
...

Cloud and On-Premise customers are responsible for creating relying party trusts and claims where applicable. For Cloud customers, however, the main task is to provide the IdP metadata, which contains the Identity Provider Issuer ID, the Identity Provider Single Sign-On URL, and the X.509 certificate used for message signing.

...

Service restarts will be needed, so some outage time should be expected during this process.

  • We support SAML v2.0.
  • If your Identity Provider (IdP) supports a default relay state, it can be left blank; Unanet routes the user to their home dashboard by default.
  • All assertions in authentication responses must be signed.
  • Authentication responses may also be signed, but this is not required.
  • Unanet only requires that responses contain a Subject with a NameID in the unspecified format, i.e. urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
  • The Subject's NameID must match the Unanet Username in the person profile.
  • Unanet does not support Single Logout (SLO).
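The following Python script is an added example, not part of the Unanet documentation or product. It runs the structural checks from the list above against a SAML Response captured from the browser (for example the Base64 SAMLResponse form field of the HTTP-POST binding): every assertion must carry a signature element, the NameID must be in the unspecified format, and its value must match a Unanet Username. It does not verify the signatures cryptographically, so a clean result means the response is shaped the way Unanet expects, not that it is authentic. The sample responses, issuer, IDs and usernames are constructed placeholders.

```python
"""Structural pre-flight checks for a SAML Response against the Unanet
requirements listed above (added example; not Unanet code).  Signatures
are only checked for presence, never verified."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def decode_saml_response(form_value):
    """Decode the Base64 SAMLResponse form field (HTTP-POST binding) to XML text."""
    return base64.b64decode(form_value).decode("utf-8")


def check_response(xml_text, unanet_usernames):
    """Return a list of problems; an empty list means every check passed.

    unanet_usernames: the Username values from Unanet person profiles, so
    the NameID can be confirmed to map to an account before going live.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is %s, expected samlp:Response" % root.tag]

    problems = []
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        problems.append("response carries no saml:Assertion")
    for i, assertion in enumerate(assertions):
        # Every assertion must be signed: an enveloped XML signature is a
        # ds:Signature child of the Assertion element.  (A signature on the
        # Response itself is allowed but not required, so it is not checked.)
        if assertion.find("ds:Signature", NS) is None:
            problems.append("assertion %d is not signed" % i)
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        if name_id is None:
            problems.append("assertion %d has no Subject/NameID" % i)
            continue
        # SAML 2.0 treats a missing Format attribute as 'unspecified'.
        fmt = name_id.get("Format", UNSPECIFIED)
        if fmt != UNSPECIFIED:
            problems.append("assertion %d NameID Format is %s" % (i, fmt))
        value = (name_id.text or "").strip()
        if value not in unanet_usernames:
            problems.append("assertion %d NameID %r matches no Unanet username" % (i, value))
    return problems


# Constructed samples: the issuer, IDs and usernames are placeholders and the
# ds:Signature element is an empty stand-in, since only presence is checked.
SAMPLE_GOOD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jsmith</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Same response with the two most common misconfigurations: the assertion is
# unsigned and the NameID is an e-mail address that does not match a Username.
SAMPLE_BAD = SAMPLE_GOOD.replace(
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>', ""
).replace(
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jsmith',
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jsmith@example.test',
)

# What the browser would POST as the SAMLResponse field for the good sample.
ENCODED_GOOD = base64.b64encode(SAMPLE_GOOD.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    for label, xml_text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_response(xml_text, {"jsmith"}) or "OK")
```

Paste the SAMLResponse value from a browser SAML trace into decode_saml_response and pass the result to check_response together with the set of Usernames exported from Unanet; each reported problem corresponds to one of the requirements in the list above, which is usually faster than reading the Unanet log at FINER level.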

...

keystoreFile: The full path to a Java keystore file containing the Identity Provider's signing certificate. The certificate must be stored in this file under the alias idp_signing. Only the Identity Provider's public signing certificate belongs in this keystore; it must not contain a private key.

...

allowIdpInitiatedSSO: If set to "true", allows Identity Provider initiated Single Sign-On. If your Identity Provider presents authenticated users with a menu of accessible applications, set this option to "true" so the menu link to Unanet works directly. If that workflow is not needed, do not enable it: an IdP-initiated response is unsolicited and cannot be matched to an authentication request issued by Unanet, so it offers fewer checks than the SP-initiated flow.

Creating a Keystore from an X.509 Certificate

An X.509 signing certificate in a certificate file (typically a .cer file) is also required.

...

<KeyDescriptor use="signing">
   <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data>
        <X509Certificate>MIIC8DCCAdigAw….…S7YMlf1nFS</X509Certificate>
      </X509Data>
   </KeyInfo>
</KeyDescriptor> 

This is where the samltool.com site can also be helpful. After copying the contents of the X509Certificate element, paste it into https://www.samltool.com/format_x509cert.php and click the "Format X.509 certificate" button. This produces the formatted contents of a .cer file, including header, footer and line breaks. Copy the generated text into a file with a .cer extension and save it. The token-signing certificate is public, so pasting it into a third-party site exposes nothing secret; never paste private key material there.
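An offline alternative to the samltool.com step, as an added example that is not from the Unanet documentation or product: this Python script reads the federation metadata XML, selects the KeyDescriptor with use="signing" (AD FS metadata also publishes an encryption certificate, which must not be imported as idp_signing), writes the certificate as a PEM .cer file that keytool accepts, and prints its SHA-256 fingerprint so it can be compared with the token-signing certificate shown in the AD FS console. The metadata, entity ID and certificate bytes are constructed placeholders, not a real certificate.

```python
"""Extract the IdP signing certificate from SAML federation metadata and write
it as a PEM .cer file for keytool (added example; not Unanet code).  The
certificate bytes below are constructed placeholders, not a real certificate."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def extract_signing_certs(metadata_xml):
    """Return the Base64 X509Certificate bodies usable for signing.

    Only KeyDescriptors under the IDPSSODescriptor are considered.  A
    KeyDescriptor with no 'use' attribute may serve both signing and
    encryption per the SAML metadata spec, so it is included; use="encryption"
    is skipped because importing that key as idp_signing would make every
    login fail signature validation.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Metadata often wraps the Base64 across lines; strip all whitespace.
            certs.append("".join((cert.text or "").split()))
    return certs


def to_pem(cert_b64):
    """Wrap a Base64 certificate body in the PEM header/footer with 64-char lines."""
    body = "".join(cert_b64.split())
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]) + "\n"


def pem_to_der(pem):
    """Inverse of to_pem: decode the PEM body back to the raw DER bytes."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def fingerprint(cert_b64):
    """SHA-256 fingerprint of the DER certificate, colon-separated as consoles show it."""
    digest = hashlib.sha256(base64.b64decode(cert_b64, validate=True)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def write_cer(path, cert_b64):
    """Write the certificate as a PEM .cer file and return its fingerprint."""
    Path(path).write_text(to_pem(cert_b64), encoding="ascii")
    return fingerprint(cert_b64)


# Constructed metadata: the entity ID and certificate bytes are placeholders.
# An encryption KeyDescriptor is included because AD FS publishes one too.
FAKE_SIGNING_DER = b"constructed placeholder bytes, not a real DER certificate " * 3
FAKE_ENCRYPTION_DER = b"constructed placeholder for the encryption key, also not real " * 3
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>%s</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          %s
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>""" % (
    base64.b64encode(FAKE_ENCRYPTION_DER).decode("ascii"),
    base64.b64encode(FAKE_SIGNING_DER).decode("ascii"),
)

if __name__ == "__main__":
    signing = extract_signing_certs(SAMPLE_METADATA)
    print("signing certificates found:", len(signing))
    print(to_pem(signing[0]))
    print("SHA-256:", fingerprint(signing[0]))
```

Run it against the FederationMetadata.xml downloaded from the AD FS endpoint and pass the chosen certificate to write_cer with the .cer path you will give to keytool. During a token-signing certificate rollover the metadata lists more than one signing certificate; compare the printed fingerprint with the certificate AD FS marks as primary before importing it as idp_signing.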

...

The exact URL can be found by opening AD FS > Service > Endpoints in the MMC. Scroll down to the "Metadata" section and find the type "Federation Metadata"; the URL path listed there, ending in .xml, is the one you want.

...

You can then run the import with the example syntax below. The alias idp_signing is required because it is hard-coded in the software.

...

The result of this command is a new keystore file named saml.jks (located in the bin directory from which the command was run), protected with the keystore password changeit, and containing the signing certificate under the required alias idp_signing.

It is a best practice to keep these files in one place for ease of management. To create the saml.jks file in the \\unanet\config directory alongside the other files customized for your site, the syntax would be:

c:\Program Files (x86)\Java\jre1.8.0_191\bin>keytool -importcert -trustcacerts -keystore "d:\unanet\config\saml.jks" -storepass <password> -noprompt -alias idp_signing -file d:\cert\Unanet_x509_signing.cer

To complete the SAML Login Module configuration, we can now define the following in the jaas.config file:

  • keystoreFile – The full path to the saml.jks file we have just created.
  • keystorePass – The password for the saml.jks keystore file, which in our case would be "changeit". The keystore holds only a public certificate, but use a site-specific password rather than the well-known default in production.

...

Set unanet.authentication=jaas in the unanet.properties file.

...

When using the FINER option, logging must be written to a configured file, for example unanet.log.output=c:/tomcat/logs/unaruntime.log.

Next, the Tomcat service properties need to point to the location of the Unanet jaas.config file. One way to open the Tomcat properties dialog is to double-click the Tomcat8w.exe file in the Tomcat bin directory.

Navigate to the Java tab > Java Options and add a line giving the path to the jaas.config file, preceded by the system property name:

-Djava.security.auth.login.config=\\path\to\jaas.config\file

Restart the Tomcat service:

After all configurations are in place, restart the Tomcat service and test access, or view the logs in \\tomcat\logs to see what issues may exist.

Adding an entry for the Logout Redirect URL property (unanet.logout.redirect) helps prevent confusion for users logging out of a SAML-configured system, since it redirects them somewhere other than the Unanet login page. Because Unanet does not support Single Logout, the user's session at the Identity Provider remains active after they log out of Unanet.

Navigate to Admin > Properties > Unanet > General > Display Options and enter a URL in the box for Logout Redirect URL.
