...
Download the Ubisecure IDP metadata from the SAML 2.0 link on the Ubisecure Management home page. Save this file into the /WEB-INF/saml2/sp/metadata folder of your web application.

Figure 1. Click SAML 2.0 to download the IDP metadata file

Copy the binary libraries from the installation package directory ubispservlet/webapp/WEB-INF/lib to the WEB-INF/lib directory of the web application:

```text
cd ubispservlet\webapp\WEB-INF\lib
copy *.jar <webapp_directory>\WEB-INF\lib\
```
- Configure the WEB-INF\web.xml file using the example provided in ubispservlet/webapp/WEB-INF/web.xml or by following the instructions in SAML SP application integration - SSO. For virtual hosting, ProxyFilter must not be used. Remove the following style of configuration if it is present in the web.xml file:

```xml
<filter>
  <filter-name>ProxyFilter</filter-name>
  <filter-class>com.ubisecure.util.filter.ProxyFilter</filter-class>
  <init-param>
    <param-name>com.ubisecure.util.filter.proxy.front</param-name>
    <param-value>http://portal.example.com</param-value>
  </init-param>
  <init-param>
    <param-name>com.ubisecure.util.filter.proxy.remote-addr-name</param-name>
    <param-value>x-forwarded-for</param-value>
  </init-param>
</filter>
```
SAML SP uses the Java AddressTracker component for IP address matching. If a reverse proxy is used, set the x-forwarded-for option of the netmask parameter; the client address is then taken from the header value set by the reverse proxy. To do so, add the following init-param to the ServiceProviderServlet in the web.xml file. The proxy must be configured to pass the required values in the headers.

```xml
<servlet>
  <servlet-name>ServiceProviderServlet</servlet-name>
  <servlet-class>com.ubisecure.saml2.sp.servlet.ServiceProviderServlet</servlet-class>
  <init-param>
    <param-name>netmask</param-name>
    <param-value>enabled x-forwarded-for=x-client-address</param-value>
  </init-param>
  <load-on-startup>0</load-on-startup>
</servlet>
```
Create a directory for each hostname:

```text
cd <webapp_directory>\WEB-INF\
mkdir saml2/sp/application.host1.com
mkdir saml2/sp/application.host2.com
```
Create the identity for Service Provider 1:

```text
cd <webapp_directory>\WEB-INF
java -jar lib\ubisaml2.jar Generate https://application.host1.com/webapp/spsso -o saml2\sp\application.host1.com
```
Create the metadata for Service Provider 1:

```text
cd <webapp_directory>\WEB-INF
java -jar lib\ubisaml2.jar Metadata saml2\sp\application.host1.com -f c:\temp\sp1.xml
```
Disable the use of backchannel messages from the SP. All interactions with the SP will then go via the user's browser. To disable backchannel messages, set the LiteNoBackChannel compatibility flag in the SP's identity.properties file.

Open the identity.properties file in a text editor and add the following line to the file:

```text
com.ubisecure.saml2.config.compatibility
com.ubisecure.ubilogin.uas.saml2.compatibility = LiteNoBackChannel
```
Create the identity for Service Provider 2:

```text
cd <webapp_directory>\WEB-INF
java -jar lib\ubisaml2.jar Generate https://application.host2.com/webapp/spsso -o saml2\sp\application.host2.com
```
Create the metadata for Service Provider 2:

```text
cd <webapp_directory>\WEB-INF
java -jar lib\ubisaml2.jar Metadata saml2\sp\application.host2.com -f c:\temp\sp2.xml
```
Disable the use of backchannel messages from the second SP. All interactions with the SP will then go via the user's browser. To disable backchannel messages, set the LiteNoBackChannel compatibility flag in the SP's identity.properties file.

Open the identity.properties file in a text editor and add the following line to the file:

```text
cd <webapp_directory>\WEB-INF\saml2\sp\application.host2.com
com.ubisecure.ubilogin.uas.saml2.compatibility = LiteNoBackChannel
```
- Create an application for SP1 using Ubisecure Management and activate the application using the metadata from c:\temp\sp1.xml. Configure the application's template, methods and allowed-to groups as desired. Activation is described in the "Associate the SP identity with a Ubisecure Web Agent" section of SAML SP activation - SSO.
- Create an application for SP2 using Ubisecure Management and activate the application using the metadata from c:\temp\sp2.xml. Configure the application's template, methods and allowed-to groups as desired. Activation is described in the "Associate the SP identity with a Ubisecure Web Agent" section of SAML SP activation - SSO.
- The resulting file structure should be as follows. For additional hostnames, repeat the same process for each hostname:
  - create the sp subdirectory using the exact hostname
  - create the identity using the Generate command
  - create the metadata using the Metadata command
  - add the LiteNoBackChannel compatibility flag to the identity.properties file
  - activate and configure the application using the generated metadata
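As an added post-configuration check (not Ubisecure's code), the following Python audits a web.xml for a leftover ProxyFilter and for the netmask init-param required behind a reverse proxy, and checks that a virtual host's identity.properties carries the LiteNoBackChannel flag. The sample inputs are constructed, and accepting both compatibility property names as they appear on this page is an assumption.

```python
import xml.etree.ElementTree as ET

PROXY_FILTER = "com.ubisecure.util.filter.ProxyFilter"
# both property names appear on this page; the audit accepts either key (assumption)
COMPAT_KEYS = {"com.ubisecure.ubilogin.uas.saml2.compatibility", "com.ubisecure.saml2.config.compatibility"}

def audit_web_xml(xml_text, behind_proxy):
    """ProxyFilter must be absent; behind a reverse proxy, netmask must map x-forwarded-for."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                       # drop namespaces so tags match plain web.xml
        el.tag = el.tag.rsplit("}", 1)[-1]
    findings, netmask = [], None
    for f in root.iter("filter"):
        if (f.findtext("filter-class") or "").strip() == PROXY_FILTER:
            findings.append("ProxyFilter configured: not supported with virtual hosting, remove it")
    for s in root.iter("servlet"):
        if (s.findtext("servlet-name") or "").strip() == "ServiceProviderServlet":
            for p in s.iter("init-param"):
                if (p.findtext("param-name") or "").strip() == "netmask":
                    netmask = (p.findtext("param-value") or "").strip()
    if behind_proxy and (netmask is None or not netmask.startswith("enabled")
                         or "x-forwarded-for=" not in netmask):
        findings.append("reverse proxy in use but ServiceProviderServlet has no netmask "
                        "init-param of the form 'enabled x-forwarded-for=<header>'")
    return findings

def audit_identity_properties(text, host):
    """Each virtual host's identity.properties must carry the LiteNoBackChannel flag."""
    flags = []
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):   # skip comments
            key, value = line.split("=", 1)
            if key.strip() in COMPAT_KEYS:
                flags += [v.strip() for v in value.split(",")]  # flags may be comma-separated
    return [] if "LiteNoBackChannel" in flags else [f"{host}: LiteNoBackChannel flag not set"]

# constructed sample: netmask is set correctly, but the ProxyFilter was left in place
SAMPLE_WEB_XML = """<web-app>
 <filter><filter-name>ProxyFilter</filter-name><filter-class>com.ubisecure.util.filter.ProxyFilter</filter-class></filter>
 <servlet><servlet-name>ServiceProviderServlet</servlet-name>
  <init-param><param-name>netmask</param-name><param-value>enabled x-forwarded-for=x-client-address</param-value></init-param>
 </servlet></web-app>"""
SAMPLE_PROPS = "com.ubisecure.ubilogin.uas.saml2.compatibility = LiteNoBackChannel\n"  # constructed

if __name__ == "__main__":
    print(audit_web_xml(SAMPLE_WEB_XML, behind_proxy=True))   # reports the ProxyFilter only
    print(audit_identity_properties(SAMPLE_PROPS, "application.host1.com"))  # []
```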
...
```text
[servlet and filter configuration]
<webapp_directory>\WEB-INF\web.xml
[SAML SP binary libraries]
<webapp_directory>\WEB-INF\lib\*.jar
[SAML SP logger configuration]
<webapp_directory>\WEB-INF\classes\logback.xml
[SAML SP 1 identity]
<webapp_directory>\WEB-INF\saml2\sp\application.host1.com\identity.properties
[SAML SP 2 identity]
<webapp_directory>\WEB-INF\saml2\sp\application.host2.com\identity.properties
[IDP metadata]
<webapp_directory>\WEB-INF\saml2\sp\metadata\metadata.xml
```
...
```text
[servlet and filter configuration]
<webapp_directory>\WEB-INF\web.xml
[SAML SP binary libraries]
<webapp_directory>\WEB-INF\lib\*.jar
[SAML SP logger configuration]
<webapp_directory>\WEB-INF\classes\logback.xml
[SAML SP 1 identity]
<webapp_directory>\WEB-INF\saml2\sp\application.host1.com\identity.properties
[SAML SP 2 identity]
<webapp_directory>\WEB-INF\saml2\sp\application.host2.com\identity.properties
[IDP metadata files]
<webapp_directory>\WEB-INF\saml2\sp\application.host1.com\metadata\metadata.xml
<webapp_directory>\WEB-INF\saml2\sp\application.host2.com\metadata\metadata.xml
```
...