IdP Connector Configuration Examples
In the configuration examples below we assume the following settings:
•ESA installation URL: https://esa.test.local:44322/
•Path Name configured in the ESA Identity Provider Connector (ESA IdP Connector): test
Links to configuration examples below: OpenAM, Okta, Azure AD, AD FS, Shibboleth, Dropbox, Confluence
Identity Providers
OpenAM
Configure ESA IdP Connector
1.Follow the generic instruction on configuring IdP Connector in ESA Web Console.
2.In section Original Identity Provider > Configuration from the original Identity Provider, set the Metadata URL to
https://<OpenAM_FQDN>/openam/saml2/jsp/exportmetadata.jsp?entityid=https://<OpenAM_FQDN>/openam&realm=/
<OpenAM_FQDN> must be replaced with the domain name you specified when creating the hosted IdP in the OpenAM console.
3.If the Validate original Identity Provider certificate and Check original Identity Provider Certificate revocation options are selected in the Advanced Settings of the ESA IdP Connector configuration, the OpenAM signing certificate must be configured as trusted on the machine where ESA IdP Connector is installed (for example, by adding it to the Trusted People store).
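The certificate-validation options above only help if the certificate you mark as trusted is the one the original Identity Provider actually advertises in its metadata. The following script is an added example, not part of ESA, OpenAM or any other product on this page: it parses a SAML 2.0 metadata document (a constructed sample is embedded; its certificate body "YWJj" is a placeholder, not a real X.509 certificate), reports the entityID, the endpoints and the SHA-256 fingerprint of every published signing certificate for comparison with the certificate imported into Trusted People, and lists conditions an operator should resolve before enabling validation. It handles both IdP and SP metadata, so it can also be pointed at the metadata a service provider hands you later on this page.

```python
"""Inspect SAML 2.0 metadata before trusting it (added example, not ESA code)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP metadata. "YWJj" is base64 of b"abc", a placeholder
# standing in for a real DER certificate.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        YWJj
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fingerprint_sha256(der: bytes) -> str:
    """Lowercase hex SHA-256 of DER bytes, the value most consoles show as the thumbprint."""
    return hashlib.sha256(der).hexdigest()


def inspect_metadata(xml_text: str) -> dict:
    """Return entityID plus, per role, certificate fingerprints and endpoints."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    info = {"entity_id": root.get("entityID"), "roles": {}}
    for role_tag, endpoint_tag in (("IDPSSODescriptor", "SingleSignOnService"),
                                   ("SPSSODescriptor", "AssertionConsumerService")):
        role = root.find("md:" + role_tag, NS)
        if role is None:
            continue
        certs = {"signing": [], "encryption": []}
        for kd in role.findall("md:KeyDescriptor", NS):
            # A KeyDescriptor without a 'use' attribute serves both purposes.
            uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
            for cert in kd.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                for use in uses:
                    certs[use].append(fingerprint_sha256(der))
        info["roles"][role_tag] = {
            "certs": certs,
            "endpoints": {e.get("Binding"): e.get("Location")
                          for e in role.findall("md:" + endpoint_tag, NS)},
            # Raw attribute values (None when absent): who signs what.
            "want_authn_requests_signed": role.get("WantAuthnRequestsSigned"),
            "authn_requests_signed": role.get("AuthnRequestsSigned"),
        }
    return info


def review(info: dict) -> list:
    """Conditions to resolve before switching on certificate or signature validation."""
    findings = []
    for name, role in info["roles"].items():
        if not role["certs"]["signing"]:
            findings.append(name + ": no signing certificate published, signed messages cannot be verified")
        for binding, loc in role["endpoints"].items():
            if not (loc or "").startswith("https://"):
                findings.append("%s: endpoint %r (%s) is not HTTPS" % (name, loc, binding))
        if name == "SPSSODescriptor" and role["authn_requests_signed"] != "true":
            findings.append("SPSSODescriptor: AuthnRequestsSigned not asserted; the connector's "
                            "'Check signature of requests from the Service Provider' option must stay off")
    return findings


if __name__ == "__main__":
    report = inspect_metadata(SAMPLE_IDP_METADATA)
    print("entityID:", report["entity_id"])
    for name, role in report["roles"].items():
        print(name, role["endpoints"])
        for fp in role["certs"]["signing"]:
            print("  signing cert SHA-256:", fp)
    for finding in review(report):
        print("WARNING:", finding)
```

Feed it the document retrieved from the Metadata URL and compare the printed fingerprint with the thumbprint of the certificate you are about to add to Trusted People; a mismatch means you are trusting something other than what the IdP signs with.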
Configure OpenAM
1.Log in to OpenAM.
2.In Realms, select a realm, then select Create SAML v2 Providers.
3.Click Register Remote Service Provider.
4.Type the metadata URL gained from ESA:
a.In ESA Web Console navigate to Components > Identity Provider Connector > select the configured IdP Connector > Original Identity Provider > Configuration to the original Identity Provider > Metadata URL. In our example: https://esa.test.local:44322/test/metadata/ToIdentityProvider
5.In Circle of Trust:
a.Select Add to existing.
b.Select the Existing Circle of Trust where your Hosted Identity Provider belongs.
6.Navigate to Federation > Entity Providers > select the identity provider being used > Name ID Format.
7.Assign a value to Name ID Value Map if there is none.
8.Import the ESA IdP Connector certificates into OpenAM using the keytool command line tool:
keytool -importcert -alias esa_signing -keystore <openam_keystore.jks> -file <esa_signing_certificate>
keytool -importcert -alias esa_decryption -keystore <openam_keystore.jks> -file <esa_decryption_certificate>
In the commands above, replace <openam_keystore.jks>, <esa_signing_certificate> and <esa_decryption_certificate> with the paths to the corresponding files.
Okta
Configure ESA IdP Connector
1.Follow the generic instruction on configuring IdP Connector in ESA Web Console.
2.In section Original Identity Provider > Configuration from the original Identity Provider, set the Metadata URL to the URL you will retrieve from Okta when its configuration is complete:
a.Log in to the created Okta application as an administrator.
b.Select the Sign On tab, right-click the Identity Provider metadata in the Settings section and copy its link address (link location).
3.If the Validate original Identity Provider certificate and Check original Identity Provider Certificate revocation options are selected in the Advanced Settings of the ESA IdP Connector configuration, the Okta signing certificate must be configured as trusted on the machine where ESA IdP Connector is installed (for example, by adding it to the Trusted People store).
Configure Okta
1.Log in to Okta Admin account.
2.Navigate to Applications > Applications.
3.Click Add Application, then click Create New App.
4.Select Web as the Platform and SAML 2.0 as the Sign on method.
5.Click Create.
6.When configuring the App:
a.Single sign-on URL—retrieve the URL from ESA Web Console when configuring ESA IdP Connector:
i. Original Identity Provider > Configuration to the Original Identity Provider > Sign-on URL. In our example:
https://esa.test.local:44322/test/Auth/LoginResponse
b.Audience URI (SP Entity ID)—retrieve the corresponding value from ESA Web Console when configuring ESA IdP Connector:
i.Original Identity Provider > Configuration to the Original Identity Provider > Identifier. In our example:
https://esa.test.local:44322/test/
c.In SAML Settings, select Email for Application username.
Microsoft Entra ID
Prerequisites:
•Installed ESA core with Identity Provider Connector.
•Azure account.
Configure Microsoft Entra ID
1.Log in to Azure portal.
2.Navigate to Microsoft Entra ID > Enterprise applications > New Application > Create your own application and enter your desired name of the application.
3.Click Integrate any other application you don't find in the gallery (Non-gallery) > Create.
4.In the Manage section in the left-side menu click Single sign-on > SAML:
a.In SAML Certificates window copy App Federation Metadata Url.
5.Open ESA/ESAC, navigate to Components > Identity Provider Connector and click the Create new identity provider configuration button:
a.Fill in Configuration Name.
b.In 2FA Settings leave both check boxes selected.
c.In Original Identity Provider leave the Use metadata selected.
d.In the Metadata URL paste the App Federation Metadata Url that was copied in step 5.
6.In Azure > Microsoft Entra ID > Enterprise applications > Manage > Single sign-on > SAML in Basic SAML Configuration window click Edit:
a.Configure the following fields based on information retrieved from ESA IdP Connector configuration:
b.Identifier (Entity ID)—use the value from Original Identity Provider > Configuration to the Original Identity Provider > Identifier. In our example: https://esa.test.local:44322/test
c.Reply URL (Assertion Consumer Service URL)—use the value from Original Identity Provider > Configuration to the Original Identity Provider > Sign-on response URL. In our example: https://esa.test.local:44322/test/Auth/LoginResponse
d.Logout Url—use the value from Original Identity Provider > Configuration to the Original Identity Provider > Logout response URL. In our example: https://esa.test.local:44322/test/Auth/LogoutResponse
e.Click Save button.
f.In SAML Certificate window click Download next to Certificate (Raw).
7.If the Validate original Identity Provider certificate and Check original Identity Provider Certificate revocation options are selected in the Advanced Settings of the ESA IdP Connector configuration, the Azure signing certificate must be configured as trusted on the machine where ESA IdP Connector is installed (for example, by adding it to the Trusted People store).
8.In Azure > Microsoft Entra ID > Enterprise applications > Manage > Users and groups > Add user/group > Users and groups > None Selected:
a.Search for the user you want to add and select the check box next to that user. Click the Select button, then click the Assign button.
b.In Azure > Microsoft Entra ID > Enterprise applications > Manage > Single sign-on > SAML > Test single sign-on window, click the Test button. A new tab confirming the user login opens.
AD FS
Configure ESA IdP Connector
1.Follow the generic instruction on configuring IdP Connector in ESA Web Console.
2.In section Original Identity Provider > Configuration from the original Identity Provider, set the Metadata URL to
https://<AD FS_FQDN>/FederationMetadata/2007-06/FederationMetadata.xml
where <AD FS_FQDN> has to be replaced with the domain name of your AD FS server.
3.If the Validate original Identity Provider certificate and Check original Identity Provider Certificate revocation options are selected in the Advanced Settings of the ESA IdP Connector configuration, the AD FS signing certificate must be configured as trusted on the machine where ESA IdP Connector is installed (for example, by adding it to the Trusted People store).
Configure AD FS
1.Open AD FS Management.
2.Click Trust Relationships > Relying Party Trusts > Add Relying Party Trust.
3.Select Claims Aware, click Start.
4.Select Import data about the relying party published online or on a local network, and type into the Federation metadata address (host name URL) field the metadata URL provided in ESA IdP Connector:
a.Original Identity Provider > Configuration to the Original Identity Provider > Metadata URL
5.Complete the configuration.
6.When you click Close in the Finish page, the Edit Claim Rules dialog box opens automatically.
7.Select Issuance Transform Rules tab, click Add Rule.
8.From Claim rule template, select Send LDAP Attributes as Claims, click Next.
9.From Attribute store, select Active Directory.
10.Select User-Principal-Name for LDAP Attribute, and Name ID for Outgoing Claim.
11.Click Finish, then click OK in the Edit Claim Rules dialog box.
12.Apply the following configuration through PowerShell (this turns off revocation checking of the ESA IdP Connector signing and encryption certificates for this relying party trust only; the certificates themselves are still imported and trusted in step 13):
Set-AdfsRelyingPartyTrust -TargetName "<relying_party_name>" -SigningCertificateRevocationCheck None
Set-AdfsRelyingPartyTrust -TargetName "<relying_party_name>" -EncryptionCertificateRevocationCheck None
In the commands above, replace <relying_party_name> with the name of the Relying Party Trust you configured in the previous steps.
13.Download certificates from ESA IdP Connector, section Original Identity Provider > Configuration from the original Identity Provider, and import them to the Windows certificate store to make them trusted.
Shibboleth
Configure ESA IdP Connector
1.Follow the generic instruction on configuring IdP Connector in ESA Web Console.
2.In section Original Identity Provider > Configuration from the original Identity Provider, set the Metadata URL to
file://C:\Program Files (x86)\Shibboleth\IdP\metadata\idp-metadata.xml
if ESA IdP Connector is installed on the same machine as Shibboleth. Otherwise, copy the idp-metadata.xml file of Shibboleth to the computer where ESA IdP Connector is installed and refer to that path.
3.If the Validate original Identity Provider certificate and Check original Identity Provider Certificate revocation options are selected in the Advanced Settings of the ESA IdP Connector configuration, the Shibboleth signing certificate (located at C:\Program Files (x86)\Shibboleth\IdP\credentials\idp-signing.crt by default) must be configured as trusted on the machine where ESA IdP Connector is installed (for example, by adding it to the Trusted People store).
Configure Shibboleth
1.Download the ESA IdP Connector metadata file from the URL provided in ESA IdP Connector:
a.Original Identity Provider > Configuration to the Original Identity Provider > Metadata URL
b.Save it on the computer where Shibboleth is installed and refer to its location in "C:\Program Files (x86)\Shibboleth\IdP\conf\metadata-providers.xml":
<MetadataProvider id="sp-metadata" xsi:type="FilesystemMetadataProvider" metadataFile="<metadata_xml_file_from_esa>"/>
In the element above, <metadata_xml_file_from_esa> refers to the path of the downloaded ESA IdP Connector metadata file.
2.Configure Shibboleth to send a value that identifies the user, in email format, as the NameID. For example, to use the mail LDAP attribute:
a.Add the following generator to the shibboleth.SAML2NameIDGenerators list in "C:\Program Files (x86)\Shibboleth\IdP\conf\saml-nameid.xml":
<bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:omitQualifiers="true" p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:attributeSourceIds="#{ {'mail'} }" />
b.Add to "C:\Program Files (x86)\Shibboleth\IdP\conf\saml-nameid.properties":
idp.nameid.saml2.default = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Keycloak
Configure ESA IdP Connector
1.Follow the generic instruction on configuring IdP Connector in ESA Web Console.
2.In section Original Identity Provider > Configuration from the original Identity Provider, set the Metadata URL to
https://<keycloak>/auth/realms/<realm>/protocol/saml/descriptor
In the URL above, replace <keycloak> with the domain name (and port) of your Keycloak instance and <realm> with the corresponding realm name.
3.If the Validate original Identity Provider certificate and Check original Identity Provider Certificate revocation options are selected in the Advanced Settings of the ESA IdP Connector configuration, the Keycloak signing certificate must be configured as trusted on the machine where ESA IdP Connector is installed (for example, by adding it to the Trusted People store).
Configure Keycloak
1.Download the ESA IdP Connector metadata as an XML file from ESA Web Console:
a.Open the metadata URL found at Components > Identity Provider Connector > select the configured IdP Connector > Original Identity Provider > Configuration to the Original Identity Provider > Metadata URL in a browser.
b.Press CTRL + S, select "XML" for Save as type if available, click Save.
2.Log in to Keycloak admin console.
3.Click Clients > Create.
4.Next to Import, click Select file, browse for the metadata .xml file downloaded in step 1.
5.From Client Protocol, select SAML.
6.Complete the rest of the fields and click Save.
7.In the Settings tab of the created client, turn off Sign Assertions.
8.From Name ID Format, select email.
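Both the Shibboleth NameID generator configuration above and the Keycloak Name ID Format setting in step 8 exist so that the assertion the original Identity Provider returns carries an email-format NameID addressed to the ESA IdP Connector. The following script is an added example, not ESA, Shibboleth or Keycloak code: it checks a SAML assertion for exactly those properties (emailAddress NameID format, an email-shaped value, an Audience equal to the connector identifier, a Recipient equal to the LoginResponse URL, and a current validity window), using the identifier and Sign-on response URL from this page's example installation as the expected values. The embedded assertion and its issuer URL are constructed for the example, and the script deliberately does not verify the XML signature; that remains the job of the SAML stack that consumes the assertion.

```python
"""Check the assertion fields the ESA IdP Connector setup relies on (added example, not ESA code)."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Values the page's example ESA IdP Connector publishes (path name "test").
EXPECTED_AUDIENCE = "https://esa.test.local:44322/test"
EXPECTED_RECIPIENT = "https://esa.test.local:44322/test/Auth/LoginResponse"

# Constructed sample assertion, shaped like what the IdP emits once the 'mail'
# attribute is mapped to an emailAddress NameID. The Signature element is omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" IssueInstant="2024-05-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z"
          Recipient="https://esa.test.local:44322/test/Auth/LoginResponse"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://esa.test.local:44322/test</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text: str, now_utc: str = None,
                    audience: str = EXPECTED_AUDIENCE,
                    recipient: str = EXPECTED_RECIPIENT) -> list:
    """Return a list of findings; an empty list means every check passed.

    now_utc is a SAML-style timestamp string; None means the current time.
    """
    now = _ts(now_utc) if now_utc else datetime.now(timezone.utc)
    findings = []
    a = ET.fromstring(xml_text)

    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("no NameID in Subject")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            findings.append("NameID format is %r, expected emailAddress" % name_id.get("Format"))
        if not EMAIL_RE.match(name_id.text or ""):
            findings.append("NameID value %r is not an email address" % name_id.text)

    audiences = [e.text for e in a.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        findings.append("audience %r does not include %s" % (audiences, audience))

    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != recipient:
        findings.append("Recipient does not match the Sign-on response URL")

    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _ts(not_before):
            findings.append("assertion not yet valid")
        if not_on_or_after and now >= _ts(not_on_or_after):
            findings.append("assertion expired")
    return findings


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "2024-05-01T12:01:00Z") or "OK")
```

If the NameID comes back in another format (for example "unspecified" or "persistent"), the generator or client setting from the steps above is not taking effect, and the connector will not receive a usable user identity even though signature validation passes.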
Service Providers
Dropbox
Configure ESA IdP Connector
1.Follow the generic instruction on configuring IdP Connector in ESA Web Console.
2.When you add a service provider, select Configure manually in the Configuration from the Service Provider section.
3.For Issuer, type http://Dropbox.
4.Set the Single Sign-on Destination to https://www.dropbox.com/saml_login.
5.Copy the Sign-on URL and Logout URL to a text file, and export the Signing Certificate for later use when configuring your Service Provider.
6.In Advanced Security Settings, deselect Check signature of requests from the Service Provider.
Configure Dropbox
1.Log in to Dropbox as administrator.
2.Navigate to Settings > Single sign-on.
3.Type into the Sign-in URL field the Sign-on URL you copied from the configured ESA IdP Connector.
4.Type into the Sign-out URL field the Logout URL you copied from the configured ESA IdP Connector.
5.For X.509 Certificate, import the Signing Certificate you exported previously from the configured ESA IdP Connector.
Confluence
Configure ESA IdP Connector
1.Follow the generic instruction on configuring IdP Connector in ESA Web Console.
2.When you add a service provider, select Configure manually in the Configuration from the Service Provider section.
3.For Issuer, copy and paste the URL address found in Confluence admin console at SAML Authentication > Audience URL (Entity ID).
4.For Single Sign-on Destination, copy and paste the URL address found in Confluence admin console at SAML Authentication > Assertion Consumer Service URL.
5.Copy the Identifier and Sign-on URL to a text file, and export the Signing Certificate for later use when configuring your Service Provider.
6.In Advanced Security Settings, deselect Check signature of requests from the Service Provider.
Configure Confluence
1.Log in to Confluence as administrator.
2.Click SAML Authentication.
3.In the SAML SSO 2.0 settings section:
a.Type into the Single sign-on Issuer field the Identifier you copied from the ESA IdP Connector.
b.Type into the Identity provider single sign-on URL field the Sign-on URL you copied from ESA IdP Connector.
c.Copy and paste into X.509 Certificate field the content of Signing Certificate you exported from ESA IdP Connector.