
SAML Bridging to allow for the Portal 4.2.x

Discussion created by garma26 Employee on Jul 13, 2018

This is an idea I got when a customer wanted to use OpenID Connect to log in to the Portal 4.2.7.1.

We do not support this, but I leveraged the Gateway so that it can be done:

The way one can do it is with the following:

  1. Download the SAML identity provider service that is specified in this post:
    CA API gateway uses SAML with onelogin.com
  2. On the Gateway
    1. Create a PKI for SAML
      1. Go to 'tools'->'Certificates...'-> 'Manage Private Keys'
      2. Create a new PKI (private key and certificate)
      3. Export the certificate of that PKI as a .pem file (it will be imported into the Portal later)
    2. Create a service that you will use for SAML authentication with the Portal
    3. Import the IdP service into the Gateway
    4. Modify the service to accept the call from the Portal (endpoints and other such variables)
      1. Modify the 'Create Signed Bearer-Token SAML Token' assertion to add attributes as needed
      2. Associate that PKI with the assertion that signs the SAML token, AND also associate the same PKI with the "Build SAML Protocol Response" assertion (the assertion below the one shown in the screenshot, at line 28 of the policy); if the two signatures do not come from the key whose certificate you export, the Portal will reject the response

      3. Save and activate the service.
  3. On the Portal
    1. Open the Tenant as an admin
    2. Go to the gear icon (top right) and choose 'Authentication'
    3. In the page, click on 'Add Authentication Scheme'
    4. Choose SAML SSO and press 'next'
    5. Fill in the basic details as required (name, description, icon) and press 'Next'
    6. In Provider Configuration, fill in the required fields as in the screenshot, substituting the following:
      1. Identity Provider URL: the full URL of the service on the Gateway that will act as the SAML bridge
      2. Issuer ID: a unique identifier that will be used as the Issuer in the SAML response
    7. Import the .pem certificate file that you exported from the Gateway in step 2.1.3
    8. Choose 'SAMLResponse' and 'Parameter'
    9. Make sure that the Service Provider ID is the same as the ACS URL
    10. Keep a record of the ACS URL and the Service Provider ID; you will need them in the service on the Gateway
    11. Press 'Next' and map the fields as required
  4. On the Gateway
    1. Go back to the service that you will use for SAML authentication with the Portal
    2. Modify the service to accept the call from the Portal (endpoints and other such variables)
      1. Set the context variable serviceProviderURL in the service to the ACS URL you recorded in the Portal
      2. Open the 'Create Signed Bearer-Token SAML Token' assertion and make sure that both the Recipient and the Audience Restriction match ${serviceProviderURL}, and that the message is signed. An assertion whose Recipient or Audience names a different URL will not be accepted by the Portal, which is why the Service Provider ID and the ACS URL must be identical on both sides.


    3. Under line 4 of the service, change the logic to fit the requirements (call the next identity provider). See the difference below between the ORIGINAL form-authentication part that Ben created and the OPENID one that I have put in:
    ORIGINAL


    OPENID



I hope it helps
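The exchange the steps above configure, as an added example that is not part of the original post and not code from the CA API Gateway or the Portal: one side plays the Gateway bridge service (mint a signed bearer assertion whose Recipient and Audience are the ACS URL / Service Provider ID once the upstream IdP has authenticated the user), the other plays the Portal (verify the signature with the Gateway's public key, then refuse anything whose Issuer, Recipient, Audience or validity window is wrong). The ACS URL and Issuer ID values, the 5-minute validity window, the function names buildSAMLResponse and verifySAMLResponse, and the sample user and e-mail attribute are all assumptions; the Portal's .pem import is represented by handing the verifier the signing key's public half directly, and the signature is plain RSA-SHA256 over the serialized assertion, a deliberate simplification of the XML-DSig signature the Gateway assertions actually produce.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Hypothetical stand-ins for the Portal's ACS URL (which the post says must equal the
// Service Provider ID) and for the Issuer ID entered in the Portal's SAML SSO scheme.
const (
	acsURL   = "https://portal.example.com/admin/saml/acs"
	issuerID = "urn:example:gateway-saml-bridge"
)

type Attribute struct {
	Name  string `xml:"Name,attr"`
	Value string `xml:"AttributeValue"`
}

type Assertion struct {
	XMLName xml.Name `xml:"Assertion"`
	Issuer  string   `xml:"Issuer"`
	NameID  string   `xml:"Subject>NameID"`
	SCD     struct {
		Recipient    string `xml:"Recipient,attr"`
		NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
	} `xml:"Subject>SubjectConfirmation>SubjectConfirmationData"`
	Audience   string      `xml:"Conditions>AudienceRestriction>Audience"`
	Attributes []Attribute `xml:"AttributeStatement>Attribute"`
}

// Response wraps the assertion. Signature is base64 RSA-SHA256 over the serialized Assertion,
// a deliberate simplification of XML-DSig (no canonicalization, no enveloped ds:Signature).
type Response struct {
	Assertion Assertion
	Signature string `xml:"Signature"`
}

// buildSAMLResponse plays the Gateway bridge service after the upstream IdP has authenticated
// the user: mint a signed bearer assertion and return the value of the SAMLResponse parameter.
func buildSAMLResponse(key *rsa.PrivateKey, recipient, audience, user string, attrs []Attribute, now time.Time) (string, error) {
	a := Assertion{Issuer: issuerID, NameID: user, Audience: audience, Attributes: attrs}
	a.SCD.Recipient = recipient
	a.SCD.NotOnOrAfter = now.Add(5 * time.Minute).UTC().Format(time.RFC3339) // assumed 5-minute validity
	raw, _ := xml.Marshal(a) // marshalling these fixed structs cannot fail
	digest := sha256.Sum256(raw)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	out, _ := xml.Marshal(Response{Assertion: a, Signature: base64.StdEncoding.EncodeToString(sig)})
	return base64.StdEncoding.EncodeToString(out), nil
}

// verifySAMLResponse plays the Portal: pub stands for the key in the imported .pem. It checks the
// signature first, then Issuer, Recipient (ACS URL), Audience (Service Provider ID) and expiry.
func verifySAMLResponse(pub *rsa.PublicKey, samlResponse string, now time.Time) (*Assertion, error) {
	var r Response
	raw, err := base64.StdEncoding.DecodeString(samlResponse)
	if err != nil {
		return nil, err
	}
	if err := xml.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	signed, _ := xml.Marshal(r.Assertion) // re-serialize exactly what the bridge signed
	digest := sha256.Sum256(signed)
	sig, err := base64.StdEncoding.DecodeString(r.Signature)
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify against the imported certificate key")
	}
	exp, perr := time.Parse(time.RFC3339, r.Assertion.SCD.NotOnOrAfter)
	switch {
	case r.Assertion.Issuer != issuerID:
		return nil, errors.New("unexpected Issuer")
	case r.Assertion.SCD.Recipient != acsURL:
		return nil, errors.New("Recipient does not match the ACS URL")
	case r.Assertion.Audience != acsURL:
		return nil, errors.New("Audience does not match the Service Provider ID")
	case perr != nil || !now.Before(exp):
		return nil, errors.New("assertion expired or NotOnOrAfter missing")
	}
	return &r.Assertion, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the Gateway's SAML signing PKI
	now := time.Now()
	resp, _ := buildSAMLResponse(key, acsURL, acsURL, "alice", []Attribute{{Name: "email", Value: "alice@example.com"}}, now)
	_, err := verifySAMLResponse(&key.PublicKey, resp, now)
	fmt.Println("Portal-side checks passed:", err == nil)
}
```

Run it with `go run`; the verifier refuses an assertion whose Audience or Recipient names another service provider, one signed by a key other than the exported one, a tampered NameID, and one past NotOnOrAfter, which is the reason step 4.2.2 insists that both fields equal ${serviceProviderURL}. A real SP additionally canonicalizes and verifies the XML-DSig signature, which this simplified signing does not attempt.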
