October 14, SAML 2 Quick Start Guide

Similar documents
Oracle Hospitality OPERA Exchange Interface Cloud Authentication. October 2017

October 14, Business Intelligence Connector Guide

Oracle Utilities Opower Solution Extension Partner SSO

What s New for Cloud at Customer What's New for the Cloud Services on Oracle Cloud at Customer New Documentation for Oracle Cloud at Customer

Oracle Hospitality Query and Analysis Languages and Translation Configuration Guide. March 2016

Oracle Hospitality Suite8 Export to Outlook User Manual Release 8.9. July 2015

Oracle Communications Configuration Management

Report Management and Editor!

Recipe Calculation Survey. Materials Control. Copyright by: MICROS-FIDELIO GmbH Europadamm 2-6 D Neuss Date: August 21 st 2007.

Oracle Hospitality MICROS Commerce Platform Release Notes Release Part Number: E December 2015

PeopleSoft Fluid Required Fields Standards

Oracle Enterprise Manager Ops Center

Oracle Hospitality Cruise Shipboard Property Management System Topaz Signature Device Installation Guide Release 8.00 E

Oracle Cloud E

Security Guide Release 4.0

Materials Control. Account Classes. Product Version Account Classes. Document Title: Joerg Trommeschlaeger

Database Change Reference Release 6.3

JavaFX. JavaFX System Requirements Release E

Oracle Enterprise Manager Ops Center. Introduction. What You Will Need. Installing and Updating Local Software Packages 12c Release

Export generates an empty file

Oracle Retail MICROS Stores2 Functional Document Sales - Receipt List Screen Release September 2015

Oracle Cloud What's New for Oracle WebCenter Portal Cloud Service

Copyright 1998, 2009, Oracle and/or its affiliates. All rights reserved.

Oracle Utilities Opower Custom URL Configuration

Oracle Hospitality Suite8 XML Export of Invoice Data for Hungarian Tax Authority Release and Higher E November 2016

Oracle. Field Service Cloud Using Android and ios Mobile Applications 18B

Oracle Utilities Work and Asset Management

PeopleSoft Fluid Icon Standards

New Features in Primavera Professional 15.2

Defining Constants and Variables for Oracle Java CAPS Environments

Oracle Utilities Customer Self Service

Materials Control. Purchase Orders Internal Attachments. Product Version: Attachments Joerg Trommeschlaeger.

Oracle Enterprise Manager Ops Center. Introduction. What You Will Need

JD Edwards EnterpriseOne Licensing

Oracle Enterprise Manager Ops Center. Introduction. What You Will Need. Creating vservers 12c Release 1 ( )

OKM Key Management Appliance

Spend less on file attachment storage space Reliably back up your data or file attachments Use your OpenAir data in your reporting tools

Oracle Fusion Middleware Oracle Stream Analytics Release Notes. 12c Release ( )

Managing Zone Configuration

Release Notes for Oracle GoldenGate for Big Data 12c ( )

Oracle Hospitality BellaVita Hardware Requirements. June 2016

Oracle Communications Order and Service Management. OSM New Features

Oracle Payment Interface Installation and Reference Guide Release E April 2018

Oracle Hospitality RES 3700 Server Setup Guide Release 5.5 E May 2016

Microsoft Active Directory Plug-in User s Guide Release

What s New for Oracle Cloud Stack Manager. Topics: July Oracle Cloud. What's New for Oracle Cloud Stack Release

Oracle Linux. UEFI Secure Boot Signing Key Update Notice

Oracle Enterprise Manager Ops Center. Introduction. What You Will Need. Hardware and Software Configuration

Materials Control Recipe Reduction based on Article Defaults

Managing Personally Identifiable Information in P6 Professional

Contents About Connecting the Content Repository... 5 Prerequisites for Configuring a Content Repository and Unifier... 5

Taleo Enterprise Deep Linking Configuration Guide Release 17

Oracle Utilities Opower Energy Efficiency Web Portal - Classic Single Sign-On

Oracle Hospitality Simphony First Edition Venue Management (SimVen) Installation Guide Release 3.8 Part Number: E

Oracle Communications Policy Management Configuring NetBackup for Upgrade Method of Procedure

Oracle Simphony Venue Management (SimVen) Installation Guide Release Part Number: E

