OFSAA can be configured as “Service Provider” using the SAML 2.0 protocol. To register OFSAA as the Service Provider, update the sp_metadata.xml file, which is located in the $FIC_HOME/conf/ directory. The following options are available:
1. SAML Service Provider Metadata Configuration with Certificate
2. SAML Service Provider Metadata Configuration without Certificate
If your OFSAA version is 8.0.7.1.0, 8.0.7.2.0, 8.0.7.3.0, 8.0.8.1.0, or 8.0.9.1.0 update the sp_metadata.xml file with the X509 Certificate, which is available on the OFSAA Configuration window. For more information, see the section Update General Details in the OFS Analytical Applications Infrastructure User Guide.
The following code snippet shows the format of the tags in the XML file:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="$ENTITYID$">
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate></ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate></ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="$CONSUMERSERVICEURL$" index="0"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="$LOGOUTSERVICEURL$"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
NOTE |
Do not copy ----Begin Certificate---- and ----End Certificate----. It may lead to issues during authentication. |
The following code snippet is an example of the XML file with the X509 Certificate values embedded in the tags:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://example.com:3333/ofsa8081">
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data> <ds:X509Certificate>MITFpTCCA42gAwIBAgIJAKhGKZaNnbRxMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNVBAYTAklOMRIwEAYDVQQIDAlLYXJuYXRha2ExEjAQBgNVBAcMCUJhbmdhbG9yZTEPMA0GA1UECgwGT3JhY2xlMQ4wDAYDVQQLDAVGU0dCVTERMA8GA1UEAwwId2hmMDBvZnMwHhcNMTkxMTA4MDc1NzE5WhcNMjExMTA3MDc1NzE5WjBpMQswCQYDVQQGEwJJTjESMBAGA1UECAwJS2FybmF0YWthMRIwEAYDVQQHDAlCYW5nYWxvcmUxDzANBgNVBAoMBk9yYWNsZTEOMAwGA1UECwwFRlNHQlUxETAPBgNVBAMMCHdoZjAwb2ZzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuctabBwiZpv0wk4fBdqXmHTNAb/3Rj+SvgVAxmL5ix09Z6bS+x26oHmxBHSY2zXlz5ArXeHzKpGgm0D/zSeSxvs9v1SqrFxjjFakYNmzP361VptOpu53njZ+3f+WMXocHSTvOFsRRfzRfNTpvmXSiVzvKUtqgT8QgPMHTR5MuLWDYiz3RLzTnN/rJ/oO4+2fQmOeo9GRkeO41SAI+SPDnOSMjycGq7rlmqnJCAfV4OVJ2wSfuQLieNkfJUWINEiF7UT+/5IlSHjlpo6YJRVMXT51KD6Rx3i31FEzJaTaWJoDA2C7YA6xs7DYfrbTenPKxwtue99stJDoeMKS8cGG8UK8N12BvlaLraaasmr/cDdBV89VRoP+6eDQEwhXHT834ruZ6oM0p+TzyHztYNur9BJKtMqGlzyX+wGMGu9FFjLu5pxwtJw1qxMv9ti35yLMVUVOYAjMSHtqj+I9d1zBLNOQMs4sPxzIZgmGMuZ0TM4kgsSNl4LuAPbFw4wDG4Q/oJYBiBMifzPC3OytYjcDTqNtl5i40iMLMbw0bLWqFW39z0GhrNoCko6DcLTRLLtB1ERw/AmGKBdP8T66kz7hEy9C/SkyP+75qJxhjEDMN2Ha+wwrrat3Yg+H+n7OM+xJJScerK3ZiiqkEGCA69gjvaCBKp/v/pEL/wepHZV6aGECAwEAAaNQME4wHQYDVR0OBBYEFEi7rT1QIjudl3jn6UTRP4sw9CzeMB8GA1UdIwQYMBaAFEi7rT1QIjudl3jn6UTRP4sw9CzeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBADeHLz7k3/iOessnp8dReiGGpf+fIzib+whbUcaVMrNzGk86WQb8zNXGExcZV3RX9l35zW2hDwQUDpdl25lHpvDTo4xIvBOMi4P49rz0SMVYiXVAPY7sy+cidjmcATI4UXxeGD3g+gvzv3z9l6Mg19ivits5BFUksIHMY+rgMewj2+ovSeo8RJd8rjeG7z7JDKlOj1PUPfjpEB9nY+V6tTuqYopcJU6ln3zyN4ngcrJEahY15jeRBzkdzAQRoIRnEjFEob6lCxdkciupl2IdOz6c2kkYQnMcDjyT8jfMQffFMAV/rcE6RS+w4+Ear0/q3svukGYpZnpGpEdxhIV4uo0TwSZo6cE1cj1LGRPNYP/2Cfd6Gp1qJBUxrFKjYx1v9c0KJEnGVUuhNRKxcPfacHloJmNHS5Z2xVQrY+eBSuR+TtKTaio9FWigU3Nx6v1LkbvC7265N38Is3Gkhk5KbN+G4Xet6TX3LcRx0MDqfRfZT3Q+7elFFEunxeBaXg6OaTKbxhHtskgAi1+4z/acrYKC/yjNn8F7qJNkhsFovVHwqPItx517XZzsNjVcp3V+oFfPZdw6MQtp7zSqB+GnM52OrT77X3hGe7+B+PpTARueth2trsiNagqrumAKV8DdtS0Q4XCQ++mmKmm8n/5Epq10Sagbf1D46q+iawIgZf1E</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data> <ds:X509Certificate>MITFpTCCA42gAwIBAgIJAKhGKZaNnbRxMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNVBAYTAklOMRIwEAYDVQQIDAlLYXJuYXRha2ExEjAQBgNVBAcMCUJhbmdhbG9yZTEPMA0GA1UECgwGT3JhY2xlMQ4wDAYDVQQLDAVGU0dCVTERMA8GA1UEAwwId2hmMDBvZnMwHhcNMTkxMTA4MDc1NzE5WhcNMjExMTA3MDc1NzE5WjBpMQswCQYDVQQGEwJJTjESMBAGA1UECAwJS2FybmF0YWthMRIwEAYDVQQHDAlCYW5nYWxvcmUxDzANBgNVBAoMBk9yYWNsZTEOMAwGA1UECwwFRlNHQlUxETAPBgNVBAMMCHdoZjAwb2ZzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuctabBwiZpv0wk4fBdqXmHTNAb/3Rj+SvgVAxmL5ix09Z6bS+x26oHmxBHSY2zXlz5ArXeHzKpGgm0D/zSeSxvs9v1SqrFxjjFakYNmzP361VptOpu53njZ+3f+WMXocHSTvOFsRRfzRfNTpvmXSiVzvKUtqgT8QgPMHTR5MuLWDYiz3RLzTnN/rJ/oO4+2fQmOeo9GRkeO41SAI+SPDnOSMjycGq7rlmqnJCAfV4OVJ2wSfuQLieNkfJUWINEiF7UT+/5IlSHjlpo6YJRVMXT51KD6Rx3i31FEzJaTaWJoDA2C7YA6xs7DYfrbTenPKxwtue99stJDoeMKS8cGG8UK8N12BvlaLraaasmr/cDdBV89VRoP+6eDQEwhXHT834ruZ6oM0p+TzyHztYNur9BJKtMqGlzyX+wGMGu9FFjLu5pxwtJw1qxMv9ti35yLMVUVOYAjMSHtqj+I9d1zBLNOQMs4sPxzIZgmGMuZ0TM4kgsSNl4LuAPbFw4wDG4Q/oJYBiBMifzPC3OytYjcDTqNtl5i40iMLMbw0bLWqFW39z0GhrNoCko6DcLTRLLtB1ERw/AmGKBdP8T66kz7hEy9C/SkyP+75qJxhjEDMN2Ha+wwrrat3Yg+H+n7OM+xJJScerK3ZiiqkEGCA69gjvaCBKp/v/pEL/wepHZV6aGECAwEAAaNQME4wHQYDVR0OBBYEFEi7rT1QIjudl3jn6UTRP4sw9CzeMB8GA1UdIwQYMBaAFEi7rT1QIjudl3jn6UTRP4sw9CzeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBADeHLz7k3/iOessnp8dReiGGpf+fIzib+whbUcaVMrNzGk86WQb8zNXGExcZV3RX9l35zW2hDwQUDpdl25lHpvDTo4xIvBOMi4P49rz0SMVYiXVAPY7sy+cidjmcATI4UXxeGD3g+gvzv3z9l6Mg19ivits5BFUksIHMY+rgMewj2+ovSeo8RJd8rjeG7z7JDKlOj1PUPfjpEB9nY+V6tTuqYopcJU6ln3zyN4ngcrJEahY15jeRBzkdzAQRoIRnEjFEob6lCxdkciupl2IdOz6c2kkYQnMcDjyT8jfMQffFMAV/rcE6RS+w4+Ear0/q3svukGYpZnpGpEdxhIV4uo0TwSZo6cE1cj1LGRPNYP/2Cfd6Gp1qJBUxrFKjYx1v9c0KJEnGVUuhNRKxcPfacHloJmNHS5Z2xVQrY+eBSuR+TtKTaio9FWigU3Nx6v1LkbvC7265N38Is3Gkhk5KbN+G4Xet6TX3LcRx0MDqfRfZT3Q+7elFFEunxeBaXg6OaTKbxhHtskgAi1+4z/acrYKC/yjNn8F7qJNkhsFovVHwqPItx517XZzsNjVcp3V+oFfPZdw6MQtp7zSqB+GnM52OrT77X3hGe7+B+PpTARueth2trsiNagqrumAKV8DdtS0Q4XCQ++mmKmm8n/5Epq10Sagbf1D46q+iawIgZf1E</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://example.com:3333/ofsa8081/login.jsp" index="0"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://example.com:3333/ofsa8081/signoff.jsp"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
After updating the file, upload it to the Trusted Providers table under Identity Federation in the Identity Manager application.
For all versions of OFSAA other than 8.0.7.1.0, 8.0.7.2.0, 8.0.7.3.0, 8.0.8.1.0, or 8.0.9.1.0, update the following information in the sp_metadata.xml file:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="$ENTITYID$">
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="$CONSUMERSERVICEURL$" index="0"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="$LOGOUTSERVICEURL$"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
· $ENTITYID$ - OFSAAI URL till context name.
For example, http(s)://hostname:port/<context>
· $CONSUMERSERVICEURL$ - OFSAAI login URL
For example, http(s)://hostname:port/<context>/login.jsp
· $LOGOUTSERVICEURL$ - OFSAAI logout URL
For example, http(s)://hostname:port/<context>/logout.jsp
OFSAA generated SAMLRequest is unsigned and sent to “Identity Provider (IdP)” using “HTTP Redirect” method. “Identity Provider (IdP)” sends back SAMLResponse using “HTTP POST” method. Authenticated user can be sent as one of the attribute (e.g. "uid”) in SAMLResponse or in “Subject”.
If user is sent in attribute, same user attribute has to be specified in “SAML User Attribute” in OFSAA Configuration screen.
If user is sent in subject, then NameID format in SAML response should be “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”.