Configuring SAML authentication
3 Tasks
1 hr 30 mins
Advanced
Pega Platform 8.3.1
Pega Platform 8.5
Pega Platform 8.6
English
Scenario
Front Stage is considering using SSO with SAML to authenticate operators. Many identity providers are available in the marketplace; some are free services and some charge per user. Before Front Stage decides on an identity provider, they have asked you to develop a proof of concept using OpenAM (Open Access Management) as the identity provider. Most identity providers require internet access to configure. OpenAM was selected for the proof of concept because it can be configured and tested in a closed system, such as a virtual machine, without requiring internet connectivity. OpenAM can be downloaded from the ForgeRock website here: Access Management.
The following table provides the credentials that you need to complete the challenge. This challenge requires the Linux Lite VM.
Role | User name | Password
---|---|---
Administrator | Admin@Booking | rules
Design and implement an SSO authentication scheme using SAML as a proof of concept.
- Use OpenAM as the Identity Provider.
Detailed Tasks
1 Review solution details
Install OpenAM
- Download the ZIP file attached at the bottom of this challenge. (https://backstage.forgerock.com/downloads/browse/am/latest).
- Extract the AM-eval-6.5.2.2.war file from the ZIP file.
- If necessary, you can rename the AM-eval-6.5.2.2.war file.
- Copy the AM-eval-6.5.2.2.war file into the /opt/tomcat/webapps folder.
- To copy the .war file, run the Terminal Emulator to get a command window.
- Change to the directory where the .war file is located, using the cd command. For example, if AM-eval-6.5.2.2.war is on your Desktop, enter: cd Desktop
- Use the sudo cp command to copy the file to /opt/tomcat/webapps. For example, enter: sudo cp *.war /opt/tomcat/webapps
- The .war file should auto-deploy. If it does not, restart Tomcat to deploy the .war file.
- After restarting Tomcat, use the following URL to access the OpenAM home page: http://<host name>:<port number>/AM-eval-6.5.2.2/XUI/#realm. On first access you are redirected to the configuration page (for example, http://localhost:9080/AM-eval-6.5.2.2/config/options.htm).
Configure OpenAM
- Access OpenAM to be redirected to the configuration page (http://localhost:9080/AM-eval-6.5.2.2/config/options.htm).
- Create a default Configuration.
- Set the password to administrator.
- When the configuration is complete, click Proceed to login.
- Log in with user name amadmin using password administrator.
- Click New Realm to create a new Realm.
- Name the new Realm PegaSAML.
- After creating the PegaSAML Realm, in the Realm Overview, click Configure SAML V2 Provider.
- In the Configure SAML V2 Provider dialog box, select Configure Hosted Identity Provider.
- In the Configure Hosted Identity Provider dialog box, in the Signing Key list, select test.
- In the New Circle of Trust field, enter PegaSAML.
- In the upper-right corner, click Configure.
- When you get to the Confirmation page, click Finish.
- On the Realm Overview page, click Application > Federation to see your configured Identity Provider.
- In OpenAM, click Identities to create at least one Identity.
- In the Password field, enter password.
- In the User ID field, enter CEO@Booking.
Configure a SAML 2.0 Authentication Service in Pega Platform
To allow users to log in with single sign-on (SSO) authentication, perform the following steps to define a SAML 2.0 Authentication service.
- Create a new PegaSAML Authentication Service (Dev Studio > Configure > Org & Security > Authentication > Create Authentication Service).
- Complete the Authentication Service rule form:
- In the Authentication Service Alias field, enter a name that becomes part of the URL for SSO login (for example, PegaSAML).
- Click the Import IdP metadata link.
- Select via URL.
- In the URL field, enter http://localhost:9080/AM-eval-6.5.2.2/saml2/jsp/exportmetadata.jsp?realm=/PegaSAML.
- Click Submit.
The completed Identity Provider Information should look like the following figure:
- On the SAML 2.0 tab, in the Service Provider settings section, select the Disable request signing check box so that the authentication service can work without certificates.
- On the History tab, in the Documentation section, provide a Description and Usage.
- Save the PegaSAML authentication service.
Register Pega as a Remote Service Provider with OpenAM
- On the OpenAM portal, select the PegaSAML Realm.
- Select Configure SAMLv2 Provider.
- Select Configure Remote Service Provider.
- Complete the Configure a SAMLv2 Remote Service Provider form.
- Select the PegaSAML Realm.
- In the Where does the metadata file reside? section, select URL.
- Obtain the value for the URL where the metadata is located field from the PegaSAML Authentication Service that you configured in Pega Platform: on the SAML 2.0 tab, in the Service Provider settings section, click the Download SP metadata link and copy the URL of the page that is displayed.
- The completed form should look like the following figure:
- Select Configure to add Pega as a Remote Service Provider.
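The two metadata documents exchanged in this section, the IdP metadata that Pega imports from exportmetadata.jsp and the SP metadata that OpenAM fetches from Pega's Download SP metadata link, are what actually binds the two sides together, and the Disable request signing shortcut selected earlier shows up in the SP document as an attribute. The following Python script is an added example, not Pega or ForgeRock code, that parses both documents with the standard library and reports what a reviewer should check before this PoC is reused outside the closed VM: whether the IdP publishes a signing certificate, whether the SP signs requests and insists on signed assertions, and whether the endpoints use plain http. The two XML documents embedded in it are constructed to resemble the real ones; the entity IDs, endpoint paths and certificate text are assumed placeholders, not values captured from a VM.

```python
"""Parse SAML 2.0 metadata from both sides of the PoC and review the signing settings.

Added example, not Pega or ForgeRock code. The two documents below are constructed
to resemble what OpenAM's exportmetadata.jsp and Pega's "Download SP metadata" link
return; entity IDs, endpoint paths and the certificate text are assumed placeholders.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed: shape of the IdP metadata for the PegaSAML realm (placeholder values).
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://localhost:9080/AM-eval-6.5.2.2">
  <IDPSSODescriptor WantAuthnRequestsSigned="false">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIB-placeholder-cert</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://localhost:9080/AM-eval-6.5.2.2/SSORedirect/metaAlias/PegaSAML/idp"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:9080/AM-eval-6.5.2.2/SSOPOST/metaAlias/PegaSAML/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed: shape of the SP metadata Pega publishes for the PegaSAML service
# after "Disable request signing" was selected as this page instructs.
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://localhost:9080/prweb/PRAuth/PegaSAML">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true">
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:9080/prweb/PRAuth/PegaSAML"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def _xsbool(value):
    """XML Schema boolean: 'true'/'1' are true; an absent attribute defaults to false."""
    return (value or "false").strip().lower() in ("true", "1")


def _signing_certs(descriptor):
    """Certificates usable for signing (a KeyDescriptor with no 'use' serves both purposes)."""
    certs = []
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            certs += [c.text.strip() for c in kd.findall(".//ds:X509Certificate", NS) if c.text]
    return certs


def parse_idp(xml_text):
    root = ET.fromstring(xml_text)
    desc = root.find("md:IDPSSODescriptor", NS)
    return {
        "entity_id": root.get("entityID"),
        "wants_signed_requests": _xsbool(desc.get("WantAuthnRequestsSigned")),
        # Key the endpoints by the short binding name, e.g. "HTTP-Redirect".
        "sso_endpoints": {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
                          for e in desc.findall("md:SingleSignOnService", NS)},
        "signing_certs": _signing_certs(desc),
    }


def parse_sp(xml_text):
    root = ET.fromstring(xml_text)
    desc = root.find("md:SPSSODescriptor", NS)
    acs = desc.find("md:AssertionConsumerService", NS)
    return {
        "entity_id": root.get("entityID"),
        "signs_requests": _xsbool(desc.get("AuthnRequestsSigned")),
        "wants_signed_assertions": _xsbool(desc.get("WantAssertionsSigned")),
        "acs_url": acs.get("Location"),
        "signing_certs": _signing_certs(desc),
    }


def review(idp, sp):
    """Findings a reviewer would raise before the PoC leaves the closed VM."""
    findings = []
    if not idp["signing_certs"]:
        findings.append("IdP metadata has no signing certificate: assertion signatures cannot be verified")
    if not sp["signs_requests"]:
        findings.append("SP request signing disabled (PoC shortcut): enable it and give the SP a keystore before production")
    if idp["wants_signed_requests"] and not sp["signs_requests"]:
        findings.append("IdP requires signed AuthnRequests but the SP does not sign them: logins will fail")
    if not sp["wants_signed_assertions"]:
        findings.append("SP does not require signed assertions: an unsigned assertion would be accepted")
    urls = list(idp["sso_endpoints"].values()) + [sp["acs_url"]]
    plain_http = [u for u in urls if u.startswith("http://")]
    if plain_http:
        findings.append(f"{len(plain_http)} endpoint(s) use plain http: acceptable only inside the closed VM")
    return findings


if __name__ == "__main__":
    idp, sp = parse_idp(IDP_METADATA), parse_sp(SP_METADATA)
    print("IdP:", idp["entity_id"], "SSO bindings:", sorted(idp["sso_endpoints"]))
    print("SP :", sp["entity_id"], "ACS:", sp["acs_url"])
    for finding in review(idp, sp):
        print(" -", finding)
```

To run it against the real documents, replace the two constructed strings with the text fetched from the exportmetadata.jsp URL and the Download SP metadata page. With the PoC settings from this page the review reports two findings: request signing is off on the SP side, and every endpoint is plain http, which is exactly what the closed VM permits and what a production rollout with a real identity provider would have to change.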
Configure External Authentication
- Open the CEO@Booking operator ID. If the CEO@Booking operator does not exist, save the mistyped COE@Booking operator ID as CEO@Booking.
- On the Security tab, select External Authentication.
2 Confirm your work
- Copy the Login URL from the PegaSAML Authentication Service: http://localhost:9080/prweb/PRAuth/PegaSAML
- Open a different browser. For example, if you are using Chrome, open Firefox.
- Paste the Login URL into the web browser to access the OpenAM login screen.
- Log in with the user name CEO@Booking and the password password.
You can now seamlessly log in to Pega Platform.
3 Download the Access Manager
AccessManager.zip
(171.03 MB)