Add SAML SP to OpenIAM

This section describes how to configure a SAML service provider to an OpenIAM IdP. All SAML integrations where OpenIAM is the IdP, at a high level, have the following steps:

  • Generate a public and private key pair
  • Configure the Service provider to point to you OpenIAM IdP instance
  • Configure the OpenIAM IdP
  • Define who can access these applications using the OpenIAM access control model

The steps below will describe how to implement each of the steps above.

Generate a public and private key pair

There are several methods for generating the public and private key pair. For the purpose of this documentation, we will use OpenSSL, popular opensource utility that is available on most major Linux platforms.

Install OpenSSL

Ensure that OpenSSL has already been installed on your machine

openssl version -a

If you get a response like the one below, then openssl already exists on your system.

OpenSSL 1.1.1f 31 Mar 2020
built on: Mon Mar 22 11:37:17 2021 UTC
platform: debian-amd64
options: bn(64,64) rc4(8x,int) des(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-Juj39H/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specific

If it does not exist, then use the steps provided to install OpenSSL.

Generate a public and private key pair

  • Generate a PEM encoded private key as shown below. You may name the keys based on your companies naming standards.
openssl genrsa -out gsuite_privkey.pem 1024
  • Generate the public key using the command below
openssl rsa -in gsuite_privkey.pem -pubout -outform DER -out gsuite_pubkey.der
  • Generate a private key in a PKCS8 and DER format by running the command below
openssl pkcs8 -topk8 -inform PEM -outform DER -in gsuite_privkey.pem -out gsuite_privkey.der -nocrypt

Once you have created the key pair, create an X.509 certificate. The certificate holds the corresponding public key, along with metadata related to the organization that created the certificate. Use the command below to create a self-signed certificate from either an RSA or DSA private key

openssl req -new -x509 -days 365 -key gsuite_privkey.pem -out gsuite_cert.pem

Configure Application and OpenIAM side for the SAML integration

While SAML is a standard, there is sufficent flexibility in the specification to create minor differences in each integration. To simplify the setup process, examples of integrations with several popular SaaS solutions has been provided.

Application Name
GSuite
Office 365
Salesforce.com
Freshservice
AWS Admin console
Slack

Grant access to your application

To be able to access the service provider through the IdP, we must grant access to the service provider by associating it to an entitlement object such as a group / role. While this topic is described in detail in the access control section, the section below provides a brief reference to entitle an application through a role.

  • Go to the Webconsole -> Access Control -> Role
  • Find an existing role which you want to update such that it is entitled to your service provider
  • View the role details by click on the icon in the Actions column
  • Go to the Role Entitlements option from the side menu as shown below

Role summary view

  • Right click on Resource followed by select Add as shown below

Role summary view

  • From the Resource type drop down select Authentication provider
  • From the adjacent dropdown, select the name of your authentication provider as shown below

Role summary view

The role has now been entitled.

Validate the integration

To test your integration, simply login to the OpenIAM Self-service portal with an account that was entitled to your service provider.

Next, go to your SSO Launch pad as shown below. If you have successfully configured your service provider, you will be signed into that service provider.

Role summary view