
Setup and Installation


Before You Begin

Contact your IDP administrator to obtain the XML metadata for the IDP. Note: if you use SiteMinder as your IDP, you cannot specify the "type" of an attribute; use NameID instead in that case.

The SAML gateway requires a key pair for encryption and signing. Obtain the key pair from your administrator, or create a new one with Java keytool.

Installing the SAML gateway application

1. Replace the file named idp.xml in the WEB-INF/classes/metadata folder of the application with the metadata for your Identity Provider (IDP).

2. Import the encryption key pair into the provided keystore located at WEB-INF/classes/security/samlKeystore.jceks. You will need to pass the -storetype jceks option to Java keytool when importing. The default keystore password is teamconnect; change it before deploying to production.

   Alternatively, you can replace the provided keystore with your own and update saml.properties (see below) accordingly.

3. Edit the saml.properties file in the WEB-INF/classes folder of the application. It contains the following properties:

idp.tcUsernameIdentifier
    SAML response element that carries the TeamConnect username. Supported values are NameID and Attribute. Contact your Identity Provider for this information.

idp.nameIDFormat
    Required only when idp.tcUsernameIdentifier is NameID, for example urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

idp.attributeName
    The name of the response Attribute containing the TeamConnect username. Required only when idp.tcUsernameIdentifier is Attribute. Contact your Identity Provider for this information.

sp.entityID
    Service Provider entity ID. This is the value entered on the Metadata generation page to generate the service provider metadata (see the steps below). If you are using an existing metadata file, enter the value of the entityID attribute from that metadata file.

gateway.admin.username
    Username used to access the SAML gateway administration interface. Default is admin.

gateway.admin.password
    Password used to access the SAML gateway administration interface. Default is admin.

gateway.supportIdpInitializedSSO
    Indicates whether IDP-initiated SSO should be supported. Supported values are true and false.

teamconnect.loginUrl
    The login URL for the TeamConnect application.

keystore.file
    Name of the Java keystore file containing the private key for encrypting and optionally signing SAML messages. This file must be located in the WEB-INF/classes/security folder of the application. You may use the provided sample keystore (samlKeystore.jceks) or replace it with your own.

keystore.type
    Type of the keystore. Supported values are jceks and jks.

keystore.password
    Keystore password.

keystore.privatekey.alias
    Keystore alias for the private key. For security reasons, the default private key should not be used in production.

keystore.privatekey.password
    Password for the private key.

4. Deploy the SAML gateway application.

5. In a web browser, go to <SAML gateway>/saml/web/metadata/generate.

6. Log in using the credentials defined in step 3 (gateway.admin.username and gateway.admin.password).

7. On the Metadata generation page, enter the Entity ID defined in step 3 (sp.entityID). The choices for Service Provider (SP) metadata generation depend on the environment and configuration, as agreed on by the IDP and SP administrators.

8. Click the Generate metadata button. The Metadata detail page is displayed.

   a. Replace the contents of the file named sp.xml in the WEB-INF/classes/metadata folder of the application with the content of the Metadata field.

   b. Edit the securityContext.xml file in the WEB-INF/classes folder of the application and update the ExtendedMetadata of the <bean> with id="sp" to include the property values from the Configuration field.

9. Restart the SAML gateway application.

10. Provide the service provider metadata to your IDP administrator for upload to the IDP.

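Before deploying the gateway (step 4), it is worth linting saml.properties against the rules in the property table above. The following Python script is an added example, not part of the SAML gateway distribution: it assumes a plain key=value properties file, and it flags the conditional requirements (idp.nameIDFormat versus idp.attributeName), the enumerated values, and the shipped defaults (admin/admin, keystore password teamconnect) that should not reach production. The sample configuration and the hostnames in it are constructed for the example.

```python
# Always-required keys from the property table; conditional keys are checked below.
REQUIRED = ("idp.tcUsernameIdentifier", "sp.entityID", "teamconnect.loginUrl",
            "keystore.file", "keystore.type", "keystore.password",
            "keystore.privatekey.alias", "keystore.privatekey.password")
# Shipped defaults named in the setup steps; none of them belong in production.
WEAK_DEFAULTS = {"gateway.admin.username": "admin", "gateway.admin.password": "admin",
                 "keystore.password": "teamconnect"}
ENUMS = {"keystore.type": ("jceks", "jks"),
         "gateway.supportIdpInitializedSSO": ("true", "false")}

def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comment lines, key=value lines."""
    props = {}
    for line in text.splitlines():
        if line.strip() and line.lstrip()[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_saml_properties(text):
    """Return a list of findings; an empty list means the file passes the checks."""
    p = parse_properties(text)
    findings = [f"missing required property {k}" for k in REQUIRED if not p.get(k)]
    ident = p.get("idp.tcUsernameIdentifier")
    if ident == "NameID" and not p.get("idp.nameIDFormat"):
        findings.append("idp.nameIDFormat is required when idp.tcUsernameIdentifier=NameID")
    elif ident == "Attribute" and not p.get("idp.attributeName"):
        findings.append("idp.attributeName is required when idp.tcUsernameIdentifier=Attribute")
    elif ident not in (None, "NameID", "Attribute"):
        findings.append(f"idp.tcUsernameIdentifier must be NameID or Attribute, not {ident!r}")
    for key, allowed in ENUMS.items():
        if key in p and p[key] not in allowed:
            findings.append(f"{key} must be one of {allowed}, not {p[key]!r}")
    for key, default in WEAK_DEFAULTS.items():
        if p.get(key, default) == default:  # an absent key means the default applies
            findings.append(f"{key} still uses the shipped default {default!r}")
    return findings

# Constructed sample: shipped defaults left in place, NameID chosen without its format.
WEAK_CONFIG = """\
idp.tcUsernameIdentifier=NameID
sp.entityID=https://gateway.example.invalid/saml/metadata
teamconnect.loginUrl=https://teamconnect.example.invalid/login
gateway.supportIdpInitializedSSO=yes
keystore.file=samlKeystore.jceks
keystore.type=jceks
keystore.password=teamconnect
keystore.privatekey.alias=gateway
keystore.privatekey.password=teamconnect
"""
```

Running check_saml_properties(WEAK_CONFIG) reports five findings: the missing idp.nameIDFormat, the invalid supportIdpInitializedSSO value, and the three shipped defaults (two of them applied because the admin credentials were never set).
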
Installing the TeamConnect custom authentication plugin for SAML

1. Update the URLs in badCredentials.html and logout.html to match your SAML gateway deployment.

2. Create the following Document folder structures in your TeamConnect instance:

   a. System/Authentication/SAML/classes

   b. System/Authentication/SAML/pages

3. Upload the authenticationDescriptor.properties, SAMLAuthenticator.class and Crypto.class files to the System/Authentication/SAML/classes folder created in step 2.

4. Upload the badCredentials.html, logout.html and sessionTimeout.html files to the System/Authentication/SAML/pages folder created in step 2.

5. Restart the TeamConnect application and select SAML Single Sign-On as the Default Authentication Method under Admin Settings -> Security.