Single Sign-On allows organizations to use their already defined domain authentication, so users do not have to create a separate username and password for Serviceaide Intelligent Service Management (CSM).

This article explains how to configure SAML-based authentication between CSM Intelligent Service Management and your Identity Provider (IdP). This feature is tested with Microsoft Active Directory Federation Services (ADFS 3.0) and Novell Access Manager. However, you can also configure SAML-based authentication on other IdPs such as OpenAM and PingFederate.

You need administrator privileges in CSM Intelligent Service Management to perform the tasks that are listed in this article.

...

To enable Single Sign-On between CSM Intelligent Service Management and your IdP, establish a federation between these two systems. Configurations are required in both CSM Intelligent Service Management and the IdP server for establishing the federation.

...

  • Identity Provider server is configured and running.
  • Token Signing Certificate is available.
  • HTTPS/SSL is enabled on the IIS server.
  • CSM Intelligent Service Management is installed on a server that is HTTPS/SSL enabled.

...

Federation servers use public/private key pairs to add a digital signature to all security tokens they produce. The public key lets the receiving party validate the authenticity of a security token, that is, confirm that it was issued by the federation server and not altered in transit.

CSM Intelligent Service Management uses Signing Certificates to secure communications and establish trust.

Export the Public Key portion of the Signing Certificate from the IdP. Save the Signing Certificate on a local system that is accessible to CSM Intelligent Service Management. Use the XML Metadata of the certificate when configuring Single Sign-On in CSM Intelligent Service Management.

Note: Store the Signing Certificate as a Base64-encoded file when exporting from ADFS 3.0, and as a PEM file when exporting from Novell Access Manager.

...

If the export is successful, the certificate is saved at the location that you specified. You can open the certificate in any text editor, like Notepad.
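Before pasting the exported certificate into the SSO configuration, it is worth confirming that it is actually one of the certificates the IdP publishes for signing in its SAML metadata (a stale export, or the encryption certificate exported by mistake, makes every assertion fail signature validation). The following is an added example, not part of the Serviceaide documentation; the metadata, entityID URLs and certificate bodies are constructed placeholders.

```python
"""Cross-check an exported IdP signing certificate against the IdP's SAML
metadata. Added example, not Serviceaide code; the metadata and certificate
bodies below are constructed placeholders, not real key material.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and Base64-decode the body to DER bytes."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def signing_certs_from_metadata(metadata_xml: str) -> list:
    """DER bytes of every certificate the IdP publishes for signing."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join(cert.text.split())))
    return certs


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def exported_cert_matches(pem: str, metadata_xml: str) -> bool:
    """True only if the exported certificate is one the IdP advertises for signing."""
    want = fingerprint(pem_to_der(pem))
    return any(fingerprint(d) == want for d in signing_certs_from_metadata(metadata_xml))


# Constructed sample data (not real certificates).
SIGN_B64 = base64.b64encode(b"constructed signing cert DER placeholder").decode()
ENC_B64 = base64.b64encode(b"constructed encryption cert DER placeholder").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{SIGN_B64}\n-----END CERTIFICATE-----\n"
WRONG_PEM = f"-----BEGIN CERTIFICATE-----\n{ENC_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SIGN_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{ENC_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `exported_cert_matches(open("idp-signing.cer").read(), open("FederationMetadata.xml").read())` against your own export and metadata; a `False` means the file you exported is not the current signing certificate.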

Configure SAML Single Sign-On in Intelligent Service Management

You can add multiple SAML single sign-on configurations to CSM Intelligent Service Management. This allows a single CSM Intelligent Service Management system to support different organizations, each of which may have a different SSO/SAML setup. To enable Single Sign-On, configure CSM Intelligent Service Management to trust the assertions that are sent by the IdP.

...

After the Single Sign-On is configured in CSM Intelligent Service Management, the metadata becomes available online. The URL to the metadata file varies for different instances of the application. Consider the following examples:

...

You can download the metadata from this location and can save it as an XML file. Use the information in this XML file and add CSM Intelligent Service Management as a trusted partner in your IdP.

Note: Contact the support team for the metadata URL applicable to your application instance.

Add Intelligent Service Management as Trusted Service Provider in the IdP

Add the metadata that is generated from CSM Intelligent Service Management to your IdP to enable the SAML communication between them. For information about generating the metadata, see Configure SAML Single Sign-On in CSM.

Follow these steps on Microsoft ADFS 3.0:

  1. Log in to the IdP server and navigate to Administrative Tools > ADFS 3.0 Management > Relying Party Trusts > Add Relying Party Trust.
  2. Follow the instructions in the Add Relying Party Trust wizard to add the metadata.
  3. Verify that the following conditions are met:
    1. The Permit all users to access this relying party option is selected.
    2. An entry for CSM Intelligent Service Management is displayed in the Endpoints tab.
    3. The Secure Hash Algorithm (SHA) value under the Advanced tab is set to SHA-1.
  4. On the Finish page, select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes. The Edit Claim Rules dialog helps you set the attributes for identifying a user.
  5. Add user identification attributes in the Edit Claim Rules dialog. For more information about claim rules, see Configure Identity Provider To Send User Identifier As Name ID.

CSM Intelligent Service Management is added as a trusted service provider in your IdP.

...

  1. Log in to the Novell iManager Administration Console and navigate to Access Manager > Identity Servers > Servers.
  2. On the Servers tab, select a server cluster, and click Edit.
  3. Click SAML 2.0, New, Service Provider.
  4. Add a name for CSM Intelligent Service Management service provider. In the Source field, you can either add the metadata URL or paste the text from the metadata file.
  5. Click Finish.
  6. Navigate to Access Manager, Identity Servers, and click Update All.

CSM Intelligent Service Management is added as a trusted service provider in your IdP.

...

After configuring your IdP and CSM Intelligent Service Management to trust assertions, set up the attribute statement for the SAML assertion. This attribute statement is used to identify a user. Use a value that is unique for each user as the identifier, such as the user principal name or the Email ID.

Note: When using the ADSync Utility, use the Name Identifier that is mapped to the username in CSM Intelligent Service Management.

Follow these steps on Microsoft ADFS 3.0:

...

Single Sign-On is configured for CSM Intelligent Service Management with ADFS 3.0 as the IdP.

...

Single Sign-On is configured for CSM Intelligent Service Management with Novell Access Manager as the IdP.
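The Name ID the IdP emits is only usable as a user identifier after the service provider has checked that the assertion is addressed to it and is still within its validity window. The following added example (not Serviceaide code) shows that extraction order on a constructed, unsigned assertion; the SP entityID and IdP URL are assumed placeholders, and a real SP must verify the XML signature against the IdP signing certificate before trusting any of these values.

```python
"""Extract the user identifier from a SAML assertion only after checking the
Audience and validity window. Added example, not Serviceaide code; the
assertion is constructed and unsigned (signature checking is out of scope).
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SP_ENTITY_ID = "https://csm.example.test/sp"  # assumed SP entityID, placeholder


def _ts(value: str) -> datetime:
    # SAML timestamps are UTC with a trailing Z, e.g. 2024-01-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def subject_from_assertion(xml_text: str, audience: str, now: datetime) -> tuple:
    """Return (name_id, format); raise ValueError if the assertion is unacceptable."""
    root = ET.fromstring(xml_text)
    a = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find(".//saml:Assertion", NS)
    if a is None:
        raise ValueError("no saml:Assertion element")
    cond = a.find("saml:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if nb is None or na is None:
        raise ValueError("assertion lacks NotBefore/NotOnOrAfter")
    if now < _ts(nb) or now >= _ts(na):
        raise ValueError("assertion is outside its validity window")
    audiences = [x.text for x in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError(f"assertion is not addressed to {audience}")
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None or not (nid.text or "").strip():
        # This is what a missing IdP claim rule (no Name ID emitted) looks like.
        raise ValueError("no NameID in Subject")
    return nid.text.strip(), nid.get("Format", "unspecified")


# Constructed assertion with an e-mail style Name ID, as an ADFS claim rule would emit.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID Format="{EMAIL_FMT}">alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
VALID_AT = datetime(2024, 1, 1, 12, 2, tzinfo=timezone.utc)
EXPIRED_AT = datetime(2024, 1, 1, 12, 5, tzinfo=timezone.utc)  # equal to NotOnOrAfter: rejected
```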

...

When an SSO login is initiated, a server error is displayed.

Cause

CSM Intelligent Service Management sends an encoded SAML request (XML) to the IdP to process the SSO login. The encoded XML contains an entityID attribute, which is not a standard SAML request attribute, and this causes the error.
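To confirm this cause from a captured login URL, decode the SAMLRequest parameter (Base64 over raw DEFLATE in the HTTP-Redirect binding) and compare the attributes on the AuthnRequest element against those the SAML 2.0 core schema defines. The following is an added diagnostic, not Serviceaide code; the request it decodes is constructed to reproduce the entityID symptom, and the URLs in it are placeholders.

```python
"""Decode a SAMLRequest from the HTTP-Redirect binding (Base64 over raw DEFLATE)
and list attributes on <samlp:AuthnRequest> that the SAML 2.0 core schema does
not define. Added diagnostic, not Serviceaide code; the request is constructed.
"""
import base64
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Attributes the core schema allows on AuthnRequest (RequestAbstractType + AuthnRequestType).
STANDARD_ATTRS = {
    "ID", "Version", "IssueInstant", "Destination", "Consent",
    "ForceAuthn", "IsPassive", "ProtocolBinding", "AssertionConsumerServiceIndex",
    "AssertionConsumerServiceURL", "AttributeConsumingServiceIndex", "ProviderName",
}


def decode_redirect_request(saml_request: str) -> str:
    """Base64-decode, then inflate. The Redirect binding uses raw DEFLATE: wbits=-15."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


def encode_redirect_request(xml_text: str) -> str:
    """Inverse of decode_redirect_request; used here only to build the sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode("utf-8")) + comp.flush()).decode("ascii")


def nonstandard_authn_attrs(xml_text: str) -> list:
    """Sorted attribute names on the AuthnRequest root that the schema does not define.

    xmlns declarations are not attributes in ElementTree, so they are never listed;
    namespaced attributes would appear as '{uri}local'.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"root element is {root.tag}, not samlp:AuthnRequest")
    return sorted(a for a in root.attrib if a not in STANDARD_ATTRS)


# Constructed request reproducing the symptom: a non-standard entityID attribute.
BAD_REQUEST_XML = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
    'IssueInstant="2024-01-01T12:00:00Z" Destination="https://idp.example.test/adfs/ls/" '
    'entityID="https://csm.example.test/sp" AssertionConsumerServiceURL="https://csm.example.test/sp/acs">'
    '<saml:Issuer>https://csm.example.test/sp</saml:Issuer></samlp:AuthnRequest>'
)
GOOD_REQUEST_XML = BAD_REQUEST_XML.replace(' entityID="https://csm.example.test/sp"', "")
BAD_SAML_REQUEST = encode_redirect_request(BAD_REQUEST_XML)  # value as it appears in ?SAMLRequest=
```

On a real capture, URL-decode the SAMLRequest query parameter first and pass it to `decode_redirect_request`; a result of `["entityID"]` from `nonstandard_authn_attrs` confirms the cause described above.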

...