Online Help

SafeNet Trusted Access for OpenIAM

Overview

Configuring SafeNet Trusted Access for OpenIAM is a three-step process:

1. OpenIAM setup

2. SafeNet Trusted Access setup

3. Verify authentication

OpenIAM Setup

As prerequisites:

Download the Identity Provider Signing Certificate from the SafeNet Trusted Access console by clicking the Download X.509 certificate button. You will need this certificate in the steps below.

In OpenIAM, end users must be in active state before configuring single sign-on (SSO).


Configuring SafeNet Trusted Access as your Identity Provider in OpenIAM requires:

Creating a service provider

Creating an identity provider

Assigning a service provider (as a default resource) to OpenIAM users for SSO

Creating a Service Provider

Perform the following steps to create a service provider:

1. Log in to OpenIAM as an administrator using the http://<FQDN of the Client Machine>:8080/webconsole URL, where <FQDN of the Client Machine> is the domain name of the client machine.

For example, http://localhost.openiam.com:8080/webconsole

2. On the OpenIAM administrator console, click the Access Control tab, and click Authentication Providers.

3. In the left pane, click Create New Provider.

4. In the right pane, under Create a New Authentication Provider, in the Select a Provider Type drop-down list, select SAML Service Provider.

5. Under Create new SAML Service Provider, perform the following steps:

a. Under Provider Information, in the Provider Name field, enter a name for the service provider (for example, OpenIAMSP).

b. In the Linked to Managed System field, select OPENIAM.

c. In the Authentication Policy field, select Default Authn Policy.

d. In the Password Policy field, select Default Pswd Policy.

e. In the SAML Issuer Name field, enter the http://<FQDN of the Client Machine>:8080/idp/SAMLLogin.html URL.

For example, http://localhost.openiam.com:8080/idp/SAMLLogin.html

f. In the Sign-in page URL field, enter the Single Sign on Service URL provided on the SafeNet Trusted Access console.

On the SafeNet Trusted Access console, you can copy this URL by clicking the Copy to Clipboard icon next to the SINGLESIGNONSERVICE field.

g. In the Sign-out page URL field, enter the Single Sign on Service URL provided on the SafeNet Trusted Access console.

On the SafeNet Trusted Access console, you can copy this URL by clicking the Copy to Clipboard icon next to the SINGLESIGNONSERVICE field.

h. Under Signature, ensure that the SAML Signing Enabled, Sign Authentication Requests, and Want Assertion Signed check boxes are selected.

i. In the Public Key for Validating Signatures field, click Choose file to search for and select the identity provider certificate that you downloaded earlier from the STA console.

j. Under Authentication, in the Authentication Context Class field, select urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified.

k. Under Name ID, in the Name ID Format field, select urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

l. Click Save. You will be redirected to the Edit SAML Service Provider window.

6. On the Edit SAML Service Provider window, scroll down, and click View SAML Metadata. The metadata is displayed in a web browser. Copy the entire text of the metadata, paste it in a text editor, and save it as a .xml file (for example, OpenIAM metadata.xml) on your local machine.

Creating an Identity Provider

Perform the following steps to create an identity provider:

1. On the OpenIAM Administrator console, click the Access Control tab, and click Authentication Providers.

2. In the left pane, click Create New Provider.

3. In the right pane, under Create a New Authentication Provider, in the Select a Provider Type drop-down list, select SAML IDP Provider.

4. Under Create New SAML Identity Provider, perform the following steps:

a. Under Provider Information, in the Provider Name field, enter a name for the identity provider (for example, SafeNet IDP).

b. In the Linked to Managed System field, select OPENIAM.

c. In the Assertion Consumer URL field, enter the http://<FQDN of the Client Machine>:8080/idp/saml2/sp/login URL.

For example, http://localhost.openiam.com:8080/idp/saml2/sp/login

d. In the Request Issuer field, enter the http://<FQDN of the Client Machine>:8080/idp/SAMLLogin.html URL.

For example, http://localhost.openiam.com:8080/idp/SAMLLogin.html

e. In the Response Issuer field, enter the Issuer/Entity ID URL provided on the SafeNet Trusted Access console.

On the SafeNet Trusted Access console, you can copy this URL by clicking the Copy to Clipboard icon next to the ISSUER/ENTITY ID field.

f. Under Signature, ensure that the SAML Signing Enabled, Expect AuthnRequests to be signed, and Sign Assertions check boxes are selected.

g. In the Public Key for Validating Signatures field, click Choose file to search for and select the identity provider certificate that you downloaded earlier from the STA console.

h. Under Authentication, in the Authentication Context Class field, select urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified.

i. Under Name ID, in the Name ID Format field, select urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

j. Under Single Logout, in the Single-Logout URL of Service Provider field, enter the http://<FQDN of the Client Machine>:8080/idp/saml2/sp/logout URL.

For example, http://localhost.openiam.com:8080/idp/saml2/sp/logout

k. Click Save.
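The metadata saved in step 6 of Creating a Service Provider is what SafeNet Trusted Access will trust for the OpenIAM service provider, so it is worth confirming offline that it carries the values entered above before uploading it: the entityID must equal the SAML Issuer Name, the AssertionConsumerService and SingleLogoutService locations must match the login and logout URLs entered in Creating an Identity Provider, the signing flags must be on, and a signing certificate must be present. The following script is an added example, not OpenIAM or SafeNet code; the metadata string inside it is a constructed sample shaped like SAML 2.0 SP metadata, not real OpenIAM output, and the check_sp_metadata function and its expected URL layout are this example's own assumptions.

```python
"""Offline sanity check of OpenIAM SP metadata before uploading it to STA.

Added example (not OpenIAM or SafeNet Trusted Access code). Parses a SAML 2.0
SP metadata file and reports every mismatch against the values entered in the
OpenIAM console for a given client FQDN. Only the standard library is used.
"""
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of what an OpenIAM SP metadata file could look like.
# The certificate body is a placeholder, not a real X.509 certificate.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://localhost.openiam.com:8080/idp/SAMLLogin.html">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...CONSTRUCTED-PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://localhost.openiam.com:8080/idp/saml2/sp/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost.openiam.com:8080/idp/saml2/sp/login"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text, fqdn):
    """Return a list of problems; an empty list means the metadata matches the console values."""
    base = "http://%s:8080" % fqdn
    expected = {
        "entityID": base + "/idp/SAMLLogin.html",      # SAML Issuer Name / Request Issuer
        "acs": base + "/idp/saml2/sp/login",           # Assertion Consumer URL
        "slo": base + "/idp/saml2/sp/logout",          # Single-Logout URL of Service Provider
        "nameid": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    }
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not md:EntityDescriptor"]
    if root.get("entityID") != expected["entityID"]:
        problems.append("entityID %r does not equal SAML Issuer Name %r"
                        % (root.get("entityID"), expected["entityID"]))
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["no md:SPSSODescriptor: this is not service provider metadata"]
    # Both flags must be true for STA to expect signed requests and send signed assertions.
    for flag in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if sp.get(flag) != "true":
            problems.append("%s is %r, expected 'true'" % (flag, sp.get(flag)))
    cert = sp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        problems.append("no signing certificate: the IdP cannot verify signed AuthnRequests")
    acs = [e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS)]
    if expected["acs"] not in acs:
        problems.append("AssertionConsumerService %r not among %r" % (expected["acs"], acs))
    slo = [e.get("Location") for e in sp.findall("md:SingleLogoutService", NS)]
    if expected["slo"] not in slo:
        problems.append("SingleLogoutService %r not among %r" % (expected["slo"], slo))
    formats = [(e.text or "").strip() for e in sp.findall("md:NameIDFormat", NS)]
    if expected["nameid"] not in formats:
        problems.append("NameIDFormat %r not among %r" % (expected["nameid"], formats))
    return problems


if __name__ == "__main__":
    # Usage: python check_sp_metadata.py "OpenIAM metadata.xml" localhost.openiam.com
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            issues = check_sp_metadata(fh.read(), sys.argv[2])
    else:
        issues = check_sp_metadata(SAMPLE_METADATA, "localhost.openiam.com")
    print("OK: metadata matches the console values" if not issues else "\n".join(issues))
```

Run it against the saved file and the client FQDN; any line it prints names a field to correct in the OpenIAM console before the metadata is uploaded in the SafeNet Trusted Access Setup section, since STA will otherwise post assertions to the wrong location or skip the signing checks the steps above turned on.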

Assigning a Service Provider (as the Default Resource) to OpenIAM Users for SSO

Perform the following steps to assign a service provider to OpenIAM users for SSO:

1. On the OpenIAM administrator console, click the Access Control tab, and click Resource.

2. In the right pane, under Search Resources, in the Action column, click the edit icon for the service provider (for example, OpenIAMSP) that you created in step 5(a) of Creating a Service Provider.

3. Under Edit Resource, in the URL field, enter the http://<FQDN of the Client Machine>:8080/selfservice URL.

For example, http://localhost.openiam.com:8080/selfservice

4. Click Save.

5. In the left pane, click Entitlements.

6. In the right pane, under Resource Entitlement, in the Name column, right-click Users, and click Add.

7. Select the OpenIAM user to whom you want to assign the resource (for example, OpenIAMSP) to perform single sign-on (SSO).

Note: Only the OpenIAM users who have been assigned this resource (for example, OpenIAMSP) can perform SSO.

8. Click Save.

SafeNet Trusted Access Setup

After completing the first step of configuring SafeNet Trusted Access in OpenIAM, the second step is to activate the OpenIAM application in SafeNet Trusted Access by performing the following steps:

1. In the Applications pane, the OpenIAM application that you added previously is in an inactive state by default. To configure and activate this application, click the application (for example, OpenIAM) and proceed to the next step.

2. Under STA Setup, click Upload OpenIAM Metadata.

3. On the Metadata upload window, click Browse to search for and select the OpenIAM metadata file that you saved earlier in step 6 of Creating a Service Provider.

Under Account Details, the service provider metadata information is displayed.

4. In the Name ID field, ensure that SAS User ID is selected.

5. Click Save Configuration to save the details and activate the OpenIAM application in SafeNet Trusted Access.

Verify Authentication

Using STA Console

Navigate to the OpenIAM login URL, http://<FQDN of the Client Machine>:8080/idp/saml2/sp/login?issuer=http://<FQDN of the Client Machine>:8080/idp/SAMLLogin.html

For example: http://localhost.openiam.com:8080/idp/saml2/sp/login?issuer=http://localhost.openiam.com:8080/idp/SAMLLogin.html

You will be redirected to the SafeNet Trusted Access sign-in page. Enter your primary directory login information, approve the two-factor authentication, and you should be redirected to the OpenIAM application after authentication.

Using STA User Portal

Navigate to the User Portal URL to log in to the STA User Portal dashboard. On the dashboard, you will see a list of applications to which you have access. Click the OpenIAM application icon; you should be redirected to the OpenIAM application after authentication.


© 2019 SafeNet Trusted Access. Various trademarks held by their respective owners.