Quick Start for Coders and Approvers

Modeling Network Integrity Release 7.3.1

Oracle Communications Convergent Charging Controller. Sample Message Flows Reference Guide Release 6.0.1

Oracle Hospitality Simphony Engagement Cloud Service Release Notes Release 2.0 E January 2016

Oracle Retail MICROS Stores2 Functional Document Stores2 for Portugal Disaster Recovery Release

Documentation Accessibility. Access to Oracle Support

Oracle. Field Service Cloud Using the Parts Catalog

Oracle Database Mobile Server

Oracle Transportation Mobile. Guide Release 1.3 Part No. E

Oracle mymicros.net, icare, myinventory and mylabor Self Host Release Notes Release v April 2015

Oracle Argus Safety. 1 Configuration. 1.1 Configuring a Reporting Destination for the emdr Profile. emdr Best Practices Document Release 8.0.

Oracle Hospitality BellaVita Adding a New Language Release 2.7. September 2015

1 Understanding the Cross Reference Facility

Materials Control. Installation MC POSWebService. Product Version Joerg Trommeschlaeger. Date: Version No. of Document: 1.

Materials Control. Application Translation. Product Version Translation Joerg Trommeschlaeger. Document Title:

Oracle Utilities Work and Asset Cloud Service End-User Provisioning Guide

Oracle Cloud Known Issues for Trial and Paid Subscriptions. Release 18.1

Oracle Enterprise Manager

Oracle Utilities Meter Data Management Release Utility Reference Model Maintain Generic Usage Subscription

General Security Principles

Oracle Enterprise Manager Ops Center

Oracle SQL Developer Web Accessibility Guide. Release 18.1

Contents About This Guide... 5 Installing P6 Professional API... 7 Authentication Modes... 9 Legal Notices... 14

Oracle Cloud Using the Google Calendar Adapter with Oracle Integration

Module Code Entries Utility Oracle FLEXCUBE Universal Banking Release [December] [2016]

Oracle Retail MICROS Stores2 Functional Document Malta Taxation Release July 2017

Oracle Enterprise Manager Ops Center. Overview. What You Need. Create Oracle Solaris 10 Zones 12c Release 3 ( )

Oracle Cloud Using the Google Calendar Adapter. Release 17.3

Oracle Utilities Advanced Spatial and Operational Analytics

Oracle Enterprise Manager Ops Center. Introduction. What You Will Need

Oracle Human Capital Management Cloud Using the HCM Mobile Application. Release 13 (update 18C)

Microsoft Internet Information Services (IIS) Plug-in User s Guide Release

Installer Troubleshooting Oracle FLEXCUBE Universal Banking Release [October] [2015]

Apple Safari Settings Oracle FLEXCUBE Release [May] [2017]

Oracle Banking Channels Bank User Base

Oracle Fusion Middleware Oracle Cloud Adapters Postinstallation Configuration Guide. 12c Release ( )

Oracle Utilities Work and Asset Management

Live Help On Demand Analytics

Oracle Public Sector Revenue Management Self Service

Oracle Hospitality Cruise Meal Count System Security Guide Release 8.3 E

Oracle Hospitality e7 Point-of-Sale Release Notes. Release 4.2

Oracle Enterprise Manager Ops Center. Introduction. Provisioning Oracle Solaris 10 Operating Systems 12c Release 2 ( )

Oracle. Sales Cloud Using Sales for Outlook. Release 13 (update 18A)

Oracle Cloud. Using the Google Calendar Adapter Release 16.3 E

Transcription:

October 14, 2017

Copyright 2013, 2017, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be errorfree. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government. This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.

