ESET Online Help


IdP Connector Configuration Examples

In the configuration examples below we assume the following settings:

ESA installation URL: https://esa.test.local:44322/

Path Name configured in the ESA Identity Provider Connector (ESA IdP Connector): test

Links to configuration examples below: OpenAM, Okta, Azure AD, AD FS, Shibboleth, Keycloak, Dropbox, Confluence

Identity Providers

OpenAM

Configure ESA IdP Connector

1.Follow the generic instructions on configuring the IdP Connector in ESA Web Console.

2.In section Original Identity Provider > Configuration from the original Identity Provider, set the Metadata URL to

https://<OpenAM_FQDN>/openam/saml2/jsp/exportmetadata.jsp?entityid=https://<OpenAM_FQDN>/openam&realm=/

<OpenAM_FQDN> must be replaced with the domain name you specified when creating the hosted IdP in the OpenAM console.

3.If in the Advanced Settings of ESA IdP Connector configuration, the Validate original Identity Provider certificate and Check original Identity Provider Certificate revocation options are selected, the OpenAM signing certificate must be configured as trusted on the machine where ESA IdP Connector is installed (for example, by adding it to Trusted People).

Configure OpenAM

1.Log in to OpenAM.

2.In Realms, select a realm, then select Create SAML v2 Providers.

3.Click Register Remote Service Provider.

4.Type the metadata URL obtained from ESA:

a.In ESA Web Console navigate to Components > Identity Provider Connector > select the configured IdP Connector > Original Identity Provider > Configuration to the original Identity Provider > Metadata URL. In our example: https://esa.test.local:44322/test/metadata/ToIdentityProvider

5.In Circle of Trust:

a.Select Add to existing.

b.Select the Existing Circle of Trust where your Hosted Identity Provider belongs.

6.Navigate to Federation > Entity Providers > select the identity provider being used > Name ID Format.

7.Assign a value to Name ID Value Map if there is none.

8.Import the ESA IdP Connector certificates into OpenAM using the command line tool:

keytool -importcert -alias esa_signing -keystore <openam_keystore.jks> -file <esa_signing_certificate>

keytool -importcert -alias esa_decryption -keystore <openam_keystore.jks> -file <esa_decryption_certificate>

In the commands above, <openam_keystore.jks>, <esa_signing_certificate> and <esa_decryption_certificate> have to be replaced with the paths to the corresponding files.


Okta

Configure ESA IdP Connector

1.Follow the generic instructions on configuring the IdP Connector in ESA Web Console.

2.In section Original Identity Provider > Configuration from the original Identity Provider, set the Metadata URL to the URL you will retrieve from Okta when its configuration is complete:

a.Log in to the created Okta application as an administrator.

b.Select the Sign On tab, right-click the Identity Provider metadata in the Settings section and copy its link address (link location).

3.If in the Advanced Settings of ESA IdP Connector configuration, the Validate original Identity Provider certificate and Check original Identity Provider Certificate revocation options are selected, the Okta signing certificate has to be configured as trusted on the machine where ESA IdP Connector is installed (for example, by adding it to Trusted People).

Configure Okta

1.Log in to Okta Admin account.

2.Navigate to Applications > Applications.

3.Click Add Application, then click Create New App.

4.Select Web as the Platform and SAML 2.0 as the Sign on method.

5.Click Create.

6.When configuring the App:

a.Single sign on URL—retrieve the URL from ESA Web Console when configuring ESA IdP Connector:

i.Original Identity Provider > Configuration to the Original Identity Provider > Sign-on URL. In our example:
https://esa.test.local:44322/test/Auth/LoginResponse

b.Audience URI (SP Entity ID)—retrieve the corresponding value from ESA Web Console when configuring ESA IdP Connector:

i.Original Identity Provider > Configuration to the Original Identity Provider > Identifier. In our example:
https://esa.test.local:44322/test/

c.In SAML Settings, select Email for Application username.


Azure AD

Configure ESA IdP Connector

1.Follow the generic instructions on configuring the IdP Connector in ESA Web Console.

2.In section Original Identity Provider > Configuration from the original Identity Provider, set the Metadata URL to the URL you will retrieve from Azure when its configuration is complete:

a.In the Azure portal, navigate to Azure Active Directory > Enterprise applications and select the application from the list.

b.Click Single sign-on, and copy the URL from the App Federation Metadata Url field in the SAML Signing Certificate section.

