SAML2 Profile

Since: 1.2 (Previous version: 1.1)

The SAML2 (Security Assertion Markup Language v2.0) Profile allows OpenASelect to act as a SAML2 compliant Identity Provider (IdP). The profile supports the Web SSO feature (AuthnRequest via HTTP redirect and HTTP POST; Response via HTTP redirect, HTTP POST, and HTTP artifact), Artifact Resolution via SOAP, Metadata, and Single Logout (as an endpoint only; via HTTP redirect, HTTP POST, and SOAP).

The Security Assertion Markup Language (SAML), developed by the Security Services Technical Committee of OASIS, is an XML-based framework for communicating user authentication, entitlement, and attribute information. For more information, visit the SAML2 website.

Installation

These instructions require a working OpenASelect Server installation.

  1. Download the latest binary distribution from the download section and extract it to a temporary directory.
  2. Copy the extracted folders and files into the <OpenASelect-Root> directory of your OpenASelect installation.

Deployment

Deploying the SAML2 Profile in an application container requires the additional steps described below.

JAXP XML processing

The SAML2 Profile uses the OpenSAML Java library, which relies on JAXP 1.3 for low-level XML parsing and creation. For the profile to work properly, the Apache Xerces and Xalan Java libraries must be endorsed, i.e. placed where the JVM loads them in preference to the XML implementation bundled with the JRE. Please refer to your JRE or application container documentation for more information on how to endorse these libraries. The procedure for Apache Tomcat is outlined below; note that the common/endorsed layout shown is that of Tomcat 5.5 (later Tomcat versions use $CATALINA_HOME/endorsed by default), and that Java 9 and later no longer support java.endorsed.dirs at all. Because an endorsed parser replaces the JRE's XML parser for every application running in the container, keep these jars up to date with XML parser security fixes.

For your convenience the OpenASelect SAML2 Profile contains all required libraries in a single directory. The following description shows how to endorse the necessary libraries for Tomcat in three simple steps:

  1. Create an endorsed libraries directory for Tomcat if it does not already exist, e.g.:
$CATALINA_HOME/common/endorsed

If this directory already exists it may contain older versions of the libraries to be endorsed. Make sure all older versions are removed before proceeding with step 2; two versions of the same library side by side lead to unpredictable class loading.

  2. Copy all the library ('jar') files from the endorsed folder of the OpenASelect SAML2 Profile distribution (resolver.jar, serializer.jar, xercesImpl.jar, xml-apis.jar, xalan.jar) to the created folder.
  3. Add the following line to the beginning of the Tomcat catalina.sh or catalina.bat (Windows) file ('$CATALINA_HOME/bin/'):

Linux:

JAVA_OPTS="$JAVA_OPTS -server -Djava.endorsed.dirs=$CATALINA_HOME/common/endorsed"

Windows:

set JAVA_OPTS=%JAVA_OPTS% -server -Djava.endorsed.dirs=%CATALINA_HOME%\common\endorsed
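The three steps above can be scripted so that they are repeatable and so that the "remove older versions" caveat is not forgotten. The following shell function is an added example and is not part of the OpenASelect distribution; it assumes the profile's endorsed folder and CATALINA_HOME are passed as arguments, removes any older copies of the five libraries, copies the new jars, and inserts the JAVA_OPTS line after the shebang of catalina.sh only if it is not already present.

```shell
#!/bin/sh
# Added example (not from the OpenASelect project): endorse the XML libraries
# shipped with the SAML2 Profile in a Tomcat 5.5-style installation.
# Usage: endorse_tomcat_xml_libs <profile-dist>/endorsed $CATALINA_HOME
endorse_tomcat_xml_libs() {
  src="$1"
  catalina_home="$2"
  endorsed="$catalina_home/common/endorsed"
  script="$catalina_home/bin/catalina.sh"
  # Exact line from the documentation; single quotes keep $JAVA_OPTS unexpanded.
  opts_line='JAVA_OPTS="$JAVA_OPTS -server -Djava.endorsed.dirs=$CATALINA_HOME/common/endorsed"'

  # Step 1: create the endorsed directory if it does not exist yet.
  mkdir -p "$endorsed" || return 1

  # Older copies of the same libraries must not remain next to the new ones;
  # versioned names such as xercesImpl-2.6.jar are matched by the glob.
  for name in resolver serializer xercesImpl xml-apis xalan; do
    rm -f "$endorsed/$name"*.jar
  done

  # Step 2: copy the five jars from the profile's endorsed folder, failing
  # loudly if the distribution is incomplete.
  for name in resolver serializer xercesImpl xml-apis xalan; do
    if [ ! -f "$src/$name.jar" ]; then
      echo "missing $src/$name.jar" >&2
      return 1
    fi
    cp "$src/$name.jar" "$endorsed/" || return 1
  done

  # Step 3: add the JAVA_OPTS line at the top of catalina.sh (after the
  # shebang), but only once so re-running the function is harmless.
  if ! grep -Fq 'java.endorsed.dirs' "$script"; then
    { head -n 1 "$script"; printf '%s\n' "$opts_line"; tail -n +2 "$script"; } > "$script.tmp" \
      && mv "$script.tmp" "$script" || return 1
  fi
  return 0
}
```

After running it, restart Tomcat and confirm that no other copy of xercesImpl or xalan remains on the container's class path (for example under a web application's WEB-INF/lib), since a stale copy there would again shadow the endorsed version for that application.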

Alias storage

The SAML2 Profile requires storage of TGT-specific SP Role aliases.

If the OpenASelect Server runs in a redundant environment (storing TGTs in a JDBC storage), this functionality must be enabled explicitly in the TGT Factory (see: TGT Alias Store configuration). This also requires that the alias_store_sp table is available; the SQL script supplied with the release in setup/postgresql/oa_redundant.saml2.postgresql.sql creates it.

Usage

In order for the SAML2 Profile to accept requests from your SAML2 Service Provider(s), the following steps are required:

  1. Add the Service Provider as an OpenASelect requestor.
See the Requestor Pool section for more information on configuring requestors within OpenASelect.
  2. Add the requestor to the SAML2 Profile configuration.
Some SAML2-specific requestor configuration is required; this is configured in the SAML2 Requestors section.
  3. Metadata.
The OpenASelect SAML2 IdP metadata can be found at the location configured in the Metadata section. This should also be the root URL of the SAML2 Profile, e.g.:
http://[host]/openaselect/profiles/saml2/

Because the metadata carries the IdP signing certificate and endpoint URLs that the SP will trust, it should be published over HTTPS (or signed) in production, and the SP should not fetch it over plain HTTP.

Please refer to the specific SAML2 SP documentation for information about configuring the SP to use this metadata.