Difference between revisions of "Command Center SSO Installation"
(→Overview)
(→Trouble-Shooting your SSO Configuration)
(31 intermediate revisions by 3 users not shown)
Line 14: | Line 14: | ||
* Enter <b>Admin</b> mode |
* Enter <b>Admin</b> mode |
||
− | === Create |
+ | === Create Command Center Groups/People === |
* Click <b>Directory->Groups</b> on left |
* Click <b>Directory->Groups</b> on left |
||
− | * Create <b> |
+ | * Create <b>Command Center Admin</b> group |
− | * Create <b> |
+ | * Create <b>Command Center Manager</b> group |
− | * Create <b> |
+ | * Create <b>Command Center Developer</b> group |
+ | * Create <b>Command Center Translator</b> group |
||
* Choose <b>Directory->People</b> on left |
* Choose <b>Directory->People</b> on left |
||
− | * Add accounts and assign to appropriate |
+ | * Add accounts and assign to appropriate Command Center Groups |
+ | |||
+ | <b>NOTE: Indivuals should not be assigned to the Okta application. Groups should be assigned to the Okta application, and individuals should be assigned to the appropriate group!</b> |
||
=== Create Okta Application === |
=== Create Okta Application === |
||
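Review bot: typo in the added NOTE line, "Indivuals" should be "Individuals". The guidance itself (assign groups, not individual accounts, to the Okta application) is right and is the one that keeps group membership as the single place where access is granted and revoked, so only the spelling needs fixing.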
Line 27: | Line 30: | ||
* Choose <b>SAML 2.0</b> and then Next |
* Choose <b>SAML 2.0</b> and then Next |
||
* Give your app a name and click Next |
* Give your app a name and click Next |
||
− | * Single sign on URL: <your server machine>/ |
+ | * Single sign on URL: <your server machine>/command-center/login/saml2/sso/<your-saml-key>, for example https://cc.saml.lingoport.io/command-center/login/saml2/sso/cckey |
− | * Audience URI: <your server machine>/ |
+ | * Audience URI: <your server machine>/command-center/saml2/service-provider-metadata/<your-saml-key>, for example https://cc.saml.lingoport.io/command-center/saml2/service-provider-metadata/cckey |
* Attributes Section: enter in the following: |
* Attributes Section: enter in the following: |
||
− | First Name, Unspecified, user.firstName |
||
− | Last Name, Unspecified, user.lastName |
||
Email, Unspecified, user.email |
Email, Unspecified, user.email |
||
+ | Username, Unspecified , user.login |
||
+ | Last Name, Unspecified , user.lastName |
||
* Groups Section: enter in the following: |
* Groups Section: enter in the following: |
||
− | memberOf, Unspecified, Contains, |
+ | memberOf, Unspecified, Contains, Command Center |
* Select <b>I'm an Okta customer adding an internal app</b> |
* Select <b>I'm an Okta customer adding an internal app</b> |
||
* Check <b>This is an internal app that we have created</b> |
* Check <b>This is an internal app that we have created</b> |
||
* Go to <b>Assignments</b> tab |
* Go to <b>Assignments</b> tab |
||
− | * Assign the |
+ | * Assign the four Command Center groups to your app |
=== Download Artifacts === |
=== Download Artifacts === |
||
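Review bot: the new Attributes lines are inconsistent, "Username, Unspecified , user.login" and "Last Name, Unspecified , user.lastName" carry a stray space before the comma while the Email line does not; make all three uniform, e.g. `Username, Unspecified, user.login`. It would also help to state here that the attribute names (Username, Email, Last Name) and the memberOf group filter are referenced by exact, case-sensitive name in saml_configuration.conf further down the page, so they must be typed identically in Okta.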
Line 55: | Line 58: | ||
* Create a file named sp.xml with the following contents |
* Create a file named sp.xml with the following contents |
||
<?xml version="1.0" encoding="UTF-8"?> |
<?xml version="1.0" encoding="UTF-8"?> |
||
− | <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" <b>entityID</b>="https://saml.lingoport. |
+ | <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" <b>entityID</b>="https://cc.saml.lingoport.io/command-center/saml2/service-provider-metadata/<your-saml-key>"> |
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> |
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> |
||
− | <md:Extensions><idpdisco:DiscoveryResponse xmlns:idpdisco="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" <b>Location</b>="https://saml.lingoport. |
+ | <md:Extensions><idpdisco:DiscoveryResponse xmlns:idpdisco="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" <b>Location</b>="https://cc.saml.lingoport.io/command-center/login/auth?disco=true"/> |
</md:Extensions><md:KeyDescriptor use="signing"> |
</md:Extensions><md:KeyDescriptor use="signing"> |
||
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data> |
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data> |
||
Line 67: | Line 70: | ||
</ds:X509Data></ds:KeyInfo> |
</ds:X509Data></ds:KeyInfo> |
||
</md:KeyDescriptor> |
</md:KeyDescriptor> |
||
− | <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" <b>Location</b>="https://saml.lingoport. |
+ | <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" <b>Location</b>="https://cc.saml.lingoport.io/command-center/saml/SingleLogout"/> |
− | <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" <b>Location</b>="https://saml.lingoport. |
+ | <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" <b>Location</b>="https://cc.saml.lingoport.io/command-center/saml/SingleLogout"/> |
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat> |
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat> |
||
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat> |
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat> |
||
Line 74: | Line 77: | ||
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat> |
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat> |
||
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat> |
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat> |
||
− | <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" <b>Location</b>="https://saml.lingoport. |
+ | <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" <b>Location</b>="https://cc.saml.lingoport.io/command-center/login/saml2/sso/<your-saml-key>" index="0" isDefault="true"/> |
− | <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" <b>Location</b>="https://saml.lingoport. |
+ | <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" <b>Location</b>="https://cc.saml.lingoport.io/command-center/login/saml2/sso/<your-saml-key>" index="1" isDefault="false"/> |
− | <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" <b>Location</b>="https://saml.lingoport. |
+ | <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" <b>Location</b>="https://cc.saml.lingoport.io/command-center/login/saml2/sso/<your-saml-key>" index="2" isDefault="false"/> |
</md:SPSSODescriptor> |
</md:SPSSODescriptor> |
||
</md:EntityDescriptor> |
</md:EntityDescriptor> |
||
Line 82: | Line 85: | ||
* Modify <b>entityId</b> to match what you specified as <b>Audience</b> in your Okta app. |
* Modify <b>entityId</b> to match what you specified as <b>Audience</b> in your Okta app. |
||
* Replace the two <b>CERTIFICATEs</b> with the certificate you downloaded from Okta. Open the file and grab the lines between BEGIN CERTIFICATE and END CERTIFICATE in the downloaded file. |
* Replace the two <b>CERTIFICATEs</b> with the certificate you downloaded from Okta. Open the file and grab the lines between BEGIN CERTIFICATE and END CERTIFICATE in the downloaded file. |
||
+ | * Replace cc.saml.lingoport.io with your machine name |
||
− | * Update the various <b>Locations</b> to be the machine your Globalyzer Server is running on ... keeping the /gzserver/login/saml2/sso/<your-saml-key> or /gzserver/saml/SingleLogout endings |
||
+ | * Replace <your-saml-key> with the key name you chose above |
||
− | == Configure |
+ | == Configure saml_configuration.conf == |
− | * Copy <your-key-store.jks>, sp.xml, and idp.xml files |
+ | * Copy <your-key-store.jks>, sp.xml, and idp.xml files under <userHomeDirectory>/Lingoport_Data/saml on the machine running the Command Center Server. Create that directory if not there. |
− | * |
+ | * Under <userHomeDirectory>/Lingoport_Data/saml, add and configure the following lines to saml_configuration.conf: |
− | // tell |
+ | // tell Command Center and the Plugin to use saml |
− | + | commandcenter.saml.mode = true |
|
grails.plugin.springsecurity.saml.active = true |
grails.plugin.springsecurity.saml.active = true |
||
grails.plugin.springsecurity.providerNames = ['samlAuthenticationProvider','anonymousAuthenticationProvider'] |
grails.plugin.springsecurity.providerNames = ['samlAuthenticationProvider','anonymousAuthenticationProvider'] |
||
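Review bot: the unchanged bullet says "Modify <b>entityId</b>" while the sp.xml above writes the attribute as entityID; XML attribute names are case-sensitive, so the bullet should say entityID. The new bullet "Replace cc.saml.lingoport.io with your machine name" also drops the detail the removed "Update the various Locations" bullet carried, namely that the hostname appears in every Location as well as in the entityID; say "everywhere it appears (entityID and all Location attributes)" so a reader does not edit only the first occurrence.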
Line 97: | Line 101: | ||
// keystore configuration |
// keystore configuration |
||
// assuming you created a keystore named saml-keystore.jks and a key named samlkey ... |
// assuming you created a keystore named saml-keystore.jks and a key named samlkey ... |
||
− | grails.plugin.springsecurity.saml.keyManager.storeFile = "file:/ |
+ | grails.plugin.springsecurity.saml.keyManager.storeFile = "file:" + samlpath + "/saml-keystore.jks" |
grails.plugin.springsecurity.saml.keyManager.storePass = '<your-keystore-pw>' |
grails.plugin.springsecurity.saml.keyManager.storePass = '<your-keystore-pw>' |
||
grails.plugin.springsecurity.saml.keyManager.passwords = [<your-saml-key>:'<your-keystore-pw>'] |
grails.plugin.springsecurity.saml.keyManager.passwords = [<your-saml-key>:'<your-keystore-pw>'] |
||
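Review bot: storeFile now reads `"file:" + samlpath + "/saml-keystore.jks"`, but samlpath is not defined in any configuration line shown on the page; either say where it is set or add a line such as `samlpath = "<userHomeDirectory>/Lingoport_Data/saml"` before its first use, otherwise the property will not resolve. The comment above still says "saml-keystore.jks" and "samlkey" while the keystore step uses <your-key-store.jks> and <your-saml-key>; align the names so the file and key the reader actually created are the ones referenced.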
Line 107: | Line 111: | ||
// leave as is if created okta app as specified above |
// leave as is if created okta app as specified above |
||
grails.plugin.springsecurity.saml.userGroupAttribute = 'memberOf' |
grails.plugin.springsecurity.saml.userGroupAttribute = 'memberOf' |
||
− | grails.plugin.springsecurity.saml.userAttributeMappings = ['username' : ' |
+ | grails.plugin.springsecurity.saml.userAttributeMappings = ['username' : 'Username', 'email': 'Email', 'fullname' : 'Last Name'] |
− | grails.plugin.springsecurity.saml.userGroupToRoleMapping = ['ROLE_ADMIN': ' |
+ | grails.plugin.springsecurity.saml.userGroupToRoleMapping = ['ROLE_ADMIN': 'Command Center Admin', 'ROLE_MANAGER': 'Command Center Manager', 'ROLE_DEV': 'Command Center Developer', 'ROLE_TRANSLATOR': 'Command Center Translator'] |
// idp configuration |
// idp configuration |
||
− | grails.plugin.springsecurity.saml.metadata.defaultIdp = 'entity id found in idp.xml' |
+ | grails.plugin.springsecurity.saml.metadata.defaultIdp = '<entity id found in idp.xml>' |
− | grails.plugin.springsecurity.saml.metadata.idp.file = 'file: |
+ | grails.plugin.springsecurity.saml.metadata.idp.file = 'file:' + samlpath + '/idp.xml' |
− | grails.plugin.springsecurity.saml.metadata.providers = [' |
+ | grails.plugin.springsecurity.saml.metadata.providers = ['samlkey':'file:' + samlpath+'/idp.xml'] |
// sp configuration |
// sp configuration |
||
− | grails.plugin.springsecurity.saml.metadata.sp.file = " |
+ | grails.plugin.springsecurity.saml.metadata.sp.file = samlpath + "/sp.xml" |
− | grails.plugin.springsecurity.saml.metadata.sp.alias = "entity id found in sp.xml file" |
+ | grails.plugin.springsecurity.saml.metadata.sp.alias = "<entity id found in sp.xml file>" |
− | grails.plugin.springsecurity.saml.metadata.sp.defaults.alias = 'entity id found in sp.xml file' |
+ | grails.plugin.springsecurity.saml.metadata.sp.defaults.alias = '<entity id found in sp.xml file>' |
− | grails.plugin.springsecurity.saml.metadata.sp.defaults.entityId = 'entity id found in sp.xml file' |
+ | grails.plugin.springsecurity.saml.metadata.sp.defaults.entityId = '<entity id found in sp.xml file>' |
− | |||
− | // true if want token to auto renew when user logs into server |
||
− | grails.plugin.springsecurity.saml.autoRenewToken = true |
||
− | |||
− | // specify number of days until token expires |
||
− | grails.plugin.springsecurity.saml.renewTokenDays = 90 |
||
− | |||
− | === Encrypting SSO Passwords === |
||
− | To support SSO logins, there are some passwords required in the GzserverConfig.groovy file: |
||
− | * grails.plugin.springsecurity.saml.keyManager.storePass = 'my plain password' |
||
− | * grails.plugin.springsecurity.saml.passwords = [samlkey:'my plain password'] |
||
− | |||
− | You may encrypt these passwords, rather than having them appear in the config file as plain text. |
||
− | |||
− | To encrypt the passwords, you must use the <b>globalyzer-encrypt-password.jar</b> that is available in the Globalyzer-Server.zip file. |
||
− | |||
− | Run the jar to generate an encrypted password: |
||
− | $ java -jar globalyzer-encrypt-password.jar -in "my plain password" |
||
− | Encrypted Password: CLCjzYV02uZaWDTDkcvK65BndTfUlH5leL00vsgWkmY= |
||
− | |||
− | Then place the generated password in the GzserverConfig.groovy file within ENC(): |
||
− | grails.plugin.springsecurity.saml.keyManager.storePass = 'ENC(CLCjzYV02uZaWDTDkcvK65BndTfUlH5leL00vsgWkmY=)' |
||
− | grails.plugin.springsecurity.saml.passwords = [<your-saml-key>:'ENC(CLCjzYV02uZaWDTDkcvK65BndTfUlH5leL00vsgWkmY=)'] |
||
== Extra Configuration for Https == |
== Extra Configuration for Https == |
||
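Review bot: removing the "Encrypting SSO Passwords" section leaves storePass and keyManager.passwords as plain-text '<your-keystore-pw>' in saml_configuration.conf with no stated alternative; if ENC() is no longer supported for Command Center, say so explicitly, otherwise keep the section (renamed for Command Center) so the keystore password does not have to sit in the clear on disk. Two smaller points in the same hunk: `'fullname' : 'Last Name'` now populates the full name from the last name only, since First Name was dropped from the Okta attributes, so confirm that is intended; and `metadata.providers = ['samlkey':...]` uses a literal samlkey while the surrounding lines use <your-saml-key>.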
Line 152: | Line 133: | ||
scheme="https" |
scheme="https" |
||
/> |
/> |
||
+ | |||
+ | |||
+ | Or you can configure your reverse proxy to preserve https in the request header. In apache, it would look like this: |
||
+ | RequestHeader add X-Forwarded-Proto https |
||
== Trouble-Shooting your SSO Configuration == |
== Trouble-Shooting your SSO Configuration == |
||
− | If you are having difficulty logging in to your SSO-configured |
+ | If you are having difficulty logging in to your SSO-configured Command Center Server (login is failing, for example), configure the Command Center Server to write more information to the tomcat/temp/ccserver.log file during the login process. This will help in fixing your configuration. |
− | To do this, place |
+ | To do this, place a special logback.xml file (provided by Lingoport) to a location on your server. Then add <b>-Dlogging.config</b> to your JAVA_OPTS environment variable. |
+ | For example: |
||
− | For example, the modified enterprise.bat would look like this: |
||
− | <code> |
+ | <code>JAVA_OPTS=-Xms256m -Xmx1600m -Dlogging.config=/path/to/logback.xml"</code> |
− | Then stop and start your |
+ | Then stop and start your Command Center Server to incorporate the changes. You should now see more information written to the ccserver.log file. |
− | |||
− | Note, if you are running Tomcat as a service rather than starting/stopping using the enterprise script, then update your JAVA_OPTS environment variable on the Server machine and then restart the Tomcat service. |
||
== What Differences Will I see Using SSO? == |
== What Differences Will I see Using SSO? == |
||
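Review bot: the JAVA_OPTS example has an unbalanced closing quote, `JAVA_OPTS=-Xms256m -Xmx1600m -Dlogging.config=/path/to/logback.xml"`; it should read `JAVA_OPTS="-Xms256m -Xmx1600m -Dlogging.config=/path/to/logback.xml"`, and "place a special logback.xml file ... to a location" reads better as "in a location". The removed note about updating JAVA_OPTS and restarting the Tomcat service when Tomcat runs as a service still applies as far as the visible text shows, so consider keeping it. For the new `RequestHeader add X-Forwarded-Proto https` line, note that it belongs only on a proxy that itself terminates TLS, since the application will trust the header as-is.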
Line 172: | Line 155: | ||
* On server login screen, an SSO login button displays, rather than Email and Password |
* On server login screen, an SSO login button displays, rather than Email and Password |
||
* On server login screen, <b>Forgot Password</b> link is removed |
* On server login screen, <b>Forgot Password</b> link is removed |
||
− | * Admin users can no longer create other |
+ | * Admin users can no longer create other users, except for API users |
+ | * When an SSO user initially logs in to the server, a server account will be created if they were authenticated by the Identity Provider and authorized (by belonging to one of the four Command Center groups) |
||
− | * Manager users can no longer create other Managers or Members |
||
− | * No users can edit their profile |
||
− | * When an SSO user initially logs in to the server, a server account will be created if they were authenticated by the Identity Provider and authorized (by belonging to one of the three Globalyzer groups) |
||
* If user is NOT authenticated or authorized, login will fail |
* If user is NOT authenticated or authorized, login will fail |
||
− | * On subsequent logins, the user's server account is updated with the latest information from the Identity Provider, EXCEPT for their level of access. If they were authorized to be a Globalyzer Manager when their account was created, they will always be a Globalyzer Manager. An existing Manager account will not be switched to a Member account or an Admin account, for example. The Manager account can be deleted from the Globalyzer server (by another Manager or Admin), and then on login, the account will be recreated at the current access level as configured in the Identity Provider. |
||
− | |||
− | Client Workbench changes: |
||
− | * Forgot Password link still displays (since clients can connect to various servers) but if they are connected to an SSO-configured server, a message displays saying that the password cannot be retrieved from an SSO-configured server |
||
− | |||
− | Client access to an SSO-configured Server: |
||
− | * To run a Globalyzer Client (Workbench, Lite) against an SSO-configured Server, you need to generate a token from the Server (click on the <b>download Globalyzer Client here</b> link at the bottom of the home screen) and use your email address as the username and the token as the password when connecting to the server. |
||
− | * Tokens expire in 90 days, but the number of days is configurable in the GzserverConfig.groovy file. |
||
− | * Tokens may be auto renewed by logging into the server. This feature is configurable in GzserverConfig.groovy. |
||
− | * Attempting to log in with expired tokens will fail. |
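Review bot: the removed bullet starting "On subsequent logins, the user's server account is updated ... EXCEPT for their level of access" describes security-relevant behaviour: a user moved from the Admin group to another group keeps the Admin role until the account is deleted and recreated. If Command Center behaves the same way, that statement should be kept (with Globalyzer renamed) so administrators know a group change in Okta is not enough to lower access; if it no longer does, the new section should say how IdP group changes are reflected. Removing the client-token bullets (90-day expiry, auto renew) is consistent with the autoRenewToken/renewTokenDays settings removed earlier.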
Latest revision as of 20:18, 25 January 2024
Overview
Many companies use SAML SSO with an Identity Provider to manage users and access to applications. To integrate Command Center with SAML SSO, first, the Identity Provider must be configured to allow access to Command Center. Then, Command Center must be configured for SSO. The result is three key files referenced from saml_configuration.conf:
- a keystore that contains the identity provider certificate and a key
- the idp.xml file that describes the identity provider (Okta in our example)
- the sp.xml file that describes the service provider (our Command Center application)
Configure the Identity Provider
We will be using Okta as the Identity Provider in order to illustrate how to configure Globalyzer.
Set up Okta Developer Account
- https://developer.okta.com/signup/
- Enter Admin mode
Create Command Center Groups/People
- Click Directory->Groups on left
- Create Command Center Admin group
- Create Command Center Manager group
- Create Command Center Developer group
- Create Command Center Translator group
- Choose Directory->People on left
- Add accounts and assign to appropriate Command Center Groups
NOTE: Individuals should not be assigned to the Okta application. Groups should be assigned to the Okta application, and individuals should be assigned to the appropriate group!
Create Okta Application
- Click Applications->Applications on the left.
- Click Create App Integration
- Choose SAML 2.0 and then Next
- Give your app a name and click Next
- Single sign on URL: <your server machine>/command-center/login/saml2/sso/<your-saml-key>, for example https://cc.saml.lingoport.io/command-center/login/saml2/sso/cckey
- Audience URI: <your server machine>/command-center/saml2/service-provider-metadata/<your-saml-key>, for example https://cc.saml.lingoport.io/command-center/saml2/service-provider-metadata/cckey
- Attributes Section: enter in the following:
Email, Unspecified, user.email
Username, Unspecified, user.login
Last Name, Unspecified, user.lastName
- Groups Section: enter in the following:
memberOf, Unspecified, Contains, Command Center
- Select I'm an Okta customer adding an internal app
- Check This is an internal app that we have created
- Go to Assignments tab
- Assign the four Command Center groups to your app
Download Artifacts
- Go to Sign On tab of your app
- Click View SAML setup instructions
- Download certificate
- Copy IDP Metadata to a file named idp.xml
Generate Keys and Keystore
- Generate key and keystore:
keytool -genkey -alias <your-saml-key> -keyalg RSA -keystore <your-key-store.jks>
- Import the Identity Provider certificate into the keystore:
keytool -import -alias okta -keystore <your-key-store.jks> -file <certificate you downloaded from okta>
Generate sp.xml
- Create a file named sp.xml with the following contents
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://cc.saml.lingoport.io/command-center/saml2/service-provider-metadata/<your-saml-key>">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <idpdisco:DiscoveryResponse xmlns:idpdisco="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://cc.saml.lingoport.io/command-center/login/auth?disco=true"/>
    </md:Extensions>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>CERTIFICATE</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>CERTIFICATE</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cc.saml.lingoport.io/command-center/saml/SingleLogout"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://cc.saml.lingoport.io/command-center/saml/SingleLogout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cc.saml.lingoport.io/command-center/login/saml2/sso/<your-saml-key>" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://cc.saml.lingoport.io/command-center/login/saml2/sso/<your-saml-key>" index="1" isDefault="false"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://cc.saml.lingoport.io/command-center/login/saml2/sso/<your-saml-key>" index="2" isDefault="false"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
- Modify entityId to match what you specified as Audience in your Okta app.
- Replace the two CERTIFICATEs with the certificate you downloaded from Okta. Open the file and grab the lines between BEGIN CERTIFICATE and END CERTIFICATE in the downloaded file.
- Replace cc.saml.lingoport.io with your machine name
- Replace <your-saml-key> with the key name you chose above
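A pre-flight check for the edited sp.xml, added here as an example and not Lingoport's tooling: given the Single sign on URL and Audience URI you typed into the Okta app, it reports any of the four edits above that were missed (leftover <your-saml-key>, wiki hostname left in a Location, CERTIFICATE placeholders, entityID not equal to the Audience URI). The host cc.example.internal, the reduced sp.xml template and the certificate body are constructed stand-ins.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BASE64_BODY = re.compile(r"[A-Za-z0-9+/=\s]+")   # what the pasted certificate lines consist of


def check_sp_metadata(sp_xml, sso_url, audience_uri):
    """Compare an edited sp.xml with the Okta app's Single sign on URL and Audience URI.
    Returns (problems, warnings); an empty problems list means the four edits are consistent."""
    problems, warnings = [], []
    # '<' is illegal inside an XML attribute value, so a leftover placeholder also makes the
    # file unparseable: report it before parsing is attempted
    if "<your-saml-key>" in sp_xml:
        return ["placeholder <your-saml-key> was not replaced (file is not well-formed XML)"], warnings
    try:
        root = ET.fromstring(sp_xml)
    except ET.ParseError as exc:
        return [f"sp.xml is not well-formed XML: {exc}"], warnings
    # edit 1: entityID (capital D in the XML) must equal the Okta Audience URI
    if root.get("entityID") != audience_uri:
        problems.append(f"entityID {root.get('entityID')!r} != Okta Audience URI {audience_uri!r}")
    # edit 3: every Location must be https on the same host as the Audience URI; this catches
    # the wiki hostname cc.saml.lingoport.io left behind in any single element
    host = urlsplit(audience_uri).netloc
    for el in root.iter():
        loc = el.get("Location")
        if loc is not None and (urlsplit(loc).scheme, urlsplit(loc).netloc) != ("https", host):
            problems.append(f"{el.tag.rsplit('}', 1)[-1]} Location {loc!r} is not https on {host}")
    # Okta posts the SAML response to the default HTTP-POST AssertionConsumerService,
    # so it must be exactly the Single sign on URL configured in the Okta app
    default_acs = [a for a in root.findall(".//md:AssertionConsumerService", NS)
                   if a.get("isDefault") == "true"]
    if (len(default_acs) != 1 or default_acs[0].get("Binding") != HTTP_POST
            or default_acs[0].get("Location") != sso_url):
        problems.append(f"default HTTP-POST AssertionConsumerService must be {sso_url!r}")
    # edit 2: both CERTIFICATE placeholders replaced by the base64 lines between the BEGIN/END
    # markers; the markers contain '-' and fail the regex, the bare word CERTIFICATE is too short
    certs = root.findall(".//md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if len(certs) != 2:
        problems.append(f"expected 2 X509Certificate elements (signing, encryption), found {len(certs)}")
    for cert in certs:
        body = (cert.text or "").strip()
        if not BASE64_BODY.fullmatch(body) or len(body) < 64:
            problems.append("X509Certificate must hold only the base64 body of the Okta certificate")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is not None and sp.get("WantAssertionsSigned") != "true":
        warnings.append("WantAssertionsSigned is not 'true': the metadata does not ask the IdP to "
                        "sign assertions, so confirm the server still rejects unsigned ones")
    return problems, warnings


# Constructed stand-in for sp.xml, reduced to the elements the checks inspect; {host}, {key}
# and {cert} are exactly the values the four edit steps substitute.
SP_TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://{host}/command-center/saml2/service-provider-metadata/{key}">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://{host}/command-center/saml/SingleLogout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://{host}/command-center/login/saml2/sso/{key}" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://{host}/command-center/login/saml2/sso/{key}" index="1" isDefault="false"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
FAKE_CERT = "MIIC" + "QUJD" * 20                 # constructed base64 body standing in for the Okta cert
HOST, KEY = "cc.example.internal", "cckey"      # hypothetical machine name and the key name from above
SSO_URL = f"https://{HOST}/command-center/login/saml2/sso/{KEY}"
AUDIENCE = f"https://{HOST}/command-center/saml2/service-provider-metadata/{KEY}"


def check_edited():
    """sp.xml after all four edits: no problems, one warning about WantAssertionsSigned."""
    return check_sp_metadata(SP_TEMPLATE.format(host=HOST, key=KEY, cert=FAKE_CERT), SSO_URL, AUDIENCE)


def check_unedited():
    """sp.xml with the wiki hostname and both CERTIFICATE placeholders still in place."""
    xml = SP_TEMPLATE.format(host="cc.saml.lingoport.io", key=KEY, cert="CERTIFICATE")
    return check_sp_metadata(xml, SSO_URL, AUDIENCE)
```

Run it against your real sp.xml by reading the file into `check_sp_metadata` with the two URLs from the Okta app; an empty problems list before you copy the file into Lingoport_Data/saml saves a round of log reading later.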
Configure saml_configuration.conf
- Copy <your-key-store.jks>, sp.xml, and idp.xml files under <userHomeDirectory>/Lingoport_Data/saml on the machine running the Command Center Server. Create that directory if not there.
- Under <userHomeDirectory>/Lingoport_Data/saml, add and configure the following lines to saml_configuration.conf:
// tell Command Center and the Plugin to use saml
commandcenter.saml.mode = true
grails.plugin.springsecurity.saml.active = true
grails.plugin.springsecurity.providerNames = ['samlAuthenticationProvider','anonymousAuthenticationProvider']
grails.plugin.springsecurity.saml.loginFormUrl = '/saml2/authenticate/<your-saml-key>'

// keystore configuration
// assuming you created a keystore named saml-keystore.jks and a key named samlkey ...
grails.plugin.springsecurity.saml.keyManager.storeFile = "file:" + samlpath + "/saml-keystore.jks"
grails.plugin.springsecurity.saml.keyManager.storePass = '<your-keystore-pw>'
grails.plugin.springsecurity.saml.keyManager.passwords = [<your-saml-key>:'<your-keystore-pw>']
grails.plugin.springsecurity.saml.keyManager.defaultKey = '<your-saml-key>'
grails.plugin.springsecurity.saml.metadata.sp.defaults.signingKey = '<your-saml-key>'
grails.plugin.springsecurity.saml.metadata.sp.defaults.encryptionKey = '<your-saml-key>'
grails.plugin.springsecurity.saml.metadata.sp.defaults.tlsKey = '<your-saml-key>'

// leave as is if created okta app as specified above
grails.plugin.springsecurity.saml.userGroupAttribute = 'memberOf'
grails.plugin.springsecurity.saml.userAttributeMappings = ['username' : 'Username', 'email': 'Email', 'fullname' : 'Last Name']
grails.plugin.springsecurity.saml.userGroupToRoleMapping = ['ROLE_ADMIN': 'Command Center Admin', 'ROLE_MANAGER': 'Command Center Manager', 'ROLE_DEV': 'Command Center Developer', 'ROLE_TRANSLATOR': 'Command Center Translator']

// idp configuration
grails.plugin.springsecurity.saml.metadata.defaultIdp = '<entity id found in idp.xml>'
grails.plugin.springsecurity.saml.metadata.idp.file = 'file:' + samlpath + '/idp.xml'
grails.plugin.springsecurity.saml.metadata.providers = ['samlkey':'file:' + samlpath+'/idp.xml']

// sp configuration
grails.plugin.springsecurity.saml.metadata.sp.file = samlpath + "/sp.xml"
grails.plugin.springsecurity.saml.metadata.sp.alias = "<entity id found in sp.xml file>"
grails.plugin.springsecurity.saml.metadata.sp.defaults.alias = '<entity id found in sp.xml file>'
grails.plugin.springsecurity.saml.metadata.sp.defaults.entityId = '<entity id found in sp.xml file>'
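To see what the userGroupAttribute, userAttributeMappings and userGroupToRoleMapping settings above do to an incoming assertion, here is an added illustration (not Lingoport's code, and not the plugin's internals, which the page does not show): it reproduces those three rules over constructed Okta-style assertions, so you can predict which account and roles a login produces and that a user who is in no mapped group is refused, as the last section of the page describes. The group "Command Center Contractors" and the e-mail addresses are made up.

```python
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The three settings from saml_configuration.conf, transcribed as Python data
USER_GROUP_ATTRIBUTE = "memberOf"
USER_ATTRIBUTE_MAPPINGS = {"username": "Username", "email": "Email", "fullname": "Last Name"}
USER_GROUP_TO_ROLE_MAPPING = {
    "ROLE_ADMIN": "Command Center Admin",
    "ROLE_MANAGER": "Command Center Manager",
    "ROLE_DEV": "Command Center Developer",
    "ROLE_TRANSLATOR": "Command Center Translator",
}


def assertion_attributes(assertion_xml):
    """Collect the AttributeStatement as {Name: [values]}; memberOf is multi-valued."""
    attrs = {}
    for attr in ET.fromstring(assertion_xml).findall(".//saml:Attribute", SAML):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def map_account(attrs):
    """Apply the two mappings. Returns the account that would be created, or None when the user
    holds no group named in userGroupToRoleMapping (the 'login will fail' case). Group names are
    compared exactly; the Okta 'Contains Command Center' filter only decides which groups are sent."""
    groups = set(attrs.get(USER_GROUP_ATTRIBUTE, []))
    roles = sorted(role for role, group in USER_GROUP_TO_ROLE_MAPPING.items() if group in groups)
    if not roles:
        return None
    account = {field: attrs.get(source, [None])[0] for field, source in USER_ATTRIBUTE_MAPPINGS.items()}
    account["roles"] = roles
    return account


def _assertion(email, last_name, groups):
    """Build a constructed, minimal Okta-style assertion carrying the attributes set up above."""
    member_of = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Username"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Last Name"><saml:AttributeValue>{last_name}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">{member_of}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


# Constructed users: one in two mapped groups; one whose only group passes the Okta
# 'Contains Command Center' filter but matches no role; one with no memberOf values at all.
DEVELOPER = _assertion("dev@example.com", "Developer", ["Command Center Developer", "Command Center Translator"])
CONTRACTOR = _assertion("ext@example.com", "Contractor", ["Command Center Contractors"])
NO_GROUPS = _assertion("none@example.com", "Nobody", [])


def login_outcome(assertion_xml):
    """What the server does with the assertion: the account it would create, or None (login fails)."""
    return map_account(assertion_attributes(assertion_xml))
```

Note that the account's fullname is taken from the Last Name attribute alone, which is what the 'fullname' : 'Last Name' mapping above specifies.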
Extra Configuration for Https
If your server is running under https, in the tomcat server.xml file, you must set the scheme for the Connector to https. For example:
<Connector port="8080" protocol="HTTP/1.1" ... scheme="https" />
Or you can configure your reverse proxy to preserve https in the request header. In apache, it would look like this:
RequestHeader add X-Forwarded-Proto https
Trouble-Shooting your SSO Configuration
If you are having difficulty logging in to your SSO-configured Command Center Server (login is failing, for example), configure the Command Center Server to write more information to the tomcat/temp/ccserver.log file during the login process. This will help in fixing your configuration.
To do this, place a special logback.xml file (provided by Lingoport) in a location on your server. Then add -Dlogging.config to your JAVA_OPTS environment variable.
For example:
JAVA_OPTS="-Xms256m -Xmx1600m -Dlogging.config=/path/to/logback.xml"
Then stop and start your Command Center Server to incorporate the changes. You should now see more information written to the ccserver.log file.
What Differences Will I see Using SSO?
When an SSO server has been successfully configured and launched, you will see these changes.
Server changes:
- On server login screen, an SSO login button displays, rather than Email and Password
- On server login screen, Forgot Password link is removed
- Admin users can no longer create other users, except for API users
- When an SSO user initially logs in to the server, a server account will be created if they were authenticated by the Identity Provider and authorized (by belonging to one of the four Command Center groups)
- If user is NOT authenticated or authorized, login will fail