Globalyzer Server SSO Installation

From Lingoport Wiki
Revision as of 17:56, 22 June 2022 by MaryH (talk | contribs) (Overview)
Jump to: navigation, search

Overview

Many large companies use SAML SSO with an Identity Provider to manage users and access to applications. To integrate Globalyzer with SAML SSO, first, the Identity Provider must be configured to allow access to Globalyzer. Then, Globalyzer must be configured for SSO. The result is three key files referenced from GzserverConfig.groovy

  1. a keystore that contains the identity provider certificate and a key
  2. the idp.xml file that describes the identity provider (Okta in our example)
  3. the sp.xml file that describes the service provider (our Globalyzer application)

Configure the Identity Provider

We will be using Okta as the Identity Provider in order to illustrate how to configure Globalyzer.

Set up Okta Developer Account

Create Globalyzer Groups/People

  • Click Directory->Groups on left
  • Create Globalyzer Admin group
  • Create Globalyzer Manager group
  • Create Globalyzer Member group
  • Choose Directory->People on left
  • Add accounts and assign to appropriate Globalyzer Groups

Create Okta Application

  • Click Applications->Applications on the left.
  • Click Create App Integration
  • Choose SAML 2.0 and then Next
  • Give your app a name and click Next
  • Single sign on URL: <your server machine>/gzserver/saml/SSO, for example https://saml.lingoport.net/gzserver/saml/SSO
  • Audience URI: whatever you put here must match the entity id you put in the sp.xml file, for example, GlobalyzerServer
  • Attributes Section: enter in the following:
   First Name, Unspecified, user.firstName
   Last Name, Unspecified, user.lastName
   Email, Unspecified, user.email
  • Groups Section: enter in the following:
   memberOf, Unspecified, Contains, Globalyzer
  • Select I'm an Okta customer adding an internal app
  • Check This is an internal app that we have created
  • Go to Assignments tab
  • Assign the three Globalyzer groups to your app

Download Artifacts

  • Go to Sign On tab of your app
  • Click View SAML setup instructions
  • Download certificate
  • Copy IDP Metadata to a file named idp.xml

Generate Keys and Keystore

  • Generate key and keystore:
   keytool -genkey -alias samlkey -keyalg RSA -keystore saml-keystore.jks
  • Accept Identity Provider Certficate
   keytool -import -alias okta -keystore saml-keystore.jsk -file <certificate you downloaded from okta>

Generate sp.xml

  • Create a file named sp.xml with the following contents
   <?xml version="1.0" encoding="UTF-8"?>
   <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="GlobalyzerServer">
   <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:Extensions><idpdisco:DiscoveryResponse xmlns:idpdisco="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://saml.lingoport.net/gzserver/login/auth?disco=true"/> 
   </md:Extensions><md:KeyDescriptor use="signing">
   <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
   <ds:X509Certificate>CERTIFICATE</ds:X509Certificate>
   </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
   <md:KeyDescriptor use="encryption">
   <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
   <ds:X509Certificate>CERTIFICATE</ds:X509Certificate>
   </ds:X509Data></ds:KeyInfo>
   </md:KeyDescriptor>
   <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://saml.lingoport.net/gzserver/saml/SingleLogout"/>
   <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://saml.lingoport.net/gzserver/saml/SingleLogout"/>
   <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
   <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
   <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
   <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat> 
   <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
   <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://saml.lingoport.net/gzserver/saml/SSO" index="0" isDefault="true"/>
   <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://saml.lingoport.net/gzserver/saml/SSO" index="1" isDefault="false"/>
   <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://saml.lingoport.net/gzserver/saml/SSO" index="2" isDefault="false"/>
   </md:SPSSODescriptor>
   </md:EntityDescriptor>
  • Modify entityId to match what you specified as Audience in your Okta app
  • Replace the two CERTIFICATEs with the certificate you downloaded from Okta. Open the file and grab the lines between BEGIN CERTIFICATE and END CERTIFICATE in the downloaded file.
  • Update the various Locations to be the machine your Globalyzer Server is running on ... keeping the /gzserver/saml/SSO or /gzserver/saml/SingleLogout endings

Configure GzserverConfig.groovy

  • Copy saml-keystore.jks, sp.xml, and idp.xml files to a specific location on the machine running the Globalyzer Server.
  • Add and configure the following lines to GzserverConfig.groovy:
   // tell Globalyzer and the Plugin to use saml
   gzserver.saml.mode = true
   grails.plugin.springsecurity.saml.active = true
   grails.plugin.springsecurity.providerNames = ['samlAuthenticationProvider','anonymousAuthenticationProvider']
   // keystore configuration
   // assuming you created a keystore named saml-keystore.jks and a key named samlkey ...
   grails.plugin.springsecurity.saml.keyManager.storeFile = "file:/path/to/saml-keystore.jks"
   grails.plugin.springsecurity.saml.keyManager.storePass = 'saml.keystore.pw'
   grails.plugin.springsecurity.saml.keyManager.passwords = [samlkey:'saml.keystore.pw']
   grails.plugin.springsecurity.saml.keyManager.defaultKey = 'samlkey'
   grails.plugin.springsecurity.saml.metadata.sp.defaults.signingKey = 'samlkey';
   grails.plugin.springsecurity.saml.metadata.sp.defaults.encryptionKey = 'samlkey';
   grails.plugin.springsecurity.saml.metadata.sp.defaults.tlsKey = 'samlkey';


   // leave as is if created okta app as specified above
   grails.plugin.springsecurity.saml.userGroupAttribute = 'memberOf'
   grails.plugin.springsecurity.saml.userAttributeMappings = ['username' : 'Email', 'firstName': 'First Name', 'lastName' : 'Last Name']
   grails.plugin.springsecurity.saml.userGroupToRoleMapping = ['ROLE_ADMIN': 'Globalyzer Admin', 'ROLE_MANAGER': 'Globalyzer Manager', 'ROLE_USER': 'Globalyzer Member']


   // idp configuration
   grails.plugin.springsecurity.saml.metadata.defaultIdp = 'entity id found in idp.xml'
   grails.plugin.springsecurity.saml.metadata.idp.file = '/path/to/idp.xml'
   grails.plugin.springsecurity.saml.metadata.providers = ['samlkey':'/path/to/idp.xml']


   // sp configuration
   grails.plugin.springsecurity.saml.metadata.sp.file = "/path/to/sp.xml"
   grails.plugin.springsecurity.saml.metadata.sp.alias = "entity id found in sp.xml file"
   grails.plugin.springsecurity.saml.metadata.sp.defaults.alias = 'entity id found in sp.xml file';
   grails.plugin.springsecurity.saml.metadata.sp.defaults.entityId = 'entity id found in sp.xml file'
   
  
   // http or https along with your machine name
   grails.plugin.springsecurity.saml.scheme = "https"
   grails.plugin.springsecurity.saml.serverName = "saml.lingoport.net"




Encrypting the LDAP Password

To support LDAP logins, the Globalyzer Server requires an LDAP account that can connect to your LDAP server and perform reads. As of 6.3, this password may be encrypted, rather that appear in plain text. To encrypt the password, you must use the globalyzer-encrypt-password.jar that is available in the Globalyzer-Server.zip file (starting with the 6.3 release).

Run the jar to generate an encrypted password:

$ java -jar globalyzer-encrypt-password.jar -in "my plain password"
Encrypted Password: CLCjzYV02uZaWDTDkcvK65BndTfUlH5leL00vsgWkmY=

Then place the generated password in the GzserverConfig.groovy file within ENC():

grails.plugin.springsecurity.ldap.context.managerPassword = 'ENC(CLCjzYV02uZaWDTDkcvK65BndTfUlH5leL00vsgWkmY=)'

Plain passwords are still supported and are configured like this:

grails.plugin.springsecurity.ldap.context.managerPassword = 'my plain password'

Example LDAP Configuration

As an example, let's assume that your LDAP has the following directory structure:

dc=example, dc=com
    ou=Groups
         cn=GlobalyzerAdmin
         cn=GlobalyzerManager
         cn=GlobalyzerMember
         cn=SomeOtherGroup
    ou=Users
         uid=mheilner
         uid=lcameron
         uid=olibouban

The configuration for this is shown below:

grails.plugin.springsecurity.ldap.authorities.groupSearchBase = 'ou=Groups,dc=example,dc=com'
grails.plugin.springsecurity.ldap.authorities.groupRoleAttribute = 'cn'
grails.plugin.springsecurity.ldap.authorities.groupSearchFilter = 'member={0}' 
grails.plugin.springsecurity.ldap.search.base = 'dc=example,dc=com'
grails.plugin.springsecurity.ldap.search.filter = '(uid={0})'

Trouble-Shooting your SSO Configuration

If you are having difficulty logging in to your SSO-configured Globalyzer Server (login is failing, for example), configure the Globalyzer Server to write more information to the tomcat/temp/gzserver.log file during the login process. This will help in fixing your configuration.

