Configuring SAML SSO connection

About this task

Log in to the foundational services admin console with the credentials obtained in the procedure to retrieve login credentials for foundational services.

Procedure

  1. Run step 5 from Retrieving login credentials for foundational services.
  2. Enable SAML and obtain the data from foundational services.
    1. Enable SAML
      cloudctl iam saml-enable

      Expected output:

      Enabling SAML. This may take a few minutes...
      SAML enabled
      OK
    2. Export and store the metadata file from foundational services.
      cloudctl iam saml-export-metadata --file <filepath>.xml
      For example:
      cloudctl iam saml-export-metadata --file /data/saml/metadata.xml

      Expected output:

      SAML configuration content exported to /data/saml/metadata.xml
      OK
    3. Create two files called signer.pem and encryption.pem and add the following two lines in each file:
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
      For example:
      cd /data/saml
      ls
      encryption.pem metadata.xml signer.pem
      
    4. From the XML file that you obtained in step 2b, extract the certificate base64 text that Verify requires to connect with foundational services. Place the certificate text between the lines in each of the files that you created.
      cat metadata.xml
      <?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://cp-console.apps.sys-gi-svl03.cp.fyre.ibm.com/ibm/saml20/defaultSP"><md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDVTCCAj2gAwIBAgIRANAvwT/VStBZ8DHue/PNKCwwDQYJKoZIhvcNAQELBQAwHDEaMBgGA1UE
      GUwHhcNMjIwOTIxMDA1MDQxWhcNMjMwOTIxMDA1MDQxWjAdMRsw
      GQYDVQQDExJtYW5hZ2VtZW50LWluZ3Jlc3MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
      AQCkn+aciMw3xeJZ4srJC3deJ2XjeQDolN/qF1HxJoJAG88wgyQPMiHq2hI8QoipwyNUBwrGg0sx
      mMb3x+31GeV3FPX8nWepNJlAF0wCvVDL46NL1fImTDrHChDE+F2COZx0h8XMptuUh5zKOEeksha+
      VsaFi4oP3y5ZcyFD06zSXMK4kccfrdVpW+rZqSDdha8lzGemENZfmsLp9qikkAJM3tkX1kw8YKdQ
      neJvAiUtJiualJjwrtE86IgPyQUx8VOjWg1uaHLCAMrLcNash6ZCeUuGS2qV5c/b4XcpvCqQwGhe
      US7Ebe+m8ER6MPrJ5Pz+rY/vcrHdeB7FNl/SH53dAgMBAAGjgZAwgY0wDgYDVR0PAQH/BAQDAgWg
      MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUXsYDZepXjlSn
      ogdN4DK/UW03qZ0wNwYDVR0RBDAwLoIsY3AtY29uc29sZS5hcHBzLnN5cy1naS1zdmwwMy5jcC5m
      eXJlLmlibS5jb20wDQYJKoZIhvcNAQELBQADggEBALxGQIWvG4xf31ZIV44XtDUJFnRV781+IMts
      QZ1tyPNRrPYSjLUTuKSl4nJfgjx49Fmhxb/8WhYZy6ZX9e3iN+2yGdIf6W8tfUOhILlBtk8s8AcS
      HckxNMcQjxlubO9AtG2sskIa83iFwIpZIThXOZn7UL+7UjXrQwD9GgegB4HFwtmC1xomN/7kZKjn
      OUhv0XMrLmHskotGUtgKbCmcYGcifxl2/M2g0EcAla4ygacGPD9t2A0XSTimYQS9BGIN6zR1etpG
      bdj1+OVgdMsPPP11lMERCcoEjaw8ALst5CFsDIOurdD8Y6pJ+REk2NABWKYBirBC7b1706BhBYJX
      NIM=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDVTCCAj2gAwIBAgIRANAvwT/VStBZ8DHue/PNKCwwDQYJKoZIhvcNAQELBQAwHDEaMBgGA1UE
      GUwHhcNMjIwOTIxMDA1MDQxWhcNMjMwOTIxMDA1MDQxWjAdMRsw
      GQYDVQQDExJtYW5hZ2VtZW50LWluZ3Jlc3MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
      AQCkn+aciMw3xeJZ4srJC3deJ2XjeQDolN/qF1HxJoJAG88wgyQPMiHq2hI8QoipwyNUBwrGg0sx
      mMb3x+31GeV3FPX8nWepNJlAF0wCvVDL46NL1fImTDrHChDE+F2COZx0h8XMptuUh5zKOEeksha+
      VsaFi4oP3y5ZcyFD06zSXMK4kccfrdVpW+rZqSDdha8lzGemENZfmsLp9qikkAJM3tkX1kw8YKdQ
      neJvAiUtJiualJjwrtE86IgPyQUx8VOjWg1uaHLCAMrLcNash6ZCeUuGS2qV5c/b4XcpvCqQwGhe
      US7Ebe+m8ER6MPrJ5Pz+rY/vcrHdeB7FNl/SH53dAgMBAAGjgZAwgY0wDgYDVR0PAQH/BAQDAgWg
      MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUXsYDZepXjlSn
      ogdN4DK/UW03qZ0wNwYDVR0RBDAwLoIsY3AtY29uc29sZS5hcHBzLnN5cy1naS1zdmwwMy5jcC5m
      eXJlLmlibS5jb20wDQYJKoZIhvcNAQELBQADggEBALxGQIWvG4xf31ZIV44XtDUJFnRV781+IMts
      QZ1tyPNRrPYSjLUTuKSl4nJfgjx49Fmhxb/8WhYZy6ZX9e3iN+2yGdIf6W8tfUOhILlBtk8s8AcS
      HckxNMcQjxlubO9AtG2sskIa83iFwIpZIThXOZn7UL+7UjXrQwD9GgegB4HFwtmC1xomN/7kZKjn
      OUhv0XMrLmHskotGUtgKbCmcYGcifxl2/M2g0EcAla4ygacGPD9t2A0XSTimYQS9BGIN6zR1etpG
      bdj1+OVgdMsPPP11lMERCcoEjaw8ALst5CFsDIOurdD8Y6pJ+REk2NABWKYBirBC7b1706BhBYJX
      NIM=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cp-console.apps.sys-gi-svl03.cp.fyre.ibm.com/ibm/saml20/defaultSP/slo"/><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cp-console.apps.sys-gi-svl03.cp.fyre.ibm.com/ibm/saml20/default
      

      Copy the relevant content into the signer.pem and encryption.pem files: the certificate text inside the KeyDescriptor with use="signing" goes into signer.pem, and the certificate text inside the KeyDescriptor with use="encryption" goes into encryption.pem.

      cat signer.pem 
      -----BEGIN CERTIFICATE-----
      MIIDVTCCAj2gAwIBAgIRANAvwT/VStBZ8DHue/PNKCwwDQYJKoZIhvcNAQELBQAwHDEaMBgGA1UE
      GUwHhcNMjIwOTIxMDA1MDQxWhcNMjMwOTIxMDA1MDQxWjAdMRsw
      GQYDVQQDExJtYW5hZ2VtZW50LWluZ3Jlc3MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
      AQCkn+aciMw3xeJZ4srJC3deJ2XjeQDolN/qF1HxJoJAG88wgyQPMiHq2hI8QoipwyNUBwrGg0sx
      mMb3x+31GeV3FPX8nWepNJlAF0wCvVDL46NL1fImTDrHChDE+F2COZx0h8XMptuUh5zKOEeksha+
      VsaFi4oP3y5ZcyFD06zSXMK4kccfrdVpW+rZqSDdha8lzGemENZfmsLp9qikkAJM3tkX1kw8YKdQ
      neJvAiUtJiualJjwrtE86IgPyQUx8VOjWg1uaHLCAMrLcNash6ZCeUuGS2qV5c/b4XcpvCqQwGhe
      US7Ebe+m8ER6MPrJ5Pz+rY/vcrHdeB7FNl/SH53dAgMBAAGjgZAwgY0wDgYDVR0PAQH/BAQDAgWg
      MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUXsYDZepXjlSn
      ogdN4DK/UW03qZ0wNwYDVR0RBDAwLoIsY3AtY29uc29sZS5hcHBzLnN5cy1naS1zdmwwMy5jcC5m
      eXJlLmlibS5jb20wDQYJKoZIhvcNAQELBQADggEBALxGQIWvG4xf31ZIV44XtDUJFnRV781+IMts
      QZ1tyPNRrPYSjLUTuKSl4nJfgjx49Fmhxb/8WhYZy6ZX9e3iN+2yGdIf6W8tfUOhILlBtk8s8AcS
      HckxNMcQjxlubO9AtG2sskIa83iFwIpZIThXOZn7UL+7UjXrQwD9GgegB4HFwtmC1xomN/7kZKjn
      OUhv0XMrLmHskotGUtgKbCmcYGcifxl2/M2g0EcAla4ygacGPD9t2A0XSTimYQS9BGIN6zR1etpG
      bdj1+OVgdMsPPP11lMERCcoEjaw8ALst5CFsDIOurdD8Y6pJ+REk2NABWKYBirBC7b1706BhBYJX
      NIM=
      -----END CERTIFICATE-----
      
      cat encryption.pem
      -----BEGIN CERTIFICATE-----
      MIIDVTCCAj2gAwIBAgIRANAvwT/VStBZ8DHue/PNKCwwDQYJKoZIhvcNAQELBQAwHDEaMBgGA1UE
      GUwHhcNMjIwOTIxMDA1MDQxWhcNMjMwOTIxMDA1MDQxWjAdMRsw
      GQYDVQQDExJtYW5hZ2VtZW50LWluZ3Jlc3MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
      AQCkn+aciMw3xeJZ4srJC3deJ2XjeQDolN/qF1HxJoJAG88wgyQPMiHq2hI8QoipwyNUBwrGg0sx
      mMb3x+31GeV3FPX8nWepNJlAF0wCvVDL46NL1fImTDrHChDE+F2COZx0h8XMptuUh5zKOEeksha+
      VsaFi4oP3y5ZcyFD06zSXMK4kccfrdVpW+rZqSDdha8lzGemENZfmsLp9qikkAJM3tkX1kw8YKdQ
      neJvAiUtJiualJjwrtE86IgPyQUx8VOjWg1uaHLCAMrLcNash6ZCeUuGS2qV5c/b4XcpvCqQwGhe
      US7Ebe+m8ER6MPrJ5Pz+rY/vcrHdeB7FNl/SH53dAgMBAAGjgZAwgY0wDgYDVR0PAQH/BAQDAgWg
      MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUXsYDZepXjlSn
      ogdN4DK/UW03qZ0wNwYDVR0RBDAwLoIsY3AtY29uc29sZS5hcHBzLnN5cy1naS1zdmwwMy5jcC5m
      eXJlLmlibS5jb20wDQYJKoZIhvcNAQELBQADggEBALxGQIWvG4xf31ZIV44XtDUJFnRV781+IMts
      QZ1tyPNRrPYSjLUTuKSl4nJfgjx49Fmhxb/8WhYZy6ZX9e3iN+2yGdIf6W8tfUOhILlBtk8s8AcS
      HckxNMcQjxlubO9AtG2sskIa83iFwIpZIThXOZn7UL+7UjXrQwD9GgegB4HFwtmC1xomN/7kZKjn
      OUhv0XMrLmHskotGUtgKbCmcYGcifxl2/M2g0EcAla4ygacGPD9t2A0XSTimYQS9BGIN6zR1etpG
      bdj1+OVgdMsPPP11lMERCcoEjaw8ALst5CFsDIOurdD8Y6pJ+REk2NABWKYBirBC7b1706BhBYJX
      NIM=
      -----END CERTIFICATE-----
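      Steps 2c and 2d can be done with a short script instead of copying by hand. The following Python script is an added example, not part of the IBM procedure: it parses the exported SP metadata with the standard library, takes the X509Certificate under each KeyDescriptor (use="signing" goes to signer.pem, use="encryption" to encryption.pem, and a KeyDescriptor without a use attribute serves both), checks that the text decodes to a DER SEQUENCE before wrapping it as PEM, and writes the two files. The function names and the sample metadata at the bottom are the example's own; the sample uses a constructed five-byte dummy certificate so that the script runs offline.

```python
"""Build signer.pem and encryption.pem from exported SP metadata (added example)."""
import base64
import os
import sys
import xml.etree.ElementTree as ET

# Namespaces used by the exported metadata.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def to_pem(b64_text):
    """Return a PEM block for a base64 certificate body.

    Whitespace and line breaks copied from the XML are removed, the base64 is
    checked to decode to a DER SEQUENCE (every X.509 certificate starts with
    0x30), and the body is re-wrapped at 64 columns as PEM readers expect.
    """
    raw = "".join(b64_text.split())
    der = base64.b64decode(raw, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("X509Certificate text does not decode to a DER SEQUENCE")
    body = "\n".join(raw[i:i + 64] for i in range(0, len(raw), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def extract_sp_certificates(metadata_xml):
    """Return {"signing": pem, "encryption": pem} taken from the SPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    certs = {}
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is None or not node.text:
            continue
        # A KeyDescriptor without a use attribute is valid for both purposes.
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for use in uses:
            certs.setdefault(use, to_pem(node.text))
    missing = {"signing", "encryption"} - set(certs)
    if missing:
        raise ValueError("metadata has no KeyDescriptor for: " + ", ".join(sorted(missing)))
    return certs


def write_pem_files(metadata_path, out_dir):
    """Write signer.pem and encryption.pem into out_dir; returns the paths written."""
    with open(metadata_path, encoding="utf-8") as fh:
        certs = extract_sp_certificates(fh.read())
    targets = {"signing": "signer.pem", "encryption": "encryption.pem"}
    written = []
    for use, name in targets.items():
        path = os.path.join(out_dir, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(certs[use])
        written.append(path)
    return written


# Constructed sample: the same element layout as the exported metadata, with a
# five-byte dummy DER SEQUENCE (30 03 02 01 05, base64 "MAMCAQU=") standing in
# for a real certificate. The signing entry is split across lines on purpose.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/ibm/saml20/defaultSP">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>MAMC
AQU=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>MAMCAQU=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    # Usage: python extract_sp_certs.py /data/saml/metadata.xml /data/saml
    if len(sys.argv) == 3:
        for path in write_pem_files(sys.argv[1], sys.argv[2]):
            print("wrote", path)
    else:
        for use, pem in extract_sp_certificates(SAMPLE_METADATA).items():
            print(use)
            print(pem)
```

      Run it with the metadata path and the output directory as arguments; without arguments it prints the PEM blocks derived from the embedded sample. The DER check catches the common copy mistake of pasting a truncated or partial certificate body, which the cloudctl commands would not notice until Verify rejects the upload.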
      
  3. Create an application in Verify and obtain the data that is required to complete the SAML SSO configuration in foundational services.
    1. Log in to the Verify administration console.

      For example: https://sysqa-gi.verify.ibm.com. Click the profile settings icon at the top right and then click "switch to admin".

    2. Upload the signer.pem and encryption.pem certificate files by using the Add signer certificate option under Security > Certificates.
    3. Create an application in Verify. Click Add application in the Applications page then click Create a custom application.
    4. Export the identity provider federation metadata from Verify.
      Select your application name from Applications, click the settings icon, and then click the Sign-on tab. Download the metadata XML by clicking the link in step 4 in the right column, as shown in the picture below.
    5. Obtain a client_id and client_secret from your Verify instance by clicking Security in the left side menu and then clicking API access. If you don't have an API client yet, create one. Sample API access configuration details are shown in the images below.
  4. Register the Verify instance to connect with IBM foundational services.
    1. Switch back to your Cloud Pak for Security cluster.
    2. Upload the Verify federation metadata XML file that you downloaded.
      cloudctl iam saml-upload-metadata --file <filepath>
      For example:
      cloudctl iam saml-upload-metadata --file /data/saml/federation_metadata.xml

      Expected output:

      Uploading SAML metadata.
      This may take a few moments...
      SAML metadata uploaded
      OK
    3. Assign the values for USER, PASSWORD, and FOUNDATIONAL_SERVICES_URL by running the following commands in your cluster.
      USER=$(oc get secret platform-auth-idp-credentials -o json | jq -r .data.admin_username | base64 -d)
      PASSWORD=$(oc get secret platform-auth-idp-credentials -o json | jq -r .data.admin_password | base64 -d)
      FOUNDATIONAL_SERVICES_URL=$(oc get route cp-console -n ibm-common-services -o jsonpath='{.spec.host}')
    4. Obtain a foundational services access token by running the following cURL request with your Cloud Pak for Security cluster URL.
      ACCESS_TOKEN=$(curl -s -k -X POST \
      --url "https://${FOUNDATIONAL_SERVICES_URL}/idprovider/v1/auth/identitytoken" \
      --header "Content-Type: application/x-www-form-urlencoded" \
      --data-urlencode "grant_type=password" \
      --data-urlencode "username=${USER}" \
      --data-urlencode "password=${PASSWORD}" \
      --data-urlencode "scope=openid" \
      | jq -r .access_token)
      
      For example:
      ACCESS_TOKEN=$(curl -k -s -X POST \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d "grant_type=password&username=admin&password=xxxicspasswordxxx&scope=openid" \
      --url https://cp-console.apps.sys-gi-svl03.cp.fyre.ibm.com:443/idprovider/v1/auth/identitytoken \
      | jq -r .access_token)
      
    5. Edit the following command to replace the variables with values and run the command to assign those values.
      VERIFY_INSTANCE_URL=<verify_instance_url>
      VERIFY_INSTANCE_NAME=<verify_instance_name>
      VERIFY_INSTANCE_DESCRIPTION=<verify_instance_description>
      VERIFY_CLIENT_ID=<verify_client_id>
      VERIFY_CLIENT_SECRET=<verify_client_secret>
      For example:
      
      VERIFY_INSTANCE_URL=https://sysqa-gi.verify.ibm.com
      
      VERIFY_INSTANCE_NAME=GIsaml
      
      VERIFY_INSTANCE_DESCRIPTION="The custom template to access any type of application."
      
      VERIFY_CLIENT_ID=xx-clientID-xx
      
      VERIFY_CLIENT_SECRET=xxclientSecxx
      
    6. To register the Verify instance with foundational services, run the following cURL request.
      curl -k -X POST "https://${FOUNDATIONAL_SERVICES_URL}/idprovider/v2/auth/idsource/registration" \
          --header "Authorization: Bearer ${ACCESS_TOKEN}" \
          --header 'Content-Type: application/json' \
          --data @<(cat << EOF
          { 
              "name": "${VERIFY_INSTANCE_NAME}", 
              "description": "${VERIFY_INSTANCE_DESCRIPTION}", 
              "protocol": "saml", 
              "idp_type": "isv", 
              "scim": "yes", 
              "scim_base_path": "${VERIFY_INSTANCE_URL}/v2.0/", 
              "token_attribute_mappings": { 
                  "uid":"uid", 
                  "first_name":"given_name", 
                  "last_name":"family_name",  
                  "groups": "groupIds",  
                  "email":"email" 
              }, 
              "jit": "no", 
              "scim_attribute_mappings":{ 
                  "user":{ 
                      "email": "email", 
                      "principalName":"userName", 
                      "givenName":"name.givenName", 
                      "firstName":"first_name", 
                      "middleName":"name.middleName", 
                      "familyName":"name.familyName", 
                      "formatted":"name.formatted", 
                      "displayName": "name.formatted" 
                  }, 
                  "group":{ 
                      "principalName":"displayName", 
                      "created":"meta.created", 
                      "lastModified":"meta.lastModified" 
                  } 
              }, 
              "config": { 
                  "grant_type": "client_credentials", 
                  "token_url": "${VERIFY_INSTANCE_URL}/v1.0/endpoint/default/token", 
                  "client_id": "${VERIFY_CLIENT_ID}", 
                  "client_secret":"${VERIFY_CLIENT_SECRET}" 
              }, 
              "status": "enabled" 
          }
      EOF
      )
      
      For example:
      curl -k -X POST "https://${FOUNDATIONAL_SERVICES_URL}/idprovider/v2/auth/idsource/registration" \
        -H "Authorization: Bearer 4a051bbb92a2ee9b715db8a55b016f731a46ab44c6cd050c41f63387e6dd1c99ee74bb84919a5e8f11faa163af780b6b2118473fe914a1b4bf60b85bf2141c44c23a7500285c89426821a6f9b48e439cfbe62e700548c1f1d2b0b3950ff681d3bf498e125b006d15d30114dcb6f2e0f3e81a61d85c32887329e916403b4f6cf3044c765968234f99f6e6b8d328c32389f6ba0932d377988de2c8a0b58d2e2f2bf5a1e0383d88402cce345bd5281ce1aa28e2e9a2e6563008b573309a2c563229847b3f8ec2e14596d0a765f08f436533f8c767c0f134ad02c845f2803e144f5cb2806c543ea1ceb9cb454082cdd4c3847e21079a939bd6b53245857fc4de7b760187160fa258390a9182193999833321f1826595c8ad9dc083e8c62a1512d1c1ff93b6bccefcf476304bded3e651549abed38f68ee704229a2e1404247849ee99797ecf89136b08a59142f9d82c33afbd157515d3002e4778645274d55fdbcd61a1298e1f2936d6040dee557d7f68852c297cac81a1db5779cd43ba612b36c80d8a33c57b015decf2211524f520eb6a9e4b362dcdf4eb6b35f80848fe32b7c694ebc143ea5297ceb1ccc939d274c727e72dcf4fc4e45b55086ac11cd83ef170620cd00ffdbd24295c402937948090aaa51520e802de5b0b89e4e884ee59651c0d7c3daedf99f689d74e1ce6fc1b4a5d024c91" \
        -H 'Content-Type: application/json' \
        -d '{
          "name": "GISaml",
          "description": "The custom template to access any type of application.",
          "protocol": "saml",
          "idp_type": "isv",
          "scim": "yes",
          "scim_base_path": "https://sysqa-gi.verify.ibm.com/v2.0/",
          "token_attribute_mappings": { "uid": "uid", "first_name": "given_name", "last_name": "family_name", "groups": "groupIds", "email": "email" },
          "jit": "no",
          "scim_attribute_mappings": {
            "user": { "email": "email", "principalName": "userName", "givenName": "name.givenName", "firstName": "first_name", "middleName": "name.middleName", "familyName": "name.familyName", "formatted": "name.formatted", "displayName": "name.formatted" },
            "group": { "principalName": "displayName", "created": "meta.created", "lastModified": "meta.lastModified" }
          },
          "config": { "grant_type": "client_credentials", "token_url": "https://sysqa-gi.verify.ibm.com/v1.0/endpoint/default/token", "client_id": "xx-clientID-xx", "client_secret": "xxclientSecxx" },
          "status": "enabled"
        }'

      Expected output:

      {"status":"Client Successfully registered."}
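      Steps 4.3 to 4.6 can also be scripted end to end. The following Python script is an added example, not IBM's own tooling: it reads the same variable names the page assigns (USER, PASSWORD, FOUNDATIONAL_SERVICES_URL and the VERIFY_* values) from the environment, obtains the access token from the identitytoken endpoint, and posts the registration body from step 4.6. The body is built as a dict and serialised with json.dumps, so a description or client secret containing a double quote or backslash is escaped correctly rather than corrupting the JSON as it would inside the shell heredoc. The function names, the cafile parameter and the environment-variable handling are the example's own assumptions.

```python
"""Register a Verify instance with foundational services (added example)."""
import json
import os
import ssl
import urllib.parse
import urllib.request


def build_registration_payload(name, description, verify_url, client_id, client_secret):
    """Return the step 4.6 registration body as a dict.

    The fixed fields and attribute mappings are those from the page; only the
    five caller-supplied values vary. A trailing slash on verify_url is
    tolerated so the SCIM and token URLs are formed consistently.
    """
    base = verify_url.rstrip("/")
    return {
        "name": name,
        "description": description,
        "protocol": "saml",
        "idp_type": "isv",
        "scim": "yes",
        "scim_base_path": base + "/v2.0/",
        "token_attribute_mappings": {
            "uid": "uid",
            "first_name": "given_name",
            "last_name": "family_name",
            "groups": "groupIds",
            "email": "email",
        },
        "jit": "no",
        "scim_attribute_mappings": {
            "user": {
                "email": "email",
                "principalName": "userName",
                "givenName": "name.givenName",
                "firstName": "first_name",
                "middleName": "name.middleName",
                "familyName": "name.familyName",
                "formatted": "name.formatted",
                "displayName": "name.formatted",
            },
            "group": {
                "principalName": "displayName",
                "created": "meta.created",
                "lastModified": "meta.lastModified",
            },
        },
        "config": {
            "grant_type": "client_credentials",
            "token_url": base + "/v1.0/endpoint/default/token",
            "client_id": client_id,
            "client_secret": client_secret,
        },
        "status": "enabled",
    }


def encode_payload(payload):
    """Serialise the body exactly as it is sent; json.dumps escapes quotes and backslashes."""
    return json.dumps(payload).encode("utf-8")


def tls_context(cafile=None):
    # Unlike curl -k on the page, the console certificate is verified here;
    # pass the cluster CA bundle as cafile when the console uses a private CA.
    return ssl.create_default_context(cafile=cafile)


def get_access_token(fs_host, user, password, cafile=None):
    """Step 4.4: exchange the admin credentials for a foundational services token."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "username": user,
        "password": password, "scope": "openid",
    }).encode("ascii")
    req = urllib.request.Request(
        "https://%s/idprovider/v1/auth/identitytoken" % fs_host, data=form,
        headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST")
    with urllib.request.urlopen(req, context=tls_context(cafile)) as resp:
        return json.load(resp)["access_token"]


def register_idsource(fs_host, access_token, payload, cafile=None):
    """Step 4.6: POST the registration; returns the parsed JSON reply."""
    req = urllib.request.Request(
        "https://%s/idprovider/v2/auth/idsource/registration" % fs_host,
        data=encode_payload(payload),
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, context=tls_context(cafile)) as resp:
        return json.load(resp)


if __name__ == "__main__":
    env = os.environ
    token = get_access_token(env["FOUNDATIONAL_SERVICES_URL"], env["USER"],
                             env["PASSWORD"], env.get("CLUSTER_CA_FILE"))
    body = build_registration_payload(
        env["VERIFY_INSTANCE_NAME"], env["VERIFY_INSTANCE_DESCRIPTION"],
        env["VERIFY_INSTANCE_URL"], env["VERIFY_CLIENT_ID"], env["VERIFY_CLIENT_SECRET"])
    print(register_idsource(env["FOUNDATIONAL_SERVICES_URL"], token, body,
                            env.get("CLUSTER_CA_FILE")))
```

      Export the variables from steps 4.3 and 4.5 (and optionally CLUSTER_CA_FILE pointing at the cluster CA bundle, a name assumed by this example) and run the script; a successful run prints the same {"status":"Client Successfully registered."} reply shown above. Keeping the client secret out of the command line, as this script does, also keeps it out of shell history and process listings, which the inline curl example above does not.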