- Update the Entity ID (not sure what this is - is this what I get from OKTA?) and the destination URL of the Automic AWI in the various keyword entries in UC_SAML_SETTINGS.
Client 0 - UC_SAML_SETTINGS: in the key *SP change the value for entityID - this can be any string, but the default seems to be "AWIHOSTNAME/SAML2" (e.g.: Location="https://<your_server>/SAML2") and Location - AWI URL (e.g.: Location="https://<your_server>/awi")
OK. So, I updated UC_SYSTEM_SETTINGS and this populated the SP key in UC_SAML_SETTINGS. I updated the code in the SP key so that Location="_INSERT" was replaced with Location="https://ourwebservername:8443/awi/". I then sent the OKTA team the entire contents of the SP key. They have now sent me back an XML file. Am I supposed to take the ENTIRE contents of that XML file and replace entityID="_INSERT_" with what is in that file? Or just a portion of what is in the XML file? Or something else entirely? Thanks.
Laura,
Here is what I see in my JWP logs on a successful SAML login:

20200130/100251.773 - 38 U00045271 Checking SAML token for Single sign-on.
20200130/100251.920 - 38 U00045325 Received SAML token as '<samlp:Response>'
20200130/100251.951 - 38 U00045322 Assertion validation was successful. Starting with signature validation now.
20200130/100251.958 - 38 U00045323 Validation of the SAML response for the bansecr / ONID was successful!
We never messed with LDAP, so I can't advise on that setting. As far as setup goes, we had to enter the values into the *SP key, but also create another key with the same name as a department that would do SAML login (ONID in our case). The contents of this key were the values we got from our IDP folks; it looked like this:
<?xml version="1.0" encoding="WINDOWS-1252"?>
<EntityDescriptor entityID="https://HOST/idp/shibboleth" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">oregonstate.edu</shibmd:Scope>
    </Extensions>
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate> xxxxxxxxx </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://HOST/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://HOST/idp/profile/SAML2/POST-SimpleSign/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>
We are providing our users a link that looks like this: https://<HOST>/awi?system=awaprod&client=1000&department=ONID&logintype=SAML&autologin=true. When a user hits that link, they see the default login screen for a split second before they are redirected to our IDP, which they then log into and are redirected back, ending up at the default dashboard in AWI.

We had to set parameter_login.enabled to make that link work. Otherwise users will have to choose SAML in the login screen and enter their department in order to log in via SAML.

Make sure that sso.saml.enabled is set to true in the AWI config.properties as well.

No restart is needed for changing the settings internal to the Automation Engine. You will need to restart AWI to have it pick up the changes to config.properties.

Hope this helps.
I would think that replacing the space with a %20 should have worked.
We haven't encountered that as our system names are all single-word names, sorry.
------------------------------
Jonathan Roster
Analyst Programmer, Enterprise Computing Svcs.
Information Services | Oregon State University
541-737-4578 | is.oregonstate.edu

Original Message:
Sent: 05-12-2020 04:04 PM
From: Laura Albrecht
Subject: Single Signon w/ SAML

Hey guys - @Jonathan Roster, @STEPHEN ODO.
How can you tell if you are going through SAML / OKTA and/or using LDAP? Is there anything in the logs to key off of? I entered the values in the SP key, but is there anything else that happens? Or that I need to do? Do I need to change UC_SYSTEM_SETTINGS to LDAP = N? How can I tell (different login screen?) that I am going through SAML now? Is any kind of restart of the system needed? TIA.
------------------------------------------------------------
Laura Albrecht
Enterprise Scheduling Lead
Takeda Pharmaceuticals LLC

Original Message:
Sent: 05-07-2020 11:53 AM
From: Laura Albrecht
Subject: Single Signon w/ SAML
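Before pasting IdP metadata like the file Jonathan showed into the department key, it is worth checking that it really is IdP metadata (an IDPSSODescriptor, not the SP's own SPSSODescriptor) and that the placeholders have been replaced. This is an added Python example, not code from the thread or from Automic: it parses a constructed sample (made-up hostnames, the same "xxxxxxxxx" certificate placeholder) and reports what would make the JWP's signature validation or the redirect fail.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample modelled on the thread's IdP metadata (hostnames made up); the cert is still a placeholder.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>xxxxxxxxx</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def check_idp_metadata(xml_text):
    # Returns (summary, findings): summary is what the department key needs,
    # findings is whatever would make the JWP reject or mis-route SAML logins.
    root = ET.fromstring(xml_text)
    summary = {"entityID": root.get("entityID"), "sso_post": None, "cert_ok": False}
    findings = []
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None or not summary["entityID"]:
        findings.append("not IdP metadata: need EntityDescriptor/@entityID plus an IDPSSODescriptor")
        return summary, findings
    # The JWP checks the response signature against this certificate, so a
    # placeholder or a truncated paste means every SAML login fails validation.
    cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    cert_text = (cert.text or "").strip() if cert is not None else ""
    try:
        summary["cert_ok"] = len(base64.b64decode(cert_text, validate=True)) > 0
    except ValueError:  # binascii.Error is a ValueError subclass
        pass
    if not summary["cert_ok"]:
        findings.append("ds:X509Certificate missing or not valid base64: %r" % cert_text[:16])
    # Users are redirected to this Location, so it must be the IdP's HTTPS POST endpoint.
    for sso in idp.findall("md:SingleSignOnService", NS):
        loc = sso.get("Location", "")
        if not loc.startswith("https://"):
            findings.append("SingleSignOnService Location is not https: %s" % loc)
        if sso.get("Binding") == POST_BINDING:
            summary["sso_post"] = loc
    if summary["sso_post"] is None:
        findings.append("no HTTP-POST SingleSignOnService binding found")
    return summary, findings
```

Run it over the real file you got back from the IdP team; an empty findings list and cert_ok True is what you want before the department key goes in.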