Table of Contents OpenAir... 1 Identity Provider Setup... 1 Provider Integration Setup... 1 OpenAir Account Configuration... 8

OpenAir 1 OpenAir Identity Provider Setup This section details OpenAir Service Provider authentication attribute mapping. Below are the relevant SAML assertion fields for exchanges. The mapping describes the relationship between SAML attributes to OpenAir login identifiers. These attributes must be included in all SAML assertions, unless otherwise marked as [Optional]. 1. SAML NameID: OpenAir user nickname which represents the unique user nicknames defined in the OpenAir account. Note: If this field does not send the user s nickname as a persistent attribute, then the provider must follow Step 3 below. 2. SAML assertion string attribute account_nickname: OpenAir company name. This is the name of your OpenAir account. 3. [Optional] SAML assertion string attribute user_nickname: alternate OpenAir user nickname. If specified, the user_nickname takes precedence over NameID for identifying the user. Use of this attribute provides the IdP with an option to use a transient NameID for session management, while still providing the user nickname for OpenAir authentication. Note: OpenAir does not support multiple identity providers. For example, customers cannot use both OKTA and Azure at the same time. Provider Integration Setup The steps below describe one-time setup requirements necessary before assertions can be exchanged between the IdP and OpenAir SP endpoints. 1. The Identity Provider should provide OpenAir with a copy of their service metadata, or a URL at which we can access it. 2. OpenAir SAML metadata is available for download at the following URLs: Sandbox (test) https://sandbox.openair.com/saml.pl?o=b Production https://www.openair.com/saml.pl?o=b 3. Integration testing should be performed in a sandbox server account. You should plan to provide an active SAML identity provider instance for our sandbox integration, for future support and troubleshooting. 4. The Identity Provider must support Redirect/POST SSO assertions as the default exchange method. All assertions must be signed. SAML assertion encryption is optional, but recommended. 5. Any Vendor-specific IdP custom configuration requirements should be accounted for. The following are custom configuration requirements for known IdP products. All steps assume the IdP has created an SP profile via OpenAir SP metadata first. PingFederate 6 or later 1. Manually choose POST as the primary exchange method (IdP to SP). Otherwise, the Artifact endpoint may be incorrectly used as the default.

Provider Integration Setup 2 2. In Single Log-Out (SLO) options, manually remove query string parameters such as?o=q or?o=s from the URLs. This avoids malformed assertions, a known issue in PF 6.0 and 6.1. 3. Enable the following setting: SP configuration > Protocol Settings > Signature Policy > Always sign the SAML assertion. Microsoft Active Directory Federation Services 2 1. In the SP configuration Identifiers tab, be sure to specify two identifiers representing the entityid, one with the?o=b query string and one without. 2. In the SP configuration Advanced tab, specify SHA-1 as the Secure hash algorithm. Shibboleth 2 Note: The ADFS 2 default, SHA-256, is not supported at this time. Shibboleth requires custom OpenAir authentication attribute mapping. These attributes should be used instead of those described in Identity Provider Setup. Okta 1. SAML assertion NameID: IdP-defined, transient session ID. This attribute is expected, but not used directly in OpenAir authentication. 2. SAML assertion attribute edupersonentitlement: OpenAir domain and OpenAir company name. This should contain both the service provider domain, sub-domain, and company name. The format is: urn:mace: <domain>: <server instance>:account_nickname: <account nickname> No special steps are needed. OneLogin No special steps are needed. Symplified 1. Generic SAML plugin with SAML Metadata export extension (separate purchase) For example, if assertions for an account called Sample Account are sent to the OpenAir production site, the attribute value would be: urn:mace: openair.com:production:account_nickname: SampleAccount For non-production OpenAir servers, <serverinstance> must exactly match the sub-domain, as in the following example for sandbox.openair.com: urn:mace: openair.com:sandbox:account_nickname: SampleAccount 2. SAML assertion attribute edupersonprincipalname: OpenAir user nickname The common format for this Shibboleth attribute is an email address, for example: user@someschool.edu Microsoft AD FS 3.0 Follow these steps to set up Microsoft AD FS 3.0: SSO to OpenAir: 1. Make sure that you have installed the following patches on your AD FS server: Windows Server 2008 KB2896713 This patch fixes a problem which appeared in KB2843638, when error message MSIS0038 (SAML Message has wrong signature) would appear even for correct signatures. Windows Server 2012 (R2) KB3003381 Again fixes the incorrect MSIS0038 error reported in AD FS 2.0 and AD FS 3.0 2. Install AD FS 3.0 on Windows Server.