3.If in the Advanced Settings of ESA IdP Connector configuration, the Validate original Identity Provider certificate and Check original Identity Provider Certificate revocation options are selected, the Azure signing certificate has to be configured as trusted on the machine where ESA IdP Connector is installed (for example, by adding it to Trusted People). You can download the Azure signing certificate from the Azure portal:

a.Navigate to Azure Active Directory > Enterprise applications > select the application you configured for single sign-on > Single sign-on.

b.In the SAML Signing Certificate section, click Download next to Certificate (Raw).

Configure Azure AD

1.Log in to Azure portal.

2.Navigate to Azure Active Directory > Enterprise applications > New Application.

3.Click Non-gallery application.

4.In the Single sign-on section, configure the following fields based on the information retrieved from the ESA IdP Connector configuration:

a.Identifier (Entity ID)—use the value from Original Identity Provider > Configuration to the Original Identity Provider > Identifier. In our example:
https://esa.test.local:44322/test

b.Reply URL (Assertion Consumer Service URL), Sign on URL—use the value from Original Identity Provider > Configuration to the Original Identity Provider > Sign-on URL. In our example:
https://esa.test.local:44322/test/Auth/LoginResponse

c.Logout Url—use the value from Original Identity Provider > Configuration to the Original Identity Provider > Logout URL. In our example:
https://esa.test.local:44322/test/Auth/LogoutResponse


AD FS

Configure ESA IdP Connector

1.Follow the generic instructions on configuring the IdP Connector in ESA Web Console.

2.In section Original Identity Provider > Configuration from the original Identity Provider, set the Metadata URL to

https://<AD FS_FQDN>/FederationMetadata/2007-06/FederationMetadata.xml

where <AD FS_FQDN> has to be replaced with the domain name of your AD FS server.

3.If in the Advanced Settings of ESA IdP Connector configuration, the Validate original Identity Provider certificate and Check original Identity Provider Certificate revocation options are selected, the AD FS signing certificate has to be configured as trusted on the machine where ESA IdP Connector is installed (for example, by adding it to Trusted People).

Configure AD FS

1.Open AD FS Management.

2.Click Trust Relationships > Relying Party Trusts > Add Relying Party Trust.

3.Select Claims Aware, click Start.

4.Select Import data about the relying party published online or on a local network, and type into the Federation metadata address (host name URL) field the metadata URL provided in ESA IdP Connector:

a.Original Identity Provider > Configuration to the Original Identity Provider > Metadata URL

5.Complete the configuration.

6.When you click Close in the Finish page, the Edit Claim Rules dialog box opens automatically.

7.Select the Issuance Transform Rules tab, then click Add Rule.

8.From Claim rule template, select Send LDAP Attributes as Claims, click Next.

9.From Attribute store, select Active Directory.

10.Select User-Principal-Name for LDAP Attribute, and Name ID for Outgoing Claim.

11.Click Finish, then click OK in the Edit Claim Rules dialog box.

12.Apply the following configuration through PowerShell:

Set-ADFSRelyingPartyTrust -Targetname "<relying_party_name>" -SigningCertificateRevocationCheck "none"

Set-ADFSRelyingPartyTrust -Targetname "<relying_party_name>" -EncryptionCertificateRevocationCheck "none"

In the commands above, replace <relying_party_name> with the name of the Relying Party Trust you configured in the previous steps.

13.Download certificates from ESA IdP Connector, section Original Identity Provider > Configuration from the original Identity Provider, and import them to the Windows certificate store to make them trusted.


Shibboleth

Configure ESA IdP Connector

1.Follow the generic instructions on configuring the IdP Connector in ESA Web Console.

2.In section Original Identity Provider > Configuration from the original Identity Provider, set the Metadata URL to

file://C:\Program Files (x86)\Shibboleth\IdP\metadata\idp-metadata.xml

if ESA IdP Connector is installed on the same machine as Shibboleth. Otherwise, copy the idp-metadata.xml file of Shibboleth to the computer where ESA IdP Connector is installed and refer to that path.

3.If in the Advanced Settings of ESA IdP Connector configuration, the Validate original Identity Provider certificate and Check original Identity Provider Certificate revocation options are selected, the Shibboleth signing certificate (located at C:\Program Files (x86)\Shibboleth\IdP\credentials\idp-signing.crt by default) has to be configured as trusted on the machine where ESA IdP Connector is installed (for example, by adding it to Trusted People).

