Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: clarified prerequisites

This article describes how to enable two-factor authentication to the Nexus PRIME clients PRIME Explorer and PRIME Self-Service

This is solved by setting up a SAML 2.0 federation with PRIME as a Service Provider and an Identity Provider, such as Nexus Hybrid Access Gateway


Prerequisites

Expand
titlePrerequisites

Installations

PRIME must be set up:

Install the The identity provider must be set up. If Hybrid Access Gateway is used, see here:

The following certificates must be created:

    Certificate for signing and encryption for the identity provider, for example Hybrid Access Gateway
    Examples:
  • Keystorehag.saml.p12 
  • Certificate: hag.saml.pem 
  • Private Key: hag.saml.key.pem 
    Certificate for signing and encryption for PRIME 
    Examples: 
  • KeystoresamlKeystore.jks 
  • Certificate: prime.saml.pem


Certificates

Panel

Insert excerpt
Create or extract certificates for SSL and SAML
Create or extract certificates for SSL and SAML
nopaneltrue

If you need instructions to create demo certificates or extract certificates to the required formats, see Create or extract certificates for SSL and SAML.

Set up PRIME as service provider

Expand
titleSet up authentication profile

To integrate PRIME with SAML SSO, the SAML authentication profile must be used.

  1. In PRIME Designer, go to Authentication Profiles, and add a new profile with the type SAML SSO Core Object. See Set up authentication profile.
  2. Open the created authentication profile for editiing.
  3. Insert excerpt
    Copy of Set up authentication profile
    Copy of Set up authentication profile
    nopaneltrue


Expand
titleUpload keystore file

The defined keystore file must contain the certificates and the private key used for signing and decryption.

A keystore is mandatory to configure. Trying to save a configuration without a keystore, triggers an error message. 

  1. Go to the SAML Configuration tab. The checkbox Enable SAML Settings is checked by default. If SAML authentication should not be used, uncheck it. 
  2. Under Keystore configuration, click the upload symbol, browse for the keystore file and select it. 
  3. In Password, enter the keystore password. If objects in the key store are protected with a password, then they must have the same password as the keystore. 

    When the keystore configuration has been uploaded, then Available key aliases shows a list of the aliases of all available private keys in the key store.


Expand
titleCreate service provider metadata files

Each SAML federation can have multiple service providers, for example PRIME Explorer, Self-Service and any other application to be included in the federation. Each service provider must have a metadata file. 

For each service provider, do the following to create a metadata file: 

  1. Create a metadata file in .xml format, and give it a file name such as PRIME_Explorer_saml_metadata.xml.
  2. Open the file for editing. Copy and paste the example file content from below.
  3. Do the following changes:
    1. In entityID: enter a meaningful name for the service provider, for example https://prime.local/sp.
    2. Replace certificate data with the base64 encoded SAML certificate, for example prime.saml.pem.
    3. In Location: enter the location, for example http://localhost:8080/prime_explorer/saml/SSO/alias/explorer.  
Code Block
languagexml
titleExample: Service Provider metadata file
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="sp.example" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="false">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>certificate data</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor use="encryption">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>certificate data</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/prime_explorer/saml/SSO/alias/explorer" index="0"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>


This table describes some elements and attributes of the Service Provider metadata xml file: 

ElementAttributeDescription

EntityDescriptor 

The common root element for definitions of IDP and SP.

entityID 

By convention, a symbolic URL can be used both for an IDP and a SP but any identifier is allowed. The number of characters is limited to 1024.

xmlns:md 

Namespace definition of SAML V2.0 metadata.

KeyDescriptor 

Provides information about the cryptographic key(s) an entity uses for signing and encryption. The contents, including the certificate, follow the XML Signature standard.


use Allowed values are "signing" and "encryption". This attribute is optional. If it is not used the assumption is that the same certificate is used for both signing and encryption.
NameIDFormat Elements indicate what SAML name identifier formats the service supports.

SPSSODescriptor:

Element for the definition of a SP.

protocolSupportEnumeration 

Support for the SAML V2.0 protocol namespace.

AuthnRequestsSigned 

Indicates if the SAML request sent by the SP must be signed. This attribute is optional. Defaults to "false" if not set.

WantAssertionsSigned 

Indicates if the Assertion elements in the SAML response must be signed. This attribute is optional. Defaults to "false" if not set.

AssertionConsumerService

The service the SP defines to process the SAML response.

Binding 

Mapping of the SAML protocol message onto a standard communication protocol. Value "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" required.

