The Security Assertion Markup Language or SAML is an XML-based data format for exchanging authentication and authorization data between an 'identity provider' and a 'service provider'.
The most important requirement that SAML addresses is web browser 'single sign-on' or SSO. Single sign-on allows a user to log in with a single ID and password to gain access to a connected system or several systems without using different usernames or passwords. (https://en.wikipedia.org/wiki/SAML)
Before configuring SAML on EASA, ensure that HTTPS is enabled.
1. Edit: <SERVERDATA>\easa\admin\config\Authentication.properties
2. Edit: <SERVERDATA>\easa\admin\config\auth.properties
3. Edit: <EASAROOT>\webapps\easa\WEB-INF\web.xml
<!--
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/spring-security-context.xml</param-value>
</context-param>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
-->
4. If the identity provider’s metadata comes from a file then:
5. Edit: <EASAROOT>\webapps\easa\WEB-INF\spring-security-context.xml
<!--
<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
    <constructor-arg>
        <value type="java.io.File">/usr/local/metadata/idp.xml</value>
    </constructor-arg>
    <property name="parserPool" ref="parserPool"/>
</bean>
-->
6. Replace '/usr/local/metadata/idp.xml' with the full path of the identity provider’s metadata file.
7. Comment out the following HTTPMetadataProvider bean:
<bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
    <constructor-arg>
        <value type="java.lang.String">https://idp.ssocircle.com/idp-meta.xml</value>
    </constructor-arg>
    <constructor-arg>
        <value type="int">5000</value>
    </constructor-arg>
    <property name="parserPool" ref="parserPool"/>
</bean>
8. If the identity provider’s metadata comes from a URL, then:
9. Comment out (if uncommented) the FilesystemMetadataProvider bean below.
<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
    <constructor-arg>
        <value type="java.io.File">/usr/local/metadata/idp.xml</value>
    </constructor-arg>
    <property name="parserPool" ref="parserPool"/>
</bean>
10. In the following samlUserDetailsService bean….
<bean id="samlUserDetailsService" class="com.easa.custom.auth.sso.saml.AttributeSAMLUserDetailsService">
    <!-- If below is empty the NameID will be used -->
    <property name="usernameAttribute" value=""/>
    <!-- Below optional -->
    <!-- Firstname may be first or full name -->
    <property name="firstNameAttribute" value="FirstName"/>
    <property name="lastNameAttribute" value="LastName"/>
    <property name="emailAttribute" value="EmailAddress"/>
</bean>
11. If there is more than one EASA machine, then each machine will need its own entityId in its metadata.
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <property name="entityId" value="com.easa.sso1"/>
        </bean>
    </constructor-arg>
</bean>
12. If an explicit domain name will be used in the URL used to access the EASA site,
13. Once SAML SSO has been configured, restart the EASA Server.
14. In a browser enter the URL: <protocol>://<hostname>:<port>/easa/saml/metadata
15. Download the file (this is EASA’s service provider metadata for this machine).
This metadata file needs to be added to the identity provider.
For reasons beyond our control, ADFS will give the message "Signature trust establishment failed for metadata entry…" with Java 7.
There is a workaround to turn off the metadata trust check as follows:
<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
    <constructor-arg>
        <value type="java.io.File">C:/...<EASAROOT>/webapps/easa/WEB-INF/FederationMetadata.xml</value>
    </constructor-arg>
    <property name="parserPool" ref="parserPool"/>
</bean>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
    <constructor-arg>
        <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
            <constructor-arg>
                <value type="java.io.File">C:/...<EASAROOT>/webapps/easa/WEB-INF/FederationMetadata.xml</value>
            </constructor-arg>
            <property name="parserPool" ref="parserPool"/>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"/>
    </constructor-arg>
    <property name="metadataTrustCheck" value="false"/>
</bean>
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <property name="entityId" value="com.easa.sso"/>
        </bean>
    </constructor-arg>
</bean>
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <property name="entityId" value="com.easa.sso"/>
            <property name="extendedMetadata">
                <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    <property name="sslHostnameVerification" value="allowAll"/>
                </bean>
            </property>
        </bean>
    </constructor-arg>
</bean>
<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"/>
<bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl">
    <property name="responseSkew" value="180"/>
</bean>
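The responseSkew property on the webSSOprofileConsumer bean above is the number of seconds of clock difference tolerated between the identity provider and EASA when the assertion's Conditions (NotBefore and NotOnOrAfter) are checked; Spring Security SAML's default is 60. The following Python example is added here and is not EASA's or Spring Security SAML's code: it reproduces that time check on a constructed assertion fragment so the effect of raising the value from 60 to 180 is visible. The timestamps, issuer and ID are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def parse_instant(value: str) -> datetime:
    """SAML timestamps are xs:dateTime in UTC, e.g. 2024-05-01T12:00:00Z; fractional seconds optional."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def utc(hour: int, minute: int, second: int) -> datetime:
    """Constructed 'now' values on 2024-05-01, used by the demonstration below."""
    return datetime(2024, 5, 1, hour, minute, second, tzinfo=timezone.utc)


def conditions_ok(not_before, not_on_or_after, now, response_skew=60):
    """Time check on <saml:Conditions> with a skew allowance, the check that responseSkew
    relaxes: accept when NotBefore - skew <= now < NotOnOrAfter + skew.
    Returns (accepted, reason)."""
    skew = timedelta(seconds=response_skew)
    if not_before is not None and now < not_before - skew:
        return False, "not yet valid: NotBefore %s, now %s, skew %ds" % (not_before, now, response_skew)
    if not_on_or_after is not None and now >= not_on_or_after + skew:
        return False, "expired: NotOnOrAfter %s, now %s, skew %ds" % (not_on_or_after, now, response_skew)
    return True, "within validity window (skew %ds)" % response_skew


def check_assertion_conditions(assertion_xml: str, now: datetime, response_skew=60):
    """Parse the Conditions element of an assertion and apply conditions_ok to it."""
    root = ET.fromstring(assertion_xml.strip())
    conditions = root.find("{%s}Conditions" % SAML_NS)
    if conditions is None:
        return False, "assertion carries no Conditions element"
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    return conditions_ok(
        parse_instant(not_before) if not_before else None,
        parse_instant(not_on_or_after) if not_on_or_after else None,
        now,
        response_skew,
    )


# Constructed assertion fragment with a five-minute validity window.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/constructed</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
</saml:Assertion>"""


if __name__ == "__main__":
    # The same assertion evaluated at several clock offsets, with the default skew and with 180 seconds.
    for now in (utc(11, 58, 0), utc(12, 2, 0), utc(12, 6, 30), utc(12, 8, 0)):
        for skew in (60, 180):
            accepted, reason = check_assertion_conditions(SAMPLE_ASSERTION, now, skew)
            print("now=%s skew=%3ds -> %s: %s" % (now.time(), skew, "ACCEPT" if accepted else "REJECT", reason))
```

A larger skew also lengthens the period during which a given response remains acceptable to EASA, so raise the value only as far as the measured clock difference between the ADFS server and the EASA server requires, and keep both synchronised to the same time source.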