Installing the SAML Session Provider using LifeCycle Manager

  1. In LifeCycle Manager, select Actions > Install Product.
  2. From the list, select the product Infor SAML Session Provider <version>. Click Next.
  3. On the Host selection window, select the grid host you want to deploy the SAML Session Provider to. Select ADFS as the installation profile, and click Next.
  4. If a SAML router already exists, you are asked whether you want to reuse that router. If no SAML router exists, the Router properties window opens. Define the properties of the router that the session provider will use, add any additional endpoint addresses, and click Next:
    External Router Address

    The external address for the router.

    Router IP Address

    The external IP address of the router.

    Router HTTPS port

    The HTTPS port for the router.

    Restrict SYSTEM access

    Select this check box to publish all applications except the Grid Management Pages via the SAML Router. Select this option if management of the grid is authenticated with a client certificate.

    Additional ACS endpoints

    If load balancers or proxies are placed in front of the Grid, the SAML Session Provider needs to publish endpoints for those addresses, as described in Configuring Login and Logout Endpoints.

    Write one entry per row in the format fqdn:port. The first entry will be configured as the Logout Endpoint, and will be used to form the Entity ID for the SAML Session Provider (to be used in IFS and AD FS). If nothing is added here, all login and logout endpoints are based on the SAML router properties defined above.

    Exclude Router ACS

    Select this check box to create Assertion Consumer Services for the Additional ACS endpoints only. No ACS value will be created based on the SAML Router properties. Select this option if all SAML authentication should pass via the load balancer - that is, no direct access to grid routers by end users.

  5. On the Session Provider Properties window, specify the information and click Next:
    IdP FQDN

    The fully qualified domain name of the AD FS server.

    IdP https port

    The SSL port of the AD FS endpoint.

    Metadata URI

    Provide the URI (path) to the federation metadata. The default AD FS value is /FederationMetadata/2007-06/FederationMetadata.xml. The path can be found in the AD FS management console: expand Service > Endpoints. In the Metadata section, find the URL Path for the FederationMetadata endpoint.

    The Secondary Identity Provider properties are only applicable in cloud scenarios.

    After you click Next, the installer retrieves the SSL certificates from the AD FS server and you must confirm them before continuing. Check the presented certificate details against the certificate on the AD FS server before confirming. The installer then retrieves the AD FS federation metadata and parses it for values that are suggested in a later installation step.
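The retrieval and parsing that the installer performs in this step can be reproduced by hand to check the values it will suggest. The following Python is added here as an example and is not part of the Infor documentation or of the LifeCycle Manager installer: it builds the metadata URL from the IdP FQDN, HTTPS port and Metadata URI, then parses an embedded, constructed sample federation-metadata document (the hostname adfs.example.com, the entity ID and the certificate body are placeholders) for the entity ID, the token-signing certificate thumbprint and the SSO/SLO endpoints, and flags endpoints that are not HTTPS or are not on the expected IdP host. It does not verify the metadata's own XML signature; the installer's trust in this step rests on the TLS certificate you confirm.

```python
# Added example, not the installer's code: reproduce what the step 5 metadata
# retrieval derives from the IdP FQDN, HTTPS port and Metadata URI.
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
DEFAULT_METADATA_URI = "/FederationMetadata/2007-06/FederationMetadata.xml"


def metadata_url(idp_fqdn, idp_https_port=443, metadata_uri=DEFAULT_METADATA_URI):
    """URL the installer fetches, built from the values entered in step 5."""
    if not metadata_uri.startswith("/"):
        raise ValueError("Metadata URI must be an absolute path such as " + DEFAULT_METADATA_URI)
    return f"https://{idp_fqdn}:{idp_https_port}{metadata_uri}"


# Constructed sample metadata (trimmed; a real document is signed and carries
# real certificates). The certificate body is a placeholder, not X.509 DER.
FAKE_CERT_DER = b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _endpoints(idp, tag):
    """Map short binding name (HTTP-POST, HTTP-Redirect) to its Location."""
    return {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
            for e in idp.findall("md:" + tag, NS)}


def parse_idp_metadata(xml_text, expected_idp_fqdn):
    """Extract entityID, signing-certificate thumbprints and SSO/SLO endpoints.

    'problems' lists the sanity checks that failed; an empty list means the
    metadata is consistent with the IdP FQDN entered in the installer.
    The document's XML signature is NOT verified here.
    """
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return {"problems": ["root element is not a SAML EntityDescriptor"]}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {"problems": ["no IDPSSODescriptor: this metadata does not describe an IdP"]}

    thumbprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and
        # encryption, so a missing attribute counts as a signing key.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            # SHA-1 over the DER bytes: the thumbprint format shown in the
            # AD FS console, so it can be compared by eye.
            thumbprints.append(hashlib.sha1(der).hexdigest().upper())
    if not thumbprints:
        problems.append("no signing certificate in metadata")

    sso = _endpoints(idp, "SingleSignOnService")
    slo = _endpoints(idp, "SingleLogoutService")
    if "HTTP-POST" not in sso:
        problems.append("no HTTP-POST SingleSignOnService")
    for service, endpoints in (("SSO", sso), ("SLO", slo)):
        for binding, url in endpoints.items():
            parts = urlparse(url)
            if parts.scheme != "https":
                problems.append(f"{service} {binding} endpoint {url} is not https")
            if (parts.hostname or "").lower() != expected_idp_fqdn.lower():
                problems.append(f"{service} {binding} endpoint {url} is not on {expected_idp_fqdn}")

    return {"entity_id": root.get("entityID"), "signing_cert_sha1": thumbprints,
            "sso": sso, "slo": slo, "problems": problems}


if __name__ == "__main__":
    print(metadata_url("adfs.example.com"))
    print(parse_idp_metadata(SAMPLE_METADATA, "adfs.example.com"))
```

Against a real server, replace SAMPLE_METADATA with the body fetched from metadata_url(...) over a connection that validates the server's TLS certificate, and compare the reported thumbprint with the token-signing certificate shown in the AD FS console. A non-empty problems list (for example, endpoints on a different host than the IdP FQDN you entered) is worth resolving before confirming the certificates in the installer.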

  6. On the IFS Properties window, specify the information and click Next:
    IFS FQDN

    Specify the FQDN for IFS.

    IFS HTTPS port

    Specify the HTTPS port for reaching IFS.

    IFS admin user

    Provide the name of a domain user that has the IFSApplicationAdmin and AttributeServiceCaller IFS Security Roles. The username must be in the domain\uid format. Use a dedicated service user with a password that does not expire; otherwise the stored password must be updated whenever it changes. This user is used for authenticating IFS web service calls, both during installation and at runtime.

    IFS admin password

    Provide the password for the domain user from the previous field.

    OAuth 1.0a Consumer Key

    If OAuth 1.0a is used to authenticate to IFS, specify the consumer key. If both OAuth credentials and IFS admin credentials are provided, the OAuth credentials are used.

    OAuth 1.0a Secret Key

    If OAuth 1.0a is used to authenticate to IFS, specify the secret key.

    Farm name

    The name of the farm of the Infor OS installation in use.

    Platform ID

    The platform ID of the farm of the Infor OS installation in use.

    Purpose

    A very short (4-10 characters) description of the purpose of the setup. This becomes part of the application name in IFS and of the Relying Party Trust name in AD FS, for easier identification.

    After you click Next, the connection to IFS web services is validated and the credentials tested.

  7. In the SAML Properties window, configure Identity Claim name, and click Next.
    Identity Claim name

    Change the value to http://schemas.infor.com/claims/Person

  8. Review the values on the Summary window and click Finish to start the installation.
  9. The application must now be activated manually in the Infor OS Manager. To do this, follow these steps. For more information, see Completing claims-based authentication configuration in Infor Operating Service Installation Guide.
    1. Open Infor OS Manager for the correct farm.
    2. Select Applications.
    3. Identify the application corresponding to your SAML Session Provider installation, in the format Grid-<Purpose> where <Purpose> is the value provided for the Purpose field in the IFS properties window.
    4. Click the download link for this application to save a PowerShell script.
    5. Run the script on the AD FS server.
      See AD FS server configuration in Infor Operating Service Installation Guide.
  10. Continue with the procedure Adding Assertion Consumer Service endpoint to AD FS.