Install the SAML Session Provider 1.14 using the standalone deployment profile

To install the SAML Session Provider 1.14 manually, you must set up a properties file containing the deployment profile configuration data.

There are many possible properties to configure for the manual SAML Session Provider deployment. Only a few of those are required. The other properties will get their default value if omitted in the properties file.

Each property is listed below with whether it is required, followed by its description.

routerFqdn (required)
  SAML-enabled grid router external FQDN.

routerIP (optional)
  IP address for external access to the SAML router.

routerHttpsPort (required)
  HTTPS (SSL) port of the SAML router.

createRouter (optional)
  Boolean value that dictates whether a new router is created during deployment. The new router uses the routerFqdn, routerIP, routerHttpsPort, and routerName properties for its configuration and is configured with the saml2 web authentication method. Default value is false.

routerName (optional)
  The name of the router created when createRouter is true. Default value is "SAML Router".

restrictSystemAccess (optional)
  Dictates whether SYSTEM access is restricted on the SAML router. When true, users logging in via the SAML router are blocked from accessing the grid management UI. Default value is false.

SignAssertions (optional)
  Requests that the IdP sign assertions. Default value is true.

sessionTimeout (optional)
  Idle timeout, in minutes, for grid sessions created by the SAML Session Provider. Default value is 960.

identityClaimName (optional)
  The claim that carries the name of the GridPrincipal. Default value is http://schemas.infor.com/claims/Identity.

assertionTimeout (optional)
  Timeout, in seconds, for an assertion. Default value is 300.

preferredSPBinding (optional)
  The protocol binding set in SAML authentication requests, which the IdP uses for its authentication responses. These are the only valid values:

  • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

  • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST (default)

  If InforSTS is used as IdP, only urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST is supported. By default, assertion consumer services are created only for HTTP-POST. If HTTP-Redirect is required, see Configuring login and logout endpoints for instructions.

proxyServerAddress.x (optional)
  Indexed property containing FQDN:port pairs for addresses, such as load balancers or proxy servers, to be used for ACS URLs and the logout endpoint. ACS URLs are created for all of these addresses; a logout URL is created for the first address only.

excludeRouterACS (optional)
  When true, no ACS URLs are created for the SAML router FQDN or IP address; ACS URLs are created only for the proxyServerAddress.x entries. Default value is false.

nameidFormat (optional)
  Provides the NameIDFormat used for WS-Federation. Default value is urn:oasis:names:tc:SAML:2.0:nameid-format:transient.

adminuser.# (optional)
  Users that are mapped to the grid-admin role during installation. The mapping occurs only if selfGrant is true. The property name is suffixed with #, where # is an index from 0 upwards. The names specified must correspond exactly to the names of the grid users after authentication, that is, the values carried in the identity claim.

selfGrant (optional)
  Determines whether the SAML SP is granted as the active session provider. If it is not granted, the admin users are not mapped. Default value is false.

authLevel (optional)
  Sets the authentication level that the SAML SP requests from the IdP for user authentication. These are the possible values, listed from least to most secure:

  • "Username/Password"

  • "Password Protected Transport"

  • "Transport Layer Security (TLS) Client"

  • "X.509 Certificate"

  • "Integrated Windows Authentication"

  • "Kerberos"

  Default value is "Password Protected Transport".

  For information on the supported authentication methods, see Session Provider Requirements and Selection.

authLevelComparison (optional)
  Sets the comparison type for the auth level. These are the possible values:

  • "exact" - Only the provided auth level is accepted

  • "better" - Must be stronger than the provided auth level

  • "minimum" - At least as strong as the provided auth level

  • "maximum" - Not stronger than the provided auth level

  Default value is "minimum".

disable.role.cache (optional)
  Set to true to disable the security role cache, which is used when listing groups for the role mapping UI. The cache is cleaned every 15 minutes. Default value is false.

disable.user.cache (optional)
  Set to true to disable the user cache, which is used when searching for user information but not for authentication. Default value is false.

cache.clean.interval (optional)
  User cache cleaning interval, in minutes. Default value is 60.

idpFqdn (required)
  ADFS/IFS server FQDN.

idpHttps (required)
  HTTPS (SSL) port of the ADFS/IFS server.

idpUri (optional)
  The URI of the federation metadata XML file of AD FS. The value is found in the AD FS 2.0+ management tool under Service > Endpoints; the metadata links are listed at the bottom. Default value is /FederationMetadata/2007-06/FederationMetadata.xml.

ifsFqdn (optional)
  The FQDN of the IFS server, if it differs from the IdP FQDN.

ifsHttps (optional)
  The HTTPS port of IFS, if it differs from the IdP HTTPS port.

useIFS (optional)
  Dictates whether the SAML Session Provider looks up roles in IFS to present in the role mapping UI. Default value is true.

deployToIFS (optional)
  Dictates whether IFS setup is performed. If set to false (or omitted), all IFS/ADFS configuration must be done manually. Default value is false.

IFSUser (required if useIFS is true or not defined)
  Username of an IFS Administrator. This user must have the IFSApplicationAdmin and ApplicationServiceCaller security roles in IFS. A user in domain\user format must be written as "domain\\user".

IFSPassword (required if useIFS is true or not defined)
  The password for IFSUser.

secondaryIdpFqdn (optional)
  In some deployment scenarios the user accounts are not defined in the AD FS server to which the SAML Session Provider is connected, and a secondary IdP is used. This property contains the FQDN of that server.

secondaryIdpHttps (optional)
  The HTTPS port of the secondary IdP server.

secondaryIdpUri (optional)
  The URI of the federation metadata XML file of the secondary AD FS server. See the idpUri property for details.

secondaryIdpDomain (optional)
  A list of the domains that the secondary IdP serves.

XiPlatformFarmName (required)
  The farm name of the InforOS installation that the SAML Session Provider is registered against.

XiPlatformID (required)
  The ID of the InforOS installation that the SAML Session Provider is registered against.

gridPurpose (required)
  A short description of the purpose of the setup. It becomes part of the application name in IFS and of the Relying Party Trust in AD FS, for easier identification.

To install the SAML Session Provider 1.14 using the standalone deployment profile:

  1. Access the Configuration Manager for the grid and log in as grid-admin.
  2. Click Communication, and select Routers.
  3. If there is a SAML router available, note the FQDN, HTTPS port, and external IP address. Specify them in the configuration data file. Ensure that the SAML router supports the saml2 authentication method for both HTTP and HTTPS. Note the host it is running on. You will need this information later in this procedure.

    If there is no SAML router, set the createRouter property to true in the configuration file.

  4. Specify the router properties in the configuration file.
  5. Prepare the rest of the configuration data in the file to be used during deployment. See the previous tables for information about the properties.
  6. Return to the Configuration Manager home page.
  7. Click Applications.
  8. Click New Application.
  9. On the Select Application tab, select the SAML Session Provider from the list, and click Next. If the SAML Session Provider is not available in the list, click Upload.
  10. On the Install Options tab, ensure that the name is SAMLSessionProvider and that the selected deployment profile is StandaloneDeploymentProfile. Browse for the configuration data file and select the host it will be deployed to. Click Finish.
  11. After the deployment is done, the SAML Session Provider starts and its status is "Starting" for up to two minutes. The actual IFS configuration occurs the first time the SAML Session Provider starts, not during deployment.

    When the IFS setup is finished, the SAML Session Provider status should be set to "OK".

  12. If AD FS is used as IdP, the SAML Session Provider application entry in IFS must be manually activated in the InforOS Manager.

    See "Completing claims-based authentication configuration" in InforOS.

    1. Open InforOS Manager for the correct farm.
    2. Select Applications.
    3. Identify the application corresponding to your SAML Session Provider installation.
    4. Click Download for the application to save a PowerShell script.
    5. Run the script on the AD FS server.

      See "AD FS server configuration" in the InforOS Installation Guide.

    6. Configure the IdP according to the steps described in Add Assertion Consumer Service endpoint to AD FS.
  13. If InforSTS is used as IdP, configure the IdP according to the steps described in Add Assertion Consumer Service endpoint to InforSTS.
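The properties table and the procedure above do not show a complete configuration data file or a way to catch mistakes before step 10 uploads it. The following is an added example, not Infor tooling or text from this guide: a constructed sample properties file for the standalone deployment profile, plus a pre-deployment check that enforces the required properties, the conditional IFSUser/IFSPassword requirement, the "domain\\user" escaping rule, the valid preferredSPBinding, authLevel and authLevelComparison values, and the interaction of excludeRouterACS with proxyServerAddress.x and of adminuser.# with selfGrant. Every hostname, port, farm name, ID, user and purpose in the sample is a placeholder. The parser assumes plain key=value lines (no ':' separators or line continuations), and the FQDN:port format check on proxyServerAddress.x is an assumption beyond what the table states.

```python
"""Pre-deployment check for a SAML Session Provider standalone deployment
profile properties file. Added example, not Infor tooling."""
import re

# Constructed sample. Hostnames, ports, farm name, ID, user and purpose are placeholders.
SAMPLE_PROPERTIES = r"""# SAML Session Provider standalone deployment profile (constructed sample)
routerFqdn=grid-saml.example.com
routerIP=203.0.113.10
routerHttpsPort=8443
createRouter=true
restrictSystemAccess=true
SignAssertions=true
sessionTimeout=480
preferredSPBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
proxyServerAddress.0=login.example.com:443
excludeRouterACS=true
idpFqdn=adfs.example.com
idpHttps=443
useIFS=true
deployToIFS=true
IFSUser=EXAMPLE\\ifsadmin
IFSPassword=replace-with-real-secret
XiPlatformFarmName=PRD
XiPlatformID=PRD01
gridPurpose=M3 production
adminuser.0=jane.doe@example.com
selfGrant=true
authLevel=Password Protected Transport
authLevelComparison=minimum
"""

REQUIRED = ("routerFqdn", "routerHttpsPort", "idpFqdn", "idpHttps",
            "XiPlatformFarmName", "XiPlatformID", "gridPurpose")
BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}
AUTH_LEVELS = ["Username/Password", "Password Protected Transport",
               "Transport Layer Security (TLS) Client", "X.509 Certificate",
               "Integrated Windows Authentication", "Kerberos"]  # weakest first
COMPARISONS = {"exact", "better", "minimum", "maximum"}
INTEGER_KEYS = ("routerHttpsPort", "idpHttps", "sessionTimeout",
                "assertionTimeout", "cache.clean.interval")


def parse_properties(text):
    """Minimal key=value parser (assumption: '=' separators, no continuations).
    Backslashes are kept literally so the domain\\user rule can be checked."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def is_true(props, key, default):
    return props.get(key, str(default)).lower() == "true"


def check_profile(props):
    """Return (errors, warnings): errors should block the upload, warnings
    flag valid settings that weaken the setup."""
    errors, warnings = [], []
    for key in REQUIRED:
        if not props.get(key):
            errors.append(f"{key} is required")
    for key in INTEGER_KEYS:
        if key in props and not props[key].isdigit():
            errors.append(f"{key} must be a positive integer, got {props[key]!r}")
    if is_true(props, "useIFS", True):  # required when useIFS is true or omitted
        for key in ("IFSUser", "IFSPassword"):
            if not props.get(key):
                errors.append(f"{key} is required when useIFS is true or omitted")
    if re.search(r"(?<!\\)\\(?!\\)", props.get("IFSUser", "")):  # lone backslash
        errors.append("IFSUser: a domain\\user name must be written as domain\\\\user")
    binding = props.get("preferredSPBinding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")
    if binding not in BINDINGS:
        errors.append(f"preferredSPBinding: {binding!r} is not a valid binding")
    level = props.get("authLevel", "Password Protected Transport")
    if level not in AUTH_LEVELS:
        errors.append(f"authLevel: {level!r} is not a valid level")
    elif AUTH_LEVELS.index(level) == 0:
        warnings.append("authLevel Username/Password is the weakest level")
    if props.get("authLevelComparison", "minimum") not in COMPARISONS:
        errors.append("authLevelComparison must be exact, better, minimum or maximum")
    proxies = {int(k.rsplit(".", 1)[1]): v for k, v in props.items()
               if re.fullmatch(r"proxyServerAddress\.\d+", k)}
    for idx, addr in proxies.items():  # assumption: bare FQDN:port, no scheme/path
        if not re.fullmatch(r"[A-Za-z0-9.-]+:\d{1,5}", addr):
            errors.append(f"proxyServerAddress.{idx} must be FQDN:port, got {addr!r}")
    if is_true(props, "excludeRouterACS", False) and not proxies:
        errors.append("excludeRouterACS=true with no proxyServerAddress.x leaves no ACS URL")
    if any(re.fullmatch(r"adminuser\.\d+", k) for k in props) and not is_true(props, "selfGrant", False):
        warnings.append("adminuser.# entries are ignored because selfGrant is not true")
    if not is_true(props, "restrictSystemAccess", False):
        warnings.append("restrictSystemAccess=false: SAML users can reach the grid management UI")
    if not is_true(props, "SignAssertions", True):
        warnings.append("SignAssertions=false: the IdP is not asked to sign assertions")
    return errors, warnings
```

Run check_profile(parse_properties(open("profile.properties").read())) against your own file before step 10; the constructed sample passes with no errors or warnings, and a file that leaves out IFSPassword, writes the IFS user with a single backslash, or sets excludeRouterACS without any proxyServerAddress.x entry is rejected.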