Configuring SSO Using SAML
The Security Assertion Markup Language (SAML) is an XML-based open standard data format for exchanging authentication and authorization data between parties. SAML is implemented in Prime Service Catalog so that any application integrating with Prime Service Catalog can use it to authenticate users and to import person profile information from the IDP.
There are three key elements in SAML:
- User — The client that is attempting to log in to a service provider (Cisco Prime Service Catalog).
- Identity Provider (IDP) — Typically a portal where the user logs in; it is the authority on a user's identity and knows the user's username, password, and any groups/attributes.
  Note: The Prime Service Catalog 12.0 release supports only one IDP connection to authenticate a user at login.
- Service Provider (SP) — The application the user wishes to use. In this case, Cisco Prime Service Catalog.
Caution
You cannot have both LDAP and SAML configured for SSO login in Prime Service Catalog. If you want to use SAML SSO, you must manually disable the LDAP Login event; otherwise login behaves incorrectly.
To disable LDAP login, go to Administration > Directories > Events and click Edit for the Login event. Change the event status to Disabled and click Update.
Log In Behavior
Implementing single sign-on via SAML means that the sign-in process and user authentication are handled entirely outside of Prime Service Catalog. Prime Service Catalog uses SAML as a means of securely authenticating against an IDP; authorization is still provided by Prime Service Catalog. With SAML configured, the user must first authenticate with the IDP. On successful authentication, a user who does not yet exist is imported into Prime Service Catalog and redirected to PSC; access is granted only if the user has a valid permission and the IDP is correctly configured. User sessions are maintained within the same browser.
Log Out Behavior
Logout behavior depends on the saml.enable.globalLogout property setting in the newscale.properties file; see the section Properties for SAML Configuration.
By default, global logout is enabled. In this case, when the user logs out of one instance of Prime Service Catalog, the user is also logged out of the other instances open in the same browser.
With global logout disabled, when the user logs out of Prime Service Catalog or of another application integrated with Prime Service Catalog, SAML logs the user out of that particular application only. This is called local logout.
The table below describes the logout behavior for the possible global logout settings of two SPs open in the same browser. Here SP1 and SP2 are two instances of Prime Service Catalog.
| Scenario | Global Logout Setting on SP1 | Global Logout Setting on SP2 | Logout behavior |
|---|---|---|---|
| 1 | True | True | Both SP1 and SP2 are logged out if either SP logs out. |
| 2 | True | False | If SP1 logs out, SP2 is also logged out. If SP2 logs out, SP1 is not logged out. |
| 3 | False | True | If SP1 logs out, SP2 is not logged out. If SP2 logs out, SP1 is also logged out. |
| 4 | False | False | If either SP1 or SP2 logs out, the other SP is not logged out. |
User Management in SAML
After you have enabled SAML, all user management and authentication is handled outside of Prime Service Catalog. However, changes made outside of Prime Service Catalog are immediately synced back to Prime Service Catalog. User information is imported on the first authentication attempt against an IDP; on subsequent attempts the user information is not updated. Changes to the user are synced when the LDAP event is enabled for Person lookup OOB, Authorization delegate, and Person Lookup Service form, and the Import person event is set. If you delete a user in your system, the user can no longer sign in to Prime Service Catalog (though their account still exists in Prime Service Catalog).
Properties for SAML Configuration
The table below describes the configuration settings in newscale.properties that let you configure SAML for your system.

| Property | Description |
|---|---|
| saml.lb.protocol | Set to 'http' or 'https' for the LB. |
| saml.lb.hostname | Set to the exposed RC endpoint. Ensure it is not a loopback address (127.0.0.1 or localhost). If an LB or reverse proxy is used, this is the exposed endpoint's IP or domain name. |
| saml.lb.port | Set to the appropriate port number. |
| saml.lb.config.includeServerPortInRequestURL | Set to true or false. If set to true, the port is used when validating request/response URLs during SAML exchanges between the SP and the IDP. |
| saml.matadata.refreshInterval | Set the time interval for the metadata refresh. |
| saml.provider.trustCheck | Sets whether signature trust is validated for all providers. |
| saml.force.auth | Sets whether the user must authenticate again even if the session is valid. |
| saml.enable.global.logout | Sets whether global logout is enabled or disabled. By default, it is set to true. |
| saml.certificate.validation.config | Sets the certificate validation configuration. For more information, see SAML Certificate Validation Settings. |
SAML Certificate Validation Settings
This section describes the validation settings Prime Service Catalog provides for SAML certificates when you configure SAML certificate validation.
Under the SAML specification, received messages must be digitally signed; signing is always required for SAML. You can validate the SAML certificate by setting the following properties:
| Property | Description |
|---|---|
| checkFQDNValidity | When set to true, checks the fully qualified domain name or the common name in the certificate. |
| allowSelfSignedCertificates | When set to true, allows self-signed certificates. |
| allowOnlyRootCertificates | When set to true, allows only root certificates. Default is false. Note: If you set allowOnlyRootCertificates to true, all self-signed certificates are allowed even if allowSelfSignedCertificates is set to false, because all root certificates are self-signed. |
| checkValidity | When set to true, checks the validity period of the certificate. |
| checkMaxExpiryDays | When set to true, checks the maximum period of the certificate validity. |
| checkCertificateRevocation | When set to true, checks the certificate against its dynamic certificate revocation list. |
| checkTrust | When set to true, validates the certificate against the trust chain. |
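As an added illustration (not Prime Service Catalog code), the following Go program models what the settings above decide about an IDP signing certificate, including the Note about allowOnlyRootCertificates. It builds a constructed self-signed test certificate, so the certificate and the MaxExpiryDays limit are assumptions of this example, and checkCertificateRevocation is left out because it needs network access to a CRL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ValidationConfig mirrors the saml.certificate.validation.config properties above; MaxExpiryDays is an assumed limit for checkMaxExpiryDays.
type ValidationConfig struct {
	CheckFQDNValidity, AllowSelfSignedCertificates, AllowOnlyRootCertificates bool
	CheckValidity, CheckMaxExpiryDays, CheckTrust                              bool
	MaxExpiryDays                                                             int
}
// EvaluateIDPCert applies the enabled checks to an IDP signing certificate and returns every failure, so the effect of each setting is visible at once; roots is the SP trust store.
func EvaluateIDPCert(cfg ValidationConfig, c *x509.Certificate, fqdn string, roots *x509.CertPool, now time.Time) []string {
	var fails []string
	add := func(bad bool, msg string) {
		if bad {
			fails = append(fails, msg)
		}
	}
	// self-signed: the certificate's own key verifies its signature, whether or not it is a CA
	selfSigned := c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
	add(cfg.CheckFQDNValidity && c.VerifyHostname(fqdn) != nil, "fqdn "+fqdn+" not in CN/SAN")
	// per the Note above, allowOnlyRootCertificates=true admits self-signed certificates even when allowSelfSignedCertificates=false
	add(selfSigned && !cfg.AllowSelfSignedCertificates && !cfg.AllowOnlyRootCertificates, "self-signed certificate not allowed")
	add(cfg.AllowOnlyRootCertificates && !(selfSigned && c.IsCA), "not a root certificate")
	add(cfg.CheckValidity && (now.Before(c.NotBefore) || now.After(c.NotAfter)), "outside validity period")
	add(cfg.CheckMaxExpiryDays && c.NotAfter.Sub(now) > time.Duration(cfg.MaxExpiryDays)*24*time.Hour, "validity longer than max expiry days")
	if cfg.CheckTrust {
		_, err := c.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
		add(err != nil, "trust chain not verified")
	}
	return fails
}
// NewSelfSignedCert builds a constructed test certificate for cn (not a real IDP's certificate).
func NewSelfSignedCert(cn string, days int, isCA bool) (*x509.Certificate, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: isCA}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Running the strict configuration against a 400-day self-signed root reports three failures (self-signed, validity longer than the limit, untrusted chain); switching on allowOnlyRootCertificates clears the self-signed failure just as the Note describes.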
SAML REST API
The SAML nsAPIs can be accessed only by the Site Administrator and by users who have the SAML Configuration capability. nsAPI authentication for SAML configurations and IDP mappings uses the RC DB even when SAML is enabled, so users must supply their RC DB credentials.
The response code for a successfully submitted request is 200.
For information on the error response messages, see the REST/Web Services Error Messages table and Error Messages.
Table 9-1 SAML REST API Table

| Method | Operation | URL |
|---|---|---|
| DELETE | Delete an IDP configuration. Enter the unique name of the IDP to delete. | http://<ServerURL>/RequestCenter/nsapi/v1/idp/configs/<idp configuration name> |
| GET | Get an IDP configuration. Enter the unique name of the IDP. | http://<ServerURL>/RequestCenter/nsapi/v1/idp/configs/<idp configuration name> |
| PUT | Refresh the metadata on the node. | http://<ServerURL>/RequestCenter/nsapi/v1/idp/refreshThis |
| POST | Save an IDP configuration (sample input below). | http://<ServerURL>/RequestCenter/nsapi/v1/idp/configs |
| PUT | Update an IDP configuration (sample input below). | http://<ServerURL>/RequestCenter/nsapi/v1/idp/configs |
| GET | Get the SAML configuration. | http://<ServerURL>/RequestCenter/nsapi/v1/saml/configs |
| PUT | Update the SAML configuration (sample input below). | http://<ServerURL>/RequestCenter/nsapi/v1/saml/configs |

Sample input for POST idp/configs (partial; the certificate value is omitted):

```json
{
  "name": "ssocirclef631a5967b044cec94893ac700851de3",
  "metadata": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<md:EntityDescriptor \r\n\txmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" \r\n\tentityID=\"https://auth.miniorange.com/moas\">\r\n\r\n\t<md:IDPSSODescriptor \r\n\t\tWantAuthnRequestsSigned=\"true\" \r\n\t\tprotocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\r\n\r\n\t\t<md:KeyDescriptor \r\n\t\t\tuse=\"signing\">\r\n\t\t\t<ds:KeyInfo \r\n\t\t\t\txmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\r\n\t\t\t\t<ds:X509Data>\r\n\t\t\t\t\t<ds:X509Certificate>BASE64_CERTIFICATE_OMITTED</ds:X509Certificate>\r\n\t\t\t\t</ds:X509Data>\r\n\t\t\t</ds:KeyInfo>\r\n\t\t</md:KeyDescriptor>\r\n\r\n\t\t<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>\r\n\t\t<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>\r\n\t\t<md:SingleSignOnService \r\n\t\t\tBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" \r\n\t\t\tLocation=\"https://auth.miniorange.com/moas/idp/samlsso\"/>\r\n\t\t<md:SingleSignOnService \r\n\t\t\tBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" \r\n\t\t\tLocation=\"https://auth.miniorange.com/moas/idp/samlsso\"/>\r\n\t</md:IDPSSODescriptor>\r\n</md:EntityDescriptor>",
  "costCenter": "costCenter",
  "organizationUnit": "Department"
}
```

Note: OrganizationalUnit, Locale, Business Unit and Cost Center are optional. You can send blank values if you don't want to map those fields.

Sample input for PUT idp/configs (partial; the certificate value is omitted):

```json
{
  "metadata": "<?xml version=\"1.0\"?>\n<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"https://app.onelogin.com/saml/metadata/581650\">\n <IDPSSODescriptor xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n <KeyDescriptor use=\"signing\">\n <ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n <ds:X509Data>\n <ds:X509Certificate>BASE64_CERTIFICATE_OMITTED</ds:X509Certificate>\n </ds:X509Data>\n </ds:KeyInfo>\n </KeyDescriptor>\n <SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://pscqa.onelogin.com/trust/saml2/http-redirect/slo/581770\"/>\n \n <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>\n \n <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://pscqa.onelogin.com/trust/saml2/http-redirect/sso/581770\"/>\n <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://pscqa.onelogin.com/trust/saml2/http-post/sso/581770\"/>\n <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:SOAP\" Location=\"https://pscqa.onelogin.com/trust/saml2/soap/sso/581770\"/>\n </IDPSSODescriptor>\n <ContactPerson contactType=\"technical\">\n <SurName>Support</SurName>\n <EmailAddress>support@onelogin.com</EmailAddress>\n </ContactPerson>\n</EntityDescriptor>\n",
  "organizationUnit": "Department"
}
```

Sample input for PUT saml/configs (the certificate and private key values are omitted):

```json
{
  "entityID": "75781d57-a5cd-4db2-a1d5-58407a8c7887",
  "b64Certificate": "BASE64_CERTIFICATE_OMITTED",
  "b64PrivateKey": "BASE64_PRIVATE_KEY_OMITTED"
}
```

Because b64PrivateKey carries a private key, send this request only over a TLS-protected connection.
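To catch a bad metadata document before it reaches the idp/configs endpoint, here is an added Go pre-flight check (example code, not part of the product): it parses the metadata format shown in the samples above and builds the request body with the keys on this page. The requirements it enforces (an entityID, an X509Certificate and a SingleSignOnService endpoint) are this example's assumptions about what the SP needs.

```go
package main

import (
	"encoding/json"
	"encoding/xml"
	"fmt"
	"strings"
)

// entityDescriptor picks out the parts of IDP metadata the SP depends on; the tags use local names only, so both the "md:"-prefixed and the default-namespace samples parse.
type entityDescriptor struct {
	XMLName  xml.Name `xml:"EntityDescriptor"`
	EntityID string   `xml:"entityID,attr"`
	IDP      struct {
		Certs []string `xml:"KeyDescriptor>KeyInfo>X509Data>X509Certificate"`
		SSO   []struct {
			Binding  string `xml:"Binding,attr"`
			Location string `xml:"Location,attr"`
		} `xml:"SingleSignOnService"`
	} `xml:"IDPSSODescriptor"`
}
// CheckIDPMetadata is a pre-flight check before metadata goes to idp/configs: a SAML 2.0 EntityDescriptor with an
// entityID, an X509Certificate (needed to verify signed messages) and an SSO endpoint. Returns entityID and endpoints by binding.
func CheckIDPMetadata(metadata string) (string, map[string]string, error) {
	var ed entityDescriptor
	if err := xml.Unmarshal([]byte(metadata), &ed); err != nil {
		return "", nil, fmt.Errorf("metadata is not well-formed XML: %w", err)
	}
	if ed.XMLName.Space != "urn:oasis:names:tc:SAML:2.0:metadata" || ed.EntityID == "" {
		return "", nil, fmt.Errorf("not a SAML 2.0 EntityDescriptor with an entityID")
	}
	if strings.TrimSpace(strings.Join(ed.IDP.Certs, "")) == "" {
		return "", nil, fmt.Errorf("IDPSSODescriptor carries no X509Certificate")
	}
	sso := map[string]string{}
	for _, s := range ed.IDP.SSO {
		sso[s.Binding] = s.Location
	}
	if len(sso) == 0 {
		return "", nil, fmt.Errorf("no SingleSignOnService endpoint")
	}
	return ed.EntityID, sso, nil
}
// BuildIDPConfig returns the JSON body for POST/PUT idp/configs with the keys shown on this page, refusing when the metadata fails the pre-flight check.
func BuildIDPConfig(name, metadata, costCenter, orgUnit string) ([]byte, error) {
	if _, _, err := CheckIDPMetadata(metadata); err != nil {
		return nil, err
	}
	return json.Marshal(map[string]string{"name": name, "metadata": metadata, "costCenter": costCenter, "organizationUnit": orgUnit})
}
```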