Thursday 19 May 2016

Federated SSO to SalesForce Using ISAM 9

Salesforce is one of the best-known applications in the corporate world and also one of the applications best suited for federation. For anyone who wants to learn federation-based SSO, Salesforce is the first application you should use to test it.
Salesforce has one of the easiest ways to configure SAML-based SSO.

As a test of the ISAM 9 federation capability, I got the chance to integrate Salesforce with the ISAM 9 VA.
To be honest there were a few issues, and being new to the federation capability on the VA I had to overcome some pretty long hurdles.

After some exploring it feels that IBM has done some pretty good stuff; it might not have as much flexibility as TFIM had, but overall it is a good interface to begin with.
And frankly speaking 90% of people don't read the stuff completely. Don't know if anyone is reading this as well ...... :-)

So these are the things you need to do to configure SSO to Salesforce:

1. Configure the TFIM Runtime in ISAM
In the software version we had to configure the runtime manually, which creates an application in WebSphere. In the VA the runtime comes preconfigured and running on localhost, which means it is basically using the management server IP address.
So first configure a new IP address under Interfaces in the VA to be used specifically for the Runtime,
then go to Secure Federation >> Runtime Parameters,
and in the runtime listening interfaces select the rows with localhost and delete them, then add the new IP you configured in Interfaces; make sure to configure it with both port 80 and port 443.

2. Create a Mapping Rule using JavaScript in ISAM mapping rules
This step might seem a little confusing to people who were using XSL files for mapping, as the new VA supports JavaScript and not XSL.
But not to worry: as usual, if you have a previous version of TFIM installed somewhere, make sure to copy the examples folder from it, as it has a lot of information and examples that can help you a lot.
For the current configuration we will be using the ISAM user id as the Salesforce user id/email address, so the two have to be the same value.
Go to Secure Federation >> Global Settings >> Mapping Rules and add a new rule.
Make sure to give the category as SAML2.0.
The image below shows the JavaScript that was used for this configuration.
[Image: mapping rule JavaScript]
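The rule itself was only in the image. As an added example that is not the page's or IBM's code, here is the mapping logic such a rule carries out, modelled in plain JavaScript so it runs under Node: take the authenticated ISAM user id, insist that it is an e-mail address, and hand it over as a SAML NameID in e-mail format. The stsuu object, the attribute names and the sample user are constructed; a real ISAM rule works on the STSUniversalUser object the runtime injects, so it is the logic, not the API, that carries over.

```javascript
// Added example, not the rule from the page's image: the identity-mapping logic
// an ISAM -> Salesforce SAML 2.0 mapping rule performs, written in plain
// JavaScript so it runs under Node. The "stsuu" object below is a constructed
// stand-in for the STSUniversalUser the ISAM runtime injects into a real rule.

const EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Constructed stand-in: principal name plus a list of {name, value} attributes.
function makeStsuu(principalName, attributes) {
  return { principalName, attributes: attributes.slice() };
}

// Map the ISAM user id to the Salesforce username. The page's setup relies on
// the two being the same e-mail address, so the rule fails closed when the
// authenticated principal is not an e-mail address: an assertion carrying a
// NameID Salesforce cannot match only produces a confusing SP-side error.
function mapIdentity(stsuu) {
  const uid = (stsuu.principalName || "").trim();
  if (!EMAIL_RE.test(uid)) {
    throw new Error("principal '" + uid + "' is not an e-mail address; no assertion issued");
  }
  return {
    // NameID value (case-normalised) and the format Salesforce expects for NameIdFormat=email.
    nameId: uid.toLowerCase(),
    nameIdFormat: EMAIL_NAMEID,
    // Release only what the SP needs: drop ISAM-internal credential attributes
    // (the "AZN_CRED_" prefix is the WebSEAL credential attribute convention).
    attributes: stsuu.attributes.filter((a) => !a.name.startsWith("AZN_CRED_")),
  };
}

// Demo run on a constructed user.
const demo = mapIdentity(makeStsuu("Alice@example.com", [
  { name: "AZN_CRED_PRINCIPAL_NAME", value: "Alice@example.com" },
  { name: "department", value: "IT" },
]));
console.log(JSON.stringify(demo));
```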


3. Create the Federation with the newly created mapping rule.
Go to Secure Federation >> Manage >> Federations.
Click on the Add button, provide a new name for the federation and check the box beside SAML 2.0.

In the Template tab make sure the SAML 2.0 checkbox is checked.

Now give a proper company name, give the provider ID as https://<websealip>/isam/sps and select the role as Identity Provider.

Give the point of contact as https://<websealip>/isam.

In Profile Selection, select Web Browser Single Sign-on.

In Single Sign-on Settings, select the options as shown in the figure below.

In Signature Options, select as shown below.

Make sure to select the same certificates as on the previous screen.

Keep the settings as shown below.

For Identity Mapping, select the option JavaScript transformation for identity mapping.

Select the mapping rule that was created previously.

Recheck all your previously selected options in the Summary.

4. Verify the TFIM Runtime and get the federation ID.
Now that the Federation is configured we need to confirm its details.
Go to Secure Federation >> Global Settings >> User Registry.
Make sure a user other than admin is created; in this example easuser is created.
Now access the URL in the browser:
https://<Webseal IP>/Info/InfoServiceXML
For credentials provide easuser and the password passw0rd.
This should show you the details of your federation; make sure to note down all the details, such as the federation name and the federation ID.

5. Configuring the Federation (TFIM) with ISAM:
There are multiple ways to do this.
We can do the configuration manually (you will learn a lot this way, but basically one wrong move can lead to a lot of headache).
Personally I believe the best option is to call the web service (REST); most people get very afraid of the name web service, but trust me, it's one of the easiest and most interesting options.
If you have TDI you can use that, or the curl command, or if you have SoapUI you can use that as well.
The easy option is SoapUI, which we will be using in this configuration.
So create a REST project in SoapUI and provide the details as given in the screenshot.


6. Export the certificate that was used for encryption while creating the federation.
In this example we have used the certificate database called rt_profile_keys with a label called server.
Now export this certificate and import it into the signer certificates of the WebSEAL certificate database; in my case it is pdsrv.

7. Configure SSO settings in Salesforce and export the metadata.
Log in to the Salesforce application and navigate to Administration Setup -> Security Controls -> Single Sign-On Settings,
and create the SAML 2.0 setup with the details shown below.


8. Use the metadata to create the partner in ISAM.
After configuring the SSO settings in Salesforce, download the metadata from it.
Now log in to ISAM and browse to Secure Federation >> Manage >> Federations.
Then select the federation, click on Partners and add a partner.
Now upload the metadata file to ISAM.
In the General Information tab provide the name as https://saml.salesforce.com, select the Enabled check box and click on Next.

Give the provider ID as https://saml.salesforce.com, make sure the partner role is selected as Service Provider and click on Next.

Select Web Browser Single Sign-on and click on Next.

Keep the settings as default and select next.

In SSL Certificates make sure you are using the same certificate as the one you used in the federation and click on Next.

Make sure to have the settings as shown in the below image.

In encryption options select the certificates and click on Next.

In Identity Mapping select the option Use Identity Mapping that is configured for this federation.

In the Summary verify all the options again and click on OK.

This will create your partner, and then you are done.

Now access the URL below for SSO to Salesforce.
https://<your webseal ip/hostname>/isam/sps/salesforce/saml20/logininitial?RequestBinding=HTTPPost&PartnerId=https://saml.salesforce.com&NameIdFormat=email
