Installing and configuring the SAML Session Provider 1.14 using LifeCycle Manager

Use this procedure to install the SAML Session Provider 1.14 using LifeCycle Manager.

SAML Session Provider 1.14 is not used for cloud scenarios where PingFederate is used.

SAML Session Provider has two installation profiles called "ADFS" and "InforSTS". The only difference between them is the default URI filled in on the "Metadata URI" property on the "Session Provider Properties" wizard step.

If you want to use the SAML Session Provider 1.14, your system must meet these requirements:

  • The ION Grid installation runs on Java 8.

  • AD FS or InforSTS is used as the Identity Provider (IdP).

  • InforOS is installed.

  • You have a domain account with the security roles IFSApplicationAdmin and AttributeServiceCaller.

    This should be a service user with a password that does not expire; otherwise, the password must be kept up-to-date. This user is used for authenticating IFS web service calls, during installation and at runtime.

  • In AD FS the Endpoint "/adfs/services/trust/13/usernamemixed" for WS-Trust 1.3 is both Enabled and Proxy Enabled.

Install using LCM

  1. In LifeCycle Manager, select Actions > Install Product.
  2. From the list, select the product Infor SAML Session Provider <version>. Click Next.
  3. On the Host selection window, select the grid host you want to deploy the SAML Session Provider to. Select whether the SAML Session Provider should authenticate users against InforSTS or ADFS.
  4. If a SAML router already exists, you will be asked if you want to reuse that router. If no SAML router exists, specify these fields on the Router properties window and click Next:
    External Router Address

    The external address for the router.

    Router IP Address

    The external IP address of the router.

    Router HTTPS port

    The HTTPS port for the router.

    Restrict SYSTEM access

    Select this check box to publish all applications except the Grid Management Pages via the SAML Router. Select this option if management of the grid is authenticated with a client certificate.

    Additional ACS endpoints

    If load balancers or proxies are placed in front of the Grid, the SAML Session Provider needs to publish endpoints for those addresses. Write one entry per row in the format fqdn:port.

    The first entry will be configured as the Logout Endpoint, and will be used to form the Entity ID for the SAML Session Provider, which will be used in IFS and AD FS. If nothing is added, all login and logout endpoints will be based on the previously specified SAML router properties.

    Exclude Router ACS

    Select this check box to create Assertion Consumer Services only for the Additional ACS endpoints. No ACS value will be created based on the SAML Router properties. Select this option if all SAML authentication should pass via the load balancer, without direct access to grid routers by end users.
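    The rules in the Additional ACS endpoints and Exclude Router ACS fields determine which endpoints the provider publishes and which one becomes the Entity ID. The following Python script is an added example, not code from the product or this guide: it parses the field's one-entry-per-row fqdn:port format and applies those rules. The URL paths /saml/acs and /saml/logout and the "https://fqdn:port" form of the Entity ID are assumptions; the guide does not state the provider's real paths.

```python
"""Derive the ACS, logout and Entity ID values from the Router properties
window (step 4). Added example; the endpoint paths are assumptions."""
import re

# Hypothetical paths: the guide does not state the provider's real URL paths.
ACS_PATH = "/saml/acs"
LOGOUT_PATH = "/saml/logout"

# One fqdn:port per row: DNS labels joined by dots, then a 1-5 digit port.
_ENTRY_RE = re.compile(
    r"^(?P<fqdn>(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]+):(?P<port>\d{1,5})$",
    re.IGNORECASE,
)


def parse_acs_entries(text):
    """Parse the 'Additional ACS endpoints' field.

    Blank rows are ignored. A malformed row (scheme, path, missing port,
    port out of range) raises ValueError, so a typo is caught before it is
    baked into the Entity ID that IFS and AD FS will be configured with."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        row = raw.strip()
        if not row:
            continue
        m = _ENTRY_RE.match(row)
        if not m:
            raise ValueError(f"row {lineno}: expected fqdn:port, got {row!r}")
        port = int(m.group("port"))
        if not 1 <= port <= 65535:
            raise ValueError(f"row {lineno}: port {port} out of range")
        entries.append((m.group("fqdn").lower(), port))
    return entries


def derive_endpoints(router_address, router_https_port, additional_acs,
                     exclude_router_acs=False):
    """Apply the step 4 rules:
    - every additional entry gets an ACS endpoint;
    - the router itself gets one unless 'Exclude Router ACS' is selected;
    - the first additional entry (or the router, if none was added) is the
      logout endpoint and the base of the Entity ID."""
    extra = parse_acs_entries(additional_acs)
    if exclude_router_acs and not extra:
        raise ValueError("Exclude Router ACS needs at least one additional ACS endpoint")
    hosts = list(extra)
    if not exclude_router_acs:
        hosts.append((router_address.lower(), int(router_https_port)))
    # The router is only the primary endpoint when nothing else was added.
    primary = extra[0] if extra else hosts[0]

    def base(host, port):
        return f"https://{host}:{port}"

    return {
        "entity_id": base(*primary),
        "logout": base(*primary) + LOGOUT_PATH,
        "acs": [base(h, p) + ACS_PATH for h, p in hosts],
    }


if __name__ == "__main__":
    # Constructed input: a load balancer in front of the grid router.
    print(derive_endpoints("grid.example.com", 443, "lb.example.com:443\n"))
```

Run it with the router address and port you entered and the exact text of the Additional ACS endpoints field; whatever comes out as entity_id is the value you should expect to see in IFS and in the AD FS Relying Party Trust, so a mismatch later points at this field.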

  5. On the Session Provider Properties window, specify these properties and click Next:
    IdP FQDN

    The fully qualified domain name of the AD FS server.

    IdP http port

    The HTTP port of the AD FS endpoint.

    IdP https port

    The SSL port of the AD FS endpoint.

    Metadata URI

    Provide the URI to the federation metadata.

    The default AD FS value is /FederationMetadata/2007-06/FederationMetadata.xml.

    The URI can be found in the AD FS management console: expand "Service" > "Endpoints". In the Metadata section, find the URL Path for the Federation Metadata.

    Default InforSTS value is /inforsts/rest/metadata/00000000000000000000000000000000/idp.

    After you click Next, the connection to the IdP is validated and the metadata is retrieved. You are prompted to approve adding the IdP HTTPS certificates to the SAML Session Provider HTTPS trust store.
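    The validation performed at this step retrieves the federation metadata from the Metadata URI and reads the IdP's entity ID, sign-on/logout endpoints and token-signing certificate from it. The following Python script is an added example, not the installer's code, that does the same against whichever metadata URI is configured (the AD FS or the InforSTS default above) and lists the problems an operator should resolve before clicking Next. The embedded metadata document and certificate bytes are constructed for the example; the hostnames are placeholders.

```python
"""Fetch and parse IdP federation metadata as the step 5 validation must,
then check it against the IdP FQDN entered in the wizard.
Added example; the metadata below is constructed, not real AD FS output."""
import base64
import hashlib
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder, not a real DER-encoded X.509 certificate.
SAMPLE_CERT_DER = b"constructed placeholder bytes, not a real certificate"

# Constructed metadata in the shape an IdP publishes (placeholder hostname).
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def cert_fingerprint(der):
    """SHA-256 thumbprint of a DER certificate as uppercase hex."""
    return hashlib.sha256(der).hexdigest().upper()


def fetch_metadata(idp_fqdn, https_port, metadata_uri, timeout=10):
    """Retrieve the metadata over HTTPS with certificate verification on.
    LCM asks before trusting the IdP certificates, so verification stays enabled."""
    url = f"https://{idp_fqdn}:{https_port}{metadata_uri}"
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8")


def parse_metadata(xml_text):
    """Extract entityID, SSO/SLO endpoints and signing-cert thumbprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    signing = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        if b64:
            signing.append(cert_fingerprint(base64.b64decode("".join(b64.split()))))
    return {
        "entity_id": root.get("entityID"),
        "sso": {s.get("Binding"): s.get("Location")
                for s in idp.findall("md:SingleSignOnService", NS)},
        "slo": {s.get("Binding"): s.get("Location")
                for s in idp.findall("md:SingleLogoutService", NS)},
        "signing_cert_sha256": signing,
    }


def check_metadata(meta, idp_fqdn):
    """Return the problems an operator should resolve before clicking Next."""
    problems = []
    host = urlparse(meta["entity_id"] or "").hostname
    if host != idp_fqdn.lower():
        problems.append(f"entityID host {host!r} differs from IdP FQDN {idp_fqdn!r}")
    if not meta["signing_cert_sha256"]:
        problems.append("no token-signing certificate in metadata")
    if not meta["sso"]:
        problems.append("no SingleSignOnService endpoint")
    for binding, loc in meta["sso"].items():
        if urlparse(loc).scheme != "https":
            problems.append(f"SSO endpoint for {binding} is not https: {loc}")
    return problems


if __name__ == "__main__":
    meta = parse_metadata(SAMPLE_METADATA)
    print(meta)
    print(check_metadata(meta, "adfs.example.com") or "metadata consistent with IdP FQDN")
```

The thumbprint printed here is of the token-signing certificate inside the metadata, not of the HTTPS certificate the wizard asks you to approve; compare it with the token-signing certificate shown in the AD FS management console so that a metadata document served from the wrong host or farm is noticed before the trust is configured.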

  6. On the IFS Properties window, specify these properties and click Next:
    IFS FQDN

    Specify the FQDN for IFS.

    IFS HTTPS port

    Specify the HTTPS port for reaching IFS.

    IFS admin user

    Provide the name for a domain user that has the IFSApplicationAdmin and AttributeServiceCaller IFS Security Roles. The username must be in the domain\uid format. This should be a service user with a password that does not expire; otherwise, the password must be kept up-to-date. This user is used for authenticating IFS web service calls, during installation and at runtime.

    IFS admin password

    Provide the password for the domain user from the previous field.

    OAuth 1.0a Consumer Key

    If OAuth 1.0a is used to authenticate to IFS, provide the consumer key here. If both OAuth credentials and IFS admin credentials are provided, the OAuth credentials will be used.

    OAuth 1.0a Secret Key

    If OAuth 1.0a is used to authenticate to IFS, provide the secret key here.

    Farm name

    The name of the farm of the InforOS installation in use.

    Platform ID

    The platform ID of the farm of the InforOS installation in use.

    Purpose

    A short description of the purpose of the setup. This will be part of the application name in IFS and the Relying Party Trust in AD FS for easier identification.

    After you click Next, the connection to IFS web services is validated and the credentials are tested.

  7. Review the fields on the SAML Properties window. Specify these properties:
    Identity Claim name

    Change the value to http://schemas.infor.com/claims/Person.

    Note: This value should be used for M3. For non-M3 installations, see http://schemas.infor.com/claims/Identity.

    Requested Authn Context

    Define the preferred method of authenticating to AD FS. For further information regarding this property, see SAML Authentication Request approved authentication methods.

    Authn Context Comparison

    Define the way to interpret the Requested Authn Context scope. For further information regarding this property, see SAML Authentication Request approved authentication methods.

    Note: These properties are used by the SAML Session Provider when communicating with AD FS. These properties also define the endpoints that the SAML Session Provider will provide for logging in and logging out.

    The suggested values are based on the AD FS metadata provided in previous steps.

  8. Review the values on the Summary window and click Finish to start the installation.
  9. After the installation, if AD FS is used, activate the application manually in InforOSManager. See "Completing claims-based authentication configuration" in the InforOS Installation Guide.
    1. Open InforOSManager for the correct farm.
    2. Select Applications.
    3. Identify the application corresponding to your SAML Session Provider installation.
    4. Click Download for this application to save a PowerShell script.
    5. Run the script on the AD FS server.

    See "AD FS server configuration" in the InforOS Installation Guide. Follow the steps described in Add Assertion Consumer Service endpoint to AD FS.

  10. If InforSTS is used, continue with the procedure Add Assertion Consumer Service endpoint to InforSTS.