To configure SBM to accept authenticated users from an external identity provider, select one of the following:
- Use 3rd Party Service Provider
- Use SAML2 Service Provider (appears if you have selected Single Sign-On)
Refer to one of the following sections according to your selection.
Using a Third Party Service Provider
You can configure authentication settings for a third-party service provider with or without SSO. Both options are covered below.
To configure authentication with a third-party service provider:
- On the General tab, select External Identity Provider in the Validate user credentials against drop-down list. The External Identity Provider tab appears.
- In the User sessions are managed by drop-down list, select Other or Single Sign-On depending on whether or not you want to use SSO.
- On the External Identity Provider tab, select Use 3rd Party Service Provider.
- If you are using Single Sign-On, select the Enable Login Form check box to display a login page to users when user validation fails. Clear the check box if you do not want the page to appear.
- Enter the Custom HTTP header that is used by the identity provider to pass the user ID to SBM. The default value is REMOTE_USER.
- If you are using Single Sign-On, select Configure custom authentication filter to enter your own custom filter for the external identity provider. For example:
  <!-- Filter declaration: the class that implements the custom filter and its init-params -->
  <filter>
    <filter-name>MySample3rdPartyFilter</filter-name>
    <filter-class>com.acme.authentication.MySample3rdPartyFilter</filter-class>
    <init-param>
      <param-name>param1</param-name>
      <param-value>value1</param-value>
    </init-param>
    <init-param>
      <param-name>param2</param-name>
      <param-value>value2</param-value>
    </init-param>
  </filter>
  <!-- Filter mapping: the URL pattern on which the filter runs -->
  <filter-mapping>
    <filter-name>MySample3rdPartyFilter</filter-name>
    <url-pattern>/login</url-pattern>
  </filter-mapping>
- Click Apply to save your changes.
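The user ID handoff in the steps above depends on the custom HTTP header (default REMOTE_USER) being set only by the identity provider. The Python function below is an added illustration, not SBM's code or a servlet filter from the product: it models the decision such a filter makes, honouring the configured header only on requests that arrived through a trusted front end and otherwise falling through to the login form when Enable Login Form is selected. The `Request` and `FilterConfig` names, the `trusted_proxies` address and the outcome when the login form is disabled are assumptions made for the example.

```python
"""Model of a header-based identity handoff (added example, not SBM code).

SBM reads the user ID from a configurable HTTP header (default REMOTE_USER)
that the identity provider sets. The risk a filter must handle is a header
supplied by the client itself rather than by the identity provider, so the
header is honoured only when the request came through a trusted front end
that is assumed to overwrite the header on every request.
"""
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_HEADER = "REMOTE_USER"  # default header name from the configuration page


@dataclass
class Request:
    """Minimal request model (assumed names; constructed for the example)."""
    headers: dict = field(default_factory=dict)
    remote_addr: str = "0.0.0.0"


@dataclass
class FilterConfig:
    """Settings that mirror the configuration tab; trusted_proxies is an assumption."""
    header_name: str = DEFAULT_HEADER
    enable_login_form: bool = True
    trusted_proxies: frozenset = frozenset({"10.0.0.5"})  # constructed front-end address


def identity_from_header(req: Request, cfg: FilterConfig) -> Optional[str]:
    """Return the user ID asserted via the configured header, or None."""
    if req.remote_addr not in cfg.trusted_proxies:
        # The header may have been set by the client itself: do not trust it.
        return None
    # HTTP header names are case-insensitive; compare them in lower case.
    headers = {k.lower(): v for k, v in req.headers.items()}
    user = headers.get(cfg.header_name.lower(), "").strip()
    return user or None


def handle(req: Request, cfg: FilterConfig) -> str:
    """Outcome of the filter: 'user:<id>', 'login-form', or 'unauthenticated'.

    'unauthenticated' is the assumed outcome when the login form is disabled;
    the page does not state what SBM shows in that case.
    """
    user = identity_from_header(req, cfg)
    if user:
        return f"user:{user}"
    return "login-form" if cfg.enable_login_form else "unauthenticated"


if __name__ == "__main__":
    cfg = FilterConfig()
    print(handle(Request({"REMOTE_USER": "alice"}, "10.0.0.5"), cfg))
    print(handle(Request({"REMOTE_USER": "alice"}, "203.0.113.9"), cfg))
```

The second call shows the case the check is there for: the same header on a request that did not come through the trusted front end is ignored and the user sees the login form instead of being signed in as `alice`.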
Using a SAML2 Service Provider
SAML2 requires a trust relationship between the identity provider and the service provider via an exchange of metadata between the two entities. On the SSO server, you will use SBM Configurator to retrieve the service provider metadata (which includes a unique entity ID) and you will use it to register the SSO server with your identity provider. You will then obtain metadata from the identity provider and enter it into SBM Configurator to establish the trust.
If you have multiple SSO servers (as you would in a multi-environment installation), depending on the identity provider requirements you might need to register the entity ID from each SSO server individually with the identity provider.
The following steps describe how to perform a typical metadata exchange.
- On the General tab, select External Identity Provider in the Validate user credentials against drop-down list. The External Identity Provider tab appears.
- In the User sessions are managed by drop-down list, select Single Sign-On.
- On the External Identity Provider tab, select Use SAML2 Service Provider.
- In the Identity Provider section, click Edit Metadata. Click Import or paste the metadata that you obtain from the identity provider. Click OK when you are finished.
- In the Service Provider section, click Generate Certificate to add a self-signed certificate. This creates a certificate with a private key and adds the x509 certificate information to the service provider metadata that you will send to the external identity provider.
- In the Service Provider section, click View Metadata. In the dialog box that appears, click Export or Copy and save the data that appears to a text file. Use this metadata to register with the identity provider.
  Tip: Depending on the policies of your identity provider, HTTPS URLs might be required for the service provider bindings. If you configure SSL on the IIS and Tomcat tabs in SBM Configurator, the bindings in the service provider metadata are automatically created using HTTPS as well.
- Click Apply to save your changes.
The exchange of metadata is now complete and the trust relationship between SBM and your external identity provider has been established.
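Before importing metadata from the identity provider, or sending the service provider metadata out, it helps to confirm that the file carries the three things the exchange above relies on: the entity ID, the x509 certificate, and endpoint bindings that use HTTPS where the identity provider's policy requires it. The following Python script is an added example, not part of SBM Configurator: it parses a SAML2 EntityDescriptor and reports what is missing or uses a non-HTTPS location. It works for identity provider metadata (SingleSignOnService endpoints) and service provider metadata (AssertionConsumerService endpoints) alike, since both use the same metadata namespace. The sample metadata, hostnames and certificate placeholder are constructed for the example.

```python
"""Sanity checks on SAML2 metadata before the exchange (added example).

Parses an EntityDescriptor, extracts the entityID, the X.509 certificate(s)
and every endpoint Location, and lists problems a practitioner would want
to catch before registering with the other party. Metadata received from an
external party is untrusted input; in production parse it with defusedxml.
The sample document and its hostnames are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML Signature namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed identity provider metadata: one HTTPS binding, one plain-HTTP binding.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...CERTIFICATE-PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_metadata(xml_text):
    """Return entity ID, certificates and (element, binding, location) endpoints."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML2 EntityDescriptor")
    entity_id = root.get("entityID")
    certs = [c.text.strip() for c in root.iterfind(".//ds:X509Certificate", NS) if c.text]
    endpoints = []
    for role in root:            # IDPSSODescriptor, SPSSODescriptor, ...
        for element in role:     # SingleSignOnService, AssertionConsumerService, ...
            location = element.get("Location")
            if location:
                local_name = element.tag.split("}")[-1]
                endpoints.append((local_name, element.get("Binding"), location))
    return {"entity_id": entity_id, "certificates": certs, "endpoints": endpoints}


def find_problems(meta):
    """List what would make the metadata unusable or weaker than intended."""
    problems = []
    if not meta["entity_id"]:
        problems.append("missing entityID")
    if not meta["certificates"]:
        problems.append("no X509Certificate in metadata")
    for name, binding, location in meta["endpoints"]:
        if not location.lower().startswith("https://"):
            problems.append("%s (%s) uses non-HTTPS location %s" % (name, binding, location))
    return problems


if __name__ == "__main__":
    meta = parse_metadata(SAMPLE_IDP_METADATA)
    print("entityID:", meta["entity_id"])
    for problem in find_problems(meta):
        print("problem:", problem)
```

Run against the sample, the script reports the one HTTP-POST endpoint whose Location is plain HTTP; the same check on your exported service provider metadata confirms that the SSL settings on the IIS and Tomcat tabs produced HTTPS bindings before you hand the file to the identity provider.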
Copyright © 2007–2016 Serena Software, Inc. All rights reserved.