BSM SAML2 / OneLogin

Hi,

We would like to integrate BSM 9.26 with OneLogin's SAML authentication solution (https://www.onelogin.com/).
The OneLogin administrator (at my customer) provided me with:
- the OneLogin server signing certificate to import
- the Trusted Hosts / Domains to configure

And in return he wanted me to give him the XML metadata file that would contain the ACS URL, EntityID ...


I imported the OneLogin .pem certificate into the keystore file C:\HPBSM\conf\settings\SingleSignOn\SAMLKeyStore
and then configured SSO with the following settings:

- Single Sign-On Mode  : Lightweight

- JMX to get/set Token Creation Key (initString)  : http://<gateway server>:29000/mbean?objectname=Topaz:service=LW-SSO Configuration

- HP Business Service Management Domain : Parse automatically

- Trusted Hosts/Domains : [airbusstaging.onelogin.com]

- Enable SAML2 authentication schema  : true

- SAML2 Creation Look for keystore in classpath  : false

- SAML2 Creation Keystore filename  : C:\HPBSM//conf//settings//SingleSignOn//SAMLKeyStore

- SAML2 Creation Private key alias : hpsamlkey

- SAML2 Validation Look for keystore in classpath  : true

- SAML2 Validation Keystore filename  : C:\HPBSM//conf//settings//SingleSignOn//SAMLKeyStore

I sent the C:\HPBSM\conf\settings\SingleSignOn\lwssofmconf XML file to the OneLogin administrator,
and he replied:
"I looked at the XML and it does not look like what I'm used to seeing. However, it speaks well of SAML!
I did not see it including the EntityID info and the ACS URL."

Can you tell me whether this is the correct XML file to send him? And if not, can you tell me which file I have to send him so that he can find the EntityID and ACS URL?

Regards,
Nordine

  • I don't know the exact syntax: EntityID or EntidyID

    ACS URL = AssertionConsumerServiceURL
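For readers wondering what the OneLogin administrator was looking for in the file, here is an added example (not code from this thread, from BSM or from OneLogin) that parses a SAML 2.0 service-provider metadata document and extracts the entityID, the AssertionConsumerService URL and whether an SP signing certificate is present. The embedded metadata is constructed for illustration; the hostnames, paths and certificate are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample SP metadata: hostnames, paths and the certificate are
# placeholders, not values from a real BSM export.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://bsm-gateway.example.com/topaz">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://bsm-gateway.example.com/topaz/saml2/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def extract_sp_endpoints(metadata_xml: str) -> dict:
    """Return entityID, default ACS endpoint and whether a signing cert is present.
    Raises ValueError for anything an IdP admin would flag as missing. Parse
    third-party metadata with defusedxml rather than the stdlib parser."""
    root = ET.fromstring(metadata_xml.strip())
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or root.get("entityID") is None:
        raise ValueError("not a SAML EntityDescriptor with an entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    # Prefer the endpoint marked as default; otherwise take the first one listed.
    acs = sp.find("md:AssertionConsumerService[@isDefault='true']", NS)
    if acs is None:
        acs = sp.find("md:AssertionConsumerService", NS)
    if acs is None:
        raise ValueError("no AssertionConsumerService endpoint")
    cert = sp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
        "has_signing_cert": cert is not None,
    }
```

A file that raises ValueError here (for example an LW-SSO configuration file with no EntityDescriptor) is not SP metadata, which matches the administrator's reaction in the thread.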

  • Hi nsebbar,

    While the documentation (for example the BSM 9.26 Platform Guide) mentions:
    ..
    SAML2 Configuration Dialog Box

    This dialog box page enables you to modify the SAML authentication parameters for your Lightweight Single Sign-On configuration.
    ..

    I found the following CR:
     QCCR1I89456 doc for configuring Single Sign-On (SSO) authentication between BSM and other systems using SAML2
    where the statement is:
    ..
     We cannot provide this documentation, because BSM does not support SAML2 authentication.
     This option is part of the LW-SSO we are using, but this feature was not implemented in BSM.
    ..

    I didn't find anything about OneLogin and BSM (with the exception of what I believe is your case, SD02020367),
    but only enhancement requests to add support for SAML2 in general or OneLogin in particular for various other products.

    All in all, I think that you cannot use OneLogin with SAML2 as an authentication solution.

    Greetings
    Siggi

  • Hi Siggi,

    Are you saying that the documentation describes a feature which in fact is totally wrong?! And since at least BSM 9.24?!

  • Hi SylvainP31,

    what I am saying is that even though the manual uses the words "SAML2", it appears that BSM (9.24 and on) doesn't support SAML2 authentication, so using OneLogin wouldn't work.

    That's my understanding from reading the one service request.

    I might be totally wrong and all this may have been implemented in the meantime (although I don't think so).
    I can only recommend that nsebbar asks the engineer she/he works with via a support case to check this with R&D and to post the results here; then we will know for sure.

    Greetings
    Siggi