To do this, place the logback-debug.groovy file (delivered in the Globalyzer Server zip file) to a location on your server. Then add -Dlogging.config to your JAVA_OPTS in your enterprise.sh/bat script to use this file.

For example, the modified enterprise.bat would look like this:

set "JAVA_OPTS=-Xms256m -Xmx1600m -Dstringchararrayaccessor.disabled=true -Dlogging.config=C:\path\to\logback-debug.groovy"

Then stop and start your Globalyzer Server to incorporate the changes. You should now see more information written to the gzserver.log file.

Note, if you are running Tomcat as a service rather than starting/stopping using the enterprise script, then update your JAVA_OPTS environment variable on the Server machine and then restart the Tomcat service.

How Does SSO Work on Globalyzer Login?

When logging in to the Globalyzer Server or Client, the user will enter in their LDAP username and password. Globalyzer logs in to the LDAP server using the configured managerDN and managerPassword. A search is performed to authenticate the LDAP user as entered on the login screen. The search for this user will begin at the configured ldap.search.base and use the configured ldap.search.filter. If the user is not found, or the password is incorrect, the login will fail.

If the user is a valid LDAP user, then a search for the groups the user belongs to is performed. This group search begins at the configured groupSearchBase. Groups are identified in LDAP by the configured groupRoleAttribute. It uses the configured groupSearchFilter to determine if the found user is a member of the group. Users may be members of several groups across LDAP, but only one Globalyzer group.

If logging into the server, and the user is authenticated (user is a valid LDAP user) but the user does not belong to one of the three Globalyzer groups (admin, manager, or member), the user will be logged in, but won't be able to perform any actions, since not authorized to do so.

If logging into the client, and the user is authenticated (user is a valid LDAP user) but the user does not belong to one of the three Globalyzer groups, login will fail.

On initial login, if the user is authenticated (user is valid LDAP user) and authorized (user belongs to one of the three Globalyzer groups), a Globalyzer account is created at the appropriate access level.

On subsequent logins, if the user is authenticated (user is a valid LDAP user) and authorized (user belongs to one of the three Globalyzer groups), the existing server account is then updated with the latest information in LDAP, except for the level of access. If the user was authorized to be a Globalyzer Manager when the account was created, the user will always be a Globalyzer Manager. Switching the user to a different access level requires that the Globalyzer account be deleted (by a Globalyzer Manager or Member), and then on login, the Globalyzer account will be recreated at the current access level as configured in LDAP.

What Differences Will I see Using LDAP?

When an LDAP server has been successfully configured and launched, you will see these changes.

Server changes:

  • On server login screen, LDAP User and LDAP Password is displayed, rather than Email and Password
  • On server login screen, Forgot Password link is removed
  • Admin users can no longer create other Admins, Managers, or Members
  • Manager users can no longer create other Managers or Members
  • No users can edit their profile
  • When an LDAP user initially logs in to the server, a server account will be created if they were authenticated by LDAP and authorized (by belonging to one of the three Globalyzer groups)
  • If user is NOT authenticated by LDAP, login will fail
  • If user is authenticated by LDAP, but not authorized (via group membership), a screen appears saying they are not authorized to access Globalyzer
  • On subsequent logins, the user is first authenticated (account is validated against LDAP) and authorized (if Globalyzer group member). Their existing server account is then updated with the latest information in LDAP, EXCEPT for their level of access. If they were authorized to be a Globalyzer Manager when their account was created, they will always be a Globalyzer Manager. An existing Manager account will not be switched to a Member account or an Admin account, for example. The Manager account can be deleted from the Globalyzer server (by another Manager or Admin), and then on login, the account will be recreated at the current access level as configured in LDAP.

Client Workbench changes:

  • Forgot Password link still displays (since clients can connect to various servers) but if they are connected to an LDAP-configured server, a message displays saying that the password cannot be retrieved from an LDAP-configured server
  • When LDAP users initially log in to the client (haven't logged in to server yet), a server account will be created for them if they are authenticated by LDAP and authorized (by belonging to one of the three Globalyzer groups).
  • If user is NOT authenticated by LDAP, login will fail.
  • If user is authenticated by LDAP, but not authorized (via group membership), login will fail.