Configuring SAML Authentication

This section provides the steps to integrate SSO with an external SAML 2.0 IDP solution, such as NetIQ Advanced Authentication, Keycloak or Okta.

Fusion SSO and the external SAML 2.0 IDP should be time-synchronized to the same NTP server. In the configuration UI, the session timeout must be set to the same value that the external IDP uses for user session timeouts.


Describing Information Regarding the Trusted Provider Metadata

The metadata document for a trusted SAML provider with which an SSO-defined provider interacts must be obtained in a provider-specific manner. While not all providers do so, many supply their metadata documents via a URL.

After the trusted provider's metadata document (or the URL-accessible location of the document) is obtained, you must configure the SSO provider that will interact with the trusted provider's metadata.

In the document, modify the <Metadata> element within the <AccessSettings> element under either the <TrustedIDP> element or the <TrustedSP> element.

For example:

    com.microfocus.sso.default.login.saml2.mapping-attr = email

Here, email is the name of the email attribute as supplied by the SAML 2.0 IDP.


Configuring an External SAML Provider

Use the metadata URL of Fusion SSO to derive the specific single sign-on and single log-out URLs to configure an external SAML 2.0 IDP. These URLs include the following:

A user present in the external SAML 2.0 IDP solution must also exist in Fusion to proceed with integration.


Integrating with an External SAML Provider

  1. On the NFS server, open the sso-configuration.properties file, located by default in the <arcsight_nfs_vol_path>/sso/default directory.

    <arcsight_nfs_vol_path> is the NFS volume used for the CDF installation.

    For example:

    /opt/NFS_volume/arcsight-volume/sso/default
  2. Add the following properties to the sso-configuration.properties file:
      com.microfocus.sso.default.login.method = saml2
      com.microfocus.sso.default.saml2.enabled = true
  3. To specify the address where the IDP supplies its metadata document, complete one of the following actions:

    • Add the following property to the file:
        com.microfocus.sso.default.login.saml2.metadata-url = <IDP SAML metadata URL>
      An example of an Okta server URL could be:
        https://<youraccount>.okta.com/app/<appid>/sso/saml/metadata
      An example of a Keycloak server URL could be:
        https://<KeycloakServer>/auth/realms/<YourRealm>/protocol/saml/descriptor
      The IDP certificates need to be imported to the Fusion SSO keystore for HTTPS to work properly. See Step 5 for more details.
    • Alternatively, convert the metadata XML file to a base64 string and set the following property:
        com.microfocus.sso.default.login.saml2.metadata = <base64 encoded metadata xml>
  4. Save the changes to the sso-configuration.properties file.
  5. (Conditional) If you specified the metadata URL in Step 3, complete the following steps to import the IDP certificate to the SSO keystore:

    1. Copy the IDP certificate to the following location:
        <arcsight_nfs_vol_path>/sso/default
    2. Get the pod information:
        kubectl get pods --all-namespaces | grep single-sign-on
    3. Open a terminal in the currently running pod:
        kubectl exec -it fusion-single-sign-on-xxxxxxxxxx-xxxxx -n arcsight-installer-xxxxx -c fusion-single-sign-on bash
    4. Import the IDP certificate:
        cd /usr/local/tomcat/conf/default/
        keytool -importcert -storepass $KEYSTORE_PASSWORD -destkeystore \
          sso.bcfks -alias AliasName -file CertificateFileName -storetype \
          BCFKS -providerclass \
          org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
          -providerpath /usr/local/openjdk-8/jre/lib/ext/bc-fips-1.0.2.jar
      • CertificateFileName represents the name of the certificate file that you copied to <arcsight_nfs_vol_path>/sso/default/, which is automatically available in your current directory:
        /usr/local/tomcat/conf/default/
      • AliasName represents the new alias name that you want to assign to the certificate in the SSO keystore.
  6. Restart the pod:
    1. Get the pod information:
        kubectl get pods --all-namespaces | grep fusion-single-sign-on
    2. Delete the current running pod:
        kubectl delete pod fusion-single-sign-on-xxxxxxxxxx-xxxxx -n arcsight-installer-xxxxx
  7. Retrieve the Fusion SSO SAML service provider metadata from the server:
    https://<FQDN of ArcSight Platform Virtual IP for HA or single master node>/osp/a/default/auth/saml2/spmetadata
  8. Use the SSO SAML service provider metadata to configure your IDP. For detailed instructions, see the IDP software documentation.
  9. To establish a trust relationship between Fusion SSO and your IDP software, create certificates for your IDP software. For detailed instructions on how to create and import certificates in your IDP software, see the IDP software documentation.
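The following script is an added example and is not part of the ArcSight documentation or product. It carries out Steps 2 and 3 of the procedure above on the NFS server in a repeatable way: it sets the SAML properties in sso-configuration.properties without creating duplicate assignments on a second run, embeds the IDP metadata document using the base64 alternative rather than the metadata URL, and verifies that the embedded string decodes back to the original file. The property names are those on the page; the file paths, the sample metadata document and the helper function names (set_property, get_property, encode_metadata, configure_saml, verify_metadata) are assumptions made here for the example.

```shell
#!/bin/sh
# Added example (not from the ArcSight documentation): idempotently set the
# SAML properties from Steps 2 and 3 and embed the IDP metadata as base64.
# Property keys are from the page; everything else here is constructed.

# get_property FILE KEY -> print the value of "KEY = value" (empty if absent).
# The value is taken from the first "=" onward so base64 padding ("=") survives.
get_property() {
    awk -v k="$2" -F'=' '
        { kk=$1; gsub(/^[ \t]+|[ \t]+$/, "", kk)
          if (kk==k) { v=substr($0, index($0,"=")+1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit } }
    ' "$1"
}

# set_property FILE KEY VALUE -> replace an existing assignment of KEY or append one.
# Keys are compared exactly, so "...saml2.metadata" never matches "...saml2.metadata-url".
set_property() {
    file="$1"
    [ -f "$file" ] || : > "$file"
    awk -v k="$2" -v v="$3" -F'=' '
        { kk=$1; gsub(/^[ \t]+|[ \t]+$/, "", kk)
          if (kk==k) { if (!done) { print k " = " v; done=1 }; next }
          print }
        END { if (!done) print k " = " v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# encode_metadata XMLFILE -> single-line base64 (tr strips the line wrapping
# that some base64 implementations add, which a properties value cannot contain).
encode_metadata() {
    base64 "$1" | tr -d '\n'
}

# configure_saml PROPFILE XMLFILE -> the properties from Step 2 plus the
# base64-metadata alternative from Step 3.
configure_saml() {
    set_property "$1" com.microfocus.sso.default.login.method saml2
    set_property "$1" com.microfocus.sso.default.saml2.enabled true
    set_property "$1" com.microfocus.sso.default.login.saml2.metadata "$(encode_metadata "$2")"
}

# verify_metadata PROPFILE XMLFILE -> exit 0 only if the embedded value decodes
# byte-for-byte back to the metadata file that was encoded.
verify_metadata() {
    get_property "$1" com.microfocus.sso.default.login.saml2.metadata | base64 -d | cmp -s - "$2"
}

# --- demo on constructed input: a minimal fake IDP metadata document and a
# --- properties file that already carries a placeholder login method.
WORK=$(mktemp -d)
cat > "$WORK/idp-metadata.xml" <<'EOF'
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.test/saml"/>
EOF
printf '%s\n' 'com.microfocus.sso.default.login.method = placeholder-old-value' > "$WORK/sso-configuration.properties"
configure_saml "$WORK/sso-configuration.properties" "$WORK/idp-metadata.xml"
cat "$WORK/sso-configuration.properties"
verify_metadata "$WORK/sso-configuration.properties" "$WORK/idp-metadata.xml" && echo "embedded metadata round-trips"
```

Running the demo twice leaves exactly one assignment per key, which matters because the SSO pod reads the first or last duplicate depending on the properties loader and a stale second line is an easy way to end up with the wrong login method after an edit. Point configure_saml at the real <arcsight_nfs_vol_path>/sso/default/sso-configuration.properties and the metadata document you obtained from the IDP, then continue with Step 4.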