Online Help

SafeNet Trusted Access for ForgeRock OpenAM

Overview

Configuring SafeNet Trusted Access for ForgeRock OpenAM is a three-step process:

1. ForgeRock OpenAM setup

2. SafeNet Trusted Access setup

3. Verify authentication

ForgeRock OpenAM Setup

As a prerequisite, download the Identity Provider metadata from the SafeNet Trusted Access console by clicking the Download metadata file button. You will need this metadata in one of the steps given below.

Configuring SafeNet Trusted Access as your Identity Provider in ForgeRock OpenAM requires:

Creating a circle of trust

Creating a hosted service provider

Registering a remote identity provider

Configuring the hosted service provider

Configuring the remote identity provider

Configuring modules

Configuring an authentication chain

Creating a Circle of Trust

Perform the following steps to create a circle of trust:

1. Log in to ForgeRock OpenAM as an administrator using the URL http://<Domain Name>:8080/<OpenAM Application Name>/console.

Where,

<Domain Name> is the domain name of the client machine.

<OpenAM Application Name> is the name of the ForgeRock OpenAM application deployed on the Apache server.

2. On the ForgeRock OpenAM home page, click the FEDERATION tab.

3. Under Circle of Trust, click New.

4. On the Create Circle of Trust window, in the Name field, enter a name for the circle of trust (for example, SafeNet IDP), and click OK.

Creating a Hosted Service Provider

Perform the following steps to create a hosted service provider:

1. On the ForgeRock OpenAM home page, on the REALMS tab, click on the Top Level Realm tile.

2. In the right pane, under Realm Overview, click on the Create SAMLv2 Providers tile.

3. Under Create SAMLv2 Providers, click on the Create Hosted Service Provider tile.

4. Under Create a SAMLv2 Service Provider on this Server, perform the following steps:

a. In the Do you have metadata for this provider? field, ensure that No is selected.

b. Under metadata, in the Name field, ensure that http://<Domain Name>:8080/<OpenAM Application Name> is entered.

Where,

<Domain Name> is the domain name of the client machine.

<OpenAM Application Name> is the name of the ForgeRock OpenAM application deployed on the Apache server.

For example, http://openam.test.com:8080/openam

c. Under Circle of Trust, in the Existing Circle of Trust field, ensure that the circle of trust that you entered in step 4 of Creating a Circle of Trust (for example, SafeNet IDP) is selected.

Note: The SP and the IDP must both be in the same Circle of Trust for all SAML communications.

d. Under Attribute Mapping, ensure that the Use default attribute mapping from Identity Provider check box is selected.

e. On the top right-hand corner of the window, click Configure.

5. A window is displayed. Click No.

Registering a Remote Identity Provider

Perform the following steps to register a remote identity provider:

1. On the ForgeRock OpenAM home page, on the REALMS tab, click on the Top Level Realm tile.

2. Under Realm Overview, click on the Create SAMLv2 Providers tile.

3. Under Create SAMLv2 Providers, click on the Register Remote Identity Provider tile.

4. Under Create a SAMLv2 Remote Identity Provider, perform the following steps:

a. In the Where does the metadata file reside? field, select the File option.

b. Click Upload to upload the identity provider metadata that you downloaded earlier from the SafeNet Trusted Access console.

5. Under Circle of Trust, in the Existing Circle of Trust field, ensure that your circle of trust name (for example, SafeNet IDP) is selected.

Note: The SP and the IDP must be in the same Circle of Trust for all SAML communications.

6. On the top right-hand corner of the window, click Configure.

7. A window is displayed. Click OK.

Configuring the Hosted Service Provider

Perform the following steps to configure the hosted service provider:

1. On the ForgeRock OpenAM home page, click the FEDERATION tab.

2. Under Entity Providers, in the Name column, click the service provider that you created earlier in step 4 of Creating a Hosted Service Provider (for example, http://openam.test.com:8080/openam).

3. On the SP window, perform the following steps:

a. On the Assertion Content tab, scroll down to the NameID Format section.

b. In the Current Values field, remove all entries except the following:

urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

c. Scroll down to the Authentication Context section. In the Default Authentication Context field, select unspecified.

d. In the Authentication Context table, ensure that only the unspecified option is selected.

e. Click Save.

f. Click the Assertion Processing tab.

g. Scroll down to the Account Mapper section and select the Use Name ID as User ID check box.

h. Click Save.

i. Click the Services tab.

j. Scroll down to the SP Service Attributes section.

k. Under Assertion Consumer Service, in the table, ensure that only the HTTP-POST type is selected and change its Location to http://<Domain Name>:8080/<OpenAM Application Name>/AuthConsumer/metaAlias/sp (for example, http://openam.test.com:8080/openam/AuthConsumer/metaAlias/sp).

l. Click Save.

Configuring the Remote Identity Provider

Perform the following steps to configure the remote identity provider:

1. On the ForgeRock OpenAM home page, click the FEDERATION tab.

2. Under Entity Providers, in the Name column, click the identity provider that you registered earlier in the Registering a Remote Identity Provider section.

3. On the IDP window, perform the following steps:

a. On the Assertion Content tab, under Signing and Encryption, clear the Authentication Request check box.

b. Scroll down to the NameID Format section. In the Current Values field, remove all entries except the following:

urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

c. Click Save.

Configuring Modules

Perform the following steps to configure modules:

1. On the ForgeRock OpenAM home page, on the REALMS tab, click on the Top Level Realm tile.

2. In the left pane, click Authentication > Modules.

3. In the right pane, under Authentication Modules, click Add Module.

4. On the Create new Module window, perform the following steps:

a. In the Module Name field, enter a name for the module (for example, SAMLModule).

b. In the Type field, select SAML2.

c. Click Create.

5. Under <Module Name>, where <Module Name> is the name of the module that you created in the previous step, perform the following steps:

a. In the IdP Entity ID field, enter the IdP entity ID.

The IdP Entity ID value is the entityID attribute of the EntityDescriptor tag in the Identity Provider metadata that you downloaded earlier from the SafeNet Trusted Access console.

b. In the Request Binding field, select HTTP-POST.

c. In the Response Binding field, select HTTP-POST.

d. In the Single Logout Enabled field, select true.

e. In the Single Logout URL field, enter the URL http://<Domain Name>:8080/<OpenAM Application Name>/XUI/#logout/.

Where,

<Domain Name> is the domain name of the client machine.

<OpenAM Application Name> is the name of the OpenAM application specified when deploying it on the Apache server.

For example, http://openam.test.com:8080/openam/XUI/#logout

f. Click Save Changes.

Configuring an Authentication Chain

Perform the following steps to configure an authentication chain:

1. On the ForgeRock OpenAM home page, on the REALMS tab, click on the Top Level Realm tile.

2. In the left pane, click Authentication > Chains.

3. In the right pane, under Authentication Chains, click +Add Chain.

4. On the Create new chain window, in the Chain Name field, enter a name for the authentication chain (for example, SAMLChain), and click Create.

5. Under <Chain Name>, where <Chain Name> is the name of the chain that you created in the previous step, on the Edit Chain tab, click +Add Module.

6. On the New Module window, perform the following steps:

a. In the Select Module field, select the SAML module (for example, SAMLModule).

b. In the Select Criteria field, select Required.

c. Click OK.

7. Click Save Changes.

8. In the left pane, click Authentication > Settings.

9. In the right pane, under Authentication Settings, perform the following steps:

a. On the Core tab, in the Organization Authentication Configuration field, select the authentication chain that you created earlier in step 4 (for example, SAMLChain).

b. Click Save Changes.

c. Click the Post Authentication Processing tab. In the Authentication Post Processing Classes field, enter the following string:

org.forgerock.openam.authentication.modules.saml2.SAML2PostAuthenticationPlugin

d. Click Save Changes.

Obtaining ForgeRock OpenAM Metadata

Perform the following steps to download the ForgeRock OpenAM metadata:

1. In a web browser, open the following URL:

http://<Domain Name>:8080/<OpenAM Application Name>/saml2/jsp/exportmetadata.jsp

Where,

<Domain Name> is the domain name of the client machine.

<OpenAM Application Name> is the name of the OpenAM application specified when deploying it on the Apache server.

For example, http://openam.test.com:8080/openam/saml2/jsp/exportmetadata.jsp

2. The metadata is displayed. Copy the metadata into a text editor and save it as a .xml file on your local machine.
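The two metadata documents exchanged in this guide are the only place where the settings above become visible outside the console: the IdP Entity ID entered in step 5a of Configuring Modules is the entityID attribute of the EntityDescriptor tag in the SafeNet Trusted Access download, and the NameID format and HTTP-POST Assertion Consumer Service chosen in steps 3b and 3k of Configuring the Hosted Service Provider appear in the file exported from exportmetadata.jsp. The script below is an added example, not code from SafeNet or ForgeRock: it reads the IdP entity ID and signing certificate from IdP metadata, and reports where an exported SP descriptor still differs from the settings this guide asks for. The IDP_METADATA, SP_METADATA and SP_UNCONFIGURED strings are constructed samples; the hostnames, entity IDs, certificate text and the /Consumer/metaAlias/sp path in the unconfigured sample are placeholders, not values taken from any real deployment.

```python
"""Check SAML metadata against the settings configured in this guide.

Added example, not part of the SafeNet Trusted Access or ForgeRock OpenAM
documentation. All three metadata strings are constructed samples.
"""
import sys
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ACS_SUFFIX = "/AuthConsumer/metaAlias/sp"   # Location required by step 3k

# Constructed sample shaped like an STA identity provider metadata download.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.invalid/saml/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERTIFICATE</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.invalid/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: an OpenAM SP export after steps 3b and 3k were applied.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://openam.test.com:8080/openam">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService isDefault="true" index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://openam.test.com:8080/openam/AuthConsumer/metaAlias/sp"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: the same SP before steps 3b and 3k (extra NameID format,
# an HTTP-Artifact consumer, and a placeholder Location on the HTTP-POST one).
SP_UNCONFIGURED = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://openam.test.com:8080/openam">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://openam.test.com:8080/openam/Consumer/metaAlias/sp"/>
    <md:AssertionConsumerService isDefault="true" index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://openam.test.com:8080/openam/Consumer/metaAlias/sp"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _root(xml_text):
    """Parse and confirm the document is a single md:EntityDescriptor."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    return root


def idp_entity_id(xml_text):
    """Value for the IdP Entity ID field: the entityID attribute of EntityDescriptor."""
    return _root(xml_text).get("entityID")


def idp_summary(xml_text):
    """HTTP-POST SSO endpoint, presence of a signing certificate (used to verify
    the STA response signature) and the NameID formats the IdP offers."""
    root = _root(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    post_sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                if s.get("Binding") == HTTP_POST]
    # A KeyDescriptor with no "use" attribute is valid for both signing and encryption.
    signing = [k for k in idp.findall("md:KeyDescriptor", NS)
               if k.get("use") in (None, "signing")
               and k.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None]
    return {"entity_id": root.get("entityID"),
            "post_sso_url": post_sso[0] if post_sso else None,
            "has_signing_cert": bool(signing),
            "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)]}


def check_sp_metadata(xml_text):
    """Findings where the SP export departs from steps 3b and 3k; empty list means OK."""
    sp = _root(xml_text).find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["metadata has no SPSSODescriptor"]
    findings = []
    formats = [n.text.strip() for n in sp.findall("md:NameIDFormat", NS)]
    if formats != [PERSISTENT]:
        findings.append("NameIDFormat must be persistent only, found %s" % formats)
    acs = sp.findall("md:AssertionConsumerService", NS)
    for svc in acs:
        binding, location = svc.get("Binding"), svc.get("Location", "")
        if binding != HTTP_POST:
            findings.append("unexpected AssertionConsumerService binding %s" % binding)
        elif not location.endswith(ACS_SUFFIX):
            findings.append("HTTP-POST consumer %s does not end with %s" % (location, ACS_SUFFIX))
    if not any(svc.get("Binding") == HTTP_POST for svc in acs):
        findings.append("no HTTP-POST AssertionConsumerService")
    return findings


def non_tls_endpoints(xml_text):
    """Endpoint Locations served over plain http://, which carry SAML messages in
    the clear; the guide's examples use http on port 8080 only for illustration."""
    return [el.get("Location") for el in _root(xml_text).iter()
            if el.get("Location", "").startswith("http://")]


if __name__ == "__main__":
    # Usage: python check_metadata.py [idp.xml] [sp.xml]; defaults to the samples.
    idp_xml = open(sys.argv[1]).read() if len(sys.argv) > 1 else IDP_METADATA
    sp_xml = open(sys.argv[2]).read() if len(sys.argv) > 2 else SP_METADATA
    print("IdP Entity ID:", idp_entity_id(idp_xml))
    print("IdP summary:", idp_summary(idp_xml))
    print("SP findings:", check_sp_metadata(sp_xml) or "none")
    print("Plain-http endpoints:", non_tls_endpoints(idp_xml) + non_tls_endpoints(sp_xml))
```

Run it against the real downloads by passing the STA metadata file and the saved exportmetadata.jsp output as the two arguments. An empty findings list for the SP file confirms that the console changes from steps 3b and 3k actually took effect, and the non-TLS list is worth checking before the same metadata is uploaded to SafeNet Trusted Access in the next section.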

SafeNet Trusted Access Setup

After completing the first step, configuring SafeNet Trusted Access in ForgeRock OpenAM, the second step is to activate the ForgeRock OpenAM application in SafeNet Trusted Access by performing the following steps:

1. In the Applications pane, you will notice that the ForgeRock OpenAM application that you added previously is in an inactive state by default. To configure and activate this application, click the application (for example, ForgeRock OpenAM) and proceed to the next step.

2. Under STA Setup, click Upload ForgeRock OpenAM Metadata.

3. On the Metadata upload window, click Browse to search for and select the ForgeRock OpenAM metadata that you obtained earlier in the Obtaining ForgeRock OpenAM Metadata section.

Under Account details, the service provider metadata information is displayed.

4. Under User Portal Settings, in the SERVICE LOGIN URL field, enter the URL of the ForgeRock OpenAM application. For example: http://openam.test.com:8080/openam

5. Click Save Configuration to save the details and activate the ForgeRock OpenAM application in SafeNet Trusted Access.

Verify Authentication

Using STA Console

Navigate to the ForgeRock OpenAM login URL, http://<Domain Name>:8080/<OpenAM Application Name>/XUI/#login/&module=<Module Name>.

Where,

<Domain Name> is the domain name of the client machine.

<OpenAM Application Name> is the name of the OpenAM application specified when deploying it on the Apache server.

<Module Name> is the name of the module that you created earlier in step 4 of Configuring Modules.

For example: http://openam.test.com:8080/openam/XUI/#login/&module=SAMLModule.

You will be redirected to the SafeNet Trusted Access sign-in page. Enter your primary directory login information, approve the two-factor authentication, and you should be redirected to the ForgeRock OpenAM application after authentication.

Using STA User Portal

Navigate to the User Portal URL to log in to the STA User Portal dashboard. On the dashboard, you will see a list of applications to which you have access. Click on the ForgeRock OpenAM application icon; you should be redirected to the ForgeRock OpenAM application after authentication.


© 2018 SafeNet Trusted Access. Various trademarks held by their respective owners.