Enable SAML Authentication for CA SDM

Security Assertion Markup Language (SAML) is a standard for logging users into applications based on their sessions in another context. SAML SSO works by transferring the user’s identity from one place (the identity provider) to another (the service provider). This is done through an exchange of digitally signed XML documents.
CA SDM supports NTLMv1 and NTLMv2.
This article explains how to enable SAML authentication for CA Service Desk Manager on the following web servers: Tomcat, IIS, and Apache.
Prerequisites
  1. If you want to use ADFS as the identity provider, you must install ADFS on Windows Server 2012 R2 or later. After completing the installation of ADFS and CA Service Desk Manager, configure ADFS with the following CA SDM related information:
    1. While configuring Add Relying Party Trust on ADFS, specify the following on the "Configure URL" screen:
      • Select the "Enable support for the WS-Federation Passive protocol" check-box.
      • Enter the value in the "Relying party WS-Federation Passive protocol URL:" field as below:
        https://<SDM host name>:<https port>/CAisd/pdmweb.exe
      • Select the "Enable support for the SAML 2.0 WebSSO protocol" check-box.
      • Enter the value in the "Relying party SAML 2.0 SSO service URL:" field as below:
        https://<sdm host>:<https port>/CAisd/pdmweb.exe
    2. While adding claim rules, specify the following in the "Configure Claim Rule" step:
      • Claim rule name: Specify a name for the claim rule. For example, SDM Claim Rule.
      • Attribute store: Select the data source from the drop-down list. For example, Active Directory.
      • LDAP Attribute: Select "SAM-Account-Name" from the drop-down list.
      • Outgoing Claim Type: Select "Name" from the drop-down list.
  2. If you want to use CA Single Sign-On (formerly known as CA Siteminder) as your Identity Provider, do the following:
    1. Launch CA Single Sign-On as Administrator.
    2. Go to Federation, Partnership Federation, and click Partnerships.
      The Federation Partnership List appears.
    3. Click the Federation Partnership name that you want to use.
      The Partnership properties page opens.
    4. Expand the IP Restrictions section and verify the Assertion Attributes properties.
    5. The value of the Namespace field must be the URI for the respective claim. If the value is "Unspecified", SAML authentication does not work.
  3. Verify that the certificate you want to use to configure the Identity Provider is SHA 256 signed.
  4. Ensure that SSL is enabled for CA SDM. For more information, see Enable SSL Authentication for CA SM 17.3.
Enable SAML Authentication for CA SDM on Tomcat
Follow these steps:
  1. Configure the web.xml file.
    1. Navigate to the following folder and edit the web.xml file:
      NX_ROOT\bopcfg\www\CATALINA_BASE\webapps\CAisd\WEB-INF\web.xml
    2. Copy and paste the following configuration under the <!-- Add filter here --> statement:
      <filter>
        <filter-name>FederationFilter</filter-name>
        <filter-class>com.auth10.federation.WSFederationFilter</filter-class>
        <init-param>
          <param-name>login-page-url</param-name>
          <param-value>main.jsp</param-value>
        </init-param>
        <init-param>
          <param-name>exclude-urls-regex</param-name>
          <param-value>/images/|/js/|/css/</param-value>
        </init-param>
      </filter>
    3. Copy and paste the following configuration under the <!-- Add filter-mapping here --> statement:
      <filter-mapping>
        <filter-name>FederationFilter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
    4. Save and close the file.
  2. Configure the federation.properties file.
    1. Navigate to the following folder and edit the file:
      NX_ROOT\bopcfg\www\CATALINA_BASE\shared\resources\federation.properties
    2. Define the following details related to the Identity Provider and CA Service Desk Manager:
      1. federation.trustedissuers.issuer
        Define the Identity Provider URL.
        Example:
        Siteminder: http://<siteminderURL>/affwebservices/public/wsfeddispatcher
        ADFS: https://<trusted_issuer_URL>/<identity_provider>/ls/idpinitiatedsignon.aspx
      2. federation.trustedissuers.thumbprint
        Define the value of the certificate thumbprint provided by the Identity Provider. You must specify the thumbprint from the "token-signing" section of the certificate.
        Example:
        0214c3035d002505b9e5e672a117d9bf5c5d4d02
        The certificate you want to use to configure the Identity Provider must be SHA-256 signed.
        The thumbprint you use from the SHA-256 certificate must be the SHA-1 thumbprint.
      3. federation.trustedissuers.friendlyname
        Define a common name for the Identity Provider.
        Example:
        ADFS: TestIP - <trusted_issuer_URL>
        Siteminder: TestIP
      4. federation.audienceuris
        Define the URI of the application from where to accept the tokens.
        Example:
        https://<SDM_HOST>:<SDM_TOM_SSL_PORT>/CAisd/pdmweb.exe|https://<SDM_HOST>:<SDM_TOM_SSL_PORT>/CAisd/pdmweb.exe
      5. federation.realm
        Define the location from where the tokens are sent.
        Example:
        https://<SDM_HOST>:<SDM_TOM_SSL_PORT>/CAisd/pdmweb.exe
      6. federation.enableManualRedirect
        Define whether to enable manual redirection of the token. Set the value to true to enable the manual redirect, or to false to disable it.
        Default: false
      7. federation.reply
        Define the URL of the location that receives responses.
        Example:
        https://<SDM_HOST>:<SDM_TOM_SSL_PORT>/CAisd/pdmweb.exe
    3. Save and close the file.
  3. Restart the CA Service Desk Manager services.
  4. Launch CA SDM and enable external user authentication from the UI for the user role that you want to allow SAML based SSO access.
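An added configuration check, not part of CA's documentation: the script below parses a federation.properties file of the shape described above and flags the two mistakes this step is prone to, a 64-hex SHA-256 fingerprint pasted where the 40-hex SHA-1 thumbprint of the token-signing certificate belongs, and a realm or reply URL that is not https or is missing from federation.audienceuris. The host names and the thumbprint in the sample are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample federation.properties for an ADFS identity provider. It
# contains one deliberate mistake: a 64-hex SHA-256 fingerprint was pasted where
# the 40-hex SHA-1 thumbprint of the token-signing certificate belongs.
SAMPLE_PROPERTIES = """
federation.trustedissuers.issuer=https://adfs.example.test/adfs/ls/idpinitiatedsignon.aspx
federation.trustedissuers.thumbprint=0214c3035d002505b9e5e672a117d9bf5c5d4d020214c3035d002505b9e5e672
federation.trustedissuers.friendlyname=TestIP - https://adfs.example.test
federation.audienceuris=https://sdm.example.test:8443/CAisd/pdmweb.exe|https://sdm.example.test:8443/CAisd/pdmweb.exe
federation.realm=https://sdm.example.test:8443/CAisd/pdmweb.exe
federation.enableManualRedirect=false
federation.reply=https://sdm.example.test:8443/CAisd/pdmweb.exe
"""

def load_properties(text):
    """Parse key=value lines (Java .properties style); '#' and '!' start comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_federation_properties(props):
    """Return a list of findings; an empty list means the settings look consistent."""
    findings = []
    thumb = props.get("federation.trustedissuers.thumbprint", "")
    if not re.fullmatch(r"[0-9a-fA-F]{40}", thumb):
        findings.append("thumbprint: expected the 40-hex SHA-1 thumbprint of the "
                        "token-signing certificate (64 hex digits is a SHA-256 fingerprint)")
    issuer = urlsplit(props.get("federation.trustedissuers.issuer", ""))
    if not (issuer.scheme and issuer.netloc):
        findings.append("issuer: must be an absolute URL")
    audiences = [a for a in props.get("federation.audienceuris", "").split("|") if a]
    for key in ("federation.realm", "federation.reply"):
        url = props.get(key, "")
        if urlsplit(url).scheme != "https":
            findings.append(f"{key}: must be an https URL, SSL is a prerequisite for SAML on CA SDM")
        if url not in audiences:
            findings.append(f"{key}: not listed in federation.audienceuris")
    if props.get("federation.enableManualRedirect", "false").lower() not in ("true", "false"):
        findings.append("enableManualRedirect: must be true or false")
    return findings
```

Run it against the real file with load_properties(open(path).read()) after editing; an empty findings list before restarting the services saves a round trip through the Tomcat logs.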
Enable SAML Authentication for CA SDM on IIS
Follow these steps:
  1. Ensure that the Microsoft .NET Framework 4 is installed on the server where CA SDM is installed. For more information, see Enable SSL Authentication for CA SM 17.3 and Microsoft Documentation on How to Setup SSL on IIS.
  2. Open the web.config file in an editor. The file is typically available under the path NX_ROOT\bopcfg\www\wwwroot\.
  3. Locate the following statement in the file:
    <!-- To Enable SAML, Comment above code and Uncomment below code. -->
  4. Comment out all the code that appears above the statement, that is, add the tag <!-- at the beginning and the tag --> at the end of that code.
  5. Uncomment all the code that appears below the statement, that is, remove the tag <!-- at the beginning and the tag --> at the end of that code.
  6. Find the following lines and replace the text "Define the URI of the application from where to accept the tokens" with http://<SDM host name>:<SSL Port>/CAisd/pdmweb.exe:
    <audienceUris>
      <add value="Define the URI of the application from where to accept the tokens" />
    </audienceUris>
    Example:
    <audienceUris>
      <add value="http://CAServiceDesk:443/CAisd/pdmweb.exe" />
    </audienceUris>
  7. Find the following lines and modify the values of the "thumbprint" and "name" attributes. You must specify the thumbprint from the "token-signing" section of the certificate.
    <trustedIssuers>
      <add thumbprint="Define the value of the certificate thumbprint provided by the Identity Provider" name="Define a common name for the Identity Provider" />
    </trustedIssuers>
    Example:
    <trustedIssuers>
      <add thumbprint="bb89519f06dc7b1ab43871e1a3310eca893b94cb" name="sdmcomputer01.casm.local" />
    </trustedIssuers>
  8. Find the following lines and modify the values of the "issuer", "realm", "reply", and "requireHttps" attributes:
    <federationConfiguration>
      <cookieHandler requireSsl="false" />
      <wsFederation passiveRedirectEnabled="true" issuer="Define the Identity Provider URL" realm="Define the location from where the tokens are sent" reply="Define the URL of the location that receives responses" requireHttps="true|false" />
    </federationConfiguration>
    1. issuer
      Define the Identity Provider URL.
      Example:
      ADFS: https://hostname.casm.local/adfs/ls/idpinitiatedsignon.aspx
      Siteminder: http://hostname:88/affwebservices/public/wsfeddispatcher
    2. realm
      Replace the text realm="Define the location from where the tokens are sent" with realm="https://<SDM host name>:<SSL Port>/CAisd/pdmweb.exe".
      Example:
      realm="https://CAServiceDesk:443/CAisd/pdmweb.exe"
    3. reply
      Replace the text reply="Define the URL of the location that receives responses" with reply="https://<SDM host name>:<SSL Port>/CAisd/pdmweb.exe".
      Example:
      reply="https://CAServiceDesk:443/CAisd/pdmweb.exe"
    4. requireHttps
      Define whether HTTPS is required.
      true: Specify the value as true if the Identity Provider URL is https based.
      false: Specify the value as false if the Identity Provider URL is http based.
  9. Save and close the file.
  10. Restart the CA Service Desk Manager services.
  11. Launch CA SDM and enable external user authentication from the UI for the user role that you want to allow SAML based SSO access.
Enable SAML Authentication for CA SDM on Apache
Follow these steps:
  1. Ensure that HTTPS is enabled for CA Service Management. For more information, see Enable SSL Authentication for CA SM 17.3.
  2. Download and install Shibboleth Service Provider on the Apache server where CA Service Management is installed. You must download the Shibboleth Service Provider specific to the operating system you are using. We recommend using Shibboleth Service Provider version 2.6. Shibboleth Service Provider does not support installation on Solaris. For more information about Shibboleth installation and software download, see Shibboleth Documentation.
  3. Start the Shibboleth service.
  4. Launch the Identity Provider's Metadata URL in a browser, generate the FederationMetadata.xml file, copy it to the path \etc\shibboleth\, and rename the file to partner-metadata.xml. For example, if you are using ADFS as the identity provider, the Metadata URL is https://<ADFS server>/federationmetadata/2007-06/federationmetadata.xml
  5. Modify the shibboleth2.xml file as follows. The file is typically available under the path: \etc\shibboleth\.
    1. Find the following lines in the file and modify the values of the parameters "entityID" and "REMOTE_USER":
      <ApplicationDefaults entityID="https://<SDM host name>:<SSL Port>" REMOTE_USER="<IdP claim user detail property>" cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2">
      Example:
      <ApplicationDefaults entityID="https://CAServiceDesk:443" REMOTE_USER="smuser" cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2">
    2. Find the following lines in the file and modify the value of the parameter "entityID":
      <SSO entityID="<URL of the Identity Provider>"
           discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
        SAML2 SAML1
      </SSO>
      Example:
      <SSO entityID="http://adfscomputer/adfs/services/trust"
           discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
        SAML2 SAML1
      </SSO>
    3. Open the shibboleth.xml file and replace the entity ID value with the entity ID value available in the partner-metadata.xml file.
    4. Find the following lines and comment them out, that is, add the tag <!-- at the beginning and the tag --> at the end of the code, if they are not already commented:
      <!-- Example of remotely supplied batch of signed metadata. -->
      <!--
      <MetadataProvider type="XML" validate="true"
            uri="http://example.org/federation-metadata.xml"
            backingFilePath="federation-metadata.xml" reloadInterval="7200">
          <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
          <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
          <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
            attributeName="http://macedir.org/entity-category"
            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            attributeValue="http://refeds.org/category/hide-from-discovery" />
      </MetadataProvider>
      -->
    5. Add the following lines below the code commented out in the previous step:
      <!-- Example of locally maintained metadata. -->
      <MetadataProvider type="XML" validate="false" file="partner-metadata.xml"/>
  6. Open the file attribute-map.xml from the path ../etc/shibboleth/ and add the following line at the beginning of the file:
    <Attribute name="<IdP claim to send to the relying party>" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" id="<IdP claim to send to the relying party>"/>
    Example:
    <Attribute name="smuser" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" id="smuser"/>
    Note: When you are creating the "Relying Party Trust" using ADFS for Shibboleth, the metadata you need to upload to ADFS can be obtained by launching the Service Provider's Metadata URL. For example, https://<Shibboleth Server Name>/Shibboleth.sso/Metadata.
  7. Open the file httpd.conf, typically available under the path etc/httpd/conf/, and add the following lines at the end of the file:
    # Shibboleth configuration
    LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_22.so
    <Location /Shibboleth.sso>
      SetHandler shib
    </Location>
    <Location />
      AuthType shibboleth
      ShibRequestSetting requireSession 1
      Require valid-user
      ShibUseHeaders Off
    </Location>
  8. Restart Shibboleth service.
  9. Restart Apache server.
  10. Launch CA SDM and enable external user authentication from the UI for the user role that you want to allow SAML based SSO access.
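An added example, not CA's or Shibboleth's own code: the Tomcat, IIS, and Apache procedures above all take values from the Identity Provider's federation metadata, the SHA-1 thumbprint of the token-signing certificate for federation.properties or web.config trustedIssuers, and the entityID for shibboleth2.xml. The Python below extracts them from a constructed, minimal SAML 2.0 IdP metadata document; the certificate payloads are the base64 of the bytes "xyz" and "abc", not real certificates, so the resulting thumbprint is the well-known SHA-1 of "abc".

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed, minimal stand-in for an IdP's FederationMetadata.xml. The
# X509Certificate payloads are base64 of the bytes "xyz" and "abc", NOT real
# certificates, so the expected SHA-1 thumbprint of the signing key is known.
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfscomputer/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>eHl6</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfscomputer/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def parse_idp_metadata(xml_text):
    """Return the entityID, the SHA-1 thumbprints of the token-signing
    certificate(s) and the HTTP-Redirect SSO URL from SAML 2.0 IdP metadata."""
    root = ET.fromstring(xml_text.strip())
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    thumbprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # No 'use' attribute means the key serves both signing and encryption;
        # encryption-only keys are never what trustedIssuers should pin.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            # Thumbprint = SHA-1 over the DER bytes, even for a SHA-256 signed cert.
            thumbprints.append(hashlib.sha1(der).hexdigest())
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_REDIRECT:
            sso_url = svc.get("Location")
    return {"entity_id": root.get("entityID"),
            "signing_thumbprints": thumbprints, "sso_redirect_url": sso_url}
```

Fetch the real metadata only over the https URL given in step 4 above, and if the IdP publishes more than one signing certificate (for example during a key rollover), compare every returned thumbprint with the one shown under the "token-signing" section in the IdP console before pinning it.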