This mode is not enabled by default "out of the box".
Before you can configure your CAST AIP web applications to use SAML authentication, the following prerequisites must already be in place:
|CAST AIP web applications deployed and functioning||The CAST AIP web applications must be deployed and functioning before you can proceed. In particular you must ensure that any roles and data authorizations are already configured.|
|Apache Tomcat configured for HTTPS||The Apache Tomcat host server and any CAST AIP web applications must be configured to use the HTTPS protocol. See Configuring the use of secure https protocol with Tomcat for the CAST web applications for more information.|
|FederationMetadata.xml||This file must be provided by your IT administrators before you can proceed.|
|Key pair generation|
A public/private key pair must be generated on the Apache Tomcat host server in a dedicated keystore to allow encrypted communication with the Active Directory Federation Server (ADFS). See below for more information.
Note: Dashboard supports the SAML Keystore file, which is generated using the SHA256 algorithm.
Supported versions of SAML
You must request the FederationMetadata.xml file from your IT administrators. When you have received the file, you should store it in a location that can be accessed from the CAST AIP web application, within the Apache Tomcat installation location. For example:
Key pair generation
A public/private key pair must be generated on the Apache Tomcat host server in a dedicated keystore to allow encrypted communication with the Active Directory Federation Server (ADFS). This keystore should be specific to the SAML configuration. To do so, you need to use the keytool command line utility (provided with the JRE - see https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html for more information) on the workstation on which the web application server is running. For example:
%JAVA_HOME%\keytool -genkeypair -alias <some-alias> -keyalg RSA -keypass <keypass> -keystore <samlKeystore.jks> -storepass <storepass>
|-alias||Choose an alias that is specific to the key pair.|
This configured a password that is used to protect the private key of the generated key pair. The value must be at least 6 characters.
Choose a keystore location in which to store the key pair, for example:
|-storepass||Choose a password to protect the keystore.|
Activate and configure the authentication mode in the CAST AIP web application
Activation and configuration of the SAML authentication mode is governed by the security.properties configuration file within the CAST AIP web application:
To activate the SAML authentication mode, change the following line. For example, to change from the Default authentication security mode to SAML, do as follows. Change:
Save the security.properties file.
Configure SAML authentication
Find the SAML paremeters section in the security.properties configuration file and modify each uncommented line to match the items you have already configured. Save the security.properties file when complete.
# Parameters for saml mode
# idp metadata file
# attribute name for group in saml response
# Key store path
# key store password
# Key alias
# Key password
# is Single Logout implemented in the customer IDP ?
Location of the FederationMetadata.xml file.
Name of the group attribute (please discuss with your IT administrators if the example provided in security.properties is not satisfactory).
Location of the keystore you created previously.
The keystore password you created previously (corresponds to the -storepass option for keytool)
The keystore alias you created previously.
|The key password you created previously (corresponds to the -keypass option for keytool).|
If SAML authentication is in operation, but no Single Logout service is provided in the IdP, you can force the dashboard to handle this situation gracefully and display a message explaining what to do by setting the option to true (default):
Restart Apache Tomcat
Now restart your Apache Tomcat server so that the changes you made are taken into account.
When you have successfully restarted the Apache Tomcat host server, please browse to the following URL to generate the spring_metadata:
This will download a file called spring_saml_metadata.xml. Send this file to your IT administrators who will then register it in the ADFS allowing users to login to the web application.