Install the SAML Session Provider 1.13 using the standalone deployment profile
To install the SAML Session Provider 1.13 manually, you must set up a properties file containing the deployment profile configuration data.
There are many possible properties to configure for the manual SAML Session Provider deployment. Only a few of them are required; the others take their default values if omitted from the properties file.
Standalone deployment can be done for on-premise or cloud.
This section contains three tables:
- A table showing shared properties that apply to both on-premise and cloud
- A table showing properties that apply to on-premise only
- A table showing properties that apply to cloud only
This table shows properties that apply to both on-premise and cloud:
Property | Required? | Description |
---|---|---|
routerFqdn | Yes | SAML-enabled grid router external FQDN. |
routerIP | No | IP address for external access to the SAML router. |
routerHttpsPort | Yes | SSL port to the SAML router. |
createRouter | No | Boolean value that dictates whether a new router should be created during deployment. This router uses the routerFqdn, routerIP, routerHttpsPort, and routerName properties for its configuration and is configured with the saml2 web authentication method. Default value is false. |
routerName | No | The name of the new router created if createRouter is set to true. Default value is "SAML Router". |
routerOnAllHosts | No | If true, the SAML router is created to run on all hosts in the Grid. If false, the router is created only on the SAML Session Provider host. Default value is false. |
restrictSystemAccess | No | Dictates whether SYSTEM should be restricted on the SAML router. This blocks users logging in via the SAML router from accessing the grid management UI. Default value is false. |
SignAssertions | No | Requests the IdP to sign assertions. Default is true. |
signatureAlgorithm | No | The signature algorithm to be used for signed AuthnRequests and LogoutResponses. Possible values are: See Managing the signature algorithm for the SAML Session Provider. |
sessionTimeout | No | The idle timeout, in minutes, for grid sessions created by the SAML Session Provider. Default value is 480 minutes. |
identityClaimName | No | The claim containing the name for the GridPrincipal. Default value for on-premise installations: Default value for cloud installations: |
roleClaimName | No | The claim to use for GridPrincipal roles. Default value is http://schemas.infor.com/claims/SecurityRole. |
assertionTimeout | No | The timeout, in seconds, for an assertion. Default is 300. |
preferredSPBinding | No | The protocol binding to set for SAML authentication requests, used by the IdP for authentication responses. The only valid values are urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect and urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST (default). |
enableACSUpdate | No | Automatically create ACS URLs for all SAML-enabled routers during module startup. Default value is Note that the IdP configuration must always be updated when a new ACS URL is added. |
proxyServerAddress.x | No | Indexed property containing FQDN:port pairs for addresses, such as load balancers or proxy servers, to be used for ACS URLs and the logout endpoint. ACS URLs are created for all these addresses; a logout URL is created for the first address only. The first proxy server address, if present, is also used to form the name of the SP/RPT that is registered with IFS and the IdP. |
excludeRouterACS | No | Do not create ACS URLs for the SAML router FQDN or IP address, only for the proxyServerAddress.x entries. Default value is false. |
nameidFormat | No | The NameIDFormat used for WS-Federation. Default is urn:oasis:names:tc:SAML:2.0:nameid-format:transient. |
adminUser.# | No | Users that should be mapped to the grid-admin role during installation. The mapping occurs only if selfGrant is true. The property name is suffixed with #, where # denotes an index from 0 upwards. Note that the names specified must correspond exactly to the names of the grid users after authentication, i.e. the values carried in the identity claim. |
selfGrant | No | Determines whether the SAML SP should be granted as the active session provider. If not granted, the admin users are not mapped. Default value is false. |
authLevel | No | Sets the authentication level that the SAML SP requests from the user authentication in the IdP. Possible values are (ranging from the least secure): Default is " For information on the supported authentication methods, see Session Provider Requirements and Selection. |
authLevelComparison | No | Sets the comparison type for the auth level. Possible values are: Default value is " |
cloudDeployment | No | When set to true, IdP properties are read from the input file, SP properties are provided as a file, and other properties get the cloud default values. Default is false. |
ifs.version | No | Specifies the IFS WSDL version. Possible values are IFSWSv2 (default for on-premise) and IFSWSv3CE (default for cloud). |
disable.role.cache | No | Configuration for the security role cache, used when listing groups for the role mapping UI. The cache is cleaned every 15 minutes. Default is false. |
disable.user.cache | No | Configuration for the user cache, used when searching for user information (not authentication). Default is false. |
cache.clean.interval | No | Number of minutes between user cache cleanings. Default is 60. |
This table shows properties that apply to on-premise only:
Property | Required? | Description |
---|---|---|
idpFqdn | Yes | ADFS/IFS server FQDN. |
idpHttp | No | HTTP port to ADFS/IFS. Default is 80. The IFS installation guide recommends changing the port. |
idpHttps | No | SSL port to ADFS/IFS. Default is 443. The IFS installation guide recommends changing the port. |
idpUri | No | The URI to the federation metadata XML file of ADFS. The value can be found in the AD FS 2.0+ management tool under Service > Endpoints; the metadata links are listed at the bottom. Default is /FederationMetadata/2007-06/FederationMetadata.xml. |
ifsFqdn | No | The FQDN of the IFS server, if it differs from the IdP FQDN. |
ifsHttp | No | The HTTP port of IFS, if it differs from the IdP HTTP port. |
ifsHttps | No | The HTTPS port of IFS, if it differs from the IdP HTTPS port. |
useIFS | No | Dictates whether the SAML Session Provider should look up roles in IFS to present in the role mapping UI. Default is true. |
deployToIFS | No | Dictates whether IFS setup should be performed. If set to "false" (or omitted), all IFS/ADFS configuration must be done manually. Default value is false. |
IFSUser | Yes, if useIFS is true or if useIFS is not defined | Username for an IFS administrator. This user must have the IFSApplicationAdmin and AttributeServiceCaller security roles in IFS. Note that a user in domain\user format must be written as "domain\\user". |
IFSPassword | Yes, if useIFS is true or if useIFS is not defined | The password for the IFSUser. |
serverAdminUser | No | The local Administrator account on the IFS/AD FS server, used to activate the application in IFS if UAC is turned on. Defaults to the IFSUser. Note: this property does not apply to LTR or Infor OS. |
serverAdminPassword | No | The Administrator password. Defaults to the IFSPassword if serverAdminUser is not provided. Note: this property does not apply to LTR or Infor OS. |
ifsCfgsvcUrl | No | The virtual directory of the IFS web application on the idpFqdn. Default is IFSServices. |
This table shows properties that apply to cloud only:
Property | Required? | Description |
---|---|---|
idp.saml.metadata.xml.base64 | Yes | A base64-encoded string representing the IdP metadata, copied from the idp.properties of the PingFederate installation. |
displayNameClaim | No | The claim to use for the GridPrincipal display name. Default is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn. |
spPropertyOutputFile | No | Full path and file name of the SP property output file. Ensure that the user running the installation has write permissions in this location. The file can also be retrieved with a REST call to /info/metadata/properties or from the Metadata section of the SAML SP Management pages. |
idp.last.activity.cookie.name | No | The Ming.le CE property for the keep-alive cookie name. |
idp.last.activity.domain.name | No | The Ming.le CE property for the keep-alive cookie domain name. |
ifs.attributeservice.url | No | The URL to the IFS CE attribute service. |
ifs.attributeservice.wsdl.url | Maybe | The URL to the IFS CE WSDL. This property is required if IFS CE is used. |
ifs.attributeservice.client.certificate.base64 | Maybe | A client keystore as a base64-encoded string. This keystore is required to authenticate to IFS CE. |
ifs.attributeservice.client.certificate.password | Maybe | The password needed to import the client certificate provided in the ifs.attributeservice.client.certificate.base64 property. This property is required if IFS CE is used. |
ifs.attributeservice.service.certificate.chain.base64 | Maybe | The certificate chain of all the IFS CE server SSL certificates as a base64-encoded string. This keystore is required to be able to connect to IFS CE. This property is required if IFS CE is used. |
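The three tables above mix unconditional, conditional ("Yes, if useIFS is true or not defined", "Maybe") and indexed properties, which is easy to get wrong by hand before an installation run. The following Python script is an added example, not part of this documentation or of Infor's installer: it reads a deployment properties file and applies the Required? rules and conditional notes from the tables. It assumes the file uses Java-style `key=value` lines (as the "domain\\user" escaping note suggests), treats any `ifs.attributeservice.*` key in a cloud file as a sign that IFS CE is in use, and flags `excludeRouterACS=true` with no `proxyServerAddress.x` entries as an inference from the table text. The two sample files and all hostnames and values in them are constructed placeholders.

```python
"""Pre-flight checks for a SAML Session Provider standalone deployment properties
file. Added example: rules encode the tables' Required? column and conditional notes."""
import re

VALID_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}
# Cloud-only properties the table marks "required if IFS CE is used".
IFS_CE_REQUIRED = (
    "ifs.attributeservice.wsdl.url",
    "ifs.attributeservice.client.certificate.password",
    "ifs.attributeservice.service.certificate.chain.base64",
)


def parse_properties(text):
    """Minimal Java-style .properties reader (assumed format): key=value or
    key: value, '#'/'!' comment lines, blank lines ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            # A backslash is escaped as two in the file (the table's "domain\\user"),
            # so collapse pairs to obtain the value the installer will see.
            props[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return props


def is_true(props, key, default="false"):
    return props.get(key, default).strip().lower() == "true"


def check_properties(props):
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    cloud = is_true(props, "cloudDeployment")
    # Required in both deployment types, plus the per-type required property.
    required = ["routerFqdn", "routerHttpsPort"]
    required += ["idp.saml.metadata.xml.base64"] if cloud else ["idpFqdn"]
    for key in required:
        if not props.get(key):
            problems.append(f"missing required property {key}")
    if not cloud:
        # IFSUser/IFSPassword are required when useIFS is true or not defined.
        if "useIFS" not in props or is_true(props, "useIFS"):
            for key in ("IFSUser", "IFSPassword"):
                if not props.get(key):
                    problems.append(f"missing {key} (required because useIFS is true or not set)")
    elif any(k.startswith("ifs.attributeservice.") for k in props):
        # Assumption: any ifs.attributeservice.* key means IFS CE is in use.
        for key in IFS_CE_REQUIRED:
            if not props.get(key):
                problems.append(f"missing {key} (required when IFS CE is used)")
    # adminUser.# mappings only take effect when selfGrant is true.
    admins = [k for k in props if re.fullmatch(r"adminUser\.\d+", k)]
    if admins and not is_true(props, "selfGrant"):
        problems.append("adminUser.# entries will not be mapped because selfGrant is not true")
    # proxyServerAddress.x values must be FQDN:port pairs.
    proxies = [k for k in props if re.fullmatch(r"proxyServerAddress\.\d+", k)]
    for key in proxies:
        if not re.fullmatch(r"[A-Za-z0-9.-]+:\d{1,5}", props[key]):
            problems.append(f"{key} is not an FQDN:port pair: {props[key]!r}")
    # Inferred from the table: excluding the router with no proxy entries leaves no ACS URL.
    if is_true(props, "excludeRouterACS") and not proxies:
        problems.append("excludeRouterACS=true but no proxyServerAddress.x entries")
    binding = props.get("preferredSPBinding")
    if binding and binding not in VALID_BINDINGS:
        problems.append(f"preferredSPBinding has an unsupported value: {binding}")
    return problems


# Constructed sample files for illustration; hostnames and values are placeholders.
ONPREM_SAMPLE = r"""
# on-premise, useIFS left unset so the IFS credentials are required
routerFqdn=grid.example.com
routerHttpsPort=8443
idpFqdn=adfs.example.com
IFSUser=corp\\svc-ifs
selfGrant=true
adminUser.0=alice@example.com
proxyServerAddress.0=lb.example.com:443
"""

CLOUD_SAMPLE = r"""
cloudDeployment=true
routerFqdn=grid.example.com
routerHttpsPort=8443
idp.saml.metadata.xml.base64=PLACEHOLDER_BASE64_IDP_METADATA
ifs.attributeservice.wsdl.url=https://ifs-ce.example.com/PLACEHOLDER?wsdl
"""

if __name__ == "__main__":
    for name, text in (("on-premise", ONPREM_SAMPLE), ("cloud", CLOUD_SAMPLE)):
        print(name, check_properties(parse_properties(text)) or "OK")
```

Run against the two samples, the on-premise file is reported as missing IFSPassword (because useIFS was left undefined), and the cloud file as missing the two remaining IFS CE properties; a file that sets useIFS=false passes without IFS credentials. Point `parse_properties` at the real file's contents before invoking the installer.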
To install the SAML Session Provider 1.13 using the standalone deployment profile: