Security Assertion Markup Language (SAML) is an open standard that allows an identity provider (IDP) to pass authorization credentials to a service provider (SP). SAML is the link between the authentication of users' identities and the authorization to use a service from the provider. ExtraView relies on the use of a third party IDP.
SAML is used in conjunction with SSO and often with LDAP. With an operational ExtraView installation, the configuration of SAML requires these three steps:
See the previous pages on External Authentication - LDAP, SSO and SAML.
See the previous page on LDAP Connections with SSO.
The components of the IDP configuration depend on the provider itself, but it is expected that the most relevant points are:
The following settings should be configured as appropriate for your installation. You should determine the parameter values for all the settings below to be used in the authentication response before starting the configuration.
| ExtraView Setting | Explanation |
| --- | --- |
| SSO_STATE | This behavior setting must be set to SAML. |
| SAML_ASSERTION_CONSUMER_URL | This behavior setting is the URL of the consumer service that receives the authentication response from the SAML IDP. This is the URL that invokes the Consumer Servlet when the behavior setting SSO_STATE has a value of SAML. Typically this will have a value that looks similar to https://myserver.mydomain.com/Consumer. This is the application URL registered with the IDP. |
| SAML_SSO_SERVICE | This behavior setting provides the URL of the SSO service to which the SAML SP sends an authentication request. This URL points to a target in the IDP. |
| SAML_SSO_SP_ENTITY_ID | The SP Entity ID behavior setting is a URL or other identifier given by the Service Provider (SP) that uniquely identifies it to the IDP. This is derived from the metadata for the SP. A typical value is an XML fragment. |
| SSO_DO_UPSERT | This is set within the Configuration.properties file if the values from the authentication are to be updated within the ExtraView database with each authentication. |
| SSO_PRIMARYKEY | This is the mapping for the user name that is set within the Configuration.properties file. This parameter must include the expected ExtraView User ID. |
| SSO_SURNAME | This is the mapping for the user's last name that is set within the Configuration.properties file. |
| SSO_GIVENNAME | This is the mapping for the user's given name that is set within the Configuration.properties file. |
| SSO_EMAIL | This is the mapping for the user's email address that is set within the Configuration.properties file. |
A valid security certificate is typically required to validate the signature on the authentication response from the IDP. This certificate is stored securely within ExtraView in the Key Manager administration utility, located at Admin --> Advanced --> Encryption Key Management. The format for the certificate is known as PEM (Privacy Enhanced Mail). The name is something of a misnomer, as the certificates used for SAML have no connection with email. The format is a Base64-encoded string of characters which is pasted into the Enter certificate PEM field within the Encryption Key Manager. If there is no entry in this field, the new entry you create for the key is added as a secret key only and is not used for SAML authentication.
The entry in the key manager should look like this:
The action to save a certificate in this field builds the appropriate credentials for the SAML certificate.
There are some circumstances where you might want to bypass the SAML authentication, for example if the IDP service is not operable, or you need to access the ExtraView ADMIN account directly. To achieve this, include the parameter EV_BYPASS_SSO=YES on the URL, following the ExtraView address. This will produce the standard built-in ExtraView login screen for authorization. For example, your address might look like:
http://myserver.mycompany.com/evj/ExtraView?EV_BYPASS_SSO=YES
CLI calls, by their very nature, cannot support SAML authentication, so the EV_BYPASS_SSO option is used to overcome this limitation. The -B true option on the CLI command line allows the user to enter a valid user ID and password for authentication.
When first establishing a connection to an IDP to perform SAML authentication, it can be useful to add additional logging to view the precise details of the transactions. To assist with this you may add a section to the WEB-INF/configuration/Configuration.properties file. Look for, or add, a section in this file like this:
# SAML Logging
# logging level values "ALL", "TRACE", "DEBUG", "INFO", "WARN", "ERROR" or "OFF"
SAML_LOGGING_LEVEL=INFO
The default logging level is INFO, but this can be altered to provide more or less information on the SAML connection to the IDP. DEBUG level logging will display the response from the IDP with its attributes, so you can determine what to map in the SSO_* parameters in Configuration.properties. An alternative is to use a browser SAML tracer plugin to do the same thing.
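The following is an added example, not part of the ExtraView documentation or product, showing how the attributes in a captured IDP response (as seen in DEBUG logging or a browser SAML tracer) line up with the SSO_* mappings. The response and the attribute names uid, sn, givenName and mail are constructed for illustration; your IDP will use its own names.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used in a SAML 2.0 Response and its Assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample of what DEBUG logging or a browser SAML tracer shows,
# before base64 encoding. The attribute names uid, sn, givenName and mail
# are assumptions for illustration; a real IDP may use different names.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>jsmith</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="sn"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>jsmith@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
ENCODED_RESPONSE = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()

# The SSO_* mapping as it would be written in Configuration.properties:
# each ExtraView setting names the IDP attribute that supplies it.
SSO_MAPPING = {
    "SSO_PRIMARYKEY": "uid",
    "SSO_SURNAME": "sn",
    "SSO_GIVENNAME": "givenName",
    "SSO_EMAIL": "mail",
}

def extract_attributes(encoded_response):
    """Decode a base64 SAMLResponse and return {attribute name: [values]}."""
    root = ET.fromstring(base64.b64decode(encoded_response))
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs

def apply_mapping(attrs, mapping):
    """Resolve each SSO_* setting from the IDP attributes; report, never guess, missing ones."""
    resolved = {s: attrs[a][0] for s, a in mapping.items() if attrs.get(a)}
    missing = [s for s in mapping if s not in resolved]
    return resolved, missing

if __name__ == "__main__":
    print(apply_mapping(extract_attributes(ENCODED_RESPONSE), SSO_MAPPING))
```

The script only reads attribute names to help choose the mappings; the response is authenticated by ExtraView's own check of the IDP signature against the certificate loaded in the Key Manager, which this script does not perform.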