This is a great document, Laura. Thanks for uploading it here. It saves a lot of time. I will be starting the process this week. Hopefully I will complete it quicker.
But mine is Windows and not Oracle. Hence the 1st step alone is not needed and the rest of the process should be followed. I will keep you posted. Thanks to everyone in this chat who added the information.
Original Message:
Sent: 10-06-2020 04:49 PM
From: Laura Albrecht
Subject: Single Signon w/ SAML
Here's my final update. We ended up not being able to move forward with using OKTA. Unfortunately we use TMS (transport management solution) to do deployments, and that does not integrate with OKTA. Oh, well. However, we did get through deploying it to DEV and a very good process before we had to back out.
I hope this helps.
------------------------------
Laura Albrecht
Enterprise Scheduling Lead
Takeda Pharmaceuticals LLC
------------------------------
Original Message:
Sent: 05-19-2020 03:24 PM
From: Laura Albrecht
Subject: Single Signon w/ SAML
Thanks to everyone who responded / helped me out here. We have single sign-on using SAML working now! @Jonathan Roster - you were right. The OKTA team had to do something on their side and then we were able to use the network ID (vs. email).
I'll be posting a final update shortly with the instructions that I used on how to do this. Hopefully it'll help someone else doing this later on.
------------------------------
Laura Albrecht
Enterprise Scheduling Lead
Takeda Pharmaceuticals LLC
Original Message:
Sent: 05-18-2020 02:34 PM
From: Roster
Subject: Single Signon w/ SAML
Laura,
This is wading more into the realm of identity management, which I'm no expert on. We had to have our IDM folks map our usernames to the 'aename' attribute and return that as part of the saml response. I'm guessing you will have to do something similar, though how that would work with OKTA as the IDP I'm not sure.
------------------------------
Jonathan Roster
Analyst Programmer, Enterprise Computing Svcs.
Information Services | Oregon State University
541-737-4578 | is.oregonstate.edu
Original Message:
Sent: 05-15-2020 09:23 AM
From: Laura Albrecht
Subject: Single Signon w/ SAML
Thanks.
We're making progress here. I actually was able to log in via SAML, which was great news. However, currently we use LDAP authentication and our network ID to log in (i.e. LAURAA); I ended up having to create a new userid with the first part of my email address, LAURA.ALBRECHT. THEN it logged me in.
In the HELP "Setting up Single Sign-On - SAML", I'm a bit confused on step 3. It talks about mapping the AE to the attributes of the SAML response. I am not really understanding what it wants me to do here. I really do not want to have to create new userids for everyone. Is there any way to switch things so that it uses the network ID instead of the first part of the email address?
TIA.
------------------------------
Laura Albrecht
Enterprise Scheduling Lead
Takeda Pharmaceuticals LLC
Original Message:
Sent: 05-12-2020 07:08 PM
From: Roster
Subject: Single Signon w/ SAML
I would think that replacing the space with a %20 should have worked.
We haven't encountered that as our system names are all single-word names, sorry.
------------------------------
Jonathan Roster
Analyst Programmer, Enterprise Computing Svcs.
Information Services | Oregon State University
541-737-4578 | is.oregonstate.edu
Original Message:
Sent: 05-12-2020 06:28 PM
From: Laura Albrecht
Subject: Single Signon w/ SAML
That really helped a lot @Jonathan Roster!! Thank you.
My system name has a space in it, which seems to be causing a problem - for example
SANDBOX (TEST_1)
I've tried using %20 or a + to replace the space, but it's still not working / populating when the login screen comes up. Any ideas?
Not the end of the world I suppose - I can change the system name to not have a space, but just wondering if you know.
------------------------------
Laura Albrecht
Enterprise Scheduling Lead
Takeda Pharmaceuticals LLC
Original Message:
Sent: 05-12-2020 04:56 PM
From: Roster
Subject: Single Signon w/ SAML
Laura,
Here is what I see in my JWP logs on a successful SAML login.
20200130/100251.773 - 38 U00045271 Checking SAML token for Single sign-on.
20200130/100251.920 - 38 U00045325 Received SAML token as '<samlp:Response>'
20200130/100251.951 - 38 U00045322 Assertion validation was successful. Starting with signature validation now.
20200130/100251.958 - 38 U00045323 Validation of the SAML response for the bansecr / ONID was successful!
We never messed with LDAP, so I can't advise on that setting.
As far as setup goes, we had to enter the values into the *SP key, but also create another key with the same name as a department that would do SAML login (ONID in our case). The contents of this key were the values we got from our IDP folks, it looked like this:
<?xml version="1.0" encoding="WINDOWS-1252"?>
<EntityDescriptor
    entityID="https://HOST/idp/shibboleth"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">oregonstate.edu</shibmd:Scope>
    </Extensions>
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            xxxxxxxxx
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://HOST/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://HOST/idp/profile/SAML2/POST-SimpleSign/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>
We are providing our users a link that looks like this: https://<HOST>/awi?system=awaprod&client=1000&department=ONID&logintype=SAML&autologin=true. When a user hits that link, they see the default login screen for a split second before they are redirected to our IDP, which they then log into and are redirected back and end up at the default dashboard in AWI.
We had to set parameter_login.enabled to make that link work. Otherwise users will have to choose SAML in the login screen and enter their department in order to log in via SAML.
Make sure that sso.saml.enabled is set to true in the AWI config.properties as well.
No restart needed for changing the settings internal to the Automation Engine. You will need to restart AWI to have it pick up the changes to config.properties.
Hope this helps.
------------------------------
Jonathan Roster
Analyst Programmer, Enterprise Computing Svcs.
Information Services | Oregon State University
541-737-4578 | is.oregonstate.edu
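The metadata Jonathan pasted is what the IdP team hands over and what the SP ends up trusting: the entityID, the signing certificate and the SSO endpoints. As an added example, not code from this thread, from Automic or from Oregon State, the Python below parses a document of that shape and reports anything an administrator should question before pasting it into the department key (missing certificate, a non-https endpoint, no HTTP-POST binding, no SAML 2.0 protocol support). The embedded metadata is constructed for the example: the host idp.example.edu and the certificate text are placeholders, and the element and attribute names follow the posted document.

```python
"""Parse and sanity-check a SAML 2.0 IdP metadata document.

Added example; not code from the thread or from the Automic product.
The metadata string below is constructed: host and certificate are placeholders.
"""
import xml.etree.ElementTree as ET

# Namespaces used in the posted metadata (SAML 2.0 metadata, XML-DSig, Shibboleth).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of the metadata shown in the thread.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
    </Extensions>
    <KeyDescriptor>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...CONSTRUCTED-PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
        Location="https://idp.example.edu/idp/profile/SAML2/POST-SimpleSign/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the fields of an IdP EntityDescriptor that the SP will rely on."""
    # For metadata received over an untrusted channel, defusedxml is the safer parser.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (not an IdP)")
    scope = idp.find("md:Extensions/shibmd:Scope", NS)
    cert_path = "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    return {
        "entity_id": root.get("entityID"),
        "protocols": (idp.get("protocolSupportEnumeration") or "").split(),
        "scope": scope.text.strip() if scope is not None and scope.text else None,
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text],
        # Binding -> Location, e.g. HTTP-POST -> .../SAML2/POST/SSO
        "sso_endpoints": {s.get("Binding"): s.get("Location")
                          for s in idp.findall("md:SingleSignOnService", NS)},
        # A KeyDescriptor without a 'use' attribute covers signing and encryption.
        "signing_certs": [c.text.strip() for c in idp.findall(cert_path, NS) if c.text],
    }


def check_idp_metadata(meta):
    """Return a list of human-readable findings; empty means nothing to question."""
    findings = []
    if not (meta["entity_id"] or "").strip():
        findings.append("empty entityID")
    if SAML2_PROTOCOL not in meta["protocols"]:
        findings.append("IdP does not advertise SAML 2.0 protocol support")
    if not meta["signing_certs"]:
        findings.append("no X509Certificate: the SP cannot verify response signatures")
    if HTTP_POST not in meta["sso_endpoints"]:
        findings.append("no HTTP-POST SingleSignOnService endpoint")
    for binding, location in meta["sso_endpoints"].items():
        if not (location or "").startswith("https://"):
            findings.append("SSO endpoint for %s is not https: %s" % (binding, location))
    return findings


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("entityID:", meta["entity_id"])
    print("scope:", meta["scope"])
    print("SSO endpoints:", meta["sso_endpoints"])
    print("findings:", check_idp_metadata(meta) or "none")
```

Run it against the file the IdP team sends before pasting the contents into the department key; the findings list is the review checklist, and a clean run still leaves the certificate to be compared out of band with the IdP team.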
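Laura's question was how to tell from the logs that a login went through SAML, and the four JWP lines Jonathan posted are the sequence to look for: U00045271 (token check starts), U00045325 (token received), U00045322 (assertion validated), U00045323 (signature validated, with user and department). As an added example, not code from the thread or from Automic, the Python below parses log lines in that format, groups them into login attempts per thread number, and flags attempts that never reach U00045323. The meaning of the message numbers is inferred from the posted text only; the first four sample lines are Jonathan's, and the lines for thread 41 are constructed to show an incomplete sequence.

```python
"""Summarise SAML login attempts from JWP log lines.

Added example; not code from the thread or from the Automic product.
Message-number meanings are inferred from the four lines posted in the thread.
"""
import re
from datetime import datetime

# <yyyymmdd/HHMMSS.mmm> - <thread> <message number> <text>
LOG_LINE = re.compile(r"^(?P<ts>\d{8}/\d{6}\.\d{3}) - (?P<thread>\d+) (?P<code>U\d{8}) (?P<msg>.*)$")
SUCCESS_MSG = re.compile(r"Validation of the SAML response for the (?P<user>\S+) / (?P<dept>\S+) was successful!")

CODE_START = "U00045271"         # Checking SAML token for Single sign-on.
CODE_TOKEN = "U00045325"         # Received SAML token as '<samlp:Response>'
CODE_ASSERTION_OK = "U00045322"  # Assertion validation was successful.
CODE_SUCCESS = "U00045323"       # Validation of the SAML response ... was successful!
SAML_CODES = {CODE_START, CODE_TOKEN, CODE_ASSERTION_OK, CODE_SUCCESS}

# First four lines as posted; thread 41 lines are constructed (an attempt that stalls,
# then the same thread number reused for a fresh attempt).
SAMPLE_LOG = """\
20200130/100251.773 - 38 U00045271 Checking SAML token for Single sign-on.
20200130/100251.920 - 38 U00045325 Received SAML token as '<samlp:Response>'
20200130/100251.951 - 38 U00045322 Assertion validation was successful. Starting with signature validation now.
20200130/100251.958 - 38 U00045323 Validation of the SAML response for the bansecr / ONID was successful!
20200130/100302.104 - 41 U00045271 Checking SAML token for Single sign-on.
20200130/100302.288 - 41 U00045325 Received SAML token as '<samlp:Response>'
20200130/100312.001 - 41 U00045271 Checking SAML token for Single sign-on.
"""


def parse_line(line):
    """Split one JWP log line into timestamp, thread, message number and text."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y%m%d/%H%M%S.%f")
    return rec


def summarize_saml_logins(lines):
    """Group SAML messages into attempts per thread; mark each success or incomplete."""
    attempts = []
    open_attempts = {}  # thread number -> attempt currently being assembled

    def close(thread):
        a = open_attempts.pop(thread, None)
        if a is not None:
            a["status"] = "success" if CODE_SUCCESS in a["codes"] else "incomplete"
            attempts.append(a)

    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["code"] not in SAML_CODES:
            continue  # unrelated or unparseable line
        thread = rec["thread"]
        if rec["code"] == CODE_START:
            close(thread)  # a new start on the same thread ends any stalled attempt
            open_attempts[thread] = {"thread": thread, "started": rec["ts"], "finished": None,
                                     "codes": [], "user": None, "department": None}
        a = open_attempts.get(thread)
        if a is None:
            continue  # message without a visible start (log rotated); skip
        a["codes"].append(rec["code"])
        a["finished"] = rec["ts"]
        if rec["code"] == CODE_SUCCESS:
            m = SUCCESS_MSG.search(rec["msg"])
            if m:
                a["user"], a["department"] = m.group("user"), m.group("dept")
            close(thread)
    for thread in list(open_attempts):
        close(thread)  # whatever is still open at end of log never completed
    return attempts


def duration_ms(attempt):
    """Wall-clock time from token check to last SAML message, in whole milliseconds."""
    return int(round((attempt["finished"] - attempt["started"]).total_seconds() * 1000))


if __name__ == "__main__":
    for a in summarize_saml_logins(SAMPLE_LOG.splitlines()):
        print(a["thread"], a["status"], a["user"], a["department"], "%d ms" % duration_ms(a))
```

A successful attempt ends with U00045323 naming the user and department, which answers the "am I on SAML or LDAP" question directly; a run of incomplete attempts for one department is the thing to look at when users report being bounced back to the login screen.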
Original Message:
Sent: 05-12-2020 04:04 PM
From: Laura Albrecht
Subject: Single Signon w/ SAML
Hey guys - @Jonathan Roster, @STEPHEN ODO.
How can you tell if you are going through SAML / OKTA and/or using LDAP? Is there anything in the logs to key off of?
I entered the values in the SP key, but is there anything else that happens? Or that I need to do? Do I need to change UC_SYSTEM_SETTINGS to LDAP = N? How can I tell (different login screen?) that I am going through SAML now? Is any kind of restart of the system needed?
TIA.
------------------------------
Laura Albrecht
Enterprise Scheduling Lead
Takeda Pharmaceuticals LLC
Original Message:
Sent: 05-07-2020 11:53 AM
From: Laura Albrecht
Subject: Single Signon w/ SAML
OK. So, I updated UC_SYSTEM_SETTINGS and this populated the SP key in UC_SAML_SETTINGS.
I updated the code in the SP key so that Location="_INSERT" was replaced with Location="https://ourwebservername:8443/awi/".
I sent the OKTA team the entire contents then of the SP key.
They have now sent me back an XML file. Am I supposed to take the ENTIRE contents of that XML file and replace entityID="_INSERT_" with what is in that file? Or just a portion of what is in the XML file? Or something else entirely?
Thanks.
------------------------------
Laura Albrecht
Enterprise Scheduling Lead
Takeda Pharmaceuticals LLC
Original Message:
Sent: 02-06-2020 08:56 AM
From: Christian Böck
Subject: Single Signon w/ SAML
Hi Laura,
- Update the Entity ID (not sure what this is - is this what I get from OKTA?) and the destination URL of the Automic AWI in the various keyword entries in UC_SAML_SETTINGS.
Client 0 - UC_SAML_SETTINGS
in the key *SP change the value for
entityID - this can be any string, but the default seems to be "AWIHOSTNAME/SAML2"
(e.g.: Location="https://<your_server>/SAML2")
and
Location - AWIURL e.g.: Location="https://<your_server>/awi"
------------------------------
Thx & rgds
Christian
Original Message:
Sent: 02-06-2020 08:41 AM
From: Albrecht
Subject: Single Signon w/ SAML
As far as setup goes, from what I've read it seems like it's just a matter of:
- Update UC_SYSTEM_SETTINGS so SAML = Y.
- That will generate / populate a variable called UC_SAML_SETTINGS.
- Update the Entity ID (not sure what this is - is this what I get from OKTA?) and the destination URL of the Automic AWI in the various keyword entries in UC_SAML_SETTINGS.
- Update configuration.properties in the AWI to set sso.saml.enabled to true
That's really it? I hate to be looking for more complexity where there is none, but this seems too simple. :-)
------------------------------
Enterprise Scheduling Lead
Takeda
Original Message:
Sent: 02-05-2020 03:18 PM
From: STEPHEN ODO
Subject: Single Signon w/ SAML
We are using SAML on 12.3 here at the University of Hawaii. Set up was very easy. Basically set up a few objects and we were done. We have our own Identity Provider. My guess is that OKTA would be your Identity Provider.
Original Message:
Sent: 02-04-2020 11:24 AM
From: Albrecht
Subject: Single Signon w/ SAML
Hi. Is there anyone out there who has configured single sign-on with SAML (vs. Kerberos)? I'm reading anything I can find on single sign-on, but it mainly seems to be Kerberos. From what I can tell this is only recently supported with 12.3. I'm also trying to figure out how OKTA fits into this. This is what my company wants to start using.
TIA.
Laura Albrecht
------------------------------
Enterprise Scheduling Lead
Takeda
------------------------------