Security Assertion Markup Language 2.0

The framework can be configured to act as a Service Provider (SP) in federations based on the SAML 2.0 protocol and enable Web Single Sign-On. Authentication is then delegated to an Identity Provider (IDP).

The basic Single Sign-On setup is based on the SP and the IDP exchanging their metadata (XML): the SP must know the IDP metadata and, vice versa, the IDP must know the SP metadata. This is how the circle of trust between them is established.

Signing the metadata is optional, but it improves security. Signed metadata is distributed together with the X509 certificate needed to validate the signature; that certificate must be issued by a trusted authority, otherwise certificate trust chain validation fails. The framework handles keys and certificates stored in a local JKS KeyStore for security operations such as signing, encryption and signature validation.

The framework (SP) is configured to auto-generate its own metadata. The IDP metadata can be retrieved via HTTP or stored in the local file system as an XML file.

Here are the steps for the SSO setup:

  1. Set up the security context definition in %MV_HOME%/bin/rapiddeploy.properties.

    SAML security context with IDP metadata retrieved via HTTP

    #-----------------------------------------------
    # Spring Security Context
    #-----------------------------------------------
    rapiddeploy.security.context.filename=applicationContext-security-saml-http.xml
    #-----------------------------------------------

    SAML security context with IDP metadata stored in the file system

    #-----------------------------------------------
    # Spring Security Context
    #-----------------------------------------------
    rapiddeploy.security.context.filename=applicationContext-security-saml-fs.xml
    #-----------------------------------------------
  2. Set up SAML settings in %MV_HOME%/bin/rapiddeploy.properties.
    #-----------------------------------------------
    # SAML Configuration (HTTP)
    #-----------------------------------------------
    rapiddeploy.security.saml.metadata.generator.entity.id=urn:rapiddeploy:midvision
    rapiddeploy.security.saml.metadata.generator.sign.metadata=false
    rapiddeploy.security.saml.metadata.idp.id=http://idp.ssocircle.com
    rapiddeploy.security.saml.metadata.idp.url=http://idp.ssocircle.com/idp-meta.xml
    rapiddeploy.security.saml.metadata.idp.timeout=5000
    rapiddeploy.security.saml.keystore.resource=classpath:samlKeystore.jks
    rapiddeploy.security.saml.keystore.https.certs.url=https://www.ssocircle.com
    rapiddeploy.security.saml.keystore.password=midvision
    rapiddeploy.security.saml.keystore.default.key=sso-saml
    rapiddeploy.security.saml.keystore.signing.entry.key=sso-saml
    rapiddeploy.security.saml.keystore.signing.entry.password=rapiddeploy
    rapiddeploy.security.saml.keystore.encryption.entry.key=sso-saml
    rapiddeploy.security.saml.keystore.encryption.entry.password=rapiddeploy
    #-----------------------------------------------

    or

    #-----------------------------------------------
    # SAML Configuration (FS)
    #-----------------------------------------------
    rapiddeploy.security.saml.metadata.generator.entity.id=urn:rapiddeploy:midvision
    rapiddeploy.security.saml.metadata.generator.sign.metadata=false
    rapiddeploy.security.saml.metadata.idp.id=http://idp.ssocircle.com
    rapiddeploy.security.saml.metadata.idp.path=file:/midvision/sso/idp.xml
    rapiddeploy.security.saml.keystore.resource=file:/midvision/sso/samlKeystore.jks
    rapiddeploy.security.saml.keystore.https.certs.url=https://www.ssocircle.com
    rapiddeploy.security.saml.keystore.password=midvision
    rapiddeploy.security.saml.keystore.default.key=sso-saml
    rapiddeploy.security.saml.keystore.signing.entry.key=sso-saml
    rapiddeploy.security.saml.keystore.signing.entry.password=rapiddeploy
    rapiddeploy.security.saml.keystore.encryption.entry.key=sso-saml
    rapiddeploy.security.saml.keystore.encryption.entry.password=rapiddeploy
    #-----------------------------------------------
    • rapiddeploy.security.saml.metadata.generator.entity.id Service Provider identifier. This value must be unique within the IDP's circle of trust. For example: "urn:rapiddeploy:midvision". SP metadata example
    • rapiddeploy.security.saml.metadata.generator.sign.metadata Sets whether the generated metadata is signed. For a simple setup, do not sign the metadata: set this value to false. For metadata signing, the IDP may require keys signed by a specific certification authority.
    • rapiddeploy.security.saml.metadata.idp.id The IDP Identifier. This must be the same value located in the IDP metadata.
    • rapiddeploy.security.saml.metadata.idp.url IDP metadata URL where the framework will retrieve it. (Only HTTP setup)
    • rapiddeploy.security.saml.metadata.idp.timeout Timeout value (milliseconds) for the IDP metadata HTTP connection. (HTTP setup only)
    • rapiddeploy.security.saml.metadata.idp.path File system resource path for IDP metadata XML file (Only FS setup). IDP metadata example
    • rapiddeploy.security.saml.keystore.resource Resource name of the JKS keystore file. The framework comes with a built-in keystore located at "classpath:samlKeystore.jks". To use an external KeyStore, use the following file pattern: "file:C:/midvision/sso/myKeyStore.jks"
    • rapiddeploy.security.saml.keystore.https.certs.url The IDP may require a secure connection (HTTPS). This value is optional (leave it blank if it is not needed); when set, it should be the HTTPS URL of the IDP, whose SSL/TLS certificates are then imported automatically into the KeyStore.
    • rapiddeploy.security.saml.keystore.password KeyStore password. Built-in KeyStore password is "midvision"
    • rapiddeploy.security.saml.keystore.default.key Default Certificate alias key. Built-in certificate alias key is "sso-saml"
    • rapiddeploy.security.saml.keystore.signing.entry.key Signing Key alias in the KeyStore. Built-in signing key alias is "sso-saml"
    • rapiddeploy.security.saml.keystore.signing.entry.password Signing key password. Built-in signing key password is "rapiddeploy"
    • rapiddeploy.security.saml.keystore.encryption.entry.key Encryption Key alias in the KeyStore. Built-in encryption key alias is "sso-saml"
    • rapiddeploy.security.saml.keystore.encryption.entry.password Encryption key password. Built-in encryption key password is "rapiddeploy"
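    The property list above says the IDP identifier must match the entityID inside the IDP metadata and that the SP relies on the IDP's X509 certificate for signature validation. The following pre-flight check is an added example, not part of the framework: it parses a rapiddeploy.properties fragment and an IDP metadata file (both constructed inline, with made-up IDP values) and reports mismatches before the Web Application is started.

```python
import xml.etree.ElementTree as ET

# Constructed property fragment: property names are the documented ones,
# the values are made up for this example.
PROPERTIES = """
# SAML Configuration (FS)
rapiddeploy.security.saml.metadata.idp.id=https://idp.example.test/idp
rapiddeploy.security.saml.metadata.idp.path=file:/midvision/sso/idp.xml
rapiddeploy.security.saml.metadata.generator.sign.metadata=false
"""

# Constructed IDP metadata, reduced to the elements the check inspects.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...placeholder-base64...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PREFIX = "rapiddeploy.security.saml.metadata."

def parse_properties(text):
    """Minimal key=value parser; '#' lines and blanks are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_idp_metadata(properties_text, metadata_xml):
    """Return a list of problems; an empty list means the IDP side is consistent."""
    props = parse_properties(properties_text)
    root = ET.fromstring(metadata_xml)
    problems = []
    configured = props.get(PREFIX + "idp.id")
    if configured != root.get("entityID"):       # must be the IDP's own entityID
        problems.append("idp.id %r != metadata entityID %r" % (configured, root.get("entityID")))
    if PREFIX + "idp.url" in props and PREFIX + "idp.path" in props:
        problems.append("both idp.url and idp.path are set; pick HTTP or FS setup")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor: this is not IDP metadata")
        return problems
    if idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
        problems.append("no X509 certificate: SP cannot validate IDP signatures")
    if not idp.findall("md:SingleSignOnService", NS):
        problems.append("no SingleSignOnService endpoint in metadata")
    return problems
```

Run check_idp_metadata(PROPERTIES, IDP_METADATA) against your real files; any non-empty result points at the property or metadata element to fix.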
  3. Circle of trust between SP and IDP configuration
    1. After framework configuration, please start or restart the Web Application (%MV_HOME%/bin/start-web-app.bat)
    2. Go to SSO Providers info page,

      Here's the URL example: http://localhost:9090/MidVision/ui/sso/info.xhtml

    3. On SSO Providers info page, you can see SP and IDP metadata in different tabs
    4. Copy the SP metadata XML
    5. Go to your IDP site, create your account and import the SP metadata copied in the previous step.
    6. Finally, open the main URL; you will be redirected to the Identity Provider for login.

      Here's the URL example: http://localhost:9090/MidVision/

  4. Set your SSO user as Administrator
    1. Once SSO is working and you are logged in, perform an SSO logout and then stop the Web Application (%MV_HOME%/bin/stop-web-app.bat)
    2. Put back the security context in the rapiddeploy configuration (%MV_HOME%/bin/rapiddeploy.properties) to the default value and save your changes.
      #-----------------------------------------------
      # Spring Security Context
      #-----------------------------------------------
      rapiddeploy.security.context.filename=applicationContext-security.xml
      #-----------------------------------------------
    3. Start the Web Application (%MV_HOME%/bin/start-web-app.bat) and log in as the mvadmin user
    4. Assign full rights to the SSO user shown in the user list page.
    5. Log out and stop the Web Application (%MV_HOME%/bin/stop-web-app.bat)
    6. Change the security context in the rapiddeploy configuration (%MV_HOME%/bin/rapiddeploy.properties) back to the SSO context, as explained above.
    7. Start the Web Application (%MV_HOME%/bin/start-web-app.bat) and perform an SSO login with the user granted full rights. This user is now the new Administrator.