Cloud and On Premise customers are responsible for creating relying party trusts and claims where applicable. The main goal for Cloud customers, however, is to provide the metadata information, which contains the Identity Provider Issuer Id, the Identity Provider Single Sign On URL, and the X.509 Certificate used for message signing.
Service restarts will need to occur, so some amount of outage time should be expected in this process.
- We support SAML v2.0.
- If your Identity Provider (IdP) supports a default relay state it can be left blank. Unanet will correctly handle routing the user to their home dashboard by default.
- All assertions in authentication responses must be signed.
- Authentication responses can also be signed, but it is not required.
- Unanet only requires that responses contain a Subject with a Name Id in unspecified format, i.e. "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
- The Subject’s Name Id must match the Unanet Username in the person profile.
- Unanet does not support Single Logout (SLO).
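The requirements in the list above can be checked before a new IdP goes live. The following Python script is an added example, not part of the Unanet documentation or product: it takes a SAMLResponse as posted by the browser and reports any assertion that is not signed, any NameID whose Format is not the unspecified URN (the check is strict and wants the attribute written out), and any NameID that does not equal the expected Unanet username. The sample response, the adfs.example.com issuer and the username jsmith are constructed, and the ds:Signature element is a stub. The script checks XML structure only; it does not verify the signature cryptographically, which is the login module's job using the certificate in the keystore.

```python
"""Structural pre-flight check of a SAML Response against the Unanet
requirements listed above: every Assertion signed, Subject/NameID in the
unspecified format, NameID equal to the Unanet username.  It inspects the
XML only; it does NOT verify the XML signature cryptographically."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample (not a capture from a real IdP); the ds:Signature element
# is a stub standing in for a real enveloped signature.
SIGNATURE_STUB = ("<ds:Signature><ds:SignedInfo/>"
                  "<ds:SignatureValue>stub</ds:SignatureValue></ds:Signature>")
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    {SIGNATURE_STUB}
    <saml:Subject>
      <saml:NameID Format="{UNSPECIFIED}">jsmith</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
# What the browser would POST as the SAMLResponse form field.
SAMPLE_POST_VALUE = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def decode_saml_response(post_value):
    """The HTTP-POST binding carries the XML base64-encoded (not deflated)."""
    return base64.b64decode(post_value).decode("utf-8")


def check_response(xml_text, expected_username):
    """Return a list of problems; an empty list means all checks passed."""
    problems = []
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        problems.append("response contains no Assertion (EncryptedAssertion is not handled here)")
    for a in assertions:
        aid = a.get("ID")
        # "All assertions in authentication responses must be signed."
        if a.find("ds:Signature", NS) is None:
            problems.append(f"assertion {aid} is not signed")
        name_id = a.find("saml:Subject/saml:NameID", NS)
        if name_id is None:
            problems.append(f"assertion {aid} has no Subject/NameID")
            continue
        # Strict: the Format attribute must be present and be the unspecified URN.
        fmt = name_id.get("Format")
        if fmt != UNSPECIFIED:
            problems.append(f"assertion {aid}: NameID Format is {fmt!r}, expected {UNSPECIFIED!r}")
        # "The Subject's Name Id must match the Unanet Username."
        value = (name_id.text or "").strip()
        if value != expected_username:
            problems.append(f"assertion {aid}: NameID {value!r} != Unanet username {expected_username!r}")
    return problems


if __name__ == "__main__":
    for line in check_response(decode_saml_response(SAMPLE_POST_VALUE), "jsmith") or ["ok"]:
        print(line)
```

To use it against a real IdP, paste the SAMLResponse value from the browser's form post into decode_saml_response and pass the expected Unanet Username; every string in the returned list is one requirement the IdP configuration still violates.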
keystoreFile: The full path to a Java keystore file containing the Identity Provider's signing certificate. This file must contain the Identity Provider's signing certificate with an alias of "idp_signing". Note that only the public key from the Identity Provider's signing certificate is expected in this file.
allowIdpInitiatedSSO: If set to "true", allows Identity Provider initiated Single Sign On. If your Identity Provider presents authenticated users with a menu of accessible applications, you will want to set this option to "true" to allow the menu link to Unanet to work directly.
Creating a Keystore from an X.509 Certificate
An X.509 signing certificate in a certificate file, typically a .cer file, is required as well.
This is where the samltool.com site can also prove helpful. After copying the contents of the X.509 Certificate element, you can paste it into https://www.samltool.com/format_x509cert.php and click the "Format X.509 certificate" button. This will create formatted text contents for a .cer file, including header, footer and line breaks. You can then copy and paste the generated contents into a file with a .cer extension and save.
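The copy/paste into samltool.com can be replaced by a short script. The Python below is an added example, not code from the Unanet documentation or product: it reads the Identity Provider Issuer Id (entityID), the Single Sign On URL and the signing certificate from the IdP's federation metadata, and writes the certificate as a PEM .cer file with the header, footer and 64-column line breaks that keytool expects. The sample metadata, the adfs.example.com hostnames and the certificate bytes are constructed placeholders; keytool_import_argv only builds the argument list for the import command shown later in this article and does not run keytool.

```python
"""Extract the values Unanet asks for (Identity Provider Issuer Id, Single
Sign On URL, signing certificate) from an IdP federation metadata document
and write the certificate as a PEM .cer file: header, footer and 64-column
line breaks, i.e. what the samltool.com formatter produces."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
IDP_ALIAS = "idp_signing"  # alias the software hard-codes for the IdP certificate

# Constructed sample metadata.  The certificate body is base64 of filler
# bytes, not a real certificate, so it parses here but would not load in keytool.
FAKE_CERT_B64 = base64.b64encode(b"placeholder DER bytes for the example " * 5).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs.example.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {FAKE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.com/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text, binding=HTTP_REDIRECT):
    """Return entity_id, sso_url (for the given binding) and the signing
    certificate as one base64 string with all whitespace removed."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == binding:
            sso_url = svc.get("Location")
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert_b64 = "".join(node.text.split())
                break
    if sso_url is None or cert_b64 is None:
        raise ValueError("metadata lacks a SingleSignOnService for the binding or a signing certificate")
    return {"entity_id": root.get("entityID"), "sso_url": sso_url, "cert_b64": cert_b64}


def to_pem(cert_b64):
    """Wrap raw base64 in PEM armour.  validate=True rejects stray characters
    from a sloppy copy/paste instead of silently producing a corrupt file."""
    base64.b64decode(cert_b64, validate=True)
    lines = [cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def write_cer(path, cert_b64):
    """Write the PEM file that keytool -importcert will read."""
    with open(path, "w", newline="\n") as fh:
        fh.write(to_pem(cert_b64))


def keytool_import_argv(keystore, storepass, cer_path, keytool="keytool"):
    """Argument list for the keytool import shown later in this article, with
    the alias fixed to idp_signing.  A list (not a shell string) keeps the
    store password out of shell interpolation; run it with subprocess.run(argv)."""
    return [keytool, "-importcert", "-trustcacerts", "-keystore", keystore,
            "-storepass", storepass, "-noprompt", "-alias", IDP_ALIAS, "-file", cer_path]


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print(info["entity_id"], info["sso_url"])
    print(to_pem(info["cert_b64"]))
    print(" ".join(keytool_import_argv("saml.jks", "changeit", "idp_signing.cer")))
```

With real metadata, pass the downloaded FederationMetadata document to parse_idp_metadata, call write_cer with the returned cert_b64, and hand the resulting .cer to the keytool command from this article.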
The exact URL can be found by opening AD FS > Service > Endpoints in the MMC. Scroll down until you see "Metadata" and find the type "Federation Metadata." You will want the URL path listed here that ends in
You can then run the import with this example of syntax. The alias of idp_signing is required as that is hard coded into the software.
The result of this command will be a new keystore file named saml.jks (this file will be located in the bin directory where the syntax was run), using the keystore password of changeit, and containing the signing certificate with the required alias of idp_signing.
It is a best practice to keep these files in one place for ease of management. If you wanted to create/keep the saml.jks file in the \\unanet\config directory with all the other files custom to your site, the syntax would appear as such:
c:\Program Files (x86)\Java\jre1.8.0_191\bin>keytool -importcert -trustcacerts -keystore "d:\unanet\config\saml.jks" -storepass <password> -noprompt -alias idp_signing -file d:\cert\Unanet_x509_signing.cer
To complete the SAML Login Module configuration, we can now define the following in the jaas.config file:
- keystoreFile – The full path to the saml.jks file we have just created.
- keystorePass – The password for the saml.jks keystore file, which in our case would be "changeit".
Configure unanet.authentication=jaas in the
When using the FINER option, logging needs to be written to a configured file, such as unanet.log.output=c:/tomcat/logs/unaruntime.log.
Next, Tomcat Properties needs to point to the location of the Unanet jaas.config file. One option to access Tomcat properties is to double click the
Navigate to the Java tab > Java Options and enter the path to the jaas.config file preceded by
Restart Tomcat service:
After all configurations are in place, restart the Tomcat service and test access, or view logging in \\tomcat\logs to see what issues may exist.
Adding an entry for the Logout Redirect URL property (unanet.logout.redirect) will help prevent confusion for users logging out of their SAML-configured system, as it will redirect users to a place other than the Unanet login page.
Navigate to Admin > Properties > Unanet > General > Display Options and enter a URL in the box for Logout Redirect URL.