Panel | ||||
---|---|---|---|---|
|
...
Field | Value | ||
---|---|---|---|
User Password | random, 32-characters | ||
Password Requires Reset | true | ||
Login Method | Single Sign-On | ||
Web Browser Access |
| ||
Command Line Access |
| ||
Web Service Access |
|
...
To create the JKS keystore file, with the default private key, assuming your Identity Provider does not require keys be signed by a specific certification authority, you can use the Java utility keytool command to generate a self-signed key, entering the distinguished name information when prompted.
Panel |
---|
...
|
To import a key signed by a certification authority, which are typically provided in .p12/.pfx format (or can be converted to .p12/.pfx format using OpenSSL), you can use the following keytool command.
Panel | ||
---|---|---|
|
To determine the alias available in the p12 file, you can use the following command.
...
Panel | ||
---|---|---|
|
If your Identity Provider metadata is signed, to verify trust of the signature, Universal Controller will use all keys found in the configured keystore. To import the public certificate of the metadata signature, you can use the following keytool command.
Panel | ||
---|---|---|
|
The location of the KeyStore File can be specified from the Single Sign-On Settings in the user interface. However, by default, Universal Controller automatically populates the KeyStore File setting with a value of ${catalina.base}/conf/saml/samlKeystore.jks
on initial start-up.
...
If your Identity Provider requires that you upload the public key certificate for the SAML Single Logout profile, you can export the certificate from the JKS keystore as follows.
...
from the JKS keystore as follows.
Panel | ||
---|---|---|
|
Java Cryptography Extension (JCE)
...
An administrator can turn on/off and configure SAML Single Sign-On through the user interface.
Note | ||
---|---|---|
| ||
Each Universal Controller cluster node maintains its own Single Sign-On Settings configuration, associated by Node Id. Therefore, you must complete the Single Sign-On Settings configuration for each deployed cluster node, including the Active node and any Passive nodes. The Identify Provider Metadata File and KeyStore File, by default located under ${catalina.base}/conf/saml/, must be accessible to each cluster node. |
Step 1 | From the Administration navigation pane, select Configuration > Single Sign-On Settings. The Single Sign-On Settings page displays. |
---|---|
Step 2 | Enter / select your Single Sign-On Settings, using the field descriptions below as a guide.
|
Step 3 | Click the button. |
...
Universal Controller Uninitialized | While the Universal Controller web application is initializing, the user login flow cannot proceed. Any users attempting to authenticate with SAML at this time receive the following error: | ||||
---|---|---|---|---|---|
User Account Not Found | Any SAML-authenticated user who cannot be linked to a user account in the Universal Controller database is prohibited from accessing the application and receives the following error: | ||||
User Account Not Active | Any SAML-authenticated user linked to a Universal Controller user account that is not Active is prohibited from accessing the application and receives the following error: | ||||
Login Method | Any SAML authenticated user linked to a Universal Controller user account that is not designated to use Single Sign-On login method is prohibited from accessing the application and receives the following error: | ||||
User Account Locked | Any SAML-authenticated user linked to a Universal Controller user account that is locked is prohibited from accessing the application and receives the following error: | ||||
No Web Browser Access | Any SAML-authenticated user linked to a Universal Controller user account designated with the Single Sign-On login method, but without Web Browser Access, is prohibited from accessing the application and receives the following error: | ||||
Authentication Statement Too Old | If users already are authenticated with their Identity Provider, depending on how long their Identify Provider allows them to stay authenticated, they could experience an "Error validating SAML message" authentication error when signing into the Universal Controller through single sign-on.
|