...



...

Field                     Value
User Password             random, 32 characters
Password Requires Reset   true
Login Method              Single Sign-On
Web Browser Access        System Default
Command Line Access       System Default (applies only to users designated to use the Standard login method)
Web Service Access        System Default (applies only to users designated to use the Standard login method)

...

To create the JKS keystore file with the default private key, assuming your Identity Provider does not require that keys be signed by a specific certification authority, use the Java keytool utility to generate a self-signed key pair, entering the distinguished name information when prompted:

    keytool -genkeypair -keyalg RSA -sigalg SHA256withRSA -alias ucsaml -keypass ucsaml -keystore samlKeystore.jks -storepass ucsaml -storetype JKS


To import a key signed by a certification authority, which is typically provided in .p12/.pfx format (or can be converted to .p12/.pfx format using OpenSSL), use the following keytool command, substituting the password and alias of the .p12 file:

    keytool -importkeystore -srckeystore key.p12 -srcstoretype PKCS12 -srcstorepass password -alias alias -destkeystore samlKeystore.jks -destalias ucsaml -destkeypass ucsaml

Because no -deststorepass is given, keytool prompts for the destination keystore password (ucsaml, if the keystore was created as shown above); add -deststorepass ucsaml to run the command without the prompt.


To determine the alias available in the .p12 file, use the following command (keytool prompts for the .p12 password):

    keytool -list -keystore key.p12 -storetype pkcs12


If your Identity Provider metadata is signed, Universal Controller uses every key found in the configured keystore to verify trust of the signature. To import the public certificate used for the metadata signature, use the following keytool command, choosing an alias that does not collide with an existing entry:

    keytool -importcert -alias alias -keystore samlKeystore.jks -file signature.cer

keytool prints the certificate details and fingerprints and asks whether to trust the certificate. Since any certificate in this keystore is accepted for metadata signature verification, compare the fingerprint with the value published by your Identity Provider before answering yes.


The location of the KeyStore File can be specified from the Single Sign-On Settings in the user interface. However, by default, Universal Controller automatically populates the KeyStore File setting with a value of ${catalina.base}/conf/saml/samlKeystore.jks on initial start-up.

...

If your Identity Provider requires that you upload the public key certificate for the SAML Single Logout profile, export the certificate from the JKS keystore as follows. The -exportcert command writes only the certificate, never the private key:

    keytool -exportcert -alias ucsaml -file ucsaml.cer -keystore samlKeystore.jks -storepass ucsaml -storetype JKS
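The keystore procedure above (generate the self-signed key, inspect and import a CA-issued .p12, import the metadata-signing certificate, export the SP certificate), driven from a script so that it runs without prompts and can be checked afterwards. This is an added example, not code from the Universal Controller documentation or product. It assumes the JDK keytool is on PATH; the alias and passwords are the page's values (ucsaml), while the distinguished name, validity period, file names and the fingerprint-check step are assumptions of the example.

```python
"""Added example, not Universal Controller code: drive keytool to build the
SAML keystore described above without interactive prompts, then verify what
ended up in it.  Assumes the JDK keytool is on PATH.  Alias and passwords are
the page's values (ucsaml); DN, validity and file names are assumptions."""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

ALIAS = "ucsaml"
STOREPASS = "ucsaml"   # page default; use a real secret in production
# One line per entry in `keytool -list` output: "<alias>, <date>, <type>, "
ENTRY_RE = re.compile(r"^([^,]+),.*\b(PrivateKeyEntry|trustedCertEntry)\b")


def keytool_available():
    return shutil.which("keytool") is not None


def _keytool(*args):
    """Run one keytool command and return its stdout (raises on failure)."""
    proc = subprocess.run(["keytool", *args], check=True,
                          capture_output=True, text=True)
    return proc.stdout


def create_keystore(keystore, dname="CN=uc.example.internal, O=Example, C=US"):
    """Self-signed SP key pair (the page's -genkeypair command); -dname
    replaces the interactive distinguished-name prompt (assumed values)."""
    _keytool("-genkeypair", "-keyalg", "RSA", "-keysize", "2048",
             "-sigalg", "SHA256withRSA", "-alias", ALIAS, "-keypass", STOREPASS,
             "-keystore", str(keystore), "-storepass", STOREPASS,
             "-storetype", "JKS", "-dname", dname, "-validity", "3650")


def list_entries(keystore, storepass=STOREPASS, storetype="JKS"):
    """Return {alias: entry type} for a JKS or PKCS12 keystore; use it to
    find the alias inside a CA-issued .p12 before importing it."""
    out = _keytool("-list", "-keystore", str(keystore),
                   "-storepass", storepass, "-storetype", storetype)
    entries = {}
    for line in out.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1).strip()] = m.group(2)
    return entries


def import_pkcs12(keystore, p12_file, p12_pass, src_alias):
    """CA-signed key from a .p12: the page's -importkeystore command, with
    -deststorepass added so keytool does not prompt."""
    _keytool("-importkeystore", "-srckeystore", str(p12_file),
             "-srcstoretype", "PKCS12", "-srcstorepass", p12_pass,
             "-alias", src_alias, "-destkeystore", str(keystore),
             "-deststorepass", STOREPASS, "-destalias", ALIAS,
             "-destkeypass", STOREPASS)


def cert_sha256(cert_file):
    """SHA-256 fingerprint of a certificate file as keytool -printcert shows it."""
    for line in _keytool("-printcert", "-file", str(cert_file)).splitlines():
        if "SHA256:" in line:
            return line.split("SHA256:", 1)[1].strip()
    raise ValueError("no SHA-256 fingerprint in keytool output")


def import_trusted_cert(keystore, cert_file, alias, expected_sha256):
    """Add the IdP metadata-signing certificate.  Every certificate in this
    keystore is trusted for metadata signatures, so refuse the import unless
    the fingerprint matches the value published by the IdP."""
    actual = cert_sha256(cert_file)
    if actual.upper() != expected_sha256.upper():
        raise ValueError(f"fingerprint mismatch: {actual} != {expected_sha256}")
    _keytool("-importcert", "-noprompt", "-alias", alias,
             "-keystore", str(keystore), "-storepass", STOREPASS,
             "-file", str(cert_file))


def export_sp_cert(keystore, cert_file):
    """Certificate only (never the private key), for upload to the IdP."""
    _keytool("-exportcert", "-alias", ALIAS, "-file", str(cert_file),
             "-keystore", str(keystore), "-storepass", STOREPASS,
             "-storetype", "JKS")


def build_and_verify():
    """Create, export and inspect a keystore in a temp dir; True when the
    keystore holds exactly the SP PrivateKeyEntry and the export is a cert."""
    with tempfile.TemporaryDirectory() as d:
        ks, cer = Path(d) / "samlKeystore.jks", Path(d) / "ucsaml.cer"
        create_keystore(ks)
        export_sp_cert(ks, cer)
        return (list_entries(ks) == {ALIAS: "PrivateKeyEntry"}
                and len(cert_sha256(cer).split(":")) == 32)
```

Run build_and_verify() on a host with a JDK to confirm the toolchain before touching ${catalina.base}/conf/saml/; the fingerprint comparison in import_trusted_cert is the one step the interactive keytool prompt leaves to the operator's eyes.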

Java Cryptography Extension (JCE)

...

An administrator can turn on/off and configure SAML Single Sign-On through the user interface.

Note: Each Universal Controller cluster node maintains its own Single Sign-On Settings configuration, associated by Node Id. Therefore, you must complete the Single Sign-On Settings configuration for each deployed cluster node, including the Active node and any Passive nodes.

The Identity Provider Metadata File and KeyStore File, by default located under ${catalina.base}/conf/saml/, must be accessible to each cluster node.


Step 1

From the Administration navigation pane, select Configuration > Single Sign-On Settings. The Single Sign-On Settings page displays.
 

Step 2

Enter / select your Single Sign-On Settings, using the field descriptions below as a guide.

  • Required fields display an asterisk ( * ) after the field name.
  • Default values for fields, if available, display automatically.

Step 3

Click the button.

...

Universal Controller Uninitialized

While the Universal Controller web application is initializing, the user login flow cannot proceed. Any users attempting to authenticate with SAML at this time receive the following error:
 
Universal Controller is being initialized. Please try again later.

User Account Not Found

Any SAML-authenticated user who cannot be linked to a user account in the Universal Controller database is prohibited from accessing the application and receives the following error:
 
User 'username' not synchronized with Universal Controller. Please check with your administrator.
 
Additionally, the uc.log will contain the following warning:
 
User 'username' authenticated by identity provider 'remote-entity-id' not synchronized with a Universal Controller account.

User Account Not Active

Any SAML-authenticated user linked to a Universal Controller user account that is not Active is prohibited from accessing the application and receives the following error:
 
User 'username' not synchronized with Universal Controller. Please check with your administrator.
 
Additionally, the uc.log will contain the following warning:
 
User 'username' authenticated by identity provider 'remote-entity-id' is synchronized with an inactive Universal Controller account.

Login Method

Any SAML authenticated user linked to a Universal Controller user account that is not designated to use Single Sign-On login method is prohibited from accessing the application and receives the following error:
 
User 'username' not synchronized with Universal Controller. Please check with your administrator.
 
Additionally, the uc.log will contain the following warning:
 
User 'username' authenticated by identity provider 'remote-entity-id' is not permitted to use Single Sign-On login method.

User Account Locked

Any SAML-authenticated user linked to a Universal Controller user account that is locked is prohibited from accessing the application and receives the following error:
 
User account 'username' is locked. Please check with your administrator.

No Web Browser Access

Any SAML-authenticated user linked to a Universal Controller user account designated with the Single Sign-On login method, but without Web Browser Access, is prohibited from accessing the application and receives the following error:
 
User 'username' not permitted to login through the web browser. Please check with your administrator.

Authentication Statement Too Old

If users are already authenticated with their Identity Provider, then depending on how long the Identity Provider allows them to stay authenticated, they may receive an "Error validating SAML message" authentication error when signing in to Universal Controller through single sign-on.

If users are experiencing this error, search the uc.log for the following message:
 

    Authentication statement is too old to be used with value 2019-08-15T19:22:56.312Z

 
Upon confirming the presence of the above message, review the property saml.maxAuthenticationAge and adjust it accordingly.

This property sets the maximum time, in seconds, allowed between the user's authentication at the Identity Provider (the time carried in the assertion's authentication statement, which is the value printed in the log message) and Universal Controller's processing of that authentication statement. The default is 7200 seconds (two hours). Raising it widens the window in which an older authentication is accepted, so align it with the Identity Provider's session lifetime rather than setting an arbitrarily large value.
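To make the diagnosis concrete, the following added example (not Universal Controller code) reproduces the age check offline: given an assertion from an Identity Provider trace and the time the Controller processed it, it reports whether saml.maxAuthenticationAge would reject it and the smallest value that would have accepted it. It assumes the check compares the AuthnInstant of the assertion's AuthnStatement with the processing time, and the sample assertion, issuer and user below are constructed; the AuthnInstant is the timestamp from the uc.log line quoted above.

```python
"""Added example, not Universal Controller code: reproduce the
"Authentication statement is too old" check offline.  Assumption: the check
compares the AuthnStatement's AuthnInstant with the processing time.  The
sample assertion below is constructed."""
import math
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DEFAULT_MAX_AUTHENTICATION_AGE = 7200  # seconds; the documented default

# Constructed sample; the AuthnInstant is the value from the uc.log line above.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2019-08-15T21:30:00.000Z">
  <saml2:Issuer>https://idp.example.com/metadata</saml2:Issuer>
  <saml2:Subject><saml2:NameID>jdoe</saml2:NameID></saml2:Subject>
  <saml2:AuthnStatement AuthnInstant="2019-08-15T19:22:56.312Z" SessionIndex="_s1">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
</saml2:Assertion>
"""


def parse_saml_instant(text):
    """SAML xs:dateTime values are UTC with a trailing 'Z' and optional
    fractional seconds, e.g. 2019-08-15T19:22:56.312Z."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    return datetime.fromisoformat(text)


def format_saml_instant(dt):
    """Inverse of parse_saml_instant at millisecond precision, the form the
    log message uses."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def _as_datetime(value):
    return parse_saml_instant(value) if isinstance(value, str) else value


def authn_instants(assertion_xml):
    """All AuthnInstant values in the assertion's AuthnStatement elements."""
    root = ET.fromstring(assertion_xml)
    return [parse_saml_instant(s.get("AuthnInstant"))
            for s in root.iter(f"{{{SAML_ASSERTION_NS}}}AuthnStatement")]


def check_authentication_age(assertion_xml, processed_at,
                             max_age=DEFAULT_MAX_AUTHENTICATION_AGE):
    """Return (accepted, message).  Rejected when any authentication
    statement is more than max_age seconds old at processing time."""
    processed_at = _as_datetime(processed_at)
    instants = authn_instants(assertion_xml)
    if not instants:
        return False, "assertion carries no AuthnStatement"
    for instant in instants:
        age = (processed_at - instant).total_seconds()
        if age > max_age:
            return False, ("Authentication statement is too old to be used "
                           f"with value {format_saml_instant(instant)}")
    return True, "authentication statement within saml.maxAuthenticationAge"


def smallest_accepting_max_age(assertion_xml, processed_at):
    """Smallest whole-second saml.maxAuthenticationAge that would have
    accepted this assertion: a tuning data point, not a value to set blindly."""
    processed_at = _as_datetime(processed_at)
    ages = [(processed_at - i).total_seconds() for i in authn_instants(assertion_xml)]
    return math.ceil(max(ages))
```

With the sample processed at 2019-08-15T21:30:00Z the statement is 7623.7 seconds old, so the default of 7200 rejects it with exactly the log message shown above, while 7624 or more would accept it; the same assertion processed at 21:00:00Z passes. Compare the computed age against the Identity Provider's session lifetime before changing the property.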

...