I am trying to set up Single Sign-On (SSO) on our Operator Console servers, following the guide here:
Generate Operator Console Metadata for SAML (UIM documentation)
We have 2 Operator Console servers. When I configured the first server, I was able to create the metadata, but I used the server's IP address instead of the virtual IP that we are using, so the metadata was not accurate.
I repeated the configuration on the second server, but I am unable to generate metadata, using either the 2nd server IP or the virtual IP (I get Page Not Found for both attempts).
I have not configured Single Sign-On before, so I'm not sure where to start troubleshooting.
Configure Operator Console to Use SAML Single-Sign-On (UIM documentation)
On the OC robot:
The -alias is just a label (can be any value).
3. Respond to the prompts.
Any first and last name is fine but just remember/document all of the values you enter.
4. Enter Y when you are prompted if the information is correct.
5. Press enter at the last prompt.
You'll see a Warning message, but the keystore.jks is created, e.g., in <install dir>\jre\jre8u332b09\bin.
6. Save the password you used.
7. cd to probes\service\wasp\webapps\samlsso\WEB-INF\classes\security
8. copy the keystore.jks you created to this directory.
Note that OC should be running on https.
9. Open the file StepsGenerateEncryptedText.txt.
10. Follow the steps to encrypt the password text, or use the following Encryption Utility:
11. Navigate to https://<OC_robot_FQDN>/operatorconsole_portlet/encryptText.jsp
12. Enter the alias you created earlier, e.g., UIM_204
13. Click the Encrypt button.
14. Then do the same to encrypt the password.
15. Save both values in a simple notepad file.
16. Navigate to probes\service\wasp\webapps\samlsso\WEB-INF\classes
17. Open Notepad (Run as Administrator) and
18. edit the properties file samlssoConfig.properties
19. Paste the alias (Encrypted Text value) into:
saml.sp.keystore.aliasName=
20. Paste the same password (Encrypted Text value) into the following parameters:
saml.sp.keystore.aliasPassword=
saml.sp.keystore.password=
21. Change the following parameter in the file from false to true:
saml.configuration.enabled=true
22. Save the samlssoConfig.properties file with the file type set to All Files, NOT as a text (.txt) file.
23. Restart the OC wasp probe.
24. Login to OC.
Note that for a multi-instance OC setup, the keystore and SAML SSO configuration files must be the same on every instance.
25. Each wasp needs to be restarted after making the changes.
Generate the metadata by opening a browser and going to http://<OC_Server>/samlsso/saml/metadata.
The SAML metadata for OC is displayed.
You can access the metadata page using the OC server FQDN, the Operator Console (OC) server IP address, or via a proxy URL if you are using a proxy server. The SAML metadata address you use must match the format you will use in production, because the metadata is generated based on the address you use to access the SAML metadata page. If the OC server IP address was used, it may be manually replaced in the generated metadata with the FQDN, provided the FQDN is resolvable and reachable.
Please download and review the engineering document below for more detail.
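The answer above stresses that the generated SP metadata only works if every URL in it uses the address the IdP will actually see in production (the virtual IP's FQDN in the poster's case), and that an IP-based metadata file may be hand-edited to the FQDN. The following Python script is an added example, not code from the UIM documentation or from the answer: it parses a SAML 2.0 SP metadata document, reports every endpoint whose host or scheme does not match the expected production host, and rewrites IP-based endpoints to the FQDN the way the answer describes. The sample metadata is constructed for the example (the host 10.0.0.24, the FQDN oc.example.internal, and the SingleLogout/SSO endpoint paths are assumptions; the page only documents the /samlsso/saml/metadata path). It refuses to rewrite metadata that carries an XML signature, since editing signed metadata invalidates the signature and the file must instead be regenerated at the correct address.

```python
"""Check and fix the host used in SAML SP metadata (added example, not UIM code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)  # keep the md: prefix when re-serialising

# Constructed sample: metadata generated by browsing to the server IP instead of
# the virtual IP's FQDN. Hosts and endpoint paths are assumptions for this example.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://10.0.0.24/samlsso/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://10.0.0.24/samlsso/saml/SingleLogout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://10.0.0.24/samlsso/saml/SSO" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def endpoint_urls(xml_text):
    """Return (label, url) for the entityID and every Location/ResponseLocation."""
    root = ET.fromstring(xml_text)
    urls = [("entityID", root.get("entityID", ""))]
    for elem in root.iter():
        for attr in ("Location", "ResponseLocation"):
            url = elem.get(attr)
            if url:
                urls.append((elem.tag.split("}")[-1] + "." + attr, url))
    return urls


def check_metadata(xml_text, expected_host, require_https=True):
    """List every endpoint whose host (or scheme) does not match production."""
    problems = []
    for label, url in endpoint_urls(xml_text):
        parts = urlsplit(url)
        if require_https and parts.scheme != "https":
            problems.append(f"{label}: scheme {parts.scheme!r} is not https ({url})")
        if parts.hostname != expected_host.lower():
            problems.append(f"{label}: host {parts.hostname!r} != {expected_host!r} ({url})")
    return problems


def rewrite_host(xml_text, old_host, new_host):
    """Replace old_host with new_host in all endpoint URLs; refuse signed metadata."""
    root = ET.fromstring(xml_text)
    if root.find(f".//{{{DS_NS}}}Signature") is not None:
        raise ValueError("metadata is signed; editing it breaks the signature, regenerate it")

    def swap(url):
        parts = urlsplit(url)
        if parts.hostname != old_host.lower():
            return url  # leave URLs for other hosts untouched
        netloc = new_host + (f":{parts.port}" if parts.port else "")
        return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

    if root.get("entityID"):
        root.set("entityID", swap(root.get("entityID")))
    for elem in root.iter():
        for attr in ("Location", "ResponseLocation"):
            if elem.get(attr):
                elem.set(attr, swap(elem.get(attr)))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    production_host = "oc.example.internal"  # assumed FQDN of the virtual IP
    for problem in check_metadata(SAMPLE_METADATA, production_host):
        print("MISMATCH:", problem)
    fixed = rewrite_host(SAMPLE_METADATA, "10.0.0.24", production_host)
    print("after rewrite:", check_metadata(fixed, production_host) or "all endpoints OK")
```

Run the checker against the metadata you are about to hand to the IdP; an empty result means every endpoint already uses the production host. The rewrite is only a stopgap for unsigned metadata; the cleaner fix, as the answer says, is to browse to the metadata page via the exact address production will use so that no editing is needed.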