This mode is not enabled by default "out of the box". PrerequisitesBefore you can configure your CAST AIP web applications to use SAML authentication, the following prerequisites must already be in place: | CAST AIP web applications deployed and functioning | The CAST AIP web applications must be deployed and functioning before you can proceed. In particular you must ensure that any roles and data authorizations are already configured. |
|---|
| Apache Tomcat configured for HTTPS | The Apache Tomcat host server and any CAST AIP web applications must be configured to use the HTTPS protocol. See Configuring the use of secure https protocol with Tomcat for the CAST web applications for more information. |
|---|
| FederationMetadata.xml | This file must be provided by your IT administrators before you can proceed. |
|---|
| Key pair generation | A public/private key pair must be generated on the Apache Tomcat host server in a dedicated keystore to allow encrypted communication with the Active Directory Federation Server (ADFS). See below for more information. Note: Dashboard supports the SAML Keystore file, which is generated using the SHA256 algorithm. |
|---|
Supported versions of SAML| Version | Supported |
|---|
| 2.0 |  | | 1.1 |  | | 1.0 | |
Configuration processYou must request the FederationMetadata.xml file from your IT administrators. When you have received the file, you should store it in a location that can be accessed from the CAST AIP web application, within the Apache Tomcat installation location. For example: | Code Block |
|---|
| Windows: D:/apache-tomcat/conf/FederationMetadata.xml
Linux: file:/opt/apache-tomcat/conf/FederationMetadata.xml |
Key pair generationA public/private key pair must be generated on the Apache Tomcat host server in a dedicated keystore to allow encrypted communication with the Active Directory Federation Server (ADFS). This keystore should be specific to the SAML configuration. To do so, you need to use the keytool command line utility (provided with the JRE - see https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html for more information) on the workstation on which the web application server is running. For example: | Code Block |
|---|
| %JAVA_HOME%\keytool -genkeypair -alias <some-alias> -keyalg RSA -keypass <keypass> -keystore <samlKeystore.jks> -storepass <storepass> |
Where: | -alias | Choose an alias that is specific to the key pair. |
|---|
| -keypass | This configured a password that is used to protect the private key of the generated key pair. The value must be at least 6 characters. |
|---|
| -keystore | Choose a keystore location in which to store the key pair, for example: | Code Block |
|---|
| Windows: D:/apache-tomcat/conf/samlKeystore.jks
Linux: /opt/apache-tomcat/conf/samlKeystore.jks |
|
|---|
| -storepass | Choose a password to protect the keystore. |
|---|
Activation and configuration of the SAML authentication mode is governed by the security.properties configuration file within the CAST AIP web application: | Code Block |
|---|
| CATALINA_HOME\webapps\<deployed_war_file>\WEB-INF\security.properties |
To activate the SAML authentication mode, change the following line. For example, to change from the Default authentication security mode to SAML, do as follows. Change: | Code Block |
|---|
| security.mode=default |
to: | Code Block |
|---|
| security.mode=saml |
Save the security.properties file. Find the SAML paremeters section in the security.properties configuration file and modify each uncommented line to match the items you have already configured. Save the security.properties file when complete. | Code Block |
|---|
| # Parameters for saml mode
# ------------------------
# idp metadata file
security.saml.idp.metadata.location=file:/opt/apache-tomcat/conf/FederationMetadata.xml
# attribute name for group in saml response
security.saml.idp.metadata.group.attribute.name=http://schemas.xmlsoap.org/claims/Group
# Key store path
security.saml.keystore.path=file:/opt/apache-tomcat/conf/myKeystore.jks
# key store password
security.saml.keystore.password=changeit
# Key alias
security.saml.key.alias=somealias
# Key password
security.saml.key.password=changeit
# is Single Logout implemented in the customer IDP ?
security.saml.single.logout=true |
| security.saml.idp.metadata.location | Location of the FederationMetadata.xml file. |
|---|
security.saml.idp.metadata.group.attribute.name | Name of the group attribute (please discuss with your IT administrators if the example provided in security.properties is not satisfactory). |
|---|
security.saml.keystore.path | Location of the keystore you created previously. |
|---|
security.saml.keystore.password | The keystore password you created previously (corresponds to the -storepass option for keytool) |
|---|
security.saml.key.alias | The keystore alias you created previously. |
|---|
security.saml.key.password | The key password you created previously (corresponds to the -keypass option for keytool). |
|---|
security.saml.single.logout | If SAML authentication is in operation, but no Single Logout service is provided in the IdP, you can force the dashboard to handle this situation gracefully and display a message explaining what to do by setting the option to true (default):  Image Added
|
|---|
Restart Apache TomcatNow restart your Apache Tomcat server so that the changes you made are taken into account. When you have successfully restarted the Apache Tomcat host server, please browse to the following URL to generate the spring_metadata: | Code Block |
|---|
| https://tomcat/<deployed_war_file>/saml/metadata |
This will download a file called spring_saml_metadata.xml. Send this file to your IT administrators who will then register it in the ADFS allowing users to login to the web application. | 