Applies to Infiniti v9.3.0 or later
 

SAML 2.0 Configuration

Infiniti supports SAML 2.0, allowing a nominated identity provider to provide Single Sign-On (SSO) between Infiniti Manage, Infiniti Produce and other service providers. A common SAML 2.0 deployment embeds Infiniti forms within another application.

When configured correctly, navigating to Infiniti sends an authentication request to the identity provider via HTTP-POST. The identity provider determines whether the user has already been authenticated or needs to log in. In either case, once a successful login has occurred a response is sent to Infiniti containing the user's username (referred to as the NameID) and optionally other user profile information (name, email, address, group memberships, etc.). The response must be signed so that Infiniti can verify it came from a trusted source.

 

Prerequisites

  • A SAML 2.0 provider with
    • An Identity Provider configured to
      • Return the user's group memberships as an assertion attribute (e.g. IsMemberOf) within the SAML assertion (mandatory, so that at least one user can be added to an Infiniti Administrator Role after the switch to SAML)
      • Return profile information such as first and last name (optional)
    • Service Providers for both Infiniti Manage and Infiniti Produce whereby:
      • The response is configured to be sent via HTTP-POST to:
        http://yourserver/Manage/SamlAuthenticate.aspx or http://yourserver/Produce/SamlAuthenticate.aspx respectively
      • The above POST response is signed (see Appendix A for an example Response)
      • A meaningful name is given to the Service Providers (usually Produce and Manage)
  • A certificate, either installed on the Infiniti web server or supplied as a file, that can be used to check the SAML response signature.
  • A user configured in the SAML 2.0 provider for testing that is a member of at least one known group.
  • An existing Infiniti environment installed with default forms authentication.
  • An external group added to Infiniti Manage with global administrator access that the test user is a member of (e.g. Infiniti_Administrator).

    See screenshot below:


 

How to configure SAML 2.0

  1. Navigate to Manage and log in as an Administrator
  2. Click Settings in the left-hand (LHS) menu
  3. Select the SAML 2.0 tab
  4. Check the SAML 2.0 checkbox

    See screenshot below:

 

  5. Provide the settings as per the table below

    Setting: Create Users
    Description: Whether to actually create a user record in the Infiniti platform. Necessary for any form that involves workflow, and useful for tracking and auditing.
    Example: Usually checked

    Setting: Issuer
    Description: The Issuer ID of the Identity Provider.
    Example: http://openam.example.com:8080/openam

    Setting: Manage Entity Id
    Description: The Entity Id of the Manage Service Provider.
    Example: Manage, ManageTest, ManageProd, etc.

    Setting: Produce Entity Id
    Description: The Entity Id of the Produce Service Provider.
    Example: Produce, ProduceTest, ProduceProd, etc.

    Setting: Identity Provider Login URL
    Description: The URL of the Single Sign-On Service that Infiniti will make the HTTP-POST request to.
    Example: http://openam.example.com:8080/openam/SSOPOST/metaAlias/idp

    Setting: Certificate
    Description: The certificate Infiniti will use to check the signature received in the HTTP-POST Response. A certificate can be installed on the server and referenced by its thumbprint, or uploaded directly to the application.
    Example: N/A

  6. Navigate to the User Profile Mapping tab.

    Because the attributes carried in a SAML response are arbitrary, you must tell Infiniti where to find each user profile field in the response.

    Provide at least the name of the attribute in which the user's group memberships are specified.

  7. Optionally specify any other user fields. See Appendix B for a complete list of available mapping fields.

    See screenshot below:

  8. Click the Save button. At this point your SAML settings are saved, though your session is still the one created at Step 1.
  9. Click Logout. Infiniti will attempt to create a SAML session as per the settings configured above. You should either be redirected to the Manage Home Page or, if you do not already have an existing session, to the Identity Provider's login screen.
 

Troubleshooting

When attempting SAML 2.0 authentication, Infiniti makes an HTTP-POST request to the identity provider and awaits a response. If both the request and response are successfully made and received, Infiniti logs in the database any errors that occurred while processing the response (for example, a failure when checking the response signature).

To view the error, roll back the SAML 2.0 cutover, re-authenticate via forms authentication, view and correct the error, and then try again.

See screenshot below:

SAML 2.0 authentication can be rolled back via the database.

UPDATE Business_Unit
SET SamlEnabled = 0
WHERE Business_Unit_Guid = '0CC2007E-3344-4059-B368-9BAD2B9BD42B'
 
Note: the above business unit GUID is the default tenant, modify where required.

Appendix A Example SAML Request and Response

Request

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_fd6b794b-3f77-4529-bc70-b4839fb82f86" Version="2.0" IssueInstant="2016-02-26T03:46:13.057Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">Manage</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</samlp:AuthnRequest>
 

Response

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://ix10-simonp/ManageV9_3/SamlAuthenticate.aspx" ID="s20ba81f0f7d8dac0a377109c03787e2ea585297c7" InResponseTo="_f9a49ee4-143b-4d15-a2fe-0d431a3d09c7" IssueInstant="2016-02-26T03:52:00Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://openam.example.com:8080/openam</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="#s20ba81f0f7d8dac0a377109c03787e2ea585297c7">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>LYUM7JsNmj4ds9wvdypXjJ4tOJM=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
      UJFiE3TyM82NjCi6QOUQjdTZQiaVcKkpwyxKah0PXQe/i/ZWl+vKduLFVDXDPGP5gVrZoKKtEDWr
      xDoGCE6UUNruQD85zWdVNO0D0LIHLM/j6+1+myvWP7uTv1/BPlYcQ2Owb34diPmOwN/jeBd/AX3f
      1F4faB55Qo9JGiLCANU=
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
          MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
          bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
          ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
          CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
          BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
          AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
          RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
          Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
          QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
          cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
          /FfwWigmrW0Y0Q==
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    </samlp:StatusCode>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s27b4cdc935aa3d98c0d727fa2079d9bb0103bd732" IssueInstant="2016-02-26T03:52:00Z" Version="2.0">
    <saml:Issuer>http://openam.example.com:8080/openam</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#s27b4cdc935aa3d98c0d727fa2079d9bb0103bd732">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>fnw+2iscOwNy7rTSX8767kMCi6g=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
        f4f+iFzRvc5/VSMQLS16xD9vrZeSgDR+GvR7gICnGFK5ZHLa2sYb1l5GiTJJb7VqAvaYA701fbod
        otbjVmqmsbf+IZVwictbYj0swWmH1WQ63acRHCHg04LLfIBs0nMfsdQ/lWiO2PO82UaAM2XPbpKO
        a1/9DsY2Habpp5qONjE=
      </ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
            bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
            ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
            CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
            BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
            AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
            RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
            Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
            QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
            cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
            /FfwWigmrW0Y0Q==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="http://openam.example.com:8080/openam" SPNameQualifier="Manage">sampleuser</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_f9a49ee4-143b-4d15-a2fe-0d431a3d09c7" NotOnOrAfter="2016-02-26T04:02:00Z" Recipient="http://ix10-simonp/ManageV9_3/SamlAuthenticate.aspx" />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2016-02-26T03:42:00Z" NotOnOrAfter="2016-02-26T04:02:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>Manage</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2016-02-26T03:52:00Z" SessionIndex="s2ae61fa7dd0d09dcc262fabac9c6e7d29fcd0d401">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="givenName">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Sample</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="IsMemberOf">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=Sales,ou=groups,dc=openam,dc=forgerock,dc=org</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=Infiniti_Administrator,ou=groups,dc=openam,dc=forgerock,dc=org</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=IT,ou=groups,dc=openam,dc=forgerock,dc=org</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=HR,ou=groups,dc=openam,dc=forgerock,dc=org</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="sn">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">User</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
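The checks implied by the sign-on flow described at the top of this article and by the Appendix A Response, as an added Python example (not Infiniti's code): it parses a constructed Response modelled on Appendix A, rejects it when the Issuer, Destination/InResponseTo, Audience, Recipient, validity window or signature elements are not what this Service Provider expects, and then extracts the NameID and the configured group attribute. The endpoint URL, request id and attribute name are assumptions passed in by the caller; the example only confirms that signature elements are present, because real XML-DSig verification needs a library such as xmlsec together with the certificate configured in Infiniti, never the certificate embedded in the response itself.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed sample shaped like the Appendix A Response (signature contents omitted).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="http://yourserver/Manage/SamlAuthenticate.aspx" ID="r1" InResponseTo="_req1" Version="2.0">
 <saml:Issuer>http://openam.example.com:8080/openam</saml:Issuer><ds:Signature/>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="a1" Version="2.0"><ds:Signature/><saml:Subject><saml:NameID>sampleuser</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
   InResponseTo="_req1" NotOnOrAfter="2016-02-26T04:02:00Z"
   Recipient="http://yourserver/Manage/SamlAuthenticate.aspx"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2016-02-26T03:42:00Z" NotOnOrAfter="2016-02-26T04:02:00Z">
   <saml:AudienceRestriction><saml:Audience>Manage</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="IsMemberOf">
   <saml:AttributeValue>cn=Sales,ou=groups,dc=openam,dc=forgerock,dc=org</saml:AttributeValue>
   <saml:AttributeValue>cn=Infiniti_Administrator,ou=groups,dc=openam,dc=forgerock,dc=org</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
def saml_ts(s):  # SAML timestamps are UTC ISO-8601 with a trailing Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def check_response(xml_text, issuer, entity_id, acs_url, request_id, groups_attr, now):
    """Return (problems, name_id, groups); an empty problems list means every check passed."""
    root, problems = ET.fromstring(xml_text), []
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        problems.append("issuer is not the configured Identity Provider")
    if root.get("Destination") != acs_url or root.get("InResponseTo") != request_id:
        problems.append("Destination/InResponseTo do not match the request we sent")
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        problems.append("status is not Success")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return problems + ["no assertion"], None, []
    # Presence only: the real XML-DSig check must use the certificate configured in Infiniti.
    if root.find("ds:Signature", NS) is None or a.find("ds:Signature", NS) is None:
        problems.append("response or assertion is not signed")
    cond = a.find("saml:Conditions", NS)
    if not (saml_ts(cond.get("NotBefore")) <= now < saml_ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion is outside its validity window")
    if entity_id not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        problems.append("audience does not include this Service Provider's Entity Id")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != request_id:
        problems.append("bearer SubjectConfirmationData does not match this endpoint/request")
    groups = [v.text for v in a.findall(
        f"saml:AttributeStatement/saml:Attribute[@Name='{groups_attr}']/saml:AttributeValue", NS)]
    return problems, a.findtext("saml:Subject/saml:NameID", namespaces=NS), groups
```

Run with the Manage Entity Id and the same request id the AuthnRequest carried; any non-empty problems list is the kind of failure the Troubleshooting section says Infiniti records in the database.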
 

Appendix B User Profile Mapping Fields

Setting: User Name
Description: A field to use for the Infiniti username if the default SAML NameID element does not contain a meaningful value. For example, use the email address.

Setting: Groups
Description: The attribute in which to look for the user's group memberships.

Setting: Prefix, Job Title, Organization, Last Name, Phone Number, Full Name, Fax Number, Email, Address Line 1, Address Line 2, Suburb/Town/City, State/Province/Region, Postal/Zip Code, Country
Description: Regular address and contact fields.

Setting: Culture
Description: A culture code to use, for example en-AU, zh-CN, es, etc.

Setting: Language
Description: A language to use; it must be supported by Infiniti. Possible values:

ar
zh-cn
zh-tw
nl
en
en-us
fr
fr-ca
de
ko
pt
es
th

Setting: Time Zone
Description: An appropriate user time zone. Possible values:

Dateline Standard Time
UTC-11
Samoa Standard Time
Hawaiian Standard Time
Alaskan Standard Time
Pacific Standard Time (Mexico)
Pacific Standard Time
US Mountain Standard Time
Mountain Standard Time (Mexico)
Mountain Standard Time
Central America Standard Time
Central Standard Time
Central Standard Time (Mexico)
Canada Central Standard Time
SA Pacific Standard Time
Eastern Standard Time
US Eastern Standard Time
Venezuela Standard Time
Paraguay Standard Time
Atlantic Standard Time
Central Brazilian Standard Time
SA Western Standard Time
Pacific SA Standard Time
Newfoundland Standard Time
E. South America Standard Time
Argentina Standard Time
SA Eastern Standard Time
Greenland Standard Time
Montevideo Standard Time
UTC-02
Mid-Atlantic Standard Time
Azores Standard Time
Cape Verde Standard Time
Morocco Standard Time
UTC
GMT Standard Time
Greenwich Standard Time
W. Europe Standard Time
Central Europe Standard Time
Romance Standard Time
Central European Standard Time
W. Central Africa Standard Time
Namibia Standard Time
Jordan Standard Time
GTB Standard Time
Middle East Standard Time
Egypt Standard Time
Syria Standard Time
South Africa Standard Time
FLE Standard Time
Israel Standard Time
E. Europe Standard Time
Arabic Standard Time
Arab Standard Time
Russian Standard Time
E. Africa Standard Time
Iran Standard Time
Arabian Standard Time
Azerbaijan Standard Time
Mauritius Standard Time
Georgian Standard Time
Caucasus Standard Time
Afghanistan Standard Time
Ekaterinburg Standard Time
Pakistan Standard Time
West Asia Standard Time
India Standard Time
Sri Lanka Standard Time
Nepal Standard Time
Central Asia Standard Time
Bangladesh Standard Time
N. Central Asia Standard Time
Myanmar Standard Time
SE Asia Standard Time
North Asia Standard Time
China Standard Time
North Asia East Standard Time
Singapore Standard Time
W. Australia Standard Time
Taipei Standard Time
Ulaanbaatar Standard Time
Tokyo Standard Time
Korea Standard Time
Yakutsk Standard Time
Cen. Australia Standard Time
AUS Central Standard Time
E. Australia Standard Time
AUS Eastern Standard Time
West Pacific Standard Time
Tasmania Standard Time
Vladivostok Standard Time
Central Pacific Standard Time
New Zealand Standard Time
UTC+12
Fiji Standard Time
Kamchatka Standard Time
Tonga Standard Time
 

Keywords

SAML configuration authentication usergroup