SAML2 Authentication Memo

‣

Table of contents

‣

history modifications

1. Preamble

SAML enables users to uniquely identify themselves to the various web applications they use.

In the SAML model Project Monitor is a Service Provider.

You need an Identity Provider. In the rest of this document, IDP refers to your Identity Provider (e.g. Okta / Shibboleth / Keycloak or ADFS - Microsoft Active Directory Federation Services).

Remarks

Data expected by Virage Group :

Customer metadata file
customer authentication attribute

Data provided by Virage Group :

Metadata file to be integrated into the customer's Identity Provider

2. Activate SAML authentication in 4 steps

2.0 Technical requirements: For installed platforms only (excluding SAAS)

In the monitormaker.properties file: configure the authentication strategy: Saml2Authenticator

com.vc.mm.authenticator= com.vc.mm.modules.user.Saml2Authenticator

💡

See the Operating Manual for information on available authentication strategies.

🚩

Specific to ADFS :

Unzip the file Java Cryptography Extension jce_policy-8.zip in the %PM_HOME%\install\JDK or in your customer area http://file.viragegroup.com (public/delivery/install).
Copy files local_policy.jar and US_export_policy.jar and paste them to replace the existing ones in the %PM_HOME%\jre\lib\security.

Restart the Wildfly service to take account of the change.

2.1. Get your IDP configuration: METADATA XML file

Obtain a metadata file in xml format from your IDP. This file will enable Project Monitor know your IDP and communicate with him.

🚩

Specific to Keycloak:

The metadata file to be retrieved is that of the Realm (available from the configuration tab General)

Obtain or set the code of the user login field in your IDP

🚩

Specific to ADFS :

When adding the rule to link the Active Directory LDAP identifier to the Project Monitor please specify the following information:

In the Issuance Transform Rulesto add and configure a rule.
In the Attribute Store indicate Active Directory.
In the LDAP Attributes select SamAccountName.
In the Outgoing Claim Type select Name ID.
Addition of a second line, in the LDAP Attributes select again SamAccountName.
In the Outgoing Claim Type enter the login you provided at Project Monitor (ex : login)

🚩

Specific to Keycloak:

When configuring the client in Keycloak :

The clientID field must contain the platform access URL Project Monitor suffixed with /sp (ex : https://serveur.p-monitor.com/sp)
In the Generalthe fields Valid Redirect URIs and Assertion Consumer Service POST Binding URL must contain the address Project Monitor SAML reception (e.g: https://serveur.p-monitor.com/MonitorMakerWeb/api/auth/saml2/consume)

When creating a new mapper from the Mapper client configuration :

In the name indicate login
In the Mapper Type select User Property
In the Property indicate username
In the Friendly name indicate login
In the SAML Attribute Name indicate login

During authentication, Project Monitor and the IDP exchange information. This code is necessary for Project Monitor to find out which of this information contains the user login. For example, in Shibboleth urn:oid:0.9.2342.19200300.100.1.1 or according to the IDP, login or other "

2.2 Declaring your IDP in Project Monitor

Go to page Administration > Advanced settings >Technical configuration > SAML2 authentication
In the first field of the page, paste the XML content of the metadata file obtained in step SAML2 Authentication Memo - 2.1. Get your IDP configuration: METADATA XML file .
Enter the code for the login field. This code was obtained in step SAML2 Authentication Memo - 2.1. Get your IDP configuration: METADATA XML file.

🚩

Specific to ADFS :

Set the maximum authentication time at 8 hours.

Register

2.3 Generate configuration for Project Monitor METADATA XML file

Still on the Administration > Advanced settings >Technical configuration > SAML2 authenticationin the second part of the page
Click on Generate to display all Project Monitor that will be required for the IDP, namely :

metadata in XML format
Assertion consumer service
Service provider entity ID location
Service provider entity ID binding

🚩

This information will enable your IDP to Project Monitor as Service Provider and communicate with it.

Please note: depending on the IDP settings, not all information may be required.

Copy the contents of the metadata (xml). These metadata will enable your IDP to know Project Monitor as Service Provider and communicate with it.

2.4. Register Project Monitor in your IDP

Create Project Monitor as an application in your IDP.
Supply the metadata obtained in step SAML2 Authentication Memo - 2.3 Generate the ‣ configuration : METADATA XML file to your IDP. 2 alternatives :

Copy the xml into the appropriate field.

Or transfer values Assertion consumer service, Service provider entity ID location and Service provider entity ID binding.

3. Test configuration

Create your users in Project Monitor if you haven't already.
Create your users in your IDP if you haven't already done so.
Connect to the application to validate the configuration.

4. SAML with AzureAD

🚦

Prerequisites :

An enterprise application in Azure AD.
Users must be added in the Azure AD application: add a user / group to have access to Project Monitor.
Users must be added in Project Monitor (manually or via import).

4.1 In AzureAD

Access the AzureAD administration center.
Enable SAML authentication.

🚩

The AD group must contain users directly. Group nesting does not work in Azure AD.

Use the enterprise application Demonstrator-internal (up: adazure) present in Azure Active Directory.

Configure single sign-on in the application.

🚩

SAML details are displayed on the single sign-on page. The login mapping between

Project Monitor and Azure.

Download XML file.
Check user list.

🚩

Users who need to connect to

Project Monitor with the same login must be present in the enterprise application, in the section Users and Groups.

4.2 In Project Monitor

Click on Administration > Advanced settings >Technical configuration > SAML2 authentication
Paste the previously downloaded XML configuration.
Add the Login attribute of your Id Provider.

Click on Register.

Click on Administration > User settings > User management > Users.
Add users.

Check that they have also been added to Azure AD.

5. Connecting without SAML

Some users of Project Monitor are unknown to the IDP (external service provider, consultant). For these users, it is possible to connect to Project Monitor by login and password with the url : http://maplateforme/nex/login?local=true

6. Set exclusive connection mode

By default, users can log in using both SAML authentication and local authentication (url /neo/auth/auth.html?local=true or nex/login?local=true)

It is possible to disable this local authentication mode for all or some users, to allow them to use only the SAML authentication mode.

To disable local authentication mode, in the SAMLv2 authentication settings interface, check the box SSO access only :

This default setting can be overridden when :

Some users of the application are not listed in the organization's directory (external users).
Some technical users (interfaces) are used.

To authorize a specific user to use local authentication by override :

In the user details screen, in the Parameterscheck the box Local authentication possible