Introscope SAML configuration

Article ID: 121392

Products

CA Application Performance Management Agent (APM / Wily / Introscope) INTROSCOPE

Issue/Introduction

This article documents the SAML configuration process for APM, gives background on how the Enterprise Manager uses the protocol, and recommends how it should be configured.

SAML authentication consists of two steps:
1. SP sends an authentication request to the IdP
  •     not encrypted, because it contains no sensitive information
  •     SP signs the request with the SP private key
  •     IdP verifies the signature with the SP public key
2. IdP replies with a response (SAML assertion) to the SP
  •     IdP encrypts the response with the SP public key
  •     IdP signs the response with the IdP private key
  •     SP decrypts the response with the SP private key
  •     SP verifies the signature with the IdP public key

SP == Service Provider, i.e. EM/WebView
IdP == Identity Provider, installed separately by the user

Two consequences follow for the configuration: the SP private key must stay in the EM keystore and only its certificate is handed to the IdP, and the EM must hold the IdP's signing certificate so that it can verify the response.

Environment

CA APM 10.x

Resolution

1. Perform a fresh install of the EM and verify that SAML works with the internal IdP:
     introscope.saml.enable=true
     introscope.saml.internalIdp.enable=true


2. Change the configuration to an external IdP. For this you need to:
    a. turn off the internal IdP
                  introscope.saml.internalIdp.enable=false
    b. set the URL of the external IdP
                  introscope.saml.idpUrl=
    c. on the IdP side, register the SP using the certificate of the default SP key pair that ships with the EM (the IdP only needs the SP public certificate; the SP private key stays in the EM keystore)

    d. import the IdP public key into the EM

             The IdP's public key can be found in the IdP's metadata file, in the X509Certificate element. If the metadata lists separate signing and encryption certificates, use the signing one: the EM needs it to verify the IdP's signature on the response.

         Follow the steps listed below to import the certificate into the keystore.
  •        Copy the certificate data from the IdP metadata into a new file (e.g. idp_public.pem). The certificate in the IdP metadata is the base64 body of a PEM certificate, without the header and footer lines.
  •        Add the header and footer to the new file. After adding them, the file should look similar to this:


               -----BEGIN CERTIFICATE-----
               MIIDeTCCAmGgAwIBAgIEb1CaGjANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJDWjEXMBUGA1UE
               [..]
               z6LUS/iuMCCtjoA1FGMsF1EZiQ2Pt/MPZgPAAsMrZWkikXqNke4=
               -----END CERTIFICATE-----
 
  •        Save the file.
  •        Convert the file from PEM to DER format using openssl:


                     openssl x509 -outform der -in idp_public.pem -out idp_public.der
  •        Import the DER certificate into the EM/WebView keystore using keytool:


                       keytool -import -alias your-alias -keystore keystore -file idp_public.der

     The password for the keystore is "password" without the enclosing quotes.
  •        Verify that SAML login works.

3. Replace the default SP private key with a new one generated by the customer. This means importing the new key pair into the EM keystore under the alias spprivatekey and updating the SP registration on the IdP side with the new certificate. Verify that SAML login still works. The default key pair and the keystore password ship with every EM installation, so the default key must not remain in use once the configuration is finished.
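The Python script below is an added example, not part of this article or of the product, that automates step 2d: it pulls the IdP signing certificate out of a SAML 2.0 metadata document, wraps it in the header and footer shown above, and converts it to DER so that it can be handed to keytool -import. DER is simply the base64-decoded PEM body, so the bytes are identical to what openssl x509 -outform der produces. The metadata embedded in the script is constructed for the example: the entityID and URLs are placeholders and the "certificates" are placeholder bytes rather than real X.509 data, so nothing it writes should be imported into a real keystore.

```python
"""Added example (not from the article or the product): automate step 2d.

Extract the IdP *signing* certificate from SAML 2.0 metadata, wrap it in the
PEM header/footer, and convert it to DER for `keytool -import`. Standard
library only.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed certificate "bodies" for the example. Real metadata carries a
# DER-encoded X.509 certificate here; these are placeholder bytes so the
# script runs offline. Do not import them into a real keystore.
SIGN_BYTES = b"constructed placeholder for the IdP signing certificate " * 3
ENC_BYTES = b"constructed placeholder for an encryption-only certificate " * 3
SIGN_B64 = base64.b64encode(SIGN_BYTES).decode("ascii")
ENC_B64 = base64.b64encode(ENC_BYTES).decode("ascii")


def _wrap(b64: str, width: int = 76) -> str:
    """Break base64 into indented lines, as metadata exporters usually do."""
    return "\n        ".join(b64[i:i + width] for i in range(0, len(b64), width))


# Constructed IdP metadata (entityID and URLs are placeholders). Like many
# real IdPs it lists the encryption certificate first and the signing
# certificate second; the EM needs the signing one to verify the response.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_wrap(ENC_B64)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_wrap(SIGN_B64)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_signing_cert_b64(metadata_xml: str) -> str:
    """Return the base64 body of the IdP signing certificate.

    A KeyDescriptor with use="signing" wins. One without a `use` attribute is
    valid for both signing and encryption and is accepted as a fallback. A
    use="encryption" certificate is never returned: the EM must verify the
    IdP's signature with the key the IdP actually signs with.
    """
    root = ET.fromstring(metadata_xml)
    fallback = None
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        body = re.sub(r"\s+", "", cert.text)  # drop the exporter's line breaks
        use = kd.get("use")
        if use == "signing":
            return body
        if use is None and fallback is None:
            fallback = body
    if fallback is None:
        raise ValueError("IdP metadata contains no signing certificate")
    return fallback


def to_pem(b64_body: str) -> str:
    """Add the header/footer from the article and fold to 64 columns (RFC 7468)."""
    lines = [b64_body[i:i + 64] for i in range(0, len(b64_body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Equivalent of `openssl x509 -outform der`: strip the armour, base64-decode."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


if __name__ == "__main__":
    pem = to_pem(extract_signing_cert_b64(SAMPLE_METADATA))
    der = pem_to_der(pem)
    with open("idp_public.pem", "w") as f:
        f.write(pem)
    with open("idp_public.der", "wb") as f:
        f.write(der)
    print(pem)
    print(f"wrote idp_public.der ({len(der)} bytes); next step:")
    print("keytool -import -alias your-alias -keystore keystore -file idp_public.der")
```

Run it against a real metadata file by passing the file's contents to extract_signing_cert_b64 instead of SAMPLE_METADATA. The signing/encryption distinction is the part worth keeping: importing the encryption-only certificate from an IdP that publishes both leaves the EM unable to verify the response signature, and the failure only shows up at login time.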

 

Additional Information

 These logging properties can be added to IntroscopeEnterpriseManager.properties for troubleshooting purposes:

log4j.logger.org.apache.xml=DEBUG,console,logfile
log4j.logger.org.opensaml.xml=DEBUG,console,logfile

Remove them once troubleshooting is complete: DEBUG output from the XML security and OpenSAML classes is verbose and can write the content of SAML messages, including user attributes, to the log.

Documentation relating to SAML configuration

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/application-performance-management/10-7/administrating/apm-security/securing-introscope/securing-introscope-using-saml-2-0.html