Configure DX Platform as a SAML 2.0 Service Provider

You can configure DX Platform to authenticate user accounts that are stored in a third-party Identity Provider (IdP).
Collect the Required Information
Collect the following information, which is required during authentication. Record each value as you collect it.
  • Service Provider (SP) Entity ID
    Uniquely identifies a tenant to the IdP. Provide this value to the IdP:
    DXI_<TenantIDInUppercase>
    Your value: ___________________________________________
  • Assertion Consumer Service (ACS) URL
    Processes the assertion response from the IdP. Provide this value to the IdP:
    https://cloud.ca.com/ess/authn/<TenantIDInUppercase>
    Your value: ___________________________________________
  • IdP-Initiated Authentication URL
    Redirects users who log into the IdP to DX Platform.
    Provide this value in the UpsertSamlConfig.sh script that redirects login requests.
    Your value: ___________________________________________
  • IdP Entity ID
    Uniquely identifies the IdP that a tenant environment should use to authenticate users. Collect this information from the IdP administrator.
    Your value: ___________________________________________
  • SAML Protocol URL
    Specifies the IdP URL where authentication requests are sent when an IdP user logs into DX Platform.
    Collect this information from the IdP administrator.
    Your value: ___________________________________________
  • Signature Verification Certificate
    The certificate used to authenticate requests between the IdP and DX Platform.
    Collect this information from the IdP administrator.
    Your value: ___________________________________________
  • Global Admin User Name
    The tenant Global Administrator user name.
    Your value: ___________________________________________
  • Global Admin Password
    The password for the Global Administrator user account.
    Your value: ___________________________________________
  • Cohort ID
    Required to configure the federated partnership. See Find the Cohort ID.
    Your value: ___________________________________________
  • Group membership or Role SAML Response Attribute (Required)
    The attribute that the IdP uses to store group or role information.
    You map group or role membership attributes in the IdP to role attributes in Application Performance Management.
    Your value: ___________________________________________
  • Email SAML Response Attribute (optional)
    The attribute that the IdP uses to store email addresses.
    You map the email attribute in the IdP to the corresponding attribute in Application Performance Management.
    Note: Some functionality may not work if email is not provided.
    Your value: ___________________________________________
  • Firstname SAML Response Attribute (optional)
    The attribute that the IdP uses to store user first names.
    You map the first name attribute in the IdP to the corresponding attribute in Application Performance Management.
    Your value: ___________________________________________
  • Lastname SAML Response Attribute (optional)
    The attribute that the IdP uses to store user last names.
    You map the last name attribute in the IdP to the corresponding attribute in Application Performance Management.
    Your value: ___________________________________________
Find the Cohort ID
To configure a federated partnership, you specify a cohort ID. To find the cohort ID, follow these steps:
  1. Open the Chrome browser.
  2. Turn on Developer Tools as follows:
    1. On the Chrome tab, click the settings menu in the header (three vertical dots in the upper right corner of the screen).
    2. Select More Tools..., Developer Tools.
      The Developer Tools open on the right side of the Chrome tab.
    3. Select Network. Then, click the tenant name.
    4. Select the Response tab.
    5. Copy the Cohort ID.
      [Image: DeveloperTools.PNG]
  3. Save the Cohort ID for use when you configure authentication in DX Platform.
Configure a SAML Trust Relationship on the IdP
Provide the following information to the IdP administrator:
  • Service Provider (SP) Entity ID
    Format: DXI_<TenantIDInUppercase>
  • Assertion Consumer Service (ACS) URL
    Format: https://cloud.ca.com/ess/authn/<TenantIDInUppercase>
The IdP administrator uses this information to configure the federated partnership on the IdP. The instructions for configuring a partnership differ based on the type of IdP. See the IdP documentation for more information.
Configure Authentication in DX Platform
In this release, you create the following scripts to configure the federated partnership and authentication in DX Platform:
  • UpsertSamlConfig.sh: Configures the product to redirect login requests to the Identity Provider URL.
  • rawurlencode.sh: Provides the rawurlencode function that UpsertSamlConfig.sh sources.
Configuring authentication in DX Platform involves the following high-level steps:
  1. Create and run the UpsertSamlConfig.sh script.
  2. Create and run the rawurlencode.sh script.
  3. Map attributes and roles.
  4. Configure cache settings.
Create and Run the UpsertSamlConfig.sh Script
Create a script that resembles the following example. Then, run the script. The script sources rawurlencode.sh from the current directory, so that file must exist before you run this one.
#!/bin/bash
# UpsertSamlConfig.sh: log in as the Global Admin, then store the SAML
# configuration for a cohort. Run it with "bash -x" to trace, but note that
# tracing echoes the password and the tokens.
SERVER=$1        # serverhost:port
AUTHTENANT=$2    # tenant of the Global Admin user
AUTHUSER=$3      # Global Admin user name
AUTHPASS=$4      # Global Admin password
CERTFILE=$5      # IdP signature verification certificate to upload
COHORT1=$6       # cohort ID (defaults to SAMLCOHORT)
if [ -z "$CERTFILE" ]; then
  echo " missing arguments"
  echo " usage: UpsertSamlConfig.sh <serverhost:port> <ga_user_tenant> <ga_user_id> <ga_user_pwd> <certToUpload> <cohort>"
  exit 1
fi
if [ ! -f "$CERTFILE" ]; then
  echo "cert file $CERTFILE does not exist"
  exit 1
fi
if [ -z "$COHORT1" ]; then
  COHORT1=SAMLCOHORT
fi
# rawurlencode.sh must be in the current directory; it defines rawurlencode().
. ./rawurlencode.sh
URL_COHORT=$( rawurlencode "${COHORT1}" )
# perform login: the tenant name is sent base64-encoded as the Basic credential.
# printf (not echo) keeps a trailing newline out of the encoded value.
TENANT_B64=$(printf '%s' "$AUTHTENANT" | openssl enc -base64 -A)
# --data-urlencode keeps special characters in the user name or password from
# breaking the form body. -k skips TLS certificate verification; remove it once
# the server presents a trusted certificate.
TOKEN=$(curl -k -s -X POST -H "Authorization: Basic $TENANT_B64" \
  --data-urlencode "grant_type=PASSWORD" \
  --data-urlencode "username=$AUTHUSER" \
  --data-urlencode "password=$AUTHPASS" \
  "$SERVER/ess/security/v1/token" | jq -r '.tkn // empty')
if [ -z "$TOKEN" ]; then
  echo login failed
  exit 1
fi
# Bearer token for the configuration call: base64 of {"tkn":"<token>","all":"true"}
ENC_AUTHZ=$(printf '{"tkn":"%s","all":"true"}' "$TOKEN" | openssl enc -base64 -A)
# Certificate as a single-line base64 blob (GNU base64 wraps long output,
# and an embedded newline would make the JSON below invalid).
IMGB64=$(base64 < "$CERTFILE" | tr -d '\n')
echo " Updating ${COHORT1} auth config to use SAML based authentication."
# Alternative JTXT values kept from the original script for reference:
# Auth0 (dxing tenant) with single logout URLs
#JTXT='{ "cohort" : "'${COHORT1}'","moduleName" : "SAML_AUTH","url" : "https://dxing.auth0.com/samlp/B-EBZbAxiwsMl2aF8oVtWnRPX9gAOakn","params" : "{\"issuer\":\"urn:dxing.auth0.com\",\"entityId\":\"dxing.ca.com\",\"skewTime\":500,\"autoCreateUser\":true,\"attrMap\":{\"e\":\"email\",\"f\":\"givenName\",\"l\":\"surname\",\"r\":\"roles\"},\"cookieDomains\":[\".ca.com\"],\"sloUrl\":\"http://patab02-i123564.ca.com:8080/affwebservices/public/saml2slo\",\"sloResponseUrl\":\"http://patab02-i123564.ca.com:8080/affwebservices/public/saml2slo\"}","paramBlob" : "'$IMGB64'"}';
# CA GIS NON PROD
#JTXT='{"cohort":"'${COHORT1}'","moduleName":"SAML_AUTH","url":"https://samlgwsm-qa.ca.com/affwebservices/public/saml2sso?SPID=urn:cagis.np.dxi.com","params":"{\"issuer\":\"samlgwsm-qa.ca.com\",\"entityId\":\"urn:cagis.np.dxi.com\",\"skewTime\":500,\"autoCreateUser\":true,\"attrMap\":{\"e\":\"email\",\"f\":\"FirstName\",\"l\":\"LastName\",\"r\":\"groups\"}}","paramBlob":"'$IMGB64'"}';
#BASIC_AUTH
#JTXT='{"cohort":"'${COHORT1}'","moduleName":"BASIC_AUTH"}';
# CAGIS
# JTXT='{"cohort":"'${COHORT1}'","moduleName":"SAML_AUTH","url":"https://samlgwsm.ca.com/affwebservices/public/saml2sso?SPID=DXI_CAGIS","params":"{\"issuer\":\"samlgwsm.ca.com\",\"entityId\":\"DXI_CAGIS\",\"skewTime\":500,\"autoCreateUser\":true,\"attrMap\":{\"e\":\"email\",\"f\":\"FirstName\",\"l\":\"LastName\",\"r\":\"groups\"}}","paramBlob":"'$IMGB64'"}';
# CAGIS-rndtools
#JTXT='{"cohort":"'${COHORT1}'","moduleName":"SAML_AUTH","url":"https://samlgwsm.ca.com/affwebservices/public/saml2sso?SPID=DXI_CAGIS-RNDTOOLS","params":"{\"issuer\":\"samlgwsm.ca.com\",\"entityId\":\"DXI_CAGIS-RNDTOOLS\",\"skewTime\":500,\"autoCreateUser\":true,\"attrMap\":{\"e\":\"email\",\"f\":\"FirstName\",\"l\":\"LastName\",\"r\":\"groups\"}}","paramBlob":"'$IMGB64'"}';
# Auth0
#JTXT='{ "cohort" : "'${COHORT1}'","moduleName" : "SAML_AUTH","url" : "https://demo-0307.auth0.com/samlp/PCBOpqb0ij4XNHBNghFl6JqiL6Tt1z3O","params" : "{\"issuer\":\"urn:demo-0307.auth0.com\",\"entityId\":\"DXI\",\"skewTime\":500,\"autoCreateUser\":true,\"attrMap\":{\"e\":\"email\",\"f\":\"givenName\",\"l\":\"surname\",\"r\":\"roles\"},\"cookieDomains\":[\".ca.com\"],\"sloUrl\":\"http://patab02-i123564.ca.com:8080/affwebservices/public/saml2slo\",\"sloResponseUrl\":\"http://patab02-i123564.ca.com:8080/affwebservices/public/saml2slo\"}","paramBlob" : "'$IMGB64'"}';
# Active configuration: "params" is a JSON document embedded as a JSON string,
# so every quote inside it is escaped with a backslash.
JTXT='{"cohort":"'${COHORT1}'","moduleName":"SAML_AUTH","url":"https://demo-0307.auth0.com/samlp/zWci75apH6n4S4zLNj1OH52ce79gaIvQ","params":"{\"issuer\":\"urn:demo-0307.auth0.com\",\"entityId\":\"DXI_NEWYORK\",\"skewTime\":500,\"autoCreateUser\":true,\"attrMap\":{\"e\":\"email\",\"f\":\"givenName\",\"l\":\"surname\",\"r\":\"role\"},\"cookieDomains\":[\".ca.com\"]}","paramBlob":"'$IMGB64'"}';
# Store the configuration for the cohort (cohort ID is URL-encoded in the path).
curl -k -s -w "HTTPStatus=%{http_code}\n" --header "Authorization: Bearer $ENC_AUTHZ" --header "Content-Type: application/json" -H "Accept: application/json" -X PUT -i --data "${JTXT}" "$SERVER/ess/basicauth/v1/pafconfig/${URL_COHORT}"
In the script, specify the following parameters:
  • cohort_id
  • SAML_Protocol_URL
  • Issuer
  • DXI_TENANT_ID
  • Attributes
See the table in Collect the Required Information for parameter descriptions and values.
Use the following code in the script to configure these parameters:
JTXT='{"cohort":"'<cohort_id>'","moduleName":"SAML_AUTH","url":"<SAML_Protocol_URL>","params":"{\"issuer\":\"<Issuer>\",\"entityId\":\"<DXI_TENANT_ID>\",\"skewTime\":500,\"autoCreateUser\":true,\"attrMap\":{\"e\":\"email\",\"f\":\"givenName\",\"l\":\"surname\",\"r\":\"role\"},\"cookieDomains\":[\".ca.com\"]}","paramBlob":"'$IMGB64'"}';
The params value is a JSON document embedded as a JSON string, so every quote inside it must be escaped with a backslash, as shown. The attrMap values (email, givenName, surname, role) are the SAML response attribute names at the IdP; replace them with the attribute names that you collected.
The following example shows a completed entry:
JTXT='{"cohort":"'${COHORT1}'","moduleName":"SAML_AUTH","url":"https://demo-0307.auth0.com/samlp/zWci75apH6n4S4zLNj1OH52ce79gaIvQ","params":"{\"issuer\":\"urn:demo-0307.auth0.com\",\"entityId\":\"DXI_NEWYORK\",\"skewTime\":500,\"autoCreateUser\":true,\"attrMap\":{\"e\":\"email\",\"f\":\"givenName\",\"l\":\"surname\",\"r\":\"role\"},\"cookieDomains\":[\".ca.com\"]}","paramBlob":"'$IMGB64'"}';
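The JTXT value above embeds one JSON document (params) inside another, and every inner quote has to be escaped by hand, which is easy to get wrong when the issuer or URL changes. The following shell functions are an added example, not part of UpsertSamlConfig.sh or of the DX Platform product: they build the same payload from plain parameters, escape each value exactly once, and check that the entityId follows the DXI_<TenantIDInUppercase> format from the table. The function names are assumptions, and the cohort, URL and certificate blob in the usage comment are constructed values.

```shell
#!/bin/sh
# Added example, not part of UpsertSamlConfig.sh: build the JTXT payload from
# plain parameters. "params" is a JSON document stored inside a JSON string,
# so its quotes must be escaped exactly once; json_escape does that per value.

# Escape one value for use inside a JSON string literal (backslash first, then quote).
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# SP Entity ID must be DXI_<TenantIDInUppercase>; returns non-zero otherwise.
check_sp_entity_id() {
  case "$1" in
    DXI_?*) [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ] ;;
    *) return 1 ;;
  esac
}

# Inner "params" document.
# $1 issuer  $2 entityId  $3 skewTime  $4 email attr  $5 first-name attr
# $6 last-name attr  $7 role/group attr (the only required attribute)
build_saml_params() {
  check_sp_entity_id "$2" || { echo "bad entityId: $2" >&2; return 1; }
  [ -n "$7" ] || { echo "role attribute is required" >&2; return 1; }
  printf '{"issuer":"%s","entityId":"%s","skewTime":%d,"autoCreateUser":true,"attrMap":{"e":"%s","f":"%s","l":"%s","r":"%s"},"cookieDomains":[".ca.com"]}' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$3" \
    "$(json_escape "$4")" "$(json_escape "$5")" "$(json_escape "$6")" "$(json_escape "$7")"
}

# Outer document for PUT /ess/basicauth/v1/pafconfig/<cohort>.
# $1 cohort  $2 SAML protocol URL  $3 params (output of build_saml_params)
# $4 certificate as single-line base64 (paramBlob)
build_jtxt() {
  printf '{"cohort":"%s","moduleName":"SAML_AUTH","url":"%s","params":"%s","paramBlob":"%s"}' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")" "$4"
}

# Usage with constructed values ("QUJD" stands in for the real certificate blob):
# PARAMS=$(build_saml_params urn:demo-0307.auth0.com DXI_NEWYORK 500 email givenName surname role)
# JTXT=$(build_jtxt SAMLCOHORT https://idp.example.com/sso "$PARAMS" QUJD)
```

Call build_saml_params first and pass its output to build_jtxt; the result can replace the hand-written JTXT string before the curl call, and a lower-case or mis-prefixed entityId is rejected before anything is sent.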
Create and Run the rawurlencode.sh Script
Create a script called rawurlencode.sh using the following example. UpsertSamlConfig.sh sources this file from the current directory and calls the rawurlencode function to percent-encode the cohort ID for the request URL, so the file must exist before you run UpsertSamlConfig.sh.
#!/bin/bash
# rawurlencode.sh: percent-encodes a string for use in a URL path segment.
# Unreserved characters (RFC 3986: letters, digits, - _ . ~) are kept;
# every other byte is emitted as %XX.
rawurlencode() {
  local string="${1}"
  local strlen=${#string}
  local encoded=""
  local pos c o
  for (( pos=0 ; pos<strlen ; pos++ )); do
    c=${string:$pos:1}
    case "$c" in
      [-_.~a-zA-Z0-9] ) o="${c}" ;;
      * ) printf -v o '%%%02x' "'$c" ;;
    esac
    encoded+="${o}"
  done
  echo "${encoded}" # You can either set a return variable (FASTER)
  # REPLY="${encoded}" #+or echo the result (EASIER)... or both... :p
}
Map Attributes and Roles
You can map the following attributes and roles from an IdP to DX Platform:
  • Group or Role Membership
    You can map groups or roles in the IdP to the following Application Performance Management roles:
      Tenant Administrator: A tenant administrator can perform administrative tasks only in the scope of the tenant account to which they belong.
      Power User: A power user can view and update alerts and application settings.
    If you do not map roles to IdP roles or groups, all IdP users have the Power User role by default.
  • Email
  • First Name
  • Last Name
To map attributes and roles, use the Upsert Role Mappings API.
  1. Method: PUT
  2. URI: <FQDN>/ess/roles/v1/group/mappings
  3. Authorization: Bearer <BearerToken>
    Specify the bearer token that you generated in the script.
  4. Parameters:
      cohort: The cohort ID.
      rolename: The name of the Application Performance Management role. Specify TA for the tenant administrator role. Specify PU for the power user role.
      anyGroups: Specify the role or group at the IdP. Use the name and distinguishedName attributes to specify the role and group. See the following code for an example.
The curl command for this call resembles the following example:
curl -X PUT \
  https://cloud.ca.com/ess/roles/v1/group/mappings \
  -H 'authorization: Bearer eyJ0a24iOiJkY2FmNDc2OC1mNjQ4LTRhMTEtYTEwOC0yZjQ2ZmEyMDNlMjkiLCJhbGwiOnRydWUsInQiOiJkZWZhdWx0b3JnIn0=' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{
    "cohort": "CAGIS-NONPROD-USERSTORE",
    "roleMappings": [
      {
        "rolename": "TA",
        "anyGroups": [
          {
            "name": "Team - GIS - GISLA-Admins",
            "distinguishedName": "CN=Team - GIS - GISLA-Admins,OU=Self Service Groups,OU=Groups,DC=ca,DC=com"
          },
          {
            "name": "Team-GIS-AXAAdmins",
            "distinguishedName": "CN=Team-GIS-AXAAdmins,OU=Groups,OU=ITC Hyderabad,DC=ca,DC=com"
          }
        ]
      },
      {
        "rolename": "PU",
        "anyGroups": [
          {
            "name": "Team-GIS-AXAPUser",
            "distinguishedName": "CN=Team-GIS-AXAPUser,OU=Self Service Groups,OU=Groups,DC=ca,DC=com"
          }
        ]
      }
    ]
  }'
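In the request body above each group appears twice, once as name and once as distinguishedName, and in the example the name is the CN of the DN. The following shell script is an added example, not part of the DX Platform API or documentation: it reads one "ROLE DN" line per group, derives name from the CN of each DN so the two fields cannot drift apart, collects the entries under TA and PU, and emits a body of the same shape as the curl call. The function names are assumptions, and the group lines in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not part of the DX Platform API: build the Upsert Role Mappings
# body from "<ROLE> <DN>" lines on stdin. "name" is taken from the CN of each DN
# so the two fields describe the same group.

# Escape one value for use inside a JSON string literal (backslash first, then quote).
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# CN value of a distinguishedName (its first RDN). Commas inside a CN would be
# LDAP-escaped as "\," and are not handled here.
dn_cn() {
  printf '%s' "$1" | sed 's/^[Cc][Nn]=\([^,]*\).*/\1/'
}

# One anyGroups element for a DN.
group_entry() {
  printf '{"name":"%s","distinguishedName":"%s"}' \
    "$(json_escape "$(dn_cn "$1")")" "$(json_escape "$1")"
}

# $1 cohort; stdin: one "TA <DN>" or "PU <DN>" line per group (role, one space, DN).
# Prints the request body; returns 1 on an unknown role name.
build_role_mappings() {
  ta_groups=""
  pu_groups=""
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    role=${line%% *}
    dn=${line#* }
    entry=$(group_entry "$dn")
    case "$role" in
      TA) ta_groups="${ta_groups:+$ta_groups,}$entry" ;;
      PU) pu_groups="${pu_groups:+$pu_groups,}$entry" ;;
      *) echo "unknown role: $role (use TA or PU)" >&2; return 1 ;;
    esac
  done
  printf '{"cohort":"%s","roleMappings":[{"rolename":"TA","anyGroups":[%s]},{"rolename":"PU","anyGroups":[%s]}]}' \
    "$(json_escape "$1")" "$ta_groups" "$pu_groups"
}

# Usage with constructed group lines:
# printf 'TA CN=Team-GIS-AXAAdmins,OU=Groups,DC=ca,DC=com\nPU CN=Team-GIS-AXAPUser,OU=Groups,DC=ca,DC=com\n' \
#   | build_role_mappings CAGIS-NONPROD-USERSTORE
```

The output can be passed straight to curl with -d; a role other than TA or PU stops the build with a message instead of sending a body the API would reject.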
Configure Cache Settings
Use the Global Refresh Cache API to apply the role mappings that you configured in Map Attributes and Roles. You can also restart the server to apply the role mappings.
The following command illustrates how to refresh the cache to apply role mappings. Specify the Global Admin token as the Bearer token.
curl -X PUT \
  http://localhost:8080/ess/tenants/v1/cache \
  -H 'authorization: Bearer eyJ0a24iOiJhMjIyZjY2OC0xZWNjLTRiMGQtYWY3Ni1kZjQ1ZGZiYTE3MzIiLCJhbGwiOnRydWUsInQiOiJkZWZhdWx0b3JnIn0' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{}'