Has anyone enabled SSO authentication in ALM Octane?

Hi Folks, 

I am aware of links that are out there from MF. But those links are difficult to understand in terms of the process to enable SSO authentication in ALM Octane. Some of the information available in these links just confuses me.

https://admhelp.microfocus.com/octane/en/latest/Online/Content/InstallationGuide/Configure_OtherSettings.htm#mt-item-7 and https://admhelp.microfocus.com/octane/en/latest/Online/Content/AdminGuide/SSO-federated-support.htm?Highlight=authentication#mt-item-2

So, do you know the easiest and simplest steps or if you have enabled SSO authentication in your environment, would you please help me understand the process and enable SSO in my ALM Octane?

I tried reaching out to MF regular Support. But unfortunately, their answer is just go and look at this... As they stated, "so please note this kind of configuration is not supported by us directly, our scope is just limited to provide the respective guideline as you can see in the following guide https://admhelp.microfocus.com/octane/en/latest/PDFs/ALM_Octane_Installation_Guide.pdf on page 9 ahead."

Question I asked to MF Support was: How do we get sso.login.saml2.idp.metadata-url?
While going through the guide to enroll SSO authentication in ALM Octane, it is suggested to have sso.login.saml2.idp.metadata-url. How or where do we get this information?

  • Hi,

    SSO configuration means trust establishment on two sides:

    1.  Customer IdP (Identity Provider)
          installed on customer site and managed by the customer

    2. Octane SP

    Part of it is exchanging metadata files between the above two components.

    Octane's metadata can be acquired via the below URL:

    <protocol>://<host>:<port>/osp/a/au/auth/saml2/sp-metadata

     

    The means to acquire the IdP metadata is vendor dependent (ADFS, PingFederate, Keycloak and others) and is sometimes configurable and should be verified within the customer organization with the relevant persona within the organization that is responsible for it, or the relevant product documentation.

    This is why it is not included in Octane's documentation.

     

    As to the minimal steps required for SSO configuration in Octane, please find the below:

     

    Key items we require as prerequisite for SSO configuration: Trust establishment on both sides (customer IdP & Octane SP)

    • Octane SP
      This requires the below information prepared:
      1. Key pair (private and public keys)
      2. Key pair should be stored in a keystore
         (default type p12 but jks is also supported)

      1. Customer IdP’s metadata
         (either file itself or accessible link to it)
      2. Keystore
         Should meet the below requirements:
         1. Keystore should be accessible from Octane file system (not by URL)
         2. We should know keystore password
         3. We should know key pair alias name inside keystore
         4. We should know key pair password inside keystore
      3. SAML attributes
         The important one is user name. Valid values are:
         '{$id}'. Mapping is to the NameID in the SAML response's subject. Default.
         or
         userName. Mapping is to the username in the SAML attribute statement.

         For the other fields we have defaults as specified here: https://admhelp.microfocus.com/octane/en/latest/Online/Content/InstallationGuide/Configure_OtherSettings.htm#SP-Settings
         Customer should go over them and verify if they should be modified.

     

    The next should be done once Octane is up and configured with SSO:

    • Customer IdP – this should be solely done by customer on his IdP
      Trust Configuration on IdP side:
      Share ALM Octane’s metadata with the IdP

    To obtain ALM Octane’s metadata, navigate to:

    <protocol>://<host>:<port>/osp/a/au/auth/saml2/sp-metadata

  • I'm still confused. I might be wrong and sorry. But, to me, it's still vague.

    This is a new tool and also a new method of authentication. So, I guess it's been difficult for everyone to implement SSO auth in their environment.

    I was reading some of your ideas and items about SSO authentication implementation in your environment. Would you be able to help me out and walk through the process to implement SSO auth in my environment?

  • Hi,

    I suggest that you open a ticket to MF support and they can provide you with the guidelines how to configure ALM Octane to support SSO.

    Regards,

    Sigal

     

  • In fact, I opened a case. If I'm not wrong that case is with L1 support. And Support Er. mentioned that this type of item should be accomplished on our own as the IDP is on the customer side.

    I totally get that the IDP is on our side but there are still multiple things that are not clear in the guide and unavailable as a reference.

    Unfortunately, below is a message from Support Er. on my case.

    "so please note this kind of configuration is not supported by us directly, our scope is just limited to provide the respective guideline as you can see in the following guide https://admhelp.microfocus.com/octane/en/latest/PDFs/ALM_Octane_Installation_Guide.pdf on page 9 ahead"

  • Hi,

    Can you tell what exactly is not clear?

    What vendor of IdP are you using?

    Have you started with the SSO configuration and a particular step is not clear?

  • ....and please also be aware Octane synch will not work when SSO is enabled :(

    I guess this is not mentioned in documentation anywhere...

    br jesper

  • Is it because Sync Admin created in Sync server is not associated with SSO profile?

  • Not sure why - seems to me like "someone" forgot it. We were told the following from MF support

    ----------------------------

    Hi Everyone,

    After the internal discussion R&D have stated that they will be able to create SSO working Synchronizer no sooner than CP11. For the time being you have to revert back the SSO.

    I’m sorry for the inconvenience. If you have anything that you wish to share to them you can let me know.

    Best Regards,

    --------------------------------------