Set up Okta authentication on SDM Tomcat: Example
Article ID: 246265

Products

CA Service Management - Service Desk Manager

Issue/Introduction

This document gives a detailed example of how to integrate SDM Tomcat with Okta SAML authentication.

Environment

Release : 17.3

Component : SDM - Authentication/LDAP/AD/EEM

Resolution

Prerequisite:

Make sure SDM Tomcat SSL works on port 8443.

Get a trial Okta Admin instance:

https://www.okta.com/mobility-free-trial/

Log in to the Okta site and register with your username.

Once registered, you receive the Okta instance details and credentials in the form below.

========

Okta organization name: 
Okta homepage: 

Okta username: 

Temporary password: 
Sign-in here: 

========

On first sign-in you are required to change the password.

Install the Okta Verify application on your registered mobile device.

Once the password is updated, every login requires the Okta Verify code.

1. Log in to the Okta instance and click the Admin button.

2. Click Applications → Applications in the left tree menu, then click the "Browse App Catalog" button.

3. Search for the WS-FED template in the search box.

4. On the General tab, set:

Application label: SDM-WS-FED
Web Application URL: https://FQDN-of-server:8443/CAisd/pdmweb.exe
Realm: https://FQDN-of-server:8443/CAisd/pdmweb.exe
ReplyTo URL: https://FQDN-of-server:8443/CAisd/pdmweb.exe
Audience Restriction: https://FQDN-of-server:8443/CAisd/pdmweb.exe
Signature Algorithm: RSA_SHA256
Digest Algorithm: SHA_256

Then click Save.

5. Click the Identity Provider metadata link to download FederationMetadata.xml.

6. Open FederationMetadata.xml and copy the content between the <X509Certificate> and </X509Certificate> tags into Notepad, enclosing it between the BEGIN/END CERTIFICATE markers as shown below. Reference for creating a certificate from metadata: https://brianchildress.co/convert-x509-certificate-from-metadata/

-----BEGIN CERTIFICATE-----
<base64 certificate content copied from the X509Certificate element>
-----END CERTIFICATE-----

7. Save the above certificate as a .crt file. On any Windows machine, import the certificate using the MMC utility.
8. Once the certificate is imported, open it and copy the thumbprint value.
9. On the Okta page, click the Assignments tab and assign the user “firstname.lastname”.
10. Enable the SSL configuration on the SDM server using the SSL_Configuration utility.
11. On the SDM server, update the federation.properties file. The issuer URL and thumbprint below are from the example Okta instance; use your own instance's issuer URL and the thumbprint copied in step 8:
==========
NX_ROOT\bopcfg\www\CATALINA_BASE\shared\resources\federation.properties:
federation.trustedissuers.issuer=https://trial-2420343.okta.com/app/template_wsfed/exk1dir61baJDz0PY697/sso/wsfed/passive
federation.trustedissuers.thumbprint=e65ae681941b9422e59421dd8148d2c819b8cdb8
federation.trustedissuers.friendlyname=
==========
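Steps 6 to 8 (extract the certificate from the metadata, wrap it as a .crt file, read its thumbprint) and the thumbprint line of step 11 can be done and checked with a script instead of Notepad and MMC. The following Python is an added example, not code from the original article or from Broadcom/Okta. It assumes that the thumbprint MMC displays is the SHA-1 hash of the certificate's DER bytes (which is what Windows shows, and matches the 40-hex-character value in the article's federation.properties); the metadata document, the certificate bytes and the properties text inside it are constructed stand-ins, not real Okta data.

```python
"""Derive the Okta issuer thumbprint for federation.properties from FederationMetadata.xml."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed stand-in for the DER bytes of the signing certificate. This is NOT a real
# certificate; a real FederationMetadata.xml carries the base64 DER of Okta's signing cert.
DUMMY_DER = b"constructed dummy certificate bytes for the example, not a real certificate"

# Constructed metadata skeleton in the shape WS-Fed metadata uses (X509Certificate under a
# namespaced KeyInfo). The whitespace around the base64 body is deliberate: real files wrap it.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://EXAMPLE-OKTA-DOMAIN/EXAMPLE-APP-ID">
  <RoleDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
            {base64.b64encode(DUMMY_DER).decode()}
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>
"""


def extract_certificate_b64(metadata_xml: str) -> str:
    """Return the base64 body of the first non-empty X509Certificate element.

    Matches on the local name, so it works whether the element is written <X509Certificate>,
    <ds:X509Certificate> or sits under a default xmldsig namespace. Line breaks and spaces
    inside the element are dropped, which is what step 6 of the article does by hand.
    """
    root = ET.fromstring(metadata_xml)
    for elem in root.iter():
        local_name = elem.tag.rsplit("}", 1)[-1]  # strip the {namespace} prefix if present
        if local_name == "X509Certificate" and (elem.text or "").strip():
            return "".join(elem.text.split())
    raise ValueError("no X509Certificate element found in metadata")


def to_pem(cert_b64: str) -> str:
    """Wrap the base64 body at 64 columns between BEGIN/END CERTIFICATE markers (the .crt of step 7)."""
    body = "\n".join(cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def sha1_thumbprint(der_bytes: bytes) -> str:
    """SHA-1 over the DER bytes as 40 lowercase hex characters: the thumbprint MMC shows in
    step 8, in the bare form the article's federation.trustedissuers.thumbprint value uses."""
    return hashlib.sha1(der_bytes).hexdigest()


def thumbprint_from_metadata(metadata_xml: str) -> str:
    """Certificate thumbprint derived directly from the metadata document."""
    return sha1_thumbprint(base64.b64decode(extract_certificate_b64(metadata_xml)))


def normalize_thumbprint(value: str) -> str:
    """MMC displays the thumbprint as uppercase, space-separated byte pairs; strip spaces and
    colons and lowercase it so it can be compared with the bare hex in federation.properties."""
    return re.sub(r"[\s:]", "", value).lower()


def read_configured_thumbprint(properties_text: str) -> Optional[str]:
    """Return the raw federation.trustedissuers.thumbprint value from federation.properties text."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "federation.trustedissuers.thumbprint":
            return value.strip()
    return None


def thumbprint_matches(metadata_xml: str, properties_text: str) -> bool:
    """True when the thumbprint configured for SDM equals the one derived from the metadata."""
    configured = read_configured_thumbprint(properties_text)
    return configured is not None and normalize_thumbprint(configured) == thumbprint_from_metadata(metadata_xml)


def mmc_style(thumbprint_hex: str) -> str:
    """Render a hex thumbprint the way MMC shows it (uppercase, space-separated byte pairs)."""
    return " ".join(thumbprint_hex[i:i + 2] for i in range(0, len(thumbprint_hex), 2)).upper()


# Constructed federation.properties in the article's layout. The thumbprint is deliberately
# pasted MMC-style to show that normalize_thumbprint() still recognizes it.
SAMPLE_PROPERTIES = (
    "federation.trustedissuers.issuer=https://YOUR-OKTA-DOMAIN/app/template_wsfed/YOUR-APP-ID/sso/wsfed/passive\n"
    f"federation.trustedissuers.thumbprint={mmc_style(thumbprint_from_metadata(SAMPLE_METADATA))}\n"
    "federation.trustedissuers.friendlyname=\n"
)

if __name__ == "__main__":
    cert_b64 = extract_certificate_b64(SAMPLE_METADATA)
    print(to_pem(cert_b64))  # content of the .crt file from step 7
    print("thumbprint:", thumbprint_from_metadata(SAMPLE_METADATA))
    print("federation.properties matches metadata:", thumbprint_matches(SAMPLE_METADATA, SAMPLE_PROPERTIES))
```

To use it against a real download, replace SAMPLE_METADATA with the contents of FederationMetadata.xml and SAMPLE_PROPERTIES with the contents of federation.properties; a False result from thumbprint_matches() means SDM is configured to trust a different signing certificate than the one Okta currently publishes, which is also what to check first after Okta rotates its signing key.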
12. Update web.xml with the filter and filter-mapping below:
NX_ROOT\bopcfg\www\CATALINA_BASE\webapps\CAisd\WEB-INF\web.xml
<filter>
  <filter-name>FederationFilter</filter-name>
  <filter-class>com.auth10.federation.WSFederationFilter</filter-class>
  <init-param>
    <param-name>login-page-url</param-name>
    <param-value>main.jsp</param-value>
  </init-param>
  <init-param>
    <param-name>exclude-urls-regex</param-name>
    <param-value>/images/|/js/|/css/</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>FederationFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
13. Create a copy of the Administration account and create a user (this step is optional).
14. Update the Administration access type, setting “Allow External Authentication” to YES and “Validation Type” to “No Access”.
15. Create a contact whose userid is the same as the Okta id.
16. Restart the SDM service (or restart Tomcat) and access the SDM URL.