SAML with ADFS Setup Guide


Version 1.0
Corresponding Software Version: 4.2

This document is copyright of the Celonis SE. Distribution or reproduction are only permitted by written approval of the Celonis SE. Usage is only permitted if a valid software license is available.

Index

Notes
Set up your config values
Set up your certificates
Retrieve SAML Meta Data from your Identity Provider (ADFS)
Generate Meta Data from your Celonis Server
Register your service as a relying party in ADFS
Configure additional attributes
Test your setup

2017 Celonis SE SAML with ADFS Setup Guide 2

Notes

This guide describes the setup of SAML for use in Celonis. If you set up ADFS from scratch, make sure to install ADFS Version 2.0; older ADFS versions do not yet have SAML support built in. For reference, please refer to https://technet.microsoft.com/de-de/library/dd807092(v=ws.10)

Set up your config values

You set up SAML for Celonis by adding the following lines to your custom-config.properties file. The following configuration options are available when using SAML with Celonis:

# SAML Configuration
# ------------------
# To enable SAML based authentication, set active to true
saml.active=true

# The SAML claim attribute which contains a list of groups of the authenticated user
saml.claims.groups=http://schemas.xmlsoap.org/claims/group
# The SAML claim attribute which contains the first name of the user
saml.claims.firstname=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
# The SAML claim attribute which contains the last name of the user
saml.claims.lastname=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
# The SAML claim attribute which contains the email address of the user
saml.claims.emailaddress=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

# Set to true to automatically create all groups the user is mapped to
saml.groups.autocreate=false
# Set to true to automatically assign all groups the user is mapped to.
# When using autocreate, this is automatically set to true
saml.groups.autoassign=false
# Set to true to automatically create users when they log in
saml.users.autocreate=false
# Enter a group name which is required for users to be able to log in (and be created).
# Note that all group names are Case Sensitive
saml.users.requiredgroup=testgroup

# Key store settings for SAML
saml.keystore.path=e:/work/saml-example/samlkeystore.jks
saml.keystore.password=somepw
# The name of the key in the keystore to be used for encryption and signing
saml.keystore.keyname=somekey
saml.keystore.keypassword=somepw

# SAML Entity configuration
saml.entityid=de:celonis:pm:samldemo

# SAML Metadata Configuration. Right now, Celonis only supports static metadata configuration.
saml.metadatapath=e:/work/saml-example/federationmetadata.xml

The options which are mandatory and should be customized in any case are the keystore, the metadata path and the entity ID. The entity ID is used to identify your service to the ADFS server. The federation metadata can be retrieved from your ADFS server and describes the service endpoint (containing the certificates used for encryption and signature). Note that Celonis only supports local meta data right now; no HTTP based meta data retrieval is implemented.

Set up your certificates

IMPORTANT: It is highly recommended to use the supplied keytool located in <sappminstalldir>/jre/bin/keytool

When using SAML, you need to generate certificates for your server. These certificates can either come from your enterprise certification authority or, for testing, you can use a self-signed certificate. For the application to be able to access these certificates, both the private key and the public key have to be available in a JKS key store.

To generate a self-signed certificate, use the following command (note that the key has to be an RSA key):

keytool -genkeypair -alias somekey -keyalg RSA -keysize 2048 -keypass somepw -keystore samlkeystore.jks

To import an existing certificate provided by a Certification Authority (e.g. in PFX format), use the following command:

keytool -importkeystore -srckeystore key.p12 -srcstoretype PKCS12 -srcstorepass password \
    -alias some-alias -destkeystore samlkeystore.jks -destalias some-alias \
    -destkeypass changeit

The values used here for the alias, the passwords and the keystore file name have to be updated in the config file (saml.keystore.path, saml.keystore.password, saml.keystore.keyname and saml.keystore.keypassword).

This is the output of the certificate setup used in this guide.

Retrieve SAML Meta Data from your Identity Provider (ADFS)

In the next step, and before finishing the setup, we need to retrieve the SAML meta data from our Identity Provider. To retrieve SAML meta data from the Identity Provider, use the following URL in a browser:

https://myserver.domain.com/federationmetadata/2007-06/federationmetadata.xml

where myserver.domain.com is the ADFS server. In our example, ADFS is installed on testdc.test.celonis.corp, so the URL is https://testdc.test.celonis.corp/federationmetadata/2007-06/federationmetadata.xml

This file should be stored on the Celonis server and the configuration (saml.metadatapath) pointed to it. When all the paths are set correctly in the configuration, fire up the Celonis server. Note that the SAML setup is not done yet, but the SAML meta data from the Celonis server has to be generated and published in ADFS to establish the trust. Also note that the Celonis server should have SSL enabled for SAML to work correctly.
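Before the downloaded federation metadata is stored on the Celonis server, it is worth checking what the file actually contains. The following Python script is an added example, not part of the Celonis guide or product: it reads an ADFS-shaped metadata document (a constructed sample using the guide's hostname and a placeholder in place of a real certificate), extracts the entityID, the HTTP-POST sign-on endpoint and the signing-certificate thumbprint to compare against the ADFS console, and flags a sign-on endpoint that is not served over HTTPS.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like an ADFS federationmetadata.xml (hostname from the
# guide); the X509Certificate value is a placeholder, not a real certificate.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://testdc.test.celonis.corp/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://testdc.test.celonis.corp/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def thumbprint(cert_b64, algo="sha1"):
    """Colon-separated digest of the DER certificate; SHA-1 is the Windows 'Thumbprint'."""
    der = base64.b64decode("".join(cert_b64.split()))
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def inspect_idp_metadata(xml_text):
    """Return entityID, HTTP-POST SSO endpoint(s), signing thumbprints and problems found."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == HTTP_POST]
    certs = [thumbprint(c.text)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")  # no 'use' means signing and encryption
             for c in kd.findall(".//ds:X509Certificate", NS)]
    problems = ["SSO endpoint is not HTTPS: " + u for u in sso if not u.startswith("https://")]
    if not sso:
        problems.append("no HTTP-POST SingleSignOnService endpoint")
    if not certs:
        problems.append("no signing certificate: responses cannot be verified")
    return {"entity_id": root.get("entityID"), "sso_post": sso,
            "signing_thumbprints": certs, "problems": problems}
```

Run inspect_idp_metadata() on the real federationmetadata.xml and compare the thumbprint with the token-signing certificate shown in the ADFS console before copying the file to the Celonis server.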

Generate Meta Data from your Celonis Server

You should start your Celonis server now. Monitor the log for exceptions. If the server comes up correctly, you should be able to open the https://localhost/cpm/saml/metadata URL, which will provide you with your server's SAML meta data. If you can't open this URL, please check that the paths are all set correctly and check the log for errors. For testing SSL, you can also deactivate SAML in the configuration.

A file celonis_saml_metadata.xml will be downloaded by the browser. This file contains the certificates of your Celonis service, your entity ID and some additional information. This file now has to be published and registered in ADFS.

Register your service as a relying party in ADFS

To register your service as a relying party, open the ADFS 2.0 Management Console. Click Add Relying Party Trust from the actions on the right.


Choose Import data about the relying party from a file and upload the metadata file generated earlier.

Name your party/service appropriately.

Choose who you want to be able to access the relying party (the Celonis Service). By default, everybody who can successfully authenticate will get access to the Celonis Service. Review and finish the wizard.

Configure additional attributes

You can configure additional attributes which will be auto-populated for the user account when automated user account creation is enabled. The following configuration will synchronize all AD groups of the user, as well as first name, last name and email. Click Add Rule and add a rule providing the Name ID as well as additional information.


We choose Name ID as name. Add the following attributes:


The rule has been set up. Our Celonis Service is set up as a relying party now and we should be able to access the service with SSO.

Make sure the secure hash algorithm is set to SHA-256.

Test your setup

Restart your Celonis Service. Open your Celonis instance's root path (in our test case: https://localhost/cpm/).