SAML2 Authentication in DX NetOps Spectrum

From 10.4.1, you can authenticate users with SAML 2.0 through your organization's Identity Provider (IdP). DX NetOps Spectrum now supports Security Assertion Markup Language (SAML) 2 authentication as a single sign-on login standard for this purpose. SAML is a standard for logging users into applications based on their sessions in another context.
DX NetOps Spectrum SAML2 supports both SP-initiated and IdP-initiated configurations. The DX NetOps Spectrum configuration steps are the same for both configuration types.
SAML2 authentication in CA Spectrum supports the following IdPs:
  • Auth0
  • Okta
  • OneLogin
  • Microsoft Azure Active Directory (Azure AD)
  • Any other SAML 2.0 IdP
Enable Single Sign-On
The following procedure lists the steps to integrate DX NetOps Spectrum with the identity provider server.
Follow these steps:
  1. Configure the IdP server: create the DX NetOps Spectrum app in the Identity Provider (IdP) server.
  2. Create DX NetOps Spectrum users for Single Sign-On. The IdP usernames and DX NetOps Spectrum usernames must match, else the authentication fails.
  3. Configure the fediz_config.xml file.
    1. Open the fediz_config.xml file located in the <SPECROOT>/tomcat/conf directory.
    2. Update the following fields:
      • audienceItem
        Specifies the Audience URI. For example, https://spectum_host/spectrum/
        Audience URI: the application-defined unique identifier that is the intended audience of the SAML assertion. This is most often the SP Entity ID of your application.
      • Issuer
        Specifies the IdP Single Sign-On URL. For example, https://oneclickhostname.broadcom.net:8443/spectrum/
        Single Sign-On URL: the location where the SAML assertion is sent with an HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for your application.
      • realm
        Specifies the IdP Audience URI. For example, https://spectum_host/spectrum/
        The audienceItem and realm parameters must have the same value.
      • (Optional) reply
        Single Sign-On URL: https://oneclickhostname.broadcom.net:8443/spectrum/. The location where the SAML assertion is sent with an HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for your application.
    3. Update the keystore file location in the values of the following parameters:
      • certificateStores
      • signingKey
      • tokenDecryptionKey
    4. Retain the default values for all other parameters.
    5. Save and close the file.
  4. Configure Basic Authentication for other product integrations.
    DX NetOps Spectrum SAML Authentication supports web browser single sign-on. Some integration clients, such as the following, are not browser-based applications:
    • Spectrumgtw probe - UIM Integration
    • DX NetOps Spectrum - DX OI Connector
    • Other clients that use REST APIs to communicate with DX NetOps Spectrum.
    For such clients, DX NetOps Spectrum allows the user to communicate using basic authentication.
    To configure basic authentication, follow these steps:
    1. Open the non-saml-config.xml file from the <SPECROOT>/tomcat/conf directory.
    2. Set the allowBasicAuthentication parameter to true.
      <allowBasicAuthentication>true</allowBasicAuthentication>
    3. Specify the Spectrum user names that are used for integrations. Only the users listed in this configuration can use basic authentication.
      <userName>spectrumUser1</userName>
      <userName>spectrumUser2</userName>
    4. Save and close the file.
  5. Enable SAML Authentication.
    1. In the OneClick Web interface, click the Administration tab.
    2. Click the Single Sign-On Configuration link.
    3. Select SAML as the SSO option.
    4. If Tomcat does not restart automatically, restart it manually.
    5. Stop Tomcat and start it again. The changes are applied after the Tomcat server restarts.
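As an added configuration check (not part of the Broadcom documentation or the product), the following Python script reads the two files edited in steps 3 and 4 and reports the inconsistencies the text says cause failures: audienceItem and realm differing, a keystore parameter without a location, and an integration account missing from the basic-authentication allow list. Because the exact nesting of fediz_config.xml is not shown above, it matches elements by name anywhere in the document; the sample fragments are constructed.

```python
import xml.etree.ElementTree as ET

# Parameters whose values must carry the keystore location (step 3.3 above).
KEYSTORE_PARAMS = ("certificateStores", "signingKey", "tokenDecryptionKey")


def _texts(root, tag):
    """Non-empty text of every <tag> element, wherever it sits in the tree."""
    return [e.text.strip() for e in root.iter(tag) if e.text and e.text.strip()]


def check_fediz(xml_text):
    """Findings for fediz_config.xml; an empty list means the file is consistent."""
    root = ET.fromstring(xml_text)
    findings = []
    audience, realm = _texts(root, "audienceItem"), _texts(root, "realm")
    for name, vals in (("audienceItem", audience), ("realm", realm)):
        if not vals:
            findings.append(f"{name} is missing")
    if audience and realm and set(audience) != set(realm):
        findings.append(f"audienceItem {audience} != realm {realm}")
    for tag in KEYSTORE_PARAMS:
        nodes = list(root.iter(tag))
        if not nodes:
            findings.append(f"{tag} is missing")
        elif not any(t.strip() for n in nodes for t in n.itertext()):
            findings.append(f"{tag} has no keystore location")
    return findings


def check_basic_auth(xml_text, required_users=()):
    """Findings for non-saml-config.xml given the accounts integrations need."""
    root = ET.fromstring(xml_text)
    findings = []
    enabled = _texts(root, "allowBasicAuthentication")[:1] == ["true"]
    users = set(_texts(root, "userName"))
    if required_users and not enabled:
        findings.append("allowBasicAuthentication is not true")
    findings += [f"user {u} not listed" for u in required_users if u not in users]
    if enabled and not users:
        findings.append("basic auth enabled but no userName listed")
    return findings


# Constructed sample fragments (the real files contain more elements around these).
FEDIZ_OK = """<FedizConfig><contextConfig>
  <audienceUris><audienceItem>https://spectrum_host/spectrum/</audienceItem></audienceUris>
  <certificateStores><keyStoreFile>/opt/saml/keystore.jks</keyStoreFile></certificateStores>
  <signingKey><keyStoreFile>/opt/saml/keystore.jks</keyStoreFile></signingKey>
  <tokenDecryptionKey><keyStoreFile>/opt/saml/keystore.jks</keyStoreFile></tokenDecryptionKey>
  <protocol><issuer>https://idp.example/sso</issuer><realm>https://spectrum_host/spectrum/</realm></protocol>
</contextConfig></FedizConfig>"""
BASIC_OK = """<config><allowBasicAuthentication>true</allowBasicAuthentication>
  <userName>spectrumUser1</userName><userName>spectrumUser2</userName></config>"""
```

Run check_fediz on the real fediz_config.xml and check_basic_auth on non-saml-config.xml with the accounts your integrations use before restarting Tomcat; any non-empty result is a setting the page says will break login.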
Disable Single Sign-On
You can disable SAML authentication when it is not required. Use the DX NetOps Spectrum administration UI to disable SAML. If you enabled SAML without first creating the IdP user in DX NetOps Spectrum, disable SAML using the command line.
Disable SAML using GUI
Follow these steps:
  1. In DX NetOps Spectrum, navigate to Administration, Single Sign-On Configuration.
  2. Select No Single Sign-On.
  3. Save and confirm the save at the prompt.
  4. Restart the Tomcat server.
Disable SAML using Command Line
Follow these steps:
  1. Open the context.xml file from the <SPECROOT>/tomcat/conf/ directory.
  2. Change the value from com.aprisma.tomcat.authenticator.Saml2FederationAuthenticator to org.apache.catalina.authenticator.BasicAuthenticator.
  3. Save and close the file.
  4. Open the web.xml file from the <SPECROOT>/tomcat/webapps/spectrum/WEB-INF/ directory.
  5. Change the value of the <auth-method></auth-method> parameter from WSFED to BASIC.
  6. Save and close the file.
  7. Restart the Tomcat server.