Add SAML SP to OpenIAM
This section describes how to configure a SAML service provider to an OpenIAM IdP. All SAML integrations where OpenIAM is the IdP, at a high level, have the following steps:
- Generate a public and private key pair
- Configure the Service provider to point to you OpenIAM IdP instance
- Configure the OpenIAM IdP
- Define who can access these applications using the OpenIAM access control model
The steps below will describe how to implement each of the steps above.
Generate a public and private key pair
There are several methods for generating the public and private key pair. For the purpose of this documentation, we will use OpenSSL, popular opensource utility that is available on most major Linux platforms.
Install OpenSSL
Ensure that OpenSSL has already been installed on your machine
openssl version -a
If you get a response like the one below, then openssl already exists on your system.
OpenSSL 1.1.1f 31 Mar 2020built on: Mon Mar 22 11:37:17 2021 UTCplatform: debian-amd64options: bn(64,64) rc4(8x,int) des(int) blowfish(ptr)compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-Juj39H/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2OPENSSLDIR: "/usr/lib/ssl"ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"Seeding source: os-specific
If it does not exist, then use the steps provided to install OpenSSL.
Generate a public and private key pair
- Generate a PEM encoded private key as shown below. You may name the keys based on your companies naming standards.
openssl genrsa -out gsuite_privkey.pem 1024
- Generate the public key using the command below
openssl rsa -in gsuite_privkey.pem -pubout -outform DER -out gsuite_pubkey.der
- Generate a private key in a PKCS8 and DER format by running the command below
openssl pkcs8 -topk8 -inform PEM -outform DER -in gsuite_privkey.pem -out gsuite_privkey.der -nocrypt
Once you have created the key pair, create an X.509 certificate. The certificate holds the corresponding public key, along with metadata related to the organization that created the certificate. Use the command below to create a self-signed certificate from either an RSA or DSA private key
openssl req -new -x509 -days 365 -key gsuite_privkey.pem -out gsuite_cert.pem
Configure Application and OpenIAM side for the SAML integration
While SAML is a standard, there is sufficent flexibility in the specification to create minor differences in each integration. To simplify the setup process, examples of integrations with several popular SaaS solutions has been provided.
| Application Name |
|---|
| GSuite |
| Office 365 |
| Salesforce.com |
| Freshservice |
| AWS Admin console |
| Slack |
Grant access to your application
To be able to access the service provider through the IdP, we must grant access to the service provider by associating it to an entitlement object such as a group / role. While this topic is described in detail in the access control section, the section below provides a brief reference to entitle an application through a role.
- Go to the Webconsole -> Access Control -> Role
- Find an existing role which you want to update such that it is entitled to your service provider
- View the role details by click on the icon in the Actions column
- Go to the
Role Entitlementsoption from the side menu as shown below
- Right click on
Resourcefollowed by selectAddas shown below
- From the
Resource typedrop down selectAuthentication provider - From the adjacent dropdown, select the name of your authentication provider as shown below
The role has now been entitled.
Validate the integration
To test your integration, simply login to the OpenIAM Self-service portal with an account that was entitled to your service provider.
Next, go to your SSO Launch pad as shown below. If you have successfully configured your service provider, you will be signed into that service provider.
