
BSM SAML2 / OneLogin

Hi,

We would like to integrate BSM 9.26 with OneLogin's SAML authentication solution (https://www.onelogin.com/).
The OneLogin administrator (of my customer) provided me with:
- the OneLogin server signing certificate to import
- Trusted Hosts / Domains to configure

And in return he wanted me to give him the XML metadata file that would contain the ACS URL, EntityID, etc.

I integrated the OneLogin .pem certificate into the file C:\HPBSM\conf\settings\SingleSignOn\SAMLKeyStore
and then configured the SSO with the following information:

- Single Sign-On Mode: Lightweight
- JMX to get/set Token Creation Key (initString): http://<gateway server>:29000/mbean?objectname=Topaz%3Aservice%3DLW-SSO+Configuration
- HP Business Service Management Domain: Parse automatically
- Trusted Hosts/Domains: [airbusstaging.onelogin.com]
- Enable SAML2 authentication schema: true
- SAML2 Creation Look for keystore in classpath: false
- SAML2 Creation Keystore filename: C:\HPBSM//conf//settings//SingleSignOn//SAMLKeyStore
- SAML2 Creation Private key alias: hpsamlkey
- SAML2 Validation Look for keystore in classpath: true
- SAML2 Validation Keystore filename: C:\HPBSM//conf//settings//SingleSignOn//SAMLKeyStore

I sent the C:\HPBSM\conf\settings\SingleSignOn\lwssofmconf XML file to the OneLogin administrator,
and he replied:
"I looked at the XML and it does not look like what I'm used to seeing. However, it speaks well of SAML!
I have not seen the EntityID info and ACS URL included."

Can you tell me if this is the correct XML file that I had to send him? And if not, can you tell me which file I have to send him so that he can find the EntityID and ACS URL?

Regards,
Nordine
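What the OneLogin administrator was looking for is a SAML 2.0 SP metadata document: the EntityID is the entityID attribute of md:EntityDescriptor and the ACS URL is the Location of an md:AssertionConsumerService element. The following is an added example, not code from the original post or from BSM or OneLogin, that builds such a document with constructed placeholder URLs and then reads those two values back, rejecting a file that is not SAML metadata at all (as an SSO framework config file would be).

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata/protocol namespaces and the browser POST binding an IdP
# uses to deliver the SAML response to the SP's ACS endpoint.
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD_NS)


def build_sp_metadata(entity_id: str, acs_url: str) -> bytes:
    """Build minimal SP metadata: one EntityDescriptor with one HTTP-POST ACS.

    WantAssertionsSigned=true tells the IdP that the SP will reject unsigned
    assertions; that is what the imported IdP signing certificate is used for.
    """
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(root, f"{{{MD_NS}}}SPSSODescriptor", {
        "protocolSupportEnumeration": SAMLP_NS,
        "AuthnRequestsSigned": "false",
        "WantAssertionsSigned": "true",
    })
    ET.SubElement(sp, f"{{{MD_NS}}}NameIDFormat").text = (
        "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService", {
        "Binding": POST_BINDING, "Location": acs_url,
        "index": "0", "isDefault": "true"})
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def extract_sp_endpoints(metadata: bytes):
    """Return (entityID, [ACS URLs]) from SP metadata.

    Raises ValueError when the document is not SAML metadata, which is the
    check the OneLogin administrator effectively did by eye.
    """
    root = ET.fromstring(metadata)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"root element {root.tag} is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    acs = [e.get("Location")
           for e in root.iter(f"{{{MD_NS}}}AssertionConsumerService")]
    if not entity_id or not acs:
        raise ValueError("metadata carries no entityID or AssertionConsumerService")
    return entity_id, acs


if __name__ == "__main__":
    # Constructed placeholder URLs; real values come from the SP deployment.
    md = build_sp_metadata("https://bsm.example.test/sp",
                           "https://bsm.example.test/sp/saml/acs")
    print(md.decode())
    print(extract_sp_endpoints(md))
```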

5 Replies

Cadet 2nd Class

I don't know the exact syntax: EntityID or EntidyID

ACS URL = AssertionConsumerServiceURL

Cadet 2nd Class

EntityID or EntidyID

Micro Focus Expert

Hi nsebbar,

While the documentation (for example the BSM 9.26 Platform Guide) mentions:
..
SAML2 Configuration Dialog Box

This dialog box page enables you to modify the SAML authentication parameters for your Lightweight Single Sign-On configuration.
..

I found the following CR
 QCCR1I89456 doc for configuring Single Sign-On (SSO) authentication between BSM and other systems using SAML2
where the statement is
..
 We can not provide this documentation, because BSM does not support SAML2 authentication.
 This option is part of LW-SSO we are using but this feature was not implemented in BSM.
..

I didn't find anything about OneLogin and BSM (with the exception of what I believe is your case, SD02020367),
but I did find enhancement requests to add support for SAML2 in general or OneLogin in particular for various other products.

All in all, I think that you cannot use OneLogin with SAML2 as an authentication solution.

Greetings
Siggi

Customer Support
Micro Focus

If you find that this or any post resolves your issue, please be sure to mark it as an accepted solution.
Commodore

Hi Siggi,

Are you saying that the documentation describes a feature which in fact is totally wrong?! And since at least BSM 9.24?!

Micro Focus Expert

Hi SylvainP31,

What I am saying is that even though the manual uses the words "SAML2", it appears that BSM (9.24 and on) doesn't support SAML2 authentication, so using OneLogin wouldn't work.

That's my understanding from reading the one service request.

I might be totally wrong and all this may have been implemented in the meantime (although I don't think so).
I can only recommend that nsebbar asks the engineer she/he works with via a support case to check this with R&D and post the results here; then we know for sure.

Greetings
Siggi

Customer Support
Micro Focus