Provider Integration Setup 3 3. Download the AD FS Metadata XML from the following location: https://{your_federation_server_name}/federationmetadata/2007 06/ federationmetadata.xml 4. In AD FS 3.0, open the Add Relying Party Trust Wizard. Click Start. 5. On the Select Data Source step, select Import data about the relying party published online or on a local network, and enter one of the following in the Federation metadata address (host name or URL) field https://sandbox.openair.com/saml.pl?o=b (Sandbox metadata for testing) https://www.openair.com/saml.pl?o=b (Production metadata) Note: This procedure uses the Sandbox metadata in its examples. To set up AD FS in Production, replace the references to the Sandbox URLs with the Production URLs. Click Next. 6. Click OK when the following warning appears: AD FS Management: Some of the content in the federation metadata was skipped because it is not supported by AD FS. Review the properties of the trust carefully before you save the trust to the AD FS configuration database. 7. On the Specify Display Name step, enter a name for the Relying Party Trust in the Display name field. Click Next. 8. On the Configure Multi-factor Authentication Now? step, select I do not want to configure multi-factor authentication settings for this relying party trust at this time. Click Next. 9. On the Choose Issuance Authorization Rules step, select the option permitted by your company s policies or preferences. Click Next. 10. Click Next on the Ready to Add Trust step. 11. On the Finish step, clear the Open the Edit Claim Rules dialog... option and click Close on the Finish step. 12. Go to the Relying Party Trusts menu in AD FS, right-click the Relying Party Trust name you entered in step 7, and click Properties.

Provider Integration Setup 4 13. Click the Monitoring tab and clear the Monitor relying party option. Click Apply. 14. In the Encryption tab, click Remove and click Yes in the confirmation message. 15. In the Signature tab, confirm that a certificate still appears in the list. 16. In the Identifiers tab, confirm that the https://sandbox.openair.com/saml.pl?o=b link appears, enter the following into the Relying party identifier field, and click Add: https://sandbox.openair.com/saml.pl 17. Click OK to close the Properties. You will now need to create claim rules for your account s Company ID and nameid/user Name. The following steps set up examples of these Claim Rules. Please note that your company s specific claim rules may appear differently depending on what you use for nameid or companyid. See Identity Provider Setup for more details. Set Up a Claim Rule Using E-mail Address as NameID 1. Go to the Relying Party Trusts menu in AD FS and right click the OpenAir Relying Party Trust. Click Edit Claim Rules... 2. Click Add rule... 3. In the Choose Rule Type step, select Send LDAP Attributes as Claims for the Claim rule template. Click Next.

Provider Integration Setup 5 4. In the Configure Claim Rule step: Enter a name for the rule in the Claim rule name field. Select Active Directory from the Attribute store dropdown list. Select E-Mail-Addresses in the LDAP Attribute list. Select E-Mail Address in the Outgoing Claim Type list. Click Finish. Set Up a Claim Rule to Transform an Incoming Claim 1. Go to the Relying Party Trusts menu in AD FS and right click the OpenAir Relying Party Trust. Click Edit Claim Rules... 2. Click Add rule... 3. In the Choose Rule Type step, select Transform an Incoming Claim for the Claim rule template. Click Next.

Provider Integration Setup 6 4. In the Configure Claim Rule step: Enter a name for the rule in the Claim rule name field. Select E-Mail Address in the Incoming claim type dropdown list. Select Name ID in the Outgoing claim type dropdown list. Select Unspecified in the Outgoing name ID format dropdown list. Select E-Mail Address in the Outgoing Claim Type list. Select the Pass through all claim values radio button. Click Finish.

Provider Integration Setup 7 Set up a Claim Rule for a CompanyID 1. Go to the Relying Party Trusts menu in AD FS and right click the OpenAir Relying Party Trust. Click Edit Claim Rules... 2. Click Add rule... 3. In the Choose Rule Type step, select Send Claims Using a Custom Rule. Click Next. 4. In the Configure Claim Rule step: Enter a name for the rule in the Claim rule name field. Enter => issue(type = account_nickname, Value = testaccount ); in the Custom rule field. Note: You should replace testaccount in this example with your company s account nickname. Click Finish. 18. Open a web browser and test your connection at the following address: https://{your_federation_server_name}/adfs/ls/idpinitiatedsignon.aspx

OpenAir Account Configuration 8 OpenAir Account Configuration OpenAir Customer Service or Professional Services can enable the SAML feature on request in your OpenAir account. Once enabled, additional account settings for customizing your SAML user experience will be available at Administration > Integration: SAML Single Sign-On.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback