Configuring External Identity Provider Authentication

To configure SBM to accept authenticated users from an external identity provider, select one of the following on the External Identity Provider tab:

  - Use 3rd Party Service Provider
  - Use SAML2 Service Provider

Refer to one of the following sections according to your selection.

Using a Third Party Service Provider

You can configure authentication settings for a third-party service provider with or without SSO. Both options are covered below.

To configure authentication with a third-party service provider:

  1. On the General tab, select External Identity Provider in the Validate user credentials against drop-down list. The External Identity Provider tab appears.
  2. In the User sessions are managed by drop-down list, select Other or Single Sign-On depending on whether or not you want to use SSO.
  3. On the External Identity Provider tab, select Use 3rd Party Service Provider.
  4. If you are using Single Sign-On, select the Enable Login Form check box to display a login page to users when user validation fails. Clear the check box if you do not want the page to appear.
  5. Enter the Custom HTTP header that is used by the identity provider to pass the user ID to SBM. The default value is REMOTE_USER.
  6. If you are using Single Sign-On, select Configure custom authentication filter to enter your own custom filter for the external identity provider.

    For example:

    <filter>
        <filter-name>MySample3rdPartyFilter</filter-name>
        <filter-class>com.acme.authentication.MySample3rdPartyFilter</filter-class>
        <init-param>
          <param-name>param1</param-name>
          <param-value>value1</param-value>
        </init-param>
        <init-param>
          <param-name>param2</param-name>
          <param-value>value2</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>MySample3rdPartyFilter</filter-name>
        <url-pattern>/login</url-pattern>
    </filter-mapping>
  7. Click Apply to save your changes.
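The custom HTTP header in step 5 is the only thing that tells SBM who the user is, so it must be honored only when the request actually came through the identity provider; a client that can reach SBM directly could otherwise send any value in that header. The following Python is an added example, not SBM code or part of its SSO API, of that trust decision and of the login-form behaviour from step 4. The trusted front-end addresses, the header dictionary shape, the sample requests and the user-ID pattern are all assumptions made for the example.

```python
"""Added example (not SBM code): decide whether the identity-provider header
on a request can be trusted as the user ID.

Assumptions (not from the SBM documentation): the identity provider reaches
SBM through a front end whose addresses are known, the user ID is passed as
an ordinary HTTP request header, and user IDs are simple account names."""
import ipaddress
import re

# Assumed format for user IDs handed over by the identity provider.
USER_ID_RE = re.compile(r"[A-Za-z0-9._@-]{1,128}")


class HeaderAuthError(Exception):
    """Raised when the user-ID header cannot be trusted or is absent."""


def resolve_header_user(headers, remote_addr, trusted_proxies, header_name="REMOTE_USER"):
    """Return the user ID carried in header_name, or raise HeaderAuthError.

    headers: request headers as a dict (matched case-insensitively).
    remote_addr: IP address of the peer that delivered the request to SBM.
    trusted_proxies: CIDR strings for the identity provider's front end; the
    header is ignored on requests from any other address.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_proxies):
        raise HeaderAuthError(f"request from {remote_addr} did not come through the identity provider")
    value = next((v for k, v in headers.items() if k.lower() == header_name.lower()), None)
    if value is None or not value.strip():
        raise HeaderAuthError(f"{header_name} header missing: user validation failed")
    user = value.strip()
    if not USER_ID_RE.fullmatch(user):
        raise HeaderAuthError(f"{header_name} value is not a well-formed user ID")
    return user


def handle_request(headers, remote_addr, trusted_proxies, login_form_enabled,
                   header_name="REMOTE_USER"):
    """Map the outcome onto the Enable Login Form setting from step 4:
    ("user", <id>) on success; on failure ("login_form", reason) when the
    login form is enabled, otherwise ("denied", reason)."""
    try:
        return ("user", resolve_header_user(headers, remote_addr, trusted_proxies, header_name))
    except HeaderAuthError as exc:
        return ("login_form" if login_form_enabled else "denied", str(exc))


# Constructed sample requests (not captured traffic).
TRUSTED = ["10.0.5.0/24"]
SAMPLE_REQUESTS = [
    {"headers": {"Remote_User": "jdoe"}, "remote_addr": "10.0.5.7"},      # via identity provider
    {"headers": {"REMOTE_USER": "admin"}, "remote_addr": "203.0.113.9"},  # direct client, header untrusted
    {"headers": {"Accept": "text/html"}, "remote_addr": "10.0.5.7"},      # header absent
    {"headers": {"REMOTE_USER": "j doe"}, "remote_addr": "10.0.5.7"},     # malformed value
]


def classify_samples(login_form_enabled=True):
    """Run every sample through handle_request and return the outcome labels."""
    return [handle_request(r["headers"], r["remote_addr"], TRUSTED, login_form_enabled)[0]
            for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, outcome in zip(SAMPLE_REQUESTS, classify_samples()):
        print(req["remote_addr"], req["headers"], "->", outcome)
```

With the login form enabled, every failed validation falls through to the login page, which is the behaviour step 4 describes; with it cleared, the same requests are simply denied.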

Using a SAML2 Service Provider

SAML2 requires a trust relationship between the identity provider and the service provider via an exchange of metadata between the two entities. On the SSO server, you will use SBM Configurator to retrieve the service provider metadata (which includes a unique entity ID) and you will use it to register the SSO server with your identity provider. You will then obtain metadata from the identity provider and enter it into SBM Configurator to establish the trust.

If you have multiple SSO servers (as you would in a multi-environment installation), depending on the identity provider requirements you might need to register the entity ID from each SSO server individually with the identity provider.

The following steps describe how to perform a typical metadata exchange.

  1. On the General tab, select External Identity Provider in the Validate user credentials against drop-down list. The External Identity Provider tab appears.
  2. In the User sessions are managed by drop-down list, select Single Sign-On.
  3. On the External Identity Provider tab, select Use SAML2 Service Provider.
  4. In the Identity Provider section, click Edit Metadata. Click Import or paste the metadata that you obtain from the identity provider. Click OK when you are finished.
  5. In the Service Provider section, click Generate Certificate to add a self-signed certificate. This creates a certificate with a private key and adds the X.509 certificate information to the service provider metadata that you will send to the external identity provider.
  6. In the Service Provider section, click View Metadata. In the dialog box that appears, click Export or Copy and save the data that appears to a text file. Use this metadata to register with the identity provider.
    Tip: Depending on the policies of your identity provider, HTTPS URLs might be required for the service provider bindings. If you configure SSL on the IIS and Tomcat tabs in SBM Configurator, the bindings in the service provider metadata are automatically created using HTTPS as well.
  7. Click Apply to save your changes.

The exchange of metadata is now complete and the trust relationship between SBM and your external identity provider has been established.
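Before importing the identity provider's metadata (step 4) or sending the service provider metadata out (step 6), it is worth checking what the document actually contains: the entity ID, the certificates and the bindings, including whether the bindings use HTTPS as the Tip in step 6 notes. The following Python checker is an added example and is not SBM Configurator's own code; the sample metadata is constructed, the endpoint paths are invented for the example, and the certificate body is placeholder bytes rather than a real X.509 certificate.

```python
"""Added example (not SBM Configurator code): inspect SAML 2.0 metadata
before it is imported into, or exported from, the SSO server."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the "View Metadata" output; the certificate body is
# placeholder bytes, base64-encoded, not a real X.509 certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"placeholder-not-a-real-certificate").decode()
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sso.example.test/sp/example-entity-id">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.example.test/idp/saml2/acs" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://sso.example.test/idp/saml2/artifact" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Role descriptors and the endpoint element that matters for each.
ROLE_ENDPOINTS = (
    ("SPSSODescriptor", "AssertionConsumerService"),
    ("IDPSSODescriptor", "SingleSignOnService"),
)


def parse_metadata(xml_text):
    """Summarize a SAML 2.0 EntityDescriptor: entity ID, certificates and endpoints."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("document is not a SAML 2.0 EntityDescriptor")
    summary = {"entity_id": root.get("entityID"), "roles": []}
    for role_tag, endpoint_tag in ROLE_ENDPOINTS:
        for role in root.findall(f"md:{role_tag}", NS):
            certs = []
            for kd in role.findall("md:KeyDescriptor", NS):
                # Per the metadata schema, an absent "use" means signing and encryption.
                use = kd.get("use") or "signing encryption"
                for cert in kd.findall(".//ds:X509Certificate", NS):
                    der = base64.b64decode("".join(cert.text.split()))
                    # Fingerprint of the DER bytes, for comparing with what the other party shows.
                    certs.append({"use": use, "sha256": hashlib.sha256(der).hexdigest()})
            endpoints = [{"binding": ep.get("Binding"), "location": ep.get("Location")}
                         for ep in role.findall(f"md:{endpoint_tag}", NS)]
            summary["roles"].append({"role": role_tag, "certificates": certs, "endpoints": endpoints})
    return summary


def find_problems(summary, require_https=True):
    """List the conditions that would break the exchange or weaken the trust."""
    problems = []
    if not summary["entity_id"]:
        problems.append("missing entityID")
    if not summary["roles"]:
        problems.append("no SPSSODescriptor or IDPSSODescriptor found")
    for role in summary["roles"]:
        if not any("signing" in c["use"] for c in role["certificates"]):
            problems.append(f"{role['role']}: no signing certificate")
        if not role["endpoints"]:
            problems.append(f"{role['role']}: no endpoints")
        for ep in role["endpoints"]:
            if require_https and not (ep["location"] or "").lower().startswith("https://"):
                problems.append(f"{role['role']}: non-HTTPS binding {ep['location']}")
    return problems


if __name__ == "__main__":
    summary = parse_metadata(SAMPLE_SP_METADATA)
    print("entityID:", summary["entity_id"])
    for role in summary["roles"]:
        for c in role["certificates"]:
            print(role["role"], "certificate", c["use"], "sha256", c["sha256"])
        for ep in role["endpoints"]:
            print(role["role"], ep["binding"].rsplit(":", 1)[-1], ep["location"])
    for problem in find_problems(summary):
        print("PROBLEM:", problem)
```

Run against the sample, the checker reports the entity ID and the signing certificate, and flags the HTTP-Artifact binding because its location is plain HTTP, which is the case where enabling SSL on the IIS and Tomcat tabs before exporting would have produced HTTPS bindings. The same function accepts identity provider metadata, where it checks the IDPSSODescriptor and its SingleSignOnService endpoints instead.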

Related Topics

About External Identity Provider Authentication