Automic Workload Automation


Single Signon w/ SAML

  • 1.  Single Signon w/ SAML

    Posted 02-04-2020 11:24 AM
    Hi.  Is there anyone out there who has configured single signon with SAML (vs. Kerberos)?  I'm reading anything I can find on single signon, but it mainly seems to be Kerberos.  From what I can tell this is only recently supported with 12.3.  I'm also trying to figure out how OKTA fits into this.  This is what my company wants to start using.

    TIA.
    Laura Albrecht

    ------------------------------
    Enterprise Scheduling Lead
    Takeda
    ------------------------------


  • 2.  RE: Single Signon w/ SAML

    Posted 02-04-2020 01:32 PM
    We are using SAML sso on AWA 12.3.1 here at Oregon State University.  We have our own SAML server on premises, however. 

    Were you intending to use OKTA, or just wondering why that is called out in the documentation?


  • 3.  RE: Single Signon w/ SAML

    Posted 02-06-2020 08:39 AM
    Yes, that's what it sounds like - they plan to use OKTA as the Identity Provider.

    ------------------------------
    Enterprise Scheduling Lead
    Takeda
    ------------------------------



  • 4.  RE: Single Signon w/ SAML

    Posted 02-05-2020 03:18 PM
    We are using SAML on 12.3 here at the University of Hawaii. Setup was very easy. Basically we set up a few objects and we were done. We have our own Identity Provider. My guess is that OKTA would be your Identity Provider.


  • 5.  RE: Single Signon w/ SAML

    Posted 02-06-2020 08:42 AM
    As far as setup goes, from what I've read it seems like it's just a matter of:

    - Update UC_SYSTEM_SETTINGS so SAML = Y.
    - That will generate / populate a variable called UC_SAML_SETTINGS.
    - Update the Entity ID (not sure what this is - is this what I get from OKTA?) and the destination URL of the Automic AWI in the various keyword entries in UC_SAML_SETTINGS.
    - Update configuration.properties in the AWI to set sso.saml.enabled to true

    That's really it?  I hate to be looking for more complexity where there is none, but this seems too simple.  :-)

    ------------------------------
    Enterprise Scheduling Lead
    Takeda
    ------------------------------



  • 6.  RE: Single Signon w/ SAML
    Best Answer

    Posted 02-06-2020 08:57 AM
    Hi Laura,
    - Update the Entity ID (not sure what this is - is this what I get from OKTA?) and the destination URL of the Automic AWI in the various keyword entries in UC_SAML_SETTINGS.

    Client 0 - UC_SAML_SETTINGS

    in the key *SP change the value for

    entityID - this can be any string, but the default seems to be "AWIHOSTNAME/SAML2"
    (e.g.: Location="https://<your_server>/SAML2")

    and

    Location - AWIURL e.g.: Location="https://<your_server>/awi"



    ------------------------------
    Thx & rgds
    Christian
    ------------------------------



  • 7.  RE: Single Signon w/ SAML

    Posted 05-07-2020 11:53 AM

    OK.  So, I updated UC_SYSTEM_SETTINGS and this populated the SP key in UC_SAML_SETTINGS.

    I updated the code in the SP key so that Location="_INSERT" was replaced with Location="https://ourwebservername:8443/awi/".

    I sent the OKTA team the entire contents then of the SP key.

    They have now sent me back an XML file.  Am I supposed to take the ENTIRE contents of that XML file and replace entityID="_INSERT_" with what is in that file?  Or just a portion of what is in the XML file?  Or something else entirely?

    Thanks.



    ------------------------------
    Laura Albrecht
    Enterprise Scheduling Lead
    Takeda Pharmaceuticals LLC
    ------------------------------



  • 8.  RE: Single Signon w/ SAML

    Posted 05-12-2020 04:05 PM
    Hey guys - @Jonathan Roster, @STEPHEN ODO.

    How can you tell if you are going through SAML / OKTA and/or using LDAP?  Is there anything in the logs to key off of?

    I entered in the values in the SP key, but is there anything else that happens?  Or that I need to do?  Do I need to change UC_SYSTEM_SETTINGS to LDAP = N?  How can I tell (different login screen?) that I am going through SAML now?  Is any kind of restart of the system needed?

    TIA.​

    ------------------------------
    Laura Albrecht
    Enterprise Scheduling Lead
    Takeda Pharmaceuticals LLC
    ------------------------------



  • 9.  RE: Single Signon w/ SAML

    Posted 05-12-2020 04:57 PM

    Laura,

    Here is what I see in my JWP logs on a successful SAML login.

    20200130/100251.773 - 38 U00045271 Checking SAML token for Single sign-on.
    20200130/100251.920 - 38 U00045325 Received SAML token as '<samlp:Response>'
    20200130/100251.951 - 38 U00045322 Assertion validation was successful. Starting with signature validation now.
    20200130/100251.958 - 38 U00045323 Validation of the SAML response for the bansecr / ONID was successful!

    We never messed with LDAP, so I can't advise on that setting.

    As far as setup goes, we had to enter the values into the *SP key, but also create another key with the same name as a department that would do SAML login (ONID in our case).  The contents of this key were the values we got from our IDP folks, it looked like this:

    <?xml version="1.0" encoding="WINDOWS-1252"?>
    <EntityDescriptor
    entityID="https://HOST/idp/shibboleth"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
       <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
         <Extensions>
             <shibmd:Scope regexp="false">oregonstate.edu</shibmd:Scope>
         </Extensions>
         <KeyDescriptor>
           <ds:KeyInfo>
             <ds:X509Data>
                 <ds:X509Certificate>
                      xxxxxxxxx
                </ds:X509Certificate>
             </ds:X509Data>
           </ds:KeyInfo>
         </KeyDescriptor>
         <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
         <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://HOST/idp/profile/SAML2/POST/SSO"/>
         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://HOST/idp/profile/SAML2/POST-SimpleSign/SSO"/>
       </IDPSSODescriptor>
    </EntityDescriptor>

    We are providing our users a link that looks like this: https://<HOST>/awi?system=awaprod&client=1000&department=ONID&logintype=SAML&autologin=true.  When a user hits that link, they see the default login screen for a split second before they are redirected to our IDP, which they then log into and are redirected back and end up at the default dashboard in AWI. 

    We had to set parameter_login.enabled to make that link work.  Otherwise users will have to choose SAML in the login screen and enter their department in order to log in via SAML. 

    Make sure that sso.saml.enabled is set to true in the AWI config.properties as well.

    No restart needed for changing the settings internal to the Automation Engine.  You will need to restart AWI to have it pick up the changes to config.properties.

    Hope this helps.



    ------------------------------
    Jonathan Roster
    Analyst Programmer, Enterprise Computing Svcs.
    Information Services | Oregon State University
    541-737-4578 | is.oregonstate.edu
    ------------------------------
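The pieces in the post above (the IdP metadata that goes into the department key, the two values that go into the *SP key, the parameter-login link, and the JWP lines that show a SAML login succeeded), worked through as an added Python example. This is not Automic's code and not the poster's; the metadata and log lines below are constructed to the shape shown in the post, with a placeholder certificate. The URL parameter names are the ones from the post; whether AWI decodes %20 in a system name is not something this example can confirm.

```python
# Added example (not Automic's or Broadcom's code): parse the EntityDescriptor an
# IdP hands you, check the values that go into the *SP key, build the parameter
# login link, and pull successful SAML logins out of JWP log lines.
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlencode, urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like the metadata in the post; the certificate is a placeholder.
IDP_METADATA = """<EntityDescriptor entityID="https://HOST/idp/shibboleth"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://HOST/idp/profile/SAML2/POST/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed JWP lines, copied in shape from the post.
SAMPLE_JWP = [
    "20200130/100251.773 - 38 U00045271 Checking SAML token for Single sign-on.",
    "20200130/100251.920 - 38 U00045325 Received SAML token as '<samlp:Response>'",
    "20200130/100251.951 - 38 U00045322 Assertion validation was successful. Starting with signature validation now.",
    "20200130/100251.958 - 38 U00045323 Validation of the SAML response for the bansecr / ONID was successful!",
]


def parse_idp_metadata(xml_text):
    """Extract what the SP side needs from IdP metadata: the IdP entityID (its
    Issuer value), its signing certificate(s) and the HTTP-POST SSO endpoint."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # SP metadata is also an EntityDescriptor; catch the mix-up early
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata")
    certs = [c.text.strip() for c in idp.findall(
        "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) if c.text]
    if not certs:
        raise ValueError("no signing certificate: responses could not be verified")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": certs,
            "sso_post_url": sso.get(POST_BINDING),
            "nameid_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)]}


def check_sp_settings(entity_id, location):
    """Problems with the entityID / Location values placed in the *SP key."""
    problems = []
    for name, value in (("entityID", entity_id), ("Location", location)):
        if not value or "_INSERT" in value:
            problems.append(f"{name} still contains the _INSERT placeholder")
    if urlparse(location or "").scheme != "https":
        problems.append("Location is not https; the IdP posts a bearer assertion to it")
    return problems


def build_autologin_url(host, system, client, department):
    """The parameter-login link from the post (needs parameter_login.enabled in AWI).
    quote_via=quote encodes a space as %20 rather than '+'."""
    query = urlencode({"system": system, "client": client, "department": department,
                       "logintype": "SAML", "autologin": "true"}, quote_via=quote)
    return f"https://{host}/awi?{query}"


JWP_LINE = re.compile(r"^(\d{8})/(\d{6}\.\d{3}) - (\d+) (U\d{8}) (.*)$")
SAML_OK = re.compile(r"for the (\S+) / (\S+) was successful")


def saml_logins(lines):
    """(user, department) for every U00045323 'validation successful' JWP line."""
    found = []
    for line in lines:
        m = JWP_LINE.match(line.strip())
        if m and m.group(4) == "U00045323":
            who = SAML_OK.search(m.group(5))
            if who:
                found.append((who.group(1), who.group(2)))
    return found
```

Feeding the XML file the IdP sends back through parse_idp_metadata() answers the earlier question about what to do with it: the whole file is the department key's content, and its entityID is the IdP's Issuer, not the SP entityID that goes into *SP. Running saml_logins() over the JWP log is the quickest way to tell that a login came through SAML rather than LDAP.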



  • 10.  RE: Single Signon w/ SAML

    Posted 05-12-2020 06:28 PM
    That really helped a lot @Jonathan Roster!!  Thank you.

    My system name has a space in it, which seems to be causing a problem - for example

    SANDBOX (TEST_1)

    I've tried using %20 or a + to replace the space, but still not working / populating when the login screen comes up.  Any ideas?

    Not the end of the world I suppose - I can change the system name so that it doesn't have a space, but just wondering if you know.


    ------------------------------
    Laura Albrecht
    Enterprise Scheduling Lead
    Takeda Pharmaceuticals LLC
    ------------------------------



  • 11.  RE: Single Signon w/ SAML

    Posted 05-12-2020 07:09 PM

    I would think that replacing the space with a %20 should have worked. 

    We haven't encountered that as our system names are all single-word names, sorry.



    ------------------------------
    Jonathan Roster
    Analyst Programmer, Enterprise Computing Svcs.
    Information Services | Oregon State University
    541-737-4578 | is.oregonstate.edu
    ------------------------------



  • 12.  RE: Single Signon w/ SAML

    Posted 05-15-2020 09:23 AM
    Thanks.

    We're making progress here.  I actually was able to log in via SAML, which was great news.  However, we currently use LDAP authentication and log in with our network ID (i.e. LAURAA); I ended up having to create a new userid with the first part of my email address - LAURA.ALBRECHT.  THEN it logged me in.

    In the HELP "Setting up Single Sign-On - SAML", I'm a bit confused on step 3.  It talks about mapping the AE to the attributes of the SAML response.  I am not really understanding what it wants me to do here.  I really do not want to have to create new userids for everyone.  Is there any way to switch things so that it uses the network ID instead of the first part of the email address?

    TIA.

    ------------------------------
    Laura Albrecht
    Enterprise Scheduling Lead
    Takeda Pharmaceuticals LLC
    ------------------------------



  • 13.  RE: Single Signon w/ SAML

    Posted 05-18-2020 02:35 PM
    Laura,

    This is wading more into the realm of identity management, which I'm no expert on.  We had to have our IDM folks map our usernames to the 'aename' attribute and return that as part of the saml response.  I'm guessing you will have to do something similar, though how that would work with OKTA as the IDP I'm not sure.


    ------------------------------
    Jonathan Roster
    Analyst Programmer, Enterprise Computing Svcs.
    Information Services | Oregon State University
    541-737-4578 | is.oregonstate.edu
    ------------------------------



  • 14.  RE: Single Signon w/ SAML

    Posted 05-19-2020 03:24 PM
    Thanks to everyone who responded / helped me out here.  We have single sign on using SAML working now!  @Jonathan Roster - you were right.  The OKTA team had to do something on their side and then we were able to use the network ID (vs. email).

    I'll be posting a final update shortly with the instructions that I used on how to do this.  Hopefully it'll help someone else doing this later on.


    ------------------------------
    Laura Albrecht
    Enterprise Scheduling Lead
    Takeda Pharmaceuticals LLC
    ------------------------------



  • 15.  RE: Single Signon w/ SAML

    Broadcom Employee
    Posted 06-19-2020 09:15 AM
    Edited by Ronald Dsouza 06-19-2020 09:29 AM
    Hi there, we are testing a use case for SAML integration with CA API Gateway where the user is redirected to a SAML page hosted on the Gateway.
    I managed to get the routing redirected as an HTTP POST to CA API Gateway, and then I do a POST response to HTTP://<awaHost>:8080/AWILAB (I moved the JAR file to AWILAB), but I still get "authentication failed". I matched the SAMLResponse as it is provided in the document.
    Sample Below

    <samlp2:Response xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://10.3.29.132:8080/AWILAB" ID="a22acfb2d-17ba-4f40-94e1-f117d42248fc" InResponseTo="a22acfb2d-17ba-4f40-94e1-f117d42248fc" IssueInstant="2020-06-19T13:08:28.504Z" Version="2.0">
    <saml2:Issuer>654906db6eb1</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#a22acfb2d-17ba-4f40-94e1-f117d42248fc">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>XC5YTKsUkMz6iBdNtwmK+OicKWg=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>LkUEnqjPJdRWz9pxzqZNFfP5M8JcM0sv/tw+ceqPn61wxFBla9broFy+9rY64WeEvQexd+9DzYwBgLtGsDp/wqSwAfHlIFAKuFUJE6/ixpoDeri7BtR8XmU8e321oNMoP/IwKKr3TcbGyROua9PZ0CoWZpL/ex50BoQej+waqzjemBj4L1d2ckRGovQm7NC7/32xrlCHFR6FmGxGO4Ly+0yd9c/NWTPzu5OnqN+88q83aVNjgXlSXBERs95xTdzi2gqvExMUTHYg9r+ZTPoo19jvoFfk4y//JMjSYmkKBf4DJKA5DZLskt1NdHsxKVzTyUMONTpjBu8NHPkxWsEbzA==</ds:SignatureValue>
    <ds:KeyInfo>
    <ds:X509Data>
    <ds:X509Certificate>...</ds:X509Certificate>
    </ds:X509Data>
    </ds:KeyInfo>
    </ds:Signature>
    <samlp2:Status>
    <samlp2:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp2:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="SamlAssertion-13d2297a08fec18deb0cfc8039397a23" IssueInstant="2020-06-19T13:08:28.498Z" Version="2.0">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">b4edfb69-1c70-454b-bf9b-a2c33aaaa868</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#SamlAssertion-13d2297a08fec18deb0cfc8039397a23">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>U2zQ6amPgsmHrybVjp2TCQ+MSwU=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>KEHK+IpTJkQziQ15WqEU98KeCT0F3KqpRil+HCH3WYKRg2jKfIlEguGrxrrPGz2IKcjzSU4eaD0qGFzD0VYbBRBuwkNd9q+5cboQgXhB0xViUvK1qDLPhHUqPr6qSDGja5DVuniuLTxfnq0zEH0eC72k71pq00Ca2L6wE5z1apXfrMQ0IzvP7whKmpDm3dPWgHO1Iu6/eTkYXtnq49Nr4QvPXYD8la+/LxH/OHdND/4pW/RDK7fhlXPWySF0KIkNB2ohtLM8YY9JVIyqY2+GFz7/SewWGAJJnplmi6lO18idx/M73VC2ptnD5ZsAEwGQ6ACTt5gjFofWRZZ/oAUZ3g==</ds:SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <X509Data>
    <X509SubjectName>CN=654906db6eb1</X509SubjectName>
    <X509Certificate>MIIC8jCCAdqgAwIBAgIIRVC5GOxhVJkwDQYJKoZIhvcNAQEMBQAwFzEVMBMGA1UEAxMMNjU0OTA2ZGI2ZWIxMB4XDTIwMDYxMTExMDA0N1oXDTMwMDYwOTExMDA0N1owFzEVMBMGA1UEAxMMNjU0OTA2ZGI2ZWIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhtZrw9pX13LT7+LmYGgZNuoanoTF2pwPTU1/k9JFhzEfv9btkTBmMySAyZAXhbx3MZxIanCzWosudjWk/FFxNURP51G9FwbKVga4vuyzSrAhM6uZtmS2olrT9K9KbJ5Sc4U5oPtAYvHJMCsydldY5mcaUHcNIP7OWXAXfPRGhss+DuhqtPvOUhoAYFJCW1gU40/4/hM+pZIR/wF8k/q3fm1XR5rQ22VBNCVk+XzhqzUP0DTmjUA1pvxb60h9CeWoz7I+71r/JpkRK/E7ncpbt3iutJVKQQot9afwZl1oPep8ziGlMC/PYmhy6Z1YCneFD6kqYuTOWqZtWxDhnz+pVQIDAQABo0IwQDAdBgNVHQ4EFgQUm33zCJQuB0bbQL/ATA1xhmepmSowHwYDVR0jBBgwFoAUm33zCJQuB0bbQL/ATA1xhmepmSowDQYJKoZIhvcNAQEMBQADggEBADqpSKfsPtcU2cGAo73uMHg2c+hWlCVyGDwUjV1XLUfgPrvLt5zu90KZvXzUclgEmbMvvN6UskoAqKMbFlBk/qw7r+47F2bgIJPB6L+ODqPEnV4lyUCb3TGoKIjdqPkRV2XLEw2nMjEGf4sk1gL3qgjBs7DZIqakclgaYMFPgamSizId7Gd++e/UJL5kPzEm1QNlTiXXC7OBqjq5PVktdkdHn5brGEJ9Eua76qa+KK0hdkYIOIqL07D4anHD9c38+/EioLxNQjGO0QzsCxLsBpIUYIFCEz+SZwLEWqg0v2h0U8NteKFBS0Jjbax1Mdu3Rd6G50WtZEU0WCTYaHt7qKo=</X509Certificate>
    </X509Data>
    </KeyInfo>
    </ds:Signature>
    <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="aename">ronald.dsouza</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData Address="https://api.eohcorp.net:8443/saml2/websso/identityprovider" InResponseTo="a22acfb2d-17ba-4f40-94e1-f117d42248fc" NotOnOrAfter="2020-06-19T13:08:58.499Z" Recipient="http://10.3.29.132:8080/AWILAB"/>
    </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2020-06-19T13:03:28.499Z" NotOnOrAfter="2020-06-19T13:18:28.499Z">
    <saml2:AudienceRestriction>
    <saml2:Audience>http://10.3.29.132:8080/AWILAB/saml/metadata.xml</saml2:Audience>
    </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2020-06-19T13:08:28.498Z">
    <saml2:SubjectLocality Address="10.12.240.130"/>
    <saml2:AuthnContext>
    <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
    </saml2:AuthnStatement>
    </saml2:Assertion>
    </samlp2:Response>



    ---

    Setup already done
    1. UPDATE *SP
    2. Created DEPARTMENT IDP SSO metadata file

    The only thing I have not done is SAML over SSL. So although the SAML page is on SSL, the Automic page runs on non-SSL. Could this be causing the problem?





    ------------------------------
    Pre-Sales Consultant
    CA Southern Africa
    ------------------------------
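The checks a SAML service provider applies to a <samlp:Response> like the one above before it trusts the NameID, as an added Python example. This is not Automic's, Broadcom's or the API Gateway's code. The response below is constructed to the shape of the posted one: same Destination, Recipient, Audience, timestamps and signature algorithms, but placeholder signature values, a fresh Response ID, and (for brevity) one Issuer used for both Response and Assertion. The SP entityID, ACS URL, IdP entityID and AuthnRequest ID passed in are assumptions; signature verification is left out because it needs the IdP certificate from the metadata and an XML-DSig library. The posted algorithms, rsa-sha1 and sha1, are flagged because SHA-1 is deprecated for XML signatures and many SPs reject it.

```python
# Added example (not Automic's or the Gateway's code): the profile checks an SP
# runs on a <samlp:Response>, over a constructed response shaped like the posted one.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
WEAK_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
             "http://www.w3.org/2000/09/xmldsig#sha1"}  # SHA-1 is deprecated for XML-DSig

# Constructed sample: endpoints and times as in the post, signature values are placeholders.
SAMPLE_ACS = "http://10.3.29.132:8080/AWILAB"
SAMPLE_IDP = "654906db6eb1"
SAMPLE_REQUEST_ID = "a22acfb2d-17ba-4f40-94e1-f117d42248fc"
SAMPLE_NOW = datetime(2020, 6, 19, 13, 8, 30, tzinfo=timezone.utc)
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" InResponseTo="{SAMPLE_REQUEST_ID}" Version="2.0"
    Destination="{SAMPLE_ACS}" IssueInstant="2020-06-19T13:08:28.504Z">
  <saml:Issuer>{SAMPLE_IDP}</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_r1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>placeholder</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" IssueInstant="2020-06-19T13:08:28.498Z" Version="2.0">
    <saml:Issuer>{SAMPLE_IDP}</saml:Issuer>
    <saml:Subject>
      <saml:NameID NameQualifier="aename">ronald.dsouza</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{SAMPLE_REQUEST_ID}" Recipient="{SAMPLE_ACS}"
            NotOnOrAfter="2020-06-19T13:08:58.499Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-06-19T13:03:28.499Z" NotOnOrAfter="2020-06-19T13:18:28.499Z">
      <saml:AudienceRestriction><saml:Audience>{SAMPLE_ACS}/saml/metadata.xml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _utc(ts):
    """SAML timestamps are UTC with a trailing Z, which fromisoformat() rejects before 3.11."""
    return datetime.fromisoformat(ts.rstrip("Z")).replace(tzinfo=timezone.utc)


def check_response(xml_text, sp_entity_id, acs_url, idp_entity_id, request_id,
                   now, skew=timedelta(seconds=60)):
    """Return (name_id, problems). Trust the NameID only when problems is empty
    AND the signature over the Assertion has been verified against the IdP cert."""
    problems = []
    resp = ET.fromstring(xml_text)
    if resp.get("Destination") != acs_url:
        problems.append(f"Destination {resp.get('Destination')!r} != ACS {acs_url!r}")
    if resp.get("InResponseTo") != request_id:
        problems.append("InResponseTo != the AuthnRequest ID this SP issued")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    weak = {e.get("Algorithm") for tag in ("SignatureMethod", "DigestMethod")
            for e in resp.iter(f"{{{NS['ds']}}}{tag}")} & WEAK_ALGS
    problems += [f"weak algorithm {a}" for a in sorted(weak)]
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return None, problems + ["no plaintext Assertion (EncryptedAssertion not handled here)"]
    for el in (resp, assertion):  # both Issuers must be the IdP we loaded metadata for
        issuer = el.find("saml:Issuer", NS)
        if issuer is None or (issuer.text or "").strip() != idp_entity_id:
            problems.append(f"{el.tag.split('}')[1]} Issuer is not the expected IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and _utc(nb) > now + skew:
            problems.append("assertion not yet valid")
        if na and _utc(na) <= now - skew:
            problems.append("assertion expired")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append(f"Audience {audiences} does not name SP entityID {sp_entity_id!r}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no bearer SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("Recipient != ACS")
        if scd.get("InResponseTo") != request_id:
            problems.append("SubjectConfirmationData InResponseTo != request ID")
        if scd.get("NotOnOrAfter") and _utc(scd.get("NotOnOrAfter")) <= now - skew:
            problems.append("bearer confirmation expired")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    return (name_id.text.strip() if name_id is not None and name_id.text else None), problems


def audit_sample(sp_entity_id):
    """Run the checks over the constructed response for a given SP entityID."""
    return check_response(SAMPLE_RESPONSE, sp_entity_id, SAMPLE_ACS, SAMPLE_IDP,
                          SAMPLE_REQUEST_ID, SAMPLE_NOW)
```

Calling audit_sample() with the entityID actually configured in the *SP key shows which of these checks would fail for a given response, which is more specific than "authentication failed": the Audience must equal the SP entityID exactly, and Destination and Recipient must equal the ACS URL exactly, scheme and port included, so an http ACS behind an https SAML page is one of the things this comparison surfaces.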



  • 16.  RE: Single Signon w/ SAML

    Posted 19 days ago
    Here's my final update.  We ended up not being able to move forward with using OKTA.  Unfortunately we use TMS (transport management solution) to do deployments, and that does not integrate with OKTA.  Oh, well.  However, we did get through deploying it to DEV and had a very good process before we had to back out.

    I hope this helps.

    ------------------------------
    Laura Albrecht
    Enterprise Scheduling Lead
    Takeda Pharmaceuticals LLC
    ------------------------------

    Attachment(s): OKTA Integration.docx (30K)