Setting Up Login via SAML

To set up login via SAML, perform the following steps:

1. Install the BI server and the web application back end.

2. Set up the platform repository:

2.1. To save the encrypted password used to log in to the repository, start the PP.Util.exe utility under the account that the web application pool runs as, with the following parameters: /save_creds "repository name" /dc "user name". The utility is located in the folder where Foresight Analytics Platform is installed. After a successful start, the utility prompts for the repository password. Enter the password. The message "Password for metabase "repository name" and login "user name" saved" is then displayed.

2.2. Save the certificate to the repository:

PP.Util.exe /save_cert "path to certificate" <repository ID> <user name>

The utility then prompts for the password of the specified user. These credentials are used to connect to the repository. The following message appears if authorization succeeds and the certificate is saved:

Certificate from file "certificate path" with identifier "certificate ID" saved to metabase "repository ID"

2.3. Save the private key to the registry:

PP.Util.exe /save_private_key "key file path" <certificate ID> <encryption algorithm: gos|pro; pro if not specified>

The following message is then displayed:

Certificate from file "key path" with identifier "certificate ID" saved

3. In the PP.xml file, in the <metabase> section:

3.1. Set the authentication attribute to SAML2.

3.2. In the samlUrl attribute, set the URL of the SAML 2.0 identity provider.

4. Set up the BI server:

4.1. Replace the idp.xml file located at <path to the folder with installed Foresight Analytics Platform>/etc/shibboleth/ with a file of the same name that contains the required settings. Request this settings file from the SSO server administrator.

4.2. In the shibboleth2.xml file, set the entityId attribute of the <SSO> element to the value of the entityId attribute of the <EntityDescriptor> element in idp.xml. The idp.xml and shibboleth2.xml files are located in the same folder.

4.3. Generate metadata:

In the file <path to the folder with installed Foresight Analytics Platform>/etc/shibboleth/example_sp.xml, set the Location attribute of the <AssertionConsumerService> element to the URL of the web application page on which login via SAML 2.0 is performed.

Below is an example of such a URL:

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://test/fp_App_v9.2/app/PPService.axd?action=saml" index="0" isDefault="true"/>

Where:

test is the name of the workstation that hosts the web application;

fp_App_v9.2 is the name of the virtual directory that stores the web application.

Make sure that the unique identifier used for registration with the SSO server is the same in both files:

shibboleth2.xml (the entityId attribute value of the <ApplicationDefaults> element);

example_sp.xml (the entityId attribute value of the <EntityDescriptor> element).

The identifier must be unique at the SSO server.

4.4. Transfer the Foresight Analytics Platform metadata generated in the example_sp.xml file (see step 4.3) to the administrator of the SSO web server for registration.

4.5. Make changes to the shibboleth2.xml and Protocols.xml files:

In shibboleth2.xml, set the handlerUrl attribute of the <Sessions> element to /fp_App_v9.2/app, where fp_App_v9.2 is the name of the virtual directory where the web application is stored.

In Protocols.xml, set the path attribute of the <Binding> element whose id ends in HTTP-POST, inside the <Service> element with id="SSO", to "/PPService.axd?action=saml". The element to change is the HTTP-POST <Binding> below:

<Service id="SSO">
      <Initiator id="SAML2" />
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" path="/PPService.axd?action=saml"/>
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" path="/SAML2/Artifact" />
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" path="/SAML2/ECP" />
</Service>

To check the result, make sure that:

http://test + handlerUrl attribute of the <Sessions> element + path attribute of the <Binding> element = Location attribute of the <AssertionConsumerService> element (see step 4.3)

That is:

http://test + /fp_App_v9.2/app + /PPService.axd?action=saml = http://test/fp_App_v9.2/app/PPService.axd?action=saml
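The three cross-file constraints from steps 4.2, 4.3 and 4.5 are easy to get wrong by hand, so the script below, which is an added example and not part of the Foresight Analytics Platform distribution, parses trimmed stand-ins for idp.xml, shibboleth2.xml, Protocols.xml and example_sp.xml and reports every mismatch. The sample files are constructed here; attribute names follow the Shibboleth and SAML schemas (entityID, handlerURL), and the page's spelling entityId is accepted as well.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed, trimmed stand-ins for the four files; real ones carry far more content.
IDP_XML = '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example/sso"/>'
SHIBBOLETH2_XML = """<SPConfig>
  <ApplicationDefaults entityID="http://test/fp_App_v9.2">
    <Sessions handlerURL="/fp_App_v9.2/app">
      <SSO entityID="https://idp.example/sso">SAML2</SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""
PROTOCOLS_XML = """<Protocols>
  <Service id="SSO">
    <Initiator id="SAML2"/>
    <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" path="/PPService.axd?action=saml"/>
    <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" path="/SAML2/Artifact"/>
  </Service>
</Protocols>"""
EXAMPLE_SP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://test/fp_App_v9.2">
  <md:SPSSODescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://test/fp_App_v9.2/app/PPService.axd?action=saml" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def entity_id(elem):
    # The SAML schema spells the attribute entityID; accept the page's entityId too.
    return elem.get("entityID") or elem.get("entityId")

def check_sp_config(host, idp_xml, shib_xml, protocols_xml, sp_xml):
    """Return the list of mismatches between the files; an empty list means they agree."""
    idp, shib, proto, sp = (ET.fromstring(x) for x in (idp_xml, shib_xml, protocols_xml, sp_xml))
    problems = []
    # Step 4.2: <SSO> must name the IdP declared in idp.xml.
    if entity_id(shib.find(".//SSO")) != entity_id(idp):
        problems.append("SSO entityID does not match idp.xml EntityDescriptor")
    # Step 4.3: the SP identifier must be identical in shibboleth2.xml and example_sp.xml.
    if entity_id(shib.find(".//ApplicationDefaults")) != entity_id(sp):
        problems.append("ApplicationDefaults entityID differs from example_sp.xml")
    # Step 4.5: host + handlerURL + HTTP-POST path must equal the ACS Location.
    handler = shib.find(".//Sessions").get("handlerURL")
    post = proto.find(f".//Service[@id='SSO']/Binding[@id='{HTTP_POST}']").get("path")
    acs = sp.find(f".//{MD}AssertionConsumerService[@Binding='{HTTP_POST}']").get("Location")
    if host + handler + post != acs:
        problems.append(f"expected ACS {host + handler + post}, metadata has {acs}")
    return problems
```

Point the constants at the real files under etc/shibboleth (read with open().read()) to run the same checks against an actual installation.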

4.6. If required, regenerate the sp-cert.pem certificate and the sp-key.pem private key. In this case the certificate must be inserted into example_sp.xml twice.

5. Open the web application; you are redirected to the identity provider. Enter the user name and password.

See also:

Questions and Answers | Setting Up Login via OAuth