Location 

The URI under which the endpoint is reachable. Must include the path /saml/SSO/alias/<alias>.

index A unique integer of the endpoint for reference in a protocol message.



Expand
titleUpload service provider metadata files to authentication profile

After the metadata files have been created they must be uploaded to the authentication profile in PRIME Designer. Multiple service providers can be configured, for example for the different PRIME applications and any other applications to be included in the federation. 

  1. Open the SAML SSO authentication profile that was created earlier.
  2. Go to the SAML Configuration tab.  
  3. Under Service Provider Configuration, do the following for each service provider:
    1. Click on the + button to add a service provider. 
    2. In Service Provider Details, define the service provider as follows: 
      1. In Configuration file, click on the upload symbol and select the metadata file. 
      2. In Alias, enter a name to define the service provider. This must match the <alias> in the Location in the metadata file. If needed, multiple aliases can be given to the same application.
        Example: explorer or self-service.  
      3. In Alias for Signing Key and Alias for Encryption Key, enter the names of the private keys for signing and encryption that must be available in Available Key Aliases
Note

The metadata file for the SAML identity provider will be uploaded in a later step.



Expand
titleAdditional configurations for PRIME Self-Service

PRIME Self-Service needs the following additional configurations:

  1. Make sure that SAML is enabled in the configuration file /prime-ussp/assets/config/config.json:

    Code Block
    languagexml
    titleExample: config.json
    /prime-ussp/assets/config/config.json
     
    ...
    {
      ...
     
      "saml": {
        "enabled": true
      }
    }


  2. Set up the communication between PRIME Self-Service and PRIME Explorer:
    1. Open the file \prime_ussp\WEB-INF\classes\application.yaml.
    2. Adapt the URLs pointing to PRIME Explorer. If you use HTTPS instead of HTTP you must ensure that the SSL server certificate of PRIME Explorer is trusted by the java environment that runs the PRIME Self-Service (tomcat). 

    3. Make sure that cookie forwarding is activated, that is, that there are empty values for the propertysensitiveHeaders for the SAML routes in the configuration file.

      This is the default configuration.

      Code Block
      languagexml
      titleExample: application.yaml
      application.yaml
       
      ...
      zuul:
        ...
        routes:
          ...
          saml:
            path: /saml
            sensitiveHeaders:
            url: http://localhost:8080/prime_explorer/saml/login
          samllogin:
            path: /saml/**
            sensitiveHeaders:
            url: http://localhost:8080/prime_explorer/saml/


Set up identity provider, for example Hybrid Access Gateway

Expand
titleInstall Identity Provider server certificate

To have a secure communication between the identity provider and PRIME, server certificates must be provided by each server. 

Example - Add server certificate in Hybrid Access Gateway: 

  1. Log in to Hybrid Access Gateway administration interface.
  2. Go to Manage System > Certificates.
  3. In Server Certificates, click Add Server Certificate… 
  4. Enter a Display Name and browse for the files, to define Certificate and Key:

    Panel
    titleExample: Add server certificate

    Display Name: hag.local

    Certificate: hag.local.pem

    Key: key.pem


  5. Click Next > to finish the wizard.


Expand
titleImport Identity Provider SAML certificate

Private keys are used to digitally sign SAML messages and encrypt their content. Both parties need their own key-pair that could be created in self-signed mode (for testing purpose) or received from a public key infrastructure (for productive systems). 

Example - Enable Hybrid Access Gateway to use the SAML certificate for signing:

  1. Log in to Hybrid Access Gateway administration interface.
  2. Go to Manage System > Certificates.
  3. In Server Certificates, click Add Server Certificate… 
  4. Enter a Display Name and browse for the files, to define Certificate and Key:

    Panel
    titleExample: Add SAML certificate

    Display Name: SAML IdP Signing

    Certificate: hag.saml.pem

    Key: hag.saml.key.pem


    Note

    The Hybrid Access Gateway SAML certificate must be trusted by the Java installation that runs PRIME to have a secure communication between them.

    To allow SSL communication between PRIME Explorer and PRIME Self-Service, the SSL certificate needs to be trusted as well by the Java installation. The SSL certificate can be exported from the Java Key Store with the following command:

    Code Block
    titleExample: java keytool command
    keytool -export -keystore prime.local.jks -alias selfsigned -file prime.local.cer



  5. Click Next > to finish the wizard.


Expand
titleOptional: Create DNS name for identity provider

As identity provider, you can use any SAML2 compliant system. Follow the instructions of that software in order to configure it as SAML IdP. If you use Hybrid Access Gateway as identity provider, follow the steps here to create a DNS name.

