Background
The XMPro Action Console supports four modes of authentication, namely:
- XMPro: Users are presented with an XMPro login screen
- Windows: The Action Console will attempt to log the user in automatically using the user’s active Windows credentials. The domain username must match the username of the user in XMPro.
- SAML 2: The Action Console will attempt to log the user in automatically using the user’s associated SAML credentials. The domain username must match the username of the user in XMPro.
- Mixed: A combination of the aforementioned ‘XMPro’, ‘Windows’ and ‘SAML2’ authentication modes. The XMWorkspace will first attempt to log the connecting user in using the user’s associated SAML2 credentials; should this fail, it falls back to the user’s Active Directory credentials.
XMPro and Windows authentication have been around for a long time in the XMPro Action Console, whereas SAML 2 authentication has been available only from XMPro v6.1. This article will focus on the configuration of SAML 2 authentication for use in the XMPro Action Console.
Windows and SAML 2 authentication are currently available only in the browser.
How to Configure
The following settings are set from the Workflow Designer that is part of the XMPro Agile Design Studio.
- On the Settings tab click on Workspace in the General section. This will open the ApplicationSettings window. Change the value of AuthenticationMode to ‘SAML2’ or ‘mixed’. It might be necessary to set the mode to ‘mixed’ to retain access when using the Workflow Designer. Click on Save or Ctrl+S to save your changes. You will be asked whether you want to reload the Server Settings; click No, as the server settings are reloaded in the last step.
- On the Settings tab click on SAML2 in the Custom Settings section. Change the ‘enabled’ value to ‘true’. The other two ‘key’ type settings are configured in the next steps.
- On the Settings tab click ServiceProvider in the Custom Settings section. It will show the following values that need setting. After setting the values, click on Save or Ctrl+S to save your changes.
- *ServiceProviderName: The provider name. Set it to the domain name of the XMPro application, e.g. xmproapplication.com
- *AssertionConsumerServiceUrl: The service provider’s assertion consumer service (ACS) URL. The ACS URL is the endpoint at which the SAML response is received.
- ServiceProviderCertificateFile: The certificate file path. The file path is either absolute or relative to the application folder.
- CertificatePassword: The certificate file password.
Fields marked (*) are required.
- On the Settings tab click on PartnerIdentityProvider in the Custom Settings section. It will show the following values that need setting. After setting the values, click on Save or Ctrl+S to save your changes.
- PartnerIdentityProviderName: The provider name that will be providing the service.
- SignAuthnRequest: A false or true value indicating whether to sign authentication requests.
- WantSAMLResponseSigned: a false or true value indicating whether SAML responses should be signed.
- WantAssertionSigned: A false or true flag indicating whether SAML assertions should be signed.
- WantAssertionEncrypted: A false or true flag indicating whether SAML assertions should be encrypted.
- SingleSignOnServiceUrl: The partner identity provider’s single sign-on service URL.
- SingleLogoutServiceUrl: The partner identity provider’s single logout service URL.
- CertificateFile: The certificate file path. The file path is either absolute or relative to the application folder.
- OverridePendingAuthnRequest: A true or false flag indicating whether a pending authentication request may be overridden and an IdP-initiated SAML response received. When a service provider sends an authentication request, it expects the SAML response it receives to come from the identity provider the request was sent to, and to be in response to that request. If this flag is false, a SAML response from a different identity provider, or one from the expected identity provider that is not in response to this authentication request, is treated as an error. If this flag is true, these restrictions do not apply, which allows an SP-initiated SSO flow to be supplanted by an IdP-initiated SSO.
All the fields are required.
- The last step is to apply the changes to the site. On the Home tab in the Deployment section click on the Reload Server Settings icon and click Yes when prompted. Please note that you might need to reset the XMPro application pool for the changes to take effect; this is normally not required.
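As an added illustration, not XMPro’s code and not a description of how the Action Console implements these settings internally, the Python below models the SAML2, ServiceProvider and PartnerIdentityProvider settings from the steps above as plain dictionaries, checks the required fields plus two weak combinations a reviewer would look for (responses and assertions both allowed to go unsigned, non-HTTPS endpoints), and implements the correlation rule that OverridePendingAuthnRequest controls. The sample values, the `idp.example.test` endpoints and the `certs\` paths are constructed placeholders.

```python
# Added example (not XMPro's own code): a minimal model of the SAML2 settings
# described in this article and of the OverridePendingAuthnRequest rule.
# Every setting value below is constructed sample data.
from dataclasses import dataclass
from typing import Optional, Tuple

# Starred (required) ServiceProvider fields, and the PartnerIdentityProvider
# fields the article says are all required.
REQUIRED_SP = ("ServiceProviderName", "AssertionConsumerServiceUrl")
REQUIRED_IDP = (
    "PartnerIdentityProviderName", "SignAuthnRequest", "WantSAMLResponseSigned",
    "WantAssertionSigned", "WantAssertionEncrypted", "SingleSignOnServiceUrl",
    "SingleLogoutServiceUrl", "CertificateFile", "OverridePendingAuthnRequest",
)

def parse_bool(value: str) -> bool:
    """The boolean settings are entered in the designer as 'true' / 'false'."""
    v = value.strip().lower()
    if v == "true":
        return True
    if v == "false":
        return False
    raise ValueError(f"expected 'true' or 'false', got {value!r}")

def lint_settings(saml2: dict, sp: dict, idp: dict) -> list:
    """Return the problems found; an empty list means the settings pass.
    Beyond the required-field rules it flags unsigned-acceptable responses
    and endpoint URLs that are not HTTPS."""
    problems = []
    if not parse_bool(saml2.get("enabled", "false")):
        problems.append("SAML2.enabled must be 'true'")
    for key in REQUIRED_SP:
        if not sp.get(key):
            problems.append(f"ServiceProvider.{key} is required")
    for key in REQUIRED_IDP:
        if not idp.get(key):
            problems.append(f"PartnerIdentityProvider.{key} is required")
    signed_flags = [idp.get("WantSAMLResponseSigned"), idp.get("WantAssertionSigned")]
    if all(signed_flags) and not any(parse_bool(f) for f in signed_flags):
        problems.append("neither the SAML response nor the assertion is required "
                        "to be signed; an unsigned response would be accepted")
    for section, settings, key in (
        ("ServiceProvider", sp, "AssertionConsumerServiceUrl"),
        ("PartnerIdentityProvider", idp, "SingleSignOnServiceUrl"),
        ("PartnerIdentityProvider", idp, "SingleLogoutServiceUrl"),
    ):
        url = settings.get(key, "")
        if url and not url.lower().startswith("https://"):
            problems.append(f"{section}.{key} should be an https URL")
    return problems

@dataclass
class PendingAuthnRequest:
    """An SP-initiated AuthnRequest the service provider is still waiting on."""
    request_id: str   # the AuthnRequest ID, echoed back by the IdP as InResponseTo
    partner_idp: str  # PartnerIdentityProviderName the request was sent to

def accept_saml_response(pending: Optional[PendingAuthnRequest], issuer: str,
                         in_response_to: Optional[str],
                         override_pending: bool) -> Tuple[bool, str]:
    """Apply the OverridePendingAuthnRequest rule to an incoming SAML response.
    Signature checks governed by the Want* flags happen separately (not modelled)."""
    if pending is None:
        # Nothing outstanding, so this is IdP-initiated SSO. The SAML 2.0 Web
        # Browser SSO profile says an unsolicited response carries no InResponseTo.
        if in_response_to:
            return False, "unsolicited response must not carry InResponseTo"
        return True, "IdP-initiated SSO accepted"
    if override_pending:
        # true: the pending request is abandoned and the response is taken as
        # IdP-initiated, whichever IdP sent it and whatever it answers.
        return True, "pending request overridden (OverridePendingAuthnRequest=true)"
    if issuer != pending.partner_idp:
        return False, f"response from {issuer!r}, expected {pending.partner_idp!r}"
    if in_response_to != pending.request_id:
        return False, "response is not for the pending AuthnRequest"
    return True, "SP-initiated response matched the pending AuthnRequest"

# Constructed sample settings mirroring the three Custom Settings entries.
SAMPLE_SAML2 = {"enabled": "true"}
SAMPLE_SP = {
    "ServiceProviderName": "xmproapplication.com",
    "AssertionConsumerServiceUrl": "https://xmproapplication.com/saml/acs",
    "ServiceProviderCertificateFile": "certs\\sp.pfx",   # relative to app folder
    "CertificatePassword": "<placeholder>",
}
SAMPLE_IDP = {
    "PartnerIdentityProviderName": "https://idp.example.test/metadata",
    "SignAuthnRequest": "true",
    "WantSAMLResponseSigned": "true",
    "WantAssertionSigned": "true",
    "WantAssertionEncrypted": "false",
    "SingleSignOnServiceUrl": "https://idp.example.test/sso",
    "SingleLogoutServiceUrl": "https://idp.example.test/slo",
    "CertificateFile": "certs\\idp.cer",
    "OverridePendingAuthnRequest": "false",
}
```

Run `lint_settings(SAMPLE_SAML2, SAMPLE_SP, SAMPLE_IDP)` before reloading server settings; with the flag at false, `accept_saml_response` rejects a response from another partner or for a different request, which is the behaviour the OverridePendingAuthnRequest description calls an error. Set the flag to true only where an IdP-initiated login must be allowed to replace an in-flight SP-initiated one.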