Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  • Following any changes you make, save the file and then restart your application server so that the changes are taken into account.

SAML mode



This mode is not enabled by default "out of the box".


Before you can configure your CAST AIP web applications to use SAML authentication, the following prerequisites must already be in place:

CAST AIP web applications deployed and functioningThe CAST AIP web applications must be deployed and functioning before you can proceed. In particular you must ensure that any roles and data authorizations are already configured.
Apache Tomcat configured for HTTPSThe Apache Tomcat host server and any CAST AIP web applications must be configured to use the HTTPS protocol. See Configuring the use of secure https protocol with Tomcat for the CAST web applications for more information.
FederationMetadata.xmlThis file must be provided by your IT administrators before you can proceed.
Key pair generation

A public/private key pair must be generated on the Apache Tomcat host server in a dedicated keystore to allow encrypted communication with the Active Directory Federation Server (ADFS). See below for more information.

Note: Dashboard supports the SAML Keystore file, which is generated using the SHA256 algorithm. 

Supported versions of SAML


Configuration process

Request FederationMetadata.xml

You must request the FederationMetadata.xml file from your IT administrators. When you have received the file, you should store it in a location that can be accessed from the CAST AIP web application, within the Apache Tomcat installation location. For example:

Code Block
Windows: D:/apache-tomcat/conf/FederationMetadata.xml
Linux: file:/opt/apache-tomcat/conf/FederationMetadata.xml

Key pair generation

A public/private key pair must be generated on the Apache Tomcat host server in a dedicated keystore to allow encrypted communication with the Active Directory Federation Server (ADFS). This keystore should be specific to the SAML configuration. To do so, you need to use the keytool command line utility (provided with the JRE - see for more information) on the workstation on which the web application server is running. For example:

Code Block
%JAVA_HOME%\keytool -genkeypair -alias <some-alias> -keyalg RSA -keypass <keypass> -keystore <samlKeystore.jks> -storepass <storepass>


-aliasChoose an alias that is specific to the key pair.

This configured a password that is used to protect the private key of the generated key pair. The value must be at least 6 characters.


Choose a keystore location in which to store the key pair, for example:

Code Block
Windows: D:/apache-tomcat/conf/samlKeystore.jks
Linux: /opt/apache-tomcat/conf/samlKeystore.jks

-storepassChoose a password to protect the keystore.

Activate and configure the authentication mode in the CAST AIP web application

Activation and configuration of the SAML authentication mode is governed by the configuration file within the CAST AIP web application:

Code Block

To activate the SAML authentication mode, change the following line. For example, to change from the Default authentication security mode to SAML, do as follows. Change:

Code Block


Code Block

Save the file.

Configure SAML authentication

Find the SAML paremeters section in the configuration file and modify each uncommented line to match the items you have already configured. Save the file when complete.

Code Block
# Parameters for saml mode
# ------------------------
# idp metadata file
# attribute name for group in saml response
# Key store path
# key store password
# Key alias
# Key password
# is Single Logout implemented in the customer IDP ?


Location of the FederationMetadata.xml file.

Name of the group attribute (please discuss with your IT administrators if the example provided in is not satisfactory).


Location of the keystore you created previously.


The keystore password you created previously (corresponds to the -storepass option for keytool)


The keystore alias you created previously.


The key password you created previously (corresponds to the -keypass option for keytool).


If SAML authentication is in operation, but no Single Logout service is provided in the IdP, you can force the dashboard to handle this situation gracefully and display a message explaining what to do by setting the option to true (default):

Image Added

Restart Apache Tomcat

Now restart your Apache Tomcat server so that the changes you made are taken into account.

Generate spring_metadata

When you have successfully restarted the Apache Tomcat host server, please browse to the following URL to generate the spring_metadata:

Code Block

This will download a file called spring_saml_metadata.xml. Send this file to your IT administrators who will then register it in the ADFS allowing users to login to the web application.

User groups and roles

The CAST AIC Portal provides a means to restrict access to certain functions through the use of groups and roles. Currently, two roles are available: