By: Prabhu R user 02 Jun 2015 at 4:54 a.m. CDT

23 Responses
We tried to add an application in UMA --> Resources --> Added Application. How do we access the added application for the SSO feature? From where could I log in to that application?

By Mohib Zico staff 02 Jun 2015 at 6:02 a.m. CDT

Prabhu, can you please clarify a bit? The hostname of the application which you added in Gluu Server is only known to you...

By Prabhu R user 02 Jun 2015 at 6:47 a.m. CDT

Yes, the application which we added is a normal web application deployed in a Tomcat web container. After adding the application in UMA -> Resources, how does it get authenticated via SSO? Do I need to configure anything in that web application?

By Prabhu R user 02 Jun 2015 at 8:18 a.m. CDT

Basically, in SAML application integration, does Gluu work as Service Provider, Identity Provider, or both?

By William Lowe user 02 Jun 2015 at 9:49 a.m. CDT

Gluu functions as the identity provider.

By Prabhu R user 03 Jun 2015 at 12:33 a.m. CDT

Thanks William. So, how can we configure Identity Provider in gluu console? How could we add/configure LDAP/AD in it?

By Mohib Zico staff 03 Jun 2015 at 1:29 a.m. CDT

>> So, how can we configure Identity Provider in gluu console?

What do you mean by 'Configure Identity Provider'? Which configuration do you want?

>> How could we add/configure LDAP/AD in it?

Docs are all available here: http://www.gluu.org/docs/ Go through the docs and let us know what you don't understand.

By Mohib Zico staff 03 Jun 2015 at 1:31 a.m. CDT

Also... here are quick articles: http://www.gluu.org/resources/documents/ These will help you understand what IDP / SP are and how Gluu Server works.

By Mohib Zico staff 04 Jun 2015 at 5:50 a.m. CDT

Hi Prabhu, do you have any question or confusion? Please feel free to ask...

By Prabhu R user 04 Jun 2015 at 8:09 a.m. CDT

For our internal applications, we want to give SSO. We selected Gluu as IDM & AM, and for that we did the following:

1. The Gluu server is successfully installed and configured properly to make it up & running.
2. Configured Gluu to work on SAML based request & response.
3. To test the deployment setup, we wanted to add an application and try to access the same using SSO.
4. The internal applications of our organization are added in the Gluu server with a SAML relation.
5. Generated SP metadata from the intranet application. We generated SP metadata for our internal application using the "Generate" option in Adding "Trust Relationships" in Gluu.

On completion of the above mentioned process, we tried accessing the internal application from the browser; the application opens up directly instead of directing the request to Gluu and getting a response from it. We understand our internal application as Service Provider (SP) and the Gluu server as Identity Provider (IdP). We tried to have SP-initiated SSO by generating metadata of the SP and adding the SP into the IdP (Gluu). How to proceed further?

By Mohib Zico staff 04 Jun 2015 at 9:20 a.m. CDT

>> the application opens up directly instead of directing the request to Gluu

This is the most important part. That means your SP wasn't properly configured so it can do SSO. As an example, one test SP is `sptest2.gluu.org/secure`. If you try to see the page which is under '/secure', you need to do the SSO with one IDP named "idp.courseload.com". In your case, you need to 'protect' your SP the same way we protected the '/secure' link of 'sptest2.gluu.org'. It's all about apache/httpd/IIS+shibboleth SP configuration.

By Prabhu R user 05 Jun 2015 at 12:44 a.m. CDT

>> In your case, you need to 'protect' your SP on same way we protected '/secure' link of 'sptest2.gluu.org'. <<

This means that every SP which communicates with the Gluu IdP should have some 'protection' like "/secure"?

>> It's all about apache/httpd/IIS+shibboleth SP configuration. <<

For SP configuration, we need this "apache/httpd/IIS+shibboleth SP configuration" combination on every internal application server within our organization, is that right? Without this combination and placing SP metadata on internal application servers, can't we proceed only with the Gluu IdP?

By Mohib Zico staff 05 Jun 2015 at 1:39 a.m. CDT

>> This means that every SP which communicates with Gluu IdP should be as with some 'protection' like "/secure"?

Correct.

>> For SP configuration, we need "apache/httpd/IIS+shibboleth SP configuration" this combination on every internal application servers within our organization, is it right?

Yes. That's how you can protect any link / whole website with Single Sign On.

>> Without this combination and placing SP metadata on internal application servers, cant we able to proceed only with Gluu IdP?

That is another part of configuring SSO, but you must configure your apache / httpd2 / IIS to protect your desired path. You can check this out: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxInstall

By Mohib Zico staff 05 Jun 2015 at 8:40 a.m. CDT

Prabhu, just to inform you... we published the doc on how to configure Gluu Server for Salesforce.com: http://www.gluu.org/docs/articles/salesforce-sso/

By Prabhu R user 05 Jun 2015 at 8:44 a.m. CDT

Finally we integrated Shibboleth with our internal application and configured it. Also, we added our internal application in Gluu as SAML --> Trust Relationships, and got "Validation Success". But from the SP, while accessing https://{our internal application}/protected-area/Shibboleth.sso/login we get this error:

opensaml::saml2md::MetadataException at (https://{our internal application}/protected-area)
Unable to locate metadata for identity provider (https://{our internal IDP server}/idp/shibboleth)

What is missing in the SP Shibboleth configuration?

By Mohib Zico staff 05 Jun 2015 at 8:45 a.m. CDT

Please check your SP's log for these.

By Prabhu R user 08 Jun 2015 at 4:01 a.m. CDT

How do we generate a public self-signed certificate to use it in Gluu and access it as https? From the SP we try to access the IdP (Gluu) metadata, and also for the SAML request we require the SSL certificate embedded in the request. How do we generate it and add it in Gluu? Where do we add self-signed certs?

By Mohib Zico staff 08 Jun 2015 at 4:05 a.m. CDT

Search our docs ( www.gluu.org/docs ). Information on certs is written there.

By Prabhu R user 08 Jun 2015 at 4:25 a.m. CDT

As per your docs, http://www.gluu.org/docs/admin-guide/certificates/https/ there should be an option to Manage Certificates in the Gluu GUI. But we don't find the option in the gluu-server which we installed..

By Mohib Zico staff 08 Jun 2015 at 5:03 a.m. CDT

You don't have that option available in the Community Edition which you installed. Check this: http://www.gluu.org/docs/admin-guide/certificates/ Section 'Updating Certs'

By Prabhu R user 08 Jun 2015 at 5:21 a.m. CDT

Do we need to place these certs in the SP server for communication between the SP and the IdP (Gluu)? Also, is this the X.509 certificate to be added in the SAML request?

By Mohib Zico staff 08 Jun 2015 at 7:37 a.m. CDT

For SAML transactions, you need shibIDP.crt.

By Prabhu R user 08 Jun 2015 at 7:40 a.m. CDT

Do I need to place this shibIDP.crt in the SP server / SAML request?

By Mohib Zico staff 08 Jun 2015 at 8:25 a.m. CDT

This is not a simple Yes/No answer, Prabhu. It will be helpful for you to understand how SAML works first.

Whenever you set up a bridge between a website ( SP ) and an IDP ( Gluu Server ), you need to introduce both parties with 'something'. This 'something' is metadata. You need to put the SP's metadata inside the IDP and the IDP's metadata inside the SP so they can talk to each other. Every metadata contains its own SAML certificate. As an example, Gluu Server's metadata is available at `https://<hostname_of_idp>/idp/shibboleth` and a general Shibboleth SP's metadata is available at `https://<hostname_of_sp>/Shibboleth.sso/Metadata`.

So basically you don't need to worry about the certificate specifically, but you need to release sufficient metadata to each other ( SP and IDP ). Check this link: http://www.gluu.org/resources/documents/articles/how-does-saml-work-idps-sps/
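The metadata exchange described in the reply above, and the "Unable to locate metadata for identity provider" error reported earlier in the thread, come down to one question: does the IdP entityID the SP is told to use actually appear in the metadata the SP has loaded? The following script is an added example, not Gluu's or Shibboleth's own code. It parses a trimmed IdP metadata document (the kind served at `https://<hostname_of_idp>/idp/shibboleth`) and a trimmed `shibboleth2.xml` fragment, then reports the mismatches that produce that error. Every hostname, URL and the certificate bytes are constructed for the demo; the `url`/`uri` attribute handling is an assumption covering Shibboleth SP 3.x and 2.x spellings.

```python
"""Check that a Shibboleth SP's shibboleth2.xml points at an IdP whose metadata
is actually loaded, which is the usual cause of
'opensaml::saml2md::MetadataException ... Unable to locate metadata for identity provider'."""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SPCFG = "urn:mace:shibboleth:2.0:native:sp:config"
NS = {"md": MD, "ds": DS, "sp": SPCFG}

# Constructed stand-in for the DER bytes of the IdP signing certificate. Real
# metadata carries the IdP's actual cert here (shibIDP.crt on a Gluu Server).
FAKE_CERT_DER = b"constructed-idp-signing-cert"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()

# Constructed, trimmed sample of what an IdP publishes at /idp/shibboleth.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed, trimmed shibboleth2.xml: only the elements this check looks at.
SP_CONFIG_OK = f"""<SPConfig xmlns="{SPCFG}">
  <ApplicationDefaults entityID="https://app.example.org/shibboleth">
    <Sessions handlerURL="/Shibboleth.sso">
      <SSO entityID="https://idp.example.org/idp/shibboleth">SAML2 SAML1</SSO>
    </Sessions>
    <MetadataProvider type="XML" url="https://idp.example.org/idp/shibboleth"
        backingFilePath="idp-metadata.xml" reloadInterval="7200"/>
  </ApplicationDefaults>
</SPConfig>
"""

# Same file with a one-character slip in the SSO entityID (http instead of https).
SP_CONFIG_BAD = SP_CONFIG_OK.replace(
    '<SSO entityID="https://idp.example.org', '<SSO entityID="http://idp.example.org')


def parse_idp_metadata(xml_text):
    """Return the IdP entityID, its SSO endpoints and SHA-256 fingerprints of signing certs."""
    root = ET.fromstring(xml_text)
    sso = [e.get("Location") for e in root.findall(".//md:SingleSignOnService", NS)]
    fingerprints = []
    for kd in root.findall(".//md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_fingerprints": fingerprints}


def parse_sp_config(xml_text):
    """Pull the SP entityID, the IdP it will redirect to, and its metadata sources."""
    root = ET.fromstring(xml_text)
    app = root.find("sp:ApplicationDefaults", NS)
    sso = app.find(".//sp:SSO", NS)
    sources = []
    for mp in app.findall(".//sp:MetadataProvider", NS):
        # Assumption: SP 3.x spells the attribute 'url', SP 2.x 'uri'; accept both plus a local path.
        src = mp.get("url") or mp.get("uri") or mp.get("path")
        if src:
            sources.append(src)
    return {
        "sp_entity_id": app.get("entityID"),
        "idp_entity_id": sso.get("entityID") if sso is not None else None,
        "metadata_sources": sources,
    }


def diagnose(sp_cfg, loaded_metadata):
    """loaded_metadata maps each configured source (URL/path) to its parsed IdP metadata."""
    findings = []
    if not sp_cfg["metadata_sources"]:
        findings.append("no MetadataProvider configured: the SP holds no IdP metadata at all")
    known = {}
    for src in sp_cfg["metadata_sources"]:
        md = loaded_metadata.get(src)
        if md is None:
            findings.append(f"metadata source {src} could not be loaded")
            continue
        known[md["entity_id"]] = md
    target = sp_cfg["idp_entity_id"]
    if target is None:
        findings.append("no <SSO entityID=...> set: the SP does not know which IdP to use")
    elif target not in known:
        findings.append(f"SSO entityID {target!r} not present in loaded metadata "
                        f"(loaded: {sorted(known)}) -> 'Unable to locate metadata for identity provider'")
    else:
        md = known[target]
        if not md["sso"]:
            findings.append(f"IdP {target} publishes no SingleSignOnService endpoint")
        if not md["signing_fingerprints"]:
            findings.append(f"IdP {target} metadata carries no signing certificate; assertions cannot be verified")
    return findings


def run_demo():
    """Run the check against the correct and the mistyped SP configuration."""
    fetched = {"https://idp.example.org/idp/shibboleth": parse_idp_metadata(IDP_METADATA)}
    return (diagnose(parse_sp_config(SP_CONFIG_OK), fetched),
            diagnose(parse_sp_config(SP_CONFIG_BAD), fetched))


if __name__ == "__main__":
    ok, bad = run_demo()
    print("correct config:", ok or "no findings")
    print("mistyped SSO entityID:", bad)
```

The entityID comparison is an exact string match, as it is in the SP itself, so an `http`/`https` slip, a trailing slash or a stale hostname in `<SSO entityID="...">` is enough to trigger the exception even though the metadata was fetched successfully. The Apache side of "protecting" a path, as the earlier replies describe, is a `<Location /secure>` block with `AuthType shibboleth`, `ShibRequestSetting requireSession 1` and `Require valid-user`; that part is not covered by this script.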