...

Warning

CAST AIC Portal is unsupported. We encourage you to switch to AIP Console.

Target audience:

CAST AI Administrators

...

  • Following any changes you make, save the security.properties file and then restart your application server so that the changes are taken into account.

SAML mode

...


This mode is not enabled by default "out of the box".

Prerequisites

Before you can configure your CAST AIP web applications to use SAML authentication, the following prerequisites must already be in place:

CAST AIP web applications deployed and functioning

The CAST AIP web applications must be deployed and functioning before you can proceed. In particular you must ensure that any roles and data authorizations are already configured.

Apache Tomcat configured for HTTPS

The Apache Tomcat host server and any CAST AIP web applications must be configured to use the HTTPS protocol. See Configuring the use of secure https protocol with Tomcat for the CAST web applications for more information.

FederationMetadata.xml

This file must be provided by your IT administrators before you can proceed.

Key pair generation

A public/private key pair must be generated on the Apache Tomcat host server in a dedicated keystore to allow encrypted communication with the Active Directory Federation Server (ADFS). See below for more information.

Note: the dashboard supports a SAML keystore file generated using the SHA256 algorithm.

Supported versions of SAML

Version    Supported
2.0        Yes
1.1        No
1.0        No

Configuration process

Request FederationMetadata.xml

You must request the FederationMetadata.xml file from your IT administrators. When you have received the file, you should store it in a location that can be accessed from the CAST AIP web application, within the Apache Tomcat installation location. For example:

    Windows: D:/apache-tomcat/conf/FederationMetadata.xml
    Linux: file:/opt/apache-tomcat/conf/FederationMetadata.xml

Key pair generation

A public/private key pair must be generated on the Apache Tomcat host server in a dedicated keystore to allow encrypted communication with the Active Directory Federation Server (ADFS). This keystore should be specific to the SAML configuration. To do so, you need to use the keytool command line utility (provided with the JRE - see https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html for more information) on the workstation on which the web application server is running. For example:

    %JAVA_HOME%\keytool -genkeypair -alias <some-alias> -keyalg RSA -keypass <keypass> -keystore <samlKeystore.jks> -storepass <storepass>

Where:

-alias

Choose an alias that is specific to the key pair.

-keypass

This configures a password that is used to protect the private key of the generated key pair. The value must be at least 6 characters.

-keystore

Choose a keystore location in which to store the key pair, for example:

    Windows: D:/apache-tomcat/conf/samlKeystore.jks
    Linux: /opt/apache-tomcat/conf/samlKeystore.jks

-storepass

Choose a password to protect the keystore.

Activate and configure the authentication mode in the CAST AIP web application

Activation and configuration of the SAML authentication mode is governed by the security.properties configuration file within the CAST AIP web application:

    CATALINA_HOME\webapps\<deployed_war_file>\WEB-INF\security.properties

To activate the SAML authentication mode, edit the security.mode line. For example, to switch from the default authentication mode to SAML, change:

    security.mode=default

to:

    security.mode=saml

Save the security.properties file.

Configure SAML authentication

Find the SAML parameters section in the security.properties configuration file and modify each uncommented line to match the items you have already configured. Save the security.properties file when complete.

    # Parameters for saml mode
    # ------------------------
    # idp metadata file
    security.saml.idp.metadata.location=file:/opt/apache-tomcat/conf/FederationMetadata.xml
    # attribute name for group in saml response
    security.saml.idp.metadata.group.attribute.name=http://schemas.xmlsoap.org/claims/Group
    # Key store path
    security.saml.keystore.path=file:/opt/apache-tomcat/conf/myKeystore.jks
    # key store password
    security.saml.keystore.password=changeit
    # Key alias
    security.saml.key.alias=somealias
    # Key password
    security.saml.key.password=changeit
    # is Single Logout implemented in the customer IDP ?
    security.saml.single.logout=true


security.saml.idp.metadata.location

Location of the FederationMetadata.xml file.

security.saml.idp.metadata.group.attribute.name

Name of the group attribute (please discuss with your IT administrators if the example provided in security.properties is not satisfactory).

security.saml.keystore.path

Location of the keystore you created previously.

security.saml.keystore.password

The keystore password you created previously (corresponds to the -storepass option for keytool).

security.saml.key.alias

The keystore alias you created previously.

security.saml.key.password

The key password you created previously (corresponds to the -keypass option for keytool).

security.saml.single.logout

If SAML authentication is in operation, but no Single Logout service is provided in the IdP, you can force the dashboard to handle this situation gracefully and display a message explaining what to do by setting the option to true (default).

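As an added example (not part of CAST's documentation or tooling), the following Python script parses the SAML section of security.properties and flags the mistakes the steps above guard against: security.mode still set to default, a required parameter missing, and the example passwords or alias from the shipped file left in place. The property names are the ones listed above; the sample file content is constructed inline.

```python
import re
# Keys the SAML section of security.properties must define (from this page).
REQUIRED_KEYS = (
    "security.saml.idp.metadata.location", "security.saml.idp.metadata.group.attribute.name",
    "security.saml.keystore.path", "security.saml.keystore.password",
    "security.saml.key.alias", "security.saml.key.password", "security.saml.single.logout",
)
# Example values from the shipped file: left in place, a well-known password protects the key.
EXAMPLE_VALUES = {"changeit", "somealias"}

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props

def check_saml_config(text):
    """Return a list of findings; an empty list means the section looks sane."""
    props = parse_properties(text)
    findings = []
    if props.get("security.mode") != "saml":
        findings.append("security.mode is not set to saml")
    findings += [f"missing {k}" for k in REQUIRED_KEYS if k not in props]
    for key in ("security.saml.keystore.password", "security.saml.key.password"):
        value = props.get(key, "")
        if value in EXAMPLE_VALUES:
            findings.append(f"{key} still uses the example value")
        elif len(value) < 6:  # keytool refuses passwords shorter than this
            findings.append(f"{key} is shorter than 6 characters")
    if props.get("security.saml.key.alias") in EXAMPLE_VALUES:
        findings.append("security.saml.key.alias still uses the example value")
    if props.get("security.saml.single.logout") not in ("true", "false"):
        findings.append("security.saml.single.logout must be true or false")
    return findings

# Constructed sample: the page's excerpt with security.mode switched to saml.
SAMPLE_AS_SHIPPED = """security.mode=saml
security.saml.idp.metadata.location=file:/opt/apache-tomcat/conf/FederationMetadata.xml
security.saml.idp.metadata.group.attribute.name=http://schemas.xmlsoap.org/claims/Group
security.saml.keystore.path=file:/opt/apache-tomcat/conf/myKeystore.jks
security.saml.keystore.password=changeit
security.saml.key.alias=somealias
security.saml.key.password=changeit
security.saml.single.logout=true
"""
```

Running check_saml_config on the shipped excerpt reports the three example values; once they are replaced with the values chosen during key pair generation, the list is empty.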

Restart Apache Tomcat

Now restart your Apache Tomcat server so that the changes you made are taken into account.

Generate spring_metadata

When you have successfully restarted the Apache Tomcat host server, please browse to the following URL to generate the spring_metadata:

    https://tomcat/<deployed_war_file>/saml/metadata

This will download a file called spring_saml_metadata.xml. Send this file to your IT administrators, who will then register it in the ADFS, allowing users to log in to the web application.

User groups and roles

The CAST AIC Portal provides a means to restrict access to certain functions through the use of groups and roles. Currently, two roles are available:

...