Example - Create a DNS name for the Hybrid Access Gateway access point:

  1. Log in to Hybrid Access Gateway administration interface.
  2. Go to Manage Resource Access > Global Resource Settings.
  3. Go to the DNS Name Pool tab.
  4. Add a new DNS name for the access point. Give the DNS name, for example idp.hag.local, and select the corresponding Hybrid Access Gateway server certificate, for example hag.local.pem.
  5. Click Add and then Save 


Expand
titleCreate SAML Federation

The identity provider must be configured to define the SAML federation with the service provider, using the metadata created in PRIME. 

Example - Add service provider in Hybrid Access Gateway:

  1. Go to Manage Resource Access > SAML Federation.
  2. Click Add SAML Federation....
  3. Enter a Display Name, for example PRIME.
  4. Check Acting as Identity Provider.
  5. Uncheck Import metadata automatically.
  6. Go to the Export tab.
  7. Give a unique Entity ID: for example https://hag.local/idp.
  8. Select the Signing Certificate, for example SAML IdP Signing.
  9. Go to the Role Identity Provider tab and click Add service provider...
  10. Verify that SAML 2.0 is checked.
  11. Upload SAML 2.0 metadata, click Choose file and select the file that was created before (for example prime_explorer_saml_metadata.xml). Click Next.
  12. Confirm the message about the signer certificate by clicking Yes.
  13. Click Finish Wizard.
  14. Click on the created service provider, to open it.
    The Display Name and Entity ID is now updated according to the metadata file.


    Note

    Entity ID must be unique within the federation, for example https://prime.local/sp

    Service Provider URL is where the IdP will redirect the user after successful authentication, so this must be an exact match with the SP domain, in this case https://<prime_url>/prime_explorer/saml/SSO 

    Example: https://prime.local/prime_explorer/saml/SSO  

    <prime_url> must be the same as the url that was called initially. To be sure that the SAML request and response belong together, the communication must go to the same url and protocol (http or https), and both IdP and SP must be synchronized in terms of time.

    To set up NTP in HAG, see Deploy Hybrid Access Gateway and do initial setup.

     

  15. Disable Require signed authentication request 

  16. Go to the Assertion Settings tab.

  17. In Subject > Select source of subject: select E-mail. This is the unique identifier PRIME uses in standard cases, and will be used when Hybrid Access Gateway sends a SAML ticket to PRIME.

  18. Go to the tab Manage Access Rules.

  19. Select any suitable access rule or leave it as Any Authentication 

  20. Click Finish Wizard and then Add. 

  21. Repeat the same steps to add PRIME Self-Service as an additional service provider.  


Expand
titleDownload SAML metadata

After the service provider was configured successfully in the identity provider, the SAML metadata must be downloaded and uploaded in PRIME.

Example - Download the metadata from Hybrid Access Gateway: 

  1. Go to Manage Resource Access > SAML Federation.
  2. Click on the created service provider, to open it.
  3. Go to the tab Export.
  4. Click Download metadata.
  5. Upload the metadata file to the SAML Authentication Profile in PRIME Explorer and select the Type as METADATA. No File Properties needs to be configured for the identity provider meta-data.

Note

Make sure that the PRIME server and the Hybrid Access Gateway server have the same time configured.


Upload identity provider metadata to PRIME

Expand
titleUpload identity provider metadata to SAML authentication profile in PRIME

After the metadata files have been created they must be uploaded to the authentication profile in PRIME Designer. This section describes how to upload the identity provider metadata files. 

  1. Open the SAML SSO authentication profile that was created earlier.
  2. Go to the SAML Configuration tab.  
  3. Under Identity Provider Configuration, do the following:
    1. In Configuration File, click the upload symbol to browse for and select the metadata file that has been provided from the identity provider, for example downloaded from Hybrid Access Gateway. 
    2. In Attribute Type, select either option for where the authentication information shall be communicated: 
      1. NameID refers to the subject of a SAML response. Use an appropriate value that matches the desired field in the CoreObject.
      2. Attribute Statement refers to attributes associated with the subject of a SAML response.
    3. If Attribute Statement was selected, then also enter one or more names in Attribute Name
Note

Make sure that the PRIME server and the Identity Provider server (for example Hybrid Access Gateway) have the same time configured.