Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Download the Ubisecure IDP metadata from the SAML 2.0 link on the Ubisecure Management home page. Save this file into the /WEB-INF/saml2/sp/metadata folder of your web application.

    Figure 1. Click SAML 2.0 to download the IDP metadata file


  2. Copy the binary libraries from the installation package directory ubispservlet/webapp/WEB-INF/lib to the WEB-INF/lib directory of the web application.

    Code Block
    languagetext
    cd ubispservlet\webapp\WEB-INF\libcopy *.jar <webapp_directory>\WEB-INF\lib\


  3. Configure the WEB-INF\web.xml file using the example provided ubispservlet/webapp/WEB-INF/web.xml or following the instructions in SAML SP application integration - SSO.
  4. For virtual hosting ProxyFilter must not be used.
    Remove the following style of configuration if present in the web.xml file.

    Code Block
    languagetext
    <filter>
    <filter-name>ProxyFilter</filter-name>
    <filter-class>com.ubisecure.util.filter.ProxyFilter</filter-class>
    <init-param>
    <param-name>com.ubisecure.util.filter.proxy.front</param-name>
    <param-value>http://portal.example.com</param-value>
    </init-param>
    <init-param>
    <param-name>com.ubisecure.util.filter.proxy.remote-addr-name</param-name>
    <param-value>x-forwarded-for</param-value>
    </init-param>
    </filter>

    SAML SP uses Java AddressTracker component for IP address matching. If a reverse proxy is used, set the netmask parameter's x-forwarded-for setting. The client address will be retrieved from this value set by the reverse proxy.
    If a reverse proxy is used, add the following init-param to the ServiceProviderServlet of the web.xml file. The proxy must be configured to pass the required values in the headers.

    Code Block
    languagetext
    <servlet>
    	<servlet-name>ServiceProviderServlet</servlet-name>
    	<servlet-class>com.ubisecure.saml2.sp.servlet.ServiceProviderServlet</servlet-class>
    	<init-param>
    		<param-name>netmask</param-name>
    		<param-value>enabled x-forwarded-for=x-client-address</param-value>
    	</init-param>
       <load-on-startup>0</load-on-startup>
    </servlet>


  5. Create a directory for each hostname:

    Code Block
    languagetext
    cd <webapp_directory>\WEB-INF\
    mkdir saml2/sp/application.host1.com
    mkdir saml2/sp/application.host2.com


  6. Create the identity for Service Provider 1:

    Code Block
    languagetext
    cd <webapp_directory>\WEB-INF
    java -jar lib\ubisaml2ubispservlet\tools\metadata-generator.jar Generate https://application.host1.com/webapp/spsso -o
    saml2\sp\ application.host1.com


  7. Create the metadata for Service Provider 1:

    Code Block
    languagetext
    cd <webapp_directory>\WEB-INF
    java -jar lib\ubisaml2ubispservlet\tools\metadata-generator.jar Metadata saml2\sp\application.host1.com -f c:\temp\sp1.xml


  8. Disable the use of backchannel messages from the SP. All interactions with the SP will be via the user browser. To disable backchannel messages, set the LiteNoBackChannel compatibility flag in the SP's identity.properties file.

    Open identity.properties file in a text editor. Add the following line to the file:

    Code Block
    languagetext
    com.ubisecure.saml2.config.compatibilitycom.ubisecure.ubilogin.uas.saml2.compatibility = LiteNoBackChannel


  9. Create the identity for Service Provider 2:

    Code Block
    languagetext
    cd <webapp_directory>\WEB-INF
    java -jar lib\ubisaml2ubispservlet\tools\metadata-generator.jar Generate https://application.host2.com/webapp/spsso -o
    saml2\sp\ application.host2.com


  10. Create the metadata for Service Provider 2:

    Code Block
    languagetext
    cd <webapp_directory>\WEB-INF
    java -jar lib\ubisaml2ubispservlet\tools\metadata-generator.jar Metadata saml2\sp\application.host2.com -f c:\temp\sp2.xml


  11. Disable the use of backchannel messages from the second SP. All interactions with the SP will be via the user browser. To disable backchannel messages, set the LiteNoBackChannel compatibility flag in the SP's identity.properties file.
    Open identity.properties file in a text editor. Add the following line to the file:

    Code Block
    languagetext
    cd <webapp_directory>\WEB-INF\saml2\sp\application.host2.com
    com.ubisecure.ubilogin.uas.saml2.compatibility = LiteNoBackChannel


  12. Create an application for SP1 using Ubisecure Management and activate the application using the metadata from c:\temo\sp1.xml. Configure the application's template, methods and allowed to groups as desired. Activation is described in Associate the SP identity with a Ubisecure Web Agent section of SAML SP activation - SSO.
  13. Create an application for SP2 using Ubisecure Management and activate the application using the metadata from c:\temo\sp2.xml. Configure the application's template, methods and allowed to groups as desired. Activation is described in Associate the SP identity with a Ubisecure Web Agent section of SAML SP activation - SSO.
  14. The resulting file structure should be as follows. For additional hostnames, repeat the same process for each hostname:
    1. create sp subdirectory using exact hostname
    2. create the identity using the Generate command
    3. create the metadata using the Metadata command
    4. add the compatibility LiteNoBackChannel to the identity.properties file
    5. activate and configure the application using the generated metadata

...