Configuring SAML SSO connection
About this task
Log in to the foundational services admin console with the credentials obtained in the procedure to retrieve login credentials for foundational services.
Procedure
- Run step 5 from Retrieving login credentials for foundational services
- Enable SAML and obtain the data from foundational service.
- Enable SAML
cloudctl iam saml-enable
Expected output:
Enabling SAML. This may take a few minutes...
SAML enabled
OK
- Export and store the metadata file from foundational services.
cloudctl iam saml-export-metadata --file <filepath>.xml
For example:
cloudctl iam saml-export-metadata --file /data/saml/metadata.xml
Expected output:
SAML configuration content exported to /data/saml/metadata.xml
OK
- Create two files called signer.pem and encryption.pem. Each file must consist of a -----BEGIN CERTIFICATE----- line, the certificate text, and an -----END CERTIFICATE----- line; the certificate text is added in the next step. For example:
cd /data/saml
ls
encryption.pem metadata.xml signer.pem
- From the XML file that you obtained in step 2b, extract the base64 certificate text that Verify requires to connect with foundational services: the contents of the ds:X509Certificate element inside the md:KeyDescriptor with use="signing" go into signer.pem, and the contents of the element inside the md:KeyDescriptor with use="encryption" go into encryption.pem. Place each certificate text between the BEGIN and END lines of the corresponding file. In the export below the same certificate is used for both purposes, so the two files are identical.
cat metadata.xml
<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://cp-console.apps.sys-gi-svl03.cp.fyre.ibm.com/ibm/saml20/defaultSP"><md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDVTCCAj2gAwIBAgIRANAvwT/VStBZ8DHue/PNKCwwDQYJKoZIhvcNAQELBQAwHDEaMBgGA1UE GUwHhcNMjIwOTIxMDA1MDQxWhcNMjMwOTIxMDA1MDQxWjAdMRsw GQYDVQQDExJtYW5hZ2VtZW50LWluZ3Jlc3MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQCkn+aciMw3xeJZ4srJC3deJ2XjeQDolN/qF1HxJoJAG88wgyQPMiHq2hI8QoipwyNUBwrGg0sx mMb3x+31GeV3FPX8nWepNJlAF0wCvVDL46NL1fImTDrHChDE+F2COZx0h8XMptuUh5zKOEeksha+ VsaFi4oP3y5ZcyFD06zSXMK4kccfrdVpW+rZqSDdha8lzGemENZfmsLp9qikkAJM3tkX1kw8YKdQ neJvAiUtJiualJjwrtE86IgPyQUx8VOjWg1uaHLCAMrLcNash6ZCeUuGS2qV5c/b4XcpvCqQwGhe US7Ebe+m8ER6MPrJ5Pz+rY/vcrHdeB7FNl/SH53dAgMBAAGjgZAwgY0wDgYDVR0PAQH/BAQDAgWg MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUXsYDZepXjlSn ogdN4DK/UW03qZ0wNwYDVR0RBDAwLoIsY3AtY29uc29sZS5hcHBzLnN5cy1naS1zdmwwMy5jcC5m eXJlLmlibS5jb20wDQYJKoZIhvcNAQELBQADggEBALxGQIWvG4xf31ZIV44XtDUJFnRV781+IMts QZ1tyPNRrPYSjLUTuKSl4nJfgjx49Fmhxb/8WhYZy6ZX9e3iN+2yGdIf6W8tfUOhILlBtk8s8AcS HckxNMcQjxlubO9AtG2sskIa83iFwIpZIThXOZn7UL+7UjXrQwD9GgegB4HFwtmC1xomN/7kZKjn OUhv0XMrLmHskotGUtgKbCmcYGcifxl2/M2g0EcAla4ygacGPD9t2A0XSTimYQS9BGIN6zR1etpG bdj1+OVgdMsPPP11lMERCcoEjaw8ALst5CFsDIOurdD8Y6pJ+REk2NABWKYBirBC7b1706BhBYJX NIM=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDVTCCAj2gAwIBAgIRANAvwT/VStBZ8DHue/PNKCwwDQYJKoZIhvcNAQELBQAwHDEaMBgGA1UE GUwHhcNMjIwOTIxMDA1MDQxWhcNMjMwOTIxMDA1MDQxWjAdMRsw GQYDVQQDExJtYW5hZ2VtZW50LWluZ3Jlc3MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQCkn+aciMw3xeJZ4srJC3deJ2XjeQDolN/qF1HxJoJAG88wgyQPMiHq2hI8QoipwyNUBwrGg0sx mMb3x+31GeV3FPX8nWepNJlAF0wCvVDL46NL1fImTDrHChDE+F2COZx0h8XMptuUh5zKOEeksha+ VsaFi4oP3y5ZcyFD06zSXMK4kccfrdVpW+rZqSDdha8lzGemENZfmsLp9qikkAJM3tkX1kw8YKdQ neJvAiUtJiualJjwrtE86IgPyQUx8VOjWg1uaHLCAMrLcNash6ZCeUuGS2qV5c/b4XcpvCqQwGhe US7Ebe+m8ER6MPrJ5Pz+rY/vcrHdeB7FNl/SH53dAgMBAAGjgZAwgY0wDgYDVR0PAQH/BAQDAgWg MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUXsYDZepXjlSn ogdN4DK/UW03qZ0wNwYDVR0RBDAwLoIsY3AtY29uc29sZS5hcHBzLnN5cy1naS1zdmwwMy5jcC5m eXJlLmlibS5jb20wDQYJKoZIhvcNAQELBQADggEBALxGQIWvG4xf31ZIV44XtDUJFnRV781+IMts QZ1tyPNRrPYSjLUTuKSl4nJfgjx49Fmhxb/8WhYZy6ZX9e3iN+2yGdIf6W8tfUOhILlBtk8s8AcS HckxNMcQjxlubO9AtG2sskIa83iFwIpZIThXOZn7UL+7UjXrQwD9GgegB4HFwtmC1xomN/7kZKjn OUhv0XMrLmHskotGUtgKbCmcYGcifxl2/M2g0EcAla4ygacGPD9t2A0XSTimYQS9BGIN6zR1etpG bdj1+OVgdMsPPP11lMERCcoEjaw8ALst5CFsDIOurdD8Y6pJ+REk2NABWKYBirBC7b1706BhBYJX NIM=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cp-console.apps.sys-gi-svl03.cp.fyre.ibm.com/ibm/saml20/defaultSP/slo"/><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cp-console.apps.sys-gi-svl03.cp.fyre.ibm.com/ibm/saml20/default
Copy the relevant content into the signer.pem and encryption.pem files:
cat signer.pem
-----BEGIN CERTIFICATE-----
MIIDVTCCAj2gAwIBAgIRANAvwT/VStBZ8DHue/PNKCwwDQYJKoZIhvcNAQELBQAwHDEaMBgGA1UE
GUwHhcNMjIwOTIxMDA1MDQxWhcNMjMwOTIxMDA1MDQxWjAdMRsw
GQYDVQQDExJtYW5hZ2VtZW50LWluZ3Jlc3MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCkn+aciMw3xeJZ4srJC3deJ2XjeQDolN/qF1HxJoJAG88wgyQPMiHq2hI8QoipwyNUBwrGg0sx
mMb3x+31GeV3FPX8nWepNJlAF0wCvVDL46NL1fImTDrHChDE+F2COZx0h8XMptuUh5zKOEeksha+
VsaFi4oP3y5ZcyFD06zSXMK4kccfrdVpW+rZqSDdha8lzGemENZfmsLp9qikkAJM3tkX1kw8YKdQ
neJvAiUtJiualJjwrtE86IgPyQUx8VOjWg1uaHLCAMrLcNash6ZCeUuGS2qV5c/b4XcpvCqQwGhe
US7Ebe+m8ER6MPrJ5Pz+rY/vcrHdeB7FNl/SH53dAgMBAAGjgZAwgY0wDgYDVR0PAQH/BAQDAgWg
MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUXsYDZepXjlSn
ogdN4DK/UW03qZ0wNwYDVR0RBDAwLoIsY3AtY29uc29sZS5hcHBzLnN5cy1naS1zdmwwMy5jcC5m
eXJlLmlibS5jb20wDQYJKoZIhvcNAQELBQADggEBALxGQIWvG4xf31ZIV44XtDUJFnRV781+IMts
QZ1tyPNRrPYSjLUTuKSl4nJfgjx49Fmhxb/8WhYZy6ZX9e3iN+2yGdIf6W8tfUOhILlBtk8s8AcS
HckxNMcQjxlubO9AtG2sskIa83iFwIpZIThXOZn7UL+7UjXrQwD9GgegB4HFwtmC1xomN/7kZKjn
OUhv0XMrLmHskotGUtgKbCmcYGcifxl2/M2g0EcAla4ygacGPD9t2A0XSTimYQS9BGIN6zR1etpG
bdj1+OVgdMsPPP11lMERCcoEjaw8ALst5CFsDIOurdD8Y6pJ+REk2NABWKYBirBC7b1706BhBYJX
NIM=
-----END CERTIFICATE-----
cat encryption.pem
-----BEGIN CERTIFICATE-----
MIIDVTCCAj2gAwIBAgIRANAvwT/VStBZ8DHue/PNKCwwDQYJKoZIhvcNAQELBQAwHDEaMBgGA1UE
GUwHhcNMjIwOTIxMDA1MDQxWhcNMjMwOTIxMDA1MDQxWjAdMRsw
GQYDVQQDExJtYW5hZ2VtZW50LWluZ3Jlc3MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCkn+aciMw3xeJZ4srJC3deJ2XjeQDolN/qF1HxJoJAG88wgyQPMiHq2hI8QoipwyNUBwrGg0sx
mMb3x+31GeV3FPX8nWepNJlAF0wCvVDL46NL1fImTDrHChDE+F2COZx0h8XMptuUh5zKOEeksha+
VsaFi4oP3y5ZcyFD06zSXMK4kccfrdVpW+rZqSDdha8lzGemENZfmsLp9qikkAJM3tkX1kw8YKdQ
neJvAiUtJiualJjwrtE86IgPyQUx8VOjWg1uaHLCAMrLcNash6ZCeUuGS2qV5c/b4XcpvCqQwGhe
US7Ebe+m8ER6MPrJ5Pz+rY/vcrHdeB7FNl/SH53dAgMBAAGjgZAwgY0wDgYDVR0PAQH/BAQDAgWg
MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUXsYDZepXjlSn
ogdN4DK/UW03qZ0wNwYDVR0RBDAwLoIsY3AtY29uc29sZS5hcHBzLnN5cy1naS1zdmwwMy5jcC5m
eXJlLmlibS5jb20wDQYJKoZIhvcNAQELBQADggEBALxGQIWvG4xf31ZIV44XtDUJFnRV781+IMts
QZ1tyPNRrPYSjLUTuKSl4nJfgjx49Fmhxb/8WhYZy6ZX9e3iN+2yGdIf6W8tfUOhILlBtk8s8AcS
HckxNMcQjxlubO9AtG2sskIa83iFwIpZIThXOZn7UL+7UjXrQwD9GgegB4HFwtmC1xomN/7kZKjn
OUhv0XMrLmHskotGUtgKbCmcYGcifxl2/M2g0EcAla4ygacGPD9t2A0XSTimYQS9BGIN6zR1etpG
bdj1+OVgdMsPPP11lMERCcoEjaw8ALst5CFsDIOurdD8Y6pJ+REk2NABWKYBirBC7b1706BhBYJX
NIM=
-----END CERTIFICATE-----
- Create an application in Verify and obtain the data that is required to complete the SAML
SSO configuration in foundational services.
- Log in to the Verify administration console, for example https://sysqa-gi.verify.ibm.com. Click profile settings at the top right and click Switch to admin.
- Upload the signer.pem and encryption.pem certificate files by using the Add signer certificate option under Security > Certificates. In SAML terms, the signing certificate is what Verify uses to validate the signature on authentication requests from foundational services (the exported metadata sets AuthnRequestsSigned="true"), and the encryption certificate is the one an identity provider uses to encrypt assertions for this service provider.
- Create an application in Verify. Click Add application on the Applications page, then click Create a custom application. The following sample data shows how to fill in the application. The Provider ID must be exactly the entityID from the metadata that you exported in step 2b; a mismatch causes Verify to reject the authentication requests from foundational services.
- Provider ID: https://cp-console.apps.sys-gi-svl03.cp.fyre.ibm.com/ibm/saml20/defaultSP
- Assertion consumer service URL (HTTP-POST):
- Target URL: https://demo.apps.sys-gi-svl03.cp.fyre.ibm.com
- Service provider SSO URL: https://cp-console.apps.sys-gi-svl03.cp.fyre.ibm.com
- Single logout URL (HTTP-POST): https://sysqa-gi.verify.ibm.com/idaas/mtfim/sps/idaas/logout
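The two manual steps above, pulling the certificates out of the exported SP metadata into signer.pem and encryption.pem (step 2c and 2d) and reading off the Provider ID and assertion consumer service URL for the Verify application (step 3c), are easy to get wrong by copy and paste. The following Python script is an added example, not IBM's code and not part of the documented procedure: it parses the metadata with the standard library, checks that every X509Certificate element decodes to DER before writing it, emits properly wrapped PEM files, and prints the entityID and HTTP-POST endpoints. The metadata and certificate embedded in it are constructed placeholders (the example.com hostname is not a real cluster and the DER bytes are not a real certificate); against a real export, call parse_sp_metadata(Path("/data/saml/metadata.xml").read_text()) and write_pem_files(info, "/data/saml").

```python
# Added example (not IBM's code): extract the certificates and endpoints that
# the Verify application needs from the SP metadata that
# `cloudctl iam saml-export-metadata` produced.
import base64
import tempfile
import textwrap
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for a certificate: valid base64 whose DER starts with a
# SEQUENCE tag and is long enough to need PEM line wrapping. NOT a real X.509 cert.
PLACEHOLDER_CERT = base64.b64encode(b"\x30\x52" + bytes(range(82))).decode()
WRAPPED_CERT = "\n".join(textwrap.wrap(PLACEHOLDER_CERT, 64))  # as a real export wraps it

# Constructed metadata with the same shape as the export in the procedure; the
# example.com host is a placeholder, not a real cluster.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://cp-console.example.com/ibm/saml20/defaultSP">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
      <ds:X509Certificate>{WRAPPED_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
      <ds:X509Certificate>{WRAPPED_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_POST}" Location="https://cp-console.example.com/ibm/saml20/defaultSP/slo"/>
    <md:AssertionConsumerService Binding="{HTTP_POST}" Location="https://cp-console.example.com/ibm/saml20/defaultSP/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Return entityID, HTTP-POST endpoints and the bare base64 certificate per key use."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is None or not (node.text or "").strip():
            raise ValueError(f"KeyDescriptor use={kd.get('use')} has no X509Certificate")
        # A KeyDescriptor without a 'use' attribute is valid for both purposes.
        certs[kd.get("use", "both")] = "".join(node.text.split())  # drop wrapping whitespace

    def post_locations(tag):
        return [e.get("Location") for e in sp.findall(tag, NS) if e.get("Binding") == HTTP_POST]

    return {
        "entity_id": root.get("entityID"),                          # Verify: Provider ID
        "acs_post": post_locations("md:AssertionConsumerService"),  # Verify: ACS URL (HTTP-POST)
        "slo_post": post_locations("md:SingleLogoutService"),
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "certs": certs,
    }


def to_pem(cert_b64):
    """Armour bare base64 as PEM (64-column lines) after checking that it is DER."""
    der = base64.b64decode(cert_b64, validate=True)  # rejects stray characters from a bad paste
    if not der or der[0] != 0x30:                     # X.509 Certificate ::= SEQUENCE
        raise ValueError("certificate text does not decode to a DER SEQUENCE")
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def write_pem_files(info, out_dir):
    """Write signer.pem and encryption.pem as the procedure expects; returns {use: path}."""
    written = {}
    for use, name in (("signing", "signer.pem"), ("encryption", "encryption.pem")):
        cert_b64 = info["certs"].get(use) or info["certs"].get("both")
        if cert_b64 is None:
            raise ValueError(f"metadata carries no certificate usable for {use}")
        path = Path(out_dir) / name
        path.write_text(to_pem(cert_b64))
        written[use] = path
    return written


def demo():
    """Run against the constructed metadata in a temporary directory; returns (info, files)."""
    info = parse_sp_metadata(SAMPLE_METADATA)
    files = write_pem_files(info, tempfile.mkdtemp(prefix="saml-"))
    print("Provider ID:", info["entity_id"])
    print("ACS URL (HTTP-POST):", ", ".join(info["acs_post"]))
    for use, path in files.items():
        print(f"{use}: {path}")
    return info, files


if __name__ == "__main__":
    demo()
```

After writing the real files, confirm that they parse as certificates and are still within their validity period with openssl x509 -noout -subject -dates -in signer.pem; the certificate in the sample export above carries a one-year validity, so the Verify signer certificates have to be replaced when the cluster rotates it.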
- Export the identity provider federation metadata from Verify. Select your application name from Applications and click the settings icon, and then click the Sign-on tab. Download the metadata XML by clicking the link in step 4 in the right column.
- Obtain a client_id and client_secret from your Verify instance by clicking Security in the left-side menu and then API access. If you don't have an API client, create one. Record the client ID and client secret; they are needed in step 4 to register the Verify instance with foundational services.
- Register the Verify instance to connect with IBM foundational services.
- Switch back to your Cloud Pak for Security cluster.
- Upload the Verify federation metadata XML file that you downloaded.
cloudctl iam saml-upload-metadata --file <filepath>
For example:
cloudctl iam saml-upload-metadata --file /data/saml/federation_metadata.xml
Expected output:
Uploading SAML metadata.
This may take a few moments...
SAML metadata uploaded
OK
- Assign the values for USER, PASSWORD, and FOUNDATIONAL_SERVICES_URL by running the following commands in your cluster. The platform-auth-idp-credentials secret is in the ibm-common-services namespace, so run these with that project selected or add -n ibm-common-services to the oc get secret commands as well.
USER=$(oc get secret platform-auth-idp-credentials -o json | jq -r .data.admin_username | base64 -d)
PASSWORD=$(oc get secret platform-auth-idp-credentials -o json | jq -r .data.admin_password | base64 -d)
FOUNDATIONAL_SERVICES_URL=$(oc get route cp-console -n ibm-common-services -o jsonpath='{.spec.host}')
- Obtain a foundational services access token by running the following cURL request against your Cloud Pak for Security cluster URL. The -k flag disables TLS certificate verification for the request; if you have the cluster ingress CA certificate, use --cacert <ca-file> instead so that the admin password is not sent to an unverified endpoint. Passing the credentials through --data-urlencode with the variables, as shown, also keeps the password out of your shell history.
ACCESS_TOKEN=$(curl -s -k -X POST \
  --url "https://${FOUNDATIONAL_SERVICES_URL}/idprovider/v1/auth/identitytoken" \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "grant_type=password" \
  --data-urlencode "username=${USER}" \
  --data-urlencode "password=${PASSWORD}" \
  --data-urlencode "scope=openid" \
  | jq -r .access_token)
For example:
ACCESS_TOKEN=$(curl -k -s -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=password&username=admin&password=xxxicspasswordxxx&scope=openid" --url https://cp-console.apps.sys-gi-svl03.cp.fyre.ibm.com:443/idprovider/v1/auth/identitytoken | jq -r .access_token)
- Edit the following command to replace the variables with values and run the command to assign those values. The client secret is a credential for your Verify tenant: avoid leaving it in shell history, and unset the variable once the registration is done.
VERIFY_INSTANCE_URL=<verify_instance_url>
VERIFY_INSTANCE_NAME=<verify_instance_name>
VERIFY_INSTANCE_DESCRIPTION=<verify_instance_description>
VERIFY_CLIENT_ID=<verify_client_id>
VERIFY_CLIENT_SECRET=<verify_client_secret>
For example:
VERIFY_INSTANCE_URL=https://sysqa-gi.verify.ibm.com
VERIFY_INSTANCE_NAME=GIsaml
VERIFY_INSTANCE_DESCRIPTION="The custom template to access any type of application."
VERIFY_CLIENT_ID=xx-clientID-xx
VERIFY_CLIENT_SECRET=xxclientSecxx
- To register the Verify instance with foundational services, run the following cURL request from bash (it passes the JSON body through process substitution, @<(...)). The variable values are expanded into the JSON as they are, so the description must not contain unescaped double quotes.
curl -k -X POST "https://${FOUNDATIONAL_SERVICES_URL}/idprovider/v2/auth/idsource/registration" \
  --header "Authorization: Bearer ${ACCESS_TOKEN}" \
  --header 'Content-Type: application/json' \
  --data @<(cat << EOF
{
  "name": "${VERIFY_INSTANCE_NAME}",
  "description": "${VERIFY_INSTANCE_DESCRIPTION}",
  "protocol": "saml",
  "idp_type": "isv",
  "scim": "yes",
  "scim_base_path": "${VERIFY_INSTANCE_URL}/v2.0/",
  "token_attribute_mappings": {
    "uid": "uid",
    "first_name": "given_name",
    "last_name": "family_name",
    "groups": "groupIds",
    "email": "email"
  },
  "jit": "no",
  "scim_attribute_mappings": {
    "user": {
      "email": "email",
      "principalName": "userName",
      "givenName": "name.givenName",
      "firstName": "first_name",
      "middleName": "name.middleName",
      "familyName": "name.familyName",
      "formatted": "name.formatted",
      "displayName": "name.formatted"
    },
    "group": {
      "principalName": "displayName",
      "created": "meta.created",
      "lastModified": "meta.lastModified"
    }
  },
  "config": {
    "grant_type": "client_credentials",
    "token_url": "${VERIFY_INSTANCE_URL}/v1.0/endpoint/default/token",
    "client_id": "${VERIFY_CLIENT_ID}",
    "client_secret": "${VERIFY_CLIENT_SECRET}"
  },
  "status": "enabled"
}
EOF
)
For example:
curl -k -X POST https://${FOUNDATIONAL_SERVICES_URL}/idprovider/v2/auth/idsource/registration \
  -H "Authorization: Bearer 4a051bbb92a2ee9b715db8a55b016f731a46ab44c6cd050c41f63387e6dd1c99ee74bb84919a5e8f11faa163af780b6b2118473fe914a1b4bf60b85bf2141c44c23a7500285c89426821a6f9b48e439cfbe62e700548c1f1d2b0b3950ff681d3bf498e125b006d15d30114dcb6f2e0f3e81a61d85c32887329e916403b4f6cf3044c765968234f99f6e6b8d328c32389f6ba0932d377988de2c8a0b58d2e2f2bf5a1e0383d88402cce345bd5281ce1aa28e2e9a2e6563008b573309a2c563229847b3f8ec2e14596d0a765f08f436533f8c767c0f134ad02c845f2803e144f5cb2806c543ea1ceb9cb454082cdd4c3847e21079a939bd6b53245857fc4de7b760187160fa258390a9182193999833321f1826595c8ad9dc083e8c62a1512d1c1ff93b6bccefcf476304bded3e651549abed38f68ee704229a2e1404247849ee99797ecf89136b08a59142f9d82c33afbd157515d3002e4778645274d55fdbcd61a1298e1f2936d6040dee557d7f68852c297cac81a1db5779cd43ba612b36c80d8a33c57b015decf2211524f520eb6a9e4b362dcdf4eb6b35f80848fe32b7c694ebc143ea5297ceb1ccc939d274c727e72dcf4fc4e45b55086ac11cd83ef170620cd00ffdbd24295c402937948090aaa51520e802de5b0b89e4e884ee59651c0d7c3daedf99f689d74e1ce6fc1b4a5d024c91" \
  -H 'Content-Type: application/json' \
  -d '{
  "name": "GISaml",
  "description": "The custom template to access any type of application.",
  "protocol": "saml",
  "idp_type": "isv",
  "scim": "yes",
  "scim_base_path": "https://sysqa-gi.verify.ibm.com/v2.0/",
  "token_attribute_mappings": {
    "uid": "uid",
    "first_name": "given_name",
    "last_name": "family_name",
    "groups": "groupIds",
    "email": "email"
  },
  "jit": "no",
  "scim_attribute_mappings": {
    "user": {
      "email": "email",
      "principalName": "userName",
      "givenName": "name.givenName",
      "firstName": "first_name",
      "middleName": "name.middleName",
      "familyName": "name.familyName",
      "formatted": "name.formatted",
      "displayName": "name.formatted"
    },
    "group": {
      "principalName": "displayName",
      "created": "meta.created",
      "lastModified": "meta.lastModified"
    }
  },
  "config": {
    "grant_type": "client_credentials",
    "token_url": "https://sysqa-gi.verify.ibm.com/v1.0/endpoint/default/token",
    "client_id": "xx-clientID-xx",
    "client_secret": "xxclientSecxx"
  },
  "status": "enabled"
}'
Expected output:
{"status":"Client Successfully registered."}