Configure Shibboleth

1.Download the ESA IdP Connector metadata file from the URL provided in ESA IdP Connector:

a.Original Identity Provider > Configuration to the Original Identity Provider > Metadata URL

b.Save it on the computer where Shibboleth is installed and refer to its location in "C:\Program Files (x86)\Shibboleth\IdP\conf\metadata-providers.xml":

<MetadataProvider id="sp-metadata" xsi:type="FilesystemMetadataProvider" metadataFile="<metadata_xml_file_from_esa>"/>

In the configuration above, <metadata_xml_file_from_esa> refers to the path of the downloaded ESA IdP Connector metadata file.

2.Configure Shibboleth to send a value that identifies the user, in email format, as the NameID. For example, to use the mail LDAP attribute:

a.Add the following generator to shibboleth.SAML2NameIDGenerators in "C:\Program Files (x86)\Shibboleth\IdP\conf\saml-nameid.xml":

<bean parent="shibboleth.SAML2AttributeSourcedGenerator" p:omitQualifiers="true" p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:attributeSourceIds="#{ {'mail'} }" />

b.Add to "C:\Program Files (x86)\Shibboleth\IdP\conf\saml-nameid.properties":

idp.nameid.saml2.default = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress


Keycloak

Configure ESA IdP Connector

1.Follow the generic instructions on configuring the IdP Connector in ESA Web Console.

2.In section Original Identity Provider > Configuration from the original Identity Provider, set the Metadata URL to

https://<keycloak>/auth/realms/<realm>/protocol/saml/descriptor

In the URL above, replace <keycloak> with the domain name (and port) of your Keycloak instance, and <realm> with the corresponding realm name.

3.If in the Advanced Settings of ESA IdP Connector configuration, the Validate original Identity Provider certificate and Check original Identity Provider Certificate revocation options are selected, the Keycloak signing certificate has to be configured as trusted on the machine where ESA IdP Connector is installed (for example, by adding it to Trusted People).

Configure Keycloak

1.Download the ESA IdP Connector metadata as an XML file from ESA Web Console:

a.Open the metadata URL found at Components > Identity Provider Connector > select the configured IdP Connector > Original Identity Provider > Configuration to the Original Identity Provider > Metadata URL in a browser.

b.Press CTRL + S, select "XML" for Save as type if available, click Save.

2.Log in to Keycloak admin console.

3.Click Clients > Create.

4.Next to Import, click Select file, browse for the metadata .xml file downloaded in step 1.

5.From Client Protocol, select SAML.

6.Complete the rest of the fields and click Save.

7.In the Settings tab of the created client, turn off Sign Assertions.

8.From Name ID Format, select email.


Service Providers

Dropbox

Configure ESA IdP Connector

1.Follow the generic instructions on configuring the IdP Connector in ESA Web Console.

2.When you add a service provider, select Configure manually in the Configuration from the Service Provider section.

3.For Issuer, type http://Dropbox.

4.Set the Single Sign-on Destination to https://www.dropbox.com/saml_login.

5.Copy the Sign-on URL and Logout URL to a text file, and export the Signing Certificate for later use when configuring your Service Provider.

6.In Advanced Security Settings, deselect Check signature of requests from the Service Provider.

Configure Dropbox

1.Log in to Dropbox as administrator.

2.Navigate to Settings > Single sign-on.

3.Type into the Sign-in URL field the Sign-on URL you copied from the configured ESA IdP Connector.

4.Type into the Sign-out URL field the Logout URL you copied from the configured ESA IdP Connector.

5.For X.509 Certificate, import the Signing Certificate you exported previously from the configured ESA IdP Connector.


Confluence

Configure ESA IdP Connector

1.Follow the generic instructions on configuring the IdP Connector in ESA Web Console.

2.When you add a service provider, select Configure manually in the Configuration from the Service Provider section.

3.For Issuer, copy and paste the URL address found in Confluence admin console at SAML Authentication > Audience URL (Entity ID).

4.For Single Sign-on Destination, copy and paste the URL address found in Confluence admin console at SAML Authentication > Assertion Consumer Service URL.

5.Copy the Identifier and Sign-on URL to a text file, and export the Signing Certificate for later use when configuring your Service Provider.

6.In Advanced Security Settings, deselect Check signature of requests from the Service Provider.

Configure Confluence

1.Log in to Confluence as administrator.

2.Click SAML Authentication.

3.In the SAML SSO 2.0 settings section:

a.Type into the Single sign-on Issuer field the Identifier you copied from the ESA IdP Connector.

b.Type into the Identity provider single sign-on URL field the Sign-on URL you copied from ESA IdP Connector.

c.Copy and paste into the X.509 Certificate field the content of the Signing Certificate you exported from ESA IdP Connector.