of this command will be a new keystore file named saml.jks (this file will be located in the bin directory where the command was run), using the keystore password of changeit, and containing the signing certificate with the required alias of idp_signing.

It is a best practice to keep these files in one place for ease of management. If you wanted to create/keep the saml.jks file in the \\unanet\config directory with all the other files custom to your site, the syntax would appear as such:

   c:\Program Files (x86)\Java\jre1.8.0_191\bin>keytool -importcert -trustcacerts -keystore "d:\unanet\config\saml.jks" -storepass <password> -noprompt -alias idp_signing -file d:\cert\Unanet_x509_signing.cer
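Putting the certificate steps above together (locating the signing KeyDescriptor in the IdP metadata, formatting it as a .cer file the way the samltool formatter does, and importing it under the idp_signing alias), here is an added Python example; it is not Unanet's code. The metadata document, its entityID and the certificate bytes are constructed placeholders, and the SHA-256 thumbprint it prints is there so you can compare it against the value shown in the IdP console before trusting the certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def signing_certs(metadata_xml: str) -> list:
    """Base64 DER of every signing cert under the IDPSSODescriptor. A KeyDescriptor
    with no 'use' attribute covers signing and encryption, so it is included too."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for idp in root.iter(f"{{{MD}}}IDPSSODescriptor"):
        for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
            if kd.get("use", "signing") != "signing":
                continue  # encryption-only keys never verify assertion signatures
            for cert in kd.iter(f"{{{DS}}}X509Certificate"):
                certs.append("".join(cert.text.split()))  # strip embedded line breaks
    return certs

def to_pem(b64: str) -> str:
    """Add the PEM header/footer and 64-character lines, as the samltool formatter does."""
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def sha256_fingerprint(b64: str) -> str:
    """Colon-separated SHA-256 thumbprint of the DER bytes, to compare with the IdP console."""
    hexdigest = hashlib.sha256(base64.b64decode(b64)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def keytool_command(cer_path: str, keystore: str = "saml.jks", storepass: str = "changeit") -> str:
    """The import command from the page; the idp_signing alias is hard-coded in Unanet."""
    return (f"keytool -importcert -trustcacerts -keystore {keystore} -storepass {storepass} "
            f"-noprompt -alias idp_signing -file {cer_path}")

# Constructed sample metadata; the X509Certificate values are placeholder bytes, not real certs.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><KeyInfo xmlns="{DS}"><X509Data><X509Certificate>RU5DUllQVElPTg==</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data><X509Certificate>
      U0lHTklORy1DRVJULVBMQUNFSE9MREVSLUJZVEVT
    </X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    cert = signing_certs(SAMPLE_METADATA)[0]
    print(to_pem(cert), sha256_fingerprint(cert), keytool_command("Unanet_x509_signing.cer"), sep="\n")
```

Write the to_pem output to Unanet_x509_signing.cer and run the printed keytool command from the directory where you want saml.jks created.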



To complete the SAML Login Module configuration, we can now define the following in the jaas.config file:

...

unanet.log.level=FINER            (FINER is the best option)
unanet.security.saml.debug=true   (to troubleshoot any issues that may come along with implementing SAML)

...

-Djava.security.auth.login.config=\\path\to\jaas.config\file


Restart Tomcat service

After all configurations are in place, restart the Tomcat service and test access or view logging in \\tomcat\logs to see what issues may exist.

...