You can enable SBM to accept authenticated users using an external identity provider. If you are using SSO to manage user sessions, select one of the following options:
- Use Third-Party Service Provider
- Use SAML2 Service Provider
Otherwise, if you are not using SSO, enter the Custom HTTP header that the identity provider uses to pass the user ID to SBM. The default value is REMOTE_USER.
For more information on these options, refer to the corresponding topics below.
Using a Third Party Service Provider
You can configure authentication settings for a third-party service provider with or without SSO. Details on configuring settings with SSO are provided below.
- On the General tab, in the Browser sessions drop-down list, select Single Sign-On.
- In the Browser authentication drop-down list, select Third Party Authentication System. The External Identity Provider tab appears.
- On the External Identity Provider tab, select Use 3rd Party Service Provider.
- Select the Enable Login Form check box to display a login page to users when user validation fails. Clear the check box if you do not want the page to appear.
- Enter the Custom HTTP header that the identity provider uses to pass the user ID to SBM. The default value is REMOTE_USER.
- Select Configure custom authentication filter to enter your own custom filter for the external identity provider. For example:
    <filter>
      <filter-name>MySample3rdPartyFilter</filter-name>
      <filter-class>com.acme.authentication.MySample3rdPartyFilter</filter-class>
      <init-param>
        <param-name>param1</param-name>
        <param-value>value1</param-value>
      </init-param>
      <init-param>
        <param-name>param2</param-name>
        <param-value>value2</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>MySample3rdPartyFilter</filter-name>
      <url-pattern>/login</url-pattern>
    </filter-mapping>
- Click Apply to save your changes.
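The custom filter step above leaves the filter logic to you, and the point that matters most there is trust in the identity header: once SBM accepts a user ID from a header such as REMOTE_USER, that header must only ever be set by the identity provider's front end, never by the browser. The following servlet filter is an added example, not SBM or Serena code; it reuses the class name from the sample filter declaration above but is otherwise hypothetical. It reads two assumed init-params, headerName (defaulting to REMOTE_USER) and trustedProxies (a comma-separated list of addresses), honours the header only when the request arrives from one of those addresses, rejects any other request that carries the header, and exposes the accepted user ID through the standard getRemoteUser() API so downstream code does not need to read raw headers. The character pattern used to sanity-check the user ID is also an assumption; adjust it to your directory's naming rules.

```java
package com.acme.authentication;

import java.io.IOException;
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical header-trust filter (added example, not SBM code).
 * The identity header is accepted only from configured trusted proxy
 * addresses; a request from anywhere else that carries the header is refused.
 */
public class MySample3rdPartyFilter implements Filter {
    private String headerName = "REMOTE_USER";          // page default
    private final Set<String> trustedProxies = new HashSet<>();

    @Override
    public void init(FilterConfig config) throws ServletException {
        // "headerName" and "trustedProxies" are assumed init-param names.
        String h = config.getInitParameter("headerName");
        if (h != null && !h.trim().isEmpty()) {
            headerName = h.trim();
        }
        String proxies = config.getInitParameter("trustedProxies");
        if (proxies == null || proxies.trim().isEmpty()) {
            // Fail closed: without a trusted source the header means nothing.
            throw new ServletException("trustedProxies init-param is required");
        }
        for (String p : proxies.split(",")) {
            trustedProxies.add(p.trim());
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String userId = request.getHeader(headerName);

        if (userId == null || userId.isEmpty()) {
            // No identity asserted: let the rest of the chain (or the login form) decide.
            chain.doFilter(req, res);
            return;
        }
        if (!trustedProxies.contains(request.getRemoteAddr())) {
            // Header present but the request did not come through the identity provider's front end.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        if (!userId.matches("[A-Za-z0-9._@-]{1,255}")) {
            // Assumed naming rule; reject anything that does not look like a user ID.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Hand the validated identity downstream via the servlet API, not the raw header.
        chain.doFilter(new AuthenticatedRequest(request, userId), res);
    }

    @Override
    public void destroy() {
        trustedProxies.clear();
    }

    /** Wrapper that reports the validated user through getRemoteUser()/getUserPrincipal(). */
    private static final class AuthenticatedRequest extends HttpServletRequestWrapper {
        private final String user;

        AuthenticatedRequest(HttpServletRequest request, String user) {
            super(request);
            this.user = user;
        }

        @Override
        public String getRemoteUser() {
            return user;
        }

        @Override
        public Principal getUserPrincipal() {
            return () -> user;
        }
    }
}
```

Declared with the filter and filter-mapping elements shown above, this class replaces param1 and param2 with the two assumed parameters; if the front end that sets the header runs on the same host as Tomcat, the trusted address is the loopback address, and in a load-balanced deployment it is the balancer's address rather than the client's.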
Using a SAML2 Service Provider
SAML2 requires a trust relationship between the identity provider and the service provider, established through an exchange of metadata between the two entities. On the SSO server, you use SBM Configurator to retrieve the service provider metadata (which includes a unique entity ID) and use it to register the SSO server with your identity provider. You then obtain metadata from the identity provider and enter it into SBM Configurator to establish the trust.
If you have multiple SSO servers (as you would in a multi-environment installation), depending on the identity provider requirements you might need to register the entity ID from each SSO server individually with the identity provider.
The following steps describe how to perform a typical metadata exchange.
- On the General tab, in the Browser sessions drop-down list, select Single Sign-On.
- In the Browser authentication drop-down list, select Third Party Authentication System. The External Identity Provider tab appears.
- On the External Identity Provider tab, select Use SAML2 Service Provider.
- If Tomcat is configured to use HTTPS, the Use HTTPS for endpoints check box is selected by default. Clear this check box if HTTPS is not used or not desired by SBM as the service provider.
- The Force authentication option instructs the identity provider to force re-authentication on every call from SBM. If force authentication is supported by your SAML2 identity provider, you can use this option to ensure that sessions are not inadvertently expired.
  Note: If your identity provider is configured to use an auto-login mechanism such as NTLM, the session is automatically re-authenticated and remains valid for an additional time period determined by the identity provider. However, if the identity provider uses a login form to gather credentials, this option forces users to re-enter their credentials as soon as their SSO token expires.
- Use the Maximum authentication age option to set the default tolerance period for the SAML2 authentication statement. This helps prevent login issues related to stale authentication statements. Enter the maximum number of seconds that the identity provider allows for its authentication statements.
- Use the Response skew option to set the maximum tolerance for clock differences between the identity provider clock and the service provider clock.
- In the Identity Provider section, click Edit Metadata. Enter the metadata that you obtain from the identity provider using one of the following methods:
  - Import From File – Browse to a local file that contains the metadata.
  - Import From URL – Enter a URL that SBM Configurator can use to connect and download the metadata. For HTTPS addresses, you can optionally select Ignore SSL certificate errors to perform the GET operation without checking the SSL name and certificate.
  - Copy and paste – Copy and paste the identity provider metadata directly into the dialog box.
  Click OK when you are finished.
- In the Service Provider section, click Generate Certificate to add a self-signed certificate. This creates a certificate with a private key and adds the X.509 certificate information to the service provider metadata that you will send to the external identity provider.
  Note: The certificate is generated using the SHA-1 secure hash algorithm. The SSO token signature uses the following ds:Digest element:
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
- In the Service Provider section, click View Metadata. In the dialog box that appears, click Export or Copy and save the data that appears to a text file. Use this metadata to register with the identity provider.
  Tip: Depending on the policies of your identity provider, HTTPS URLs might be required for the service provider bindings. If you configure SSL on the IIS and Tomcat tabs in SBM Configurator, the bindings in the service provider metadata are automatically created using HTTPS as well.
- Click Apply to save your changes.
The exchange of metadata is now complete, and the trust relationship between SBM and your external identity provider has been established.
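The Maximum authentication age and Response skew settings in the steps above are the two knobs that decide whether a SAML response is rejected as stale or as coming from a clock that is out of step. To make concrete what each one tolerates, here is an added example, not SBM or SBM Configurator code, that applies both settings to the three timestamps a SAML2 assertion carries: the NotBefore and NotOnOrAfter conditions, which the skew widens in both directions, and the AuthnInstant of the authentication statement, which the maximum age bounds. Adding the skew to the age check as well is an assumption; the page does not say whether SBM does so. The timestamps in main() are constructed sample values.

```java
import java.time.Duration;
import java.time.Instant;

/**
 * Hypothetical validator for the two tolerance settings (added example,
 * not SBM code). Times are compared as java.time.Instant values.
 */
public final class SamlTimeWindow {
    private final Duration maxAuthenticationAge; // "Maximum authentication age", in seconds
    private final Duration responseSkew;         // "Response skew", in seconds

    public SamlTimeWindow(long maxAuthenticationAgeSeconds, long responseSkewSeconds) {
        this.maxAuthenticationAge = Duration.ofSeconds(maxAuthenticationAgeSeconds);
        this.responseSkew = Duration.ofSeconds(responseSkewSeconds);
    }

    /**
     * Assertion Conditions: NotBefore and NotOnOrAfter, each widened by the
     * skew so that a small clock difference between the identity provider and
     * the service provider does not reject an otherwise valid response.
     */
    public boolean conditionsValid(Instant notBefore, Instant notOnOrAfter, Instant now) {
        if (notBefore != null && now.plus(responseSkew).isBefore(notBefore)) {
            return false; // not valid yet, even allowing for skew
        }
        if (notOnOrAfter != null && !now.minus(responseSkew).isBefore(notOnOrAfter)) {
            return false; // expired, even allowing for skew
        }
        return true;
    }

    /**
     * AuthnStatement AuthnInstant: the user's login at the identity provider must
     * not be older than the maximum authentication age. The skew is added too
     * (assumption: whether SBM applies it here is not stated on the page).
     */
    public boolean authenticationFresh(Instant authnInstant, Instant now) {
        Instant oldestAcceptable = authnInstant.plus(maxAuthenticationAge).plus(responseSkew);
        return now.isBefore(oldestAcceptable);
    }

    public static void main(String[] args) {
        // Constructed sample configuration: 2 hour maximum age, 60 second skew.
        SamlTimeWindow window = new SamlTimeWindow(7200, 60);
        Instant now = Instant.parse("2018-06-01T12:00:00Z");

        // Identity provider clock 30 s ahead: NotBefore is in the future but inside the skew.
        boolean withinSkew = window.conditionsValid(
                Instant.parse("2018-06-01T12:00:30Z"),
                Instant.parse("2018-06-01T12:05:00Z"), now);

        // Identity provider clock 2 min ahead: outside the skew, so the response is rejected.
        boolean beyondSkew = window.conditionsValid(
                Instant.parse("2018-06-01T12:02:00Z"),
                Instant.parse("2018-06-01T12:05:00Z"), now);

        // Authentication statement from 3 hours ago: older than the maximum age.
        boolean stale = window.authenticationFresh(Instant.parse("2018-06-01T09:00:00Z"), now);

        System.out.println("accepted within skew:  " + withinSkew);
        System.out.println("accepted beyond skew:  " + beyondSkew);
        System.out.println("authentication fresh:  " + stale);
    }
}
```

When tuning the two settings, keep the skew to the few seconds a time-synchronised network actually needs; a large skew lengthens the window in which a captured response remains replayable, whereas the maximum authentication age only needs to match the session lifetime your identity provider enforces.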
Copyright © 2007–2018 Serena Software, Inc., a Micro Focus company. All rights reserved.