
SAML Authentication Setup (v4.11 and below)

SAML Authentication Setup in Innoslate

Innoslate v4.11 and below supports SAML-based single sign-on (SSO) authentication through two methods: using a public certificate or a private certificate. This section outlines the configuration process for both approaches, including certificate conversion and settings configuration.

Overview of SAML Authentication Methods

1. Public Certificate Method
   - Utilizes a public certificate to verify the authenticity of the SAML response.  
   - Ensures the response originates from a trusted Identity Provider (IdP), the signature is valid, and the data remains untampered during transit.

2. Private Certificate Method
   - Employs an artifact-based response mechanism.  
   - Innoslate requests user access from the IdP, receiving an `artifactId` in return.  
   - Innoslate sends the `artifactId` to the IdP's artifact resolution service in a request signed with the private certificate; the IdP then returns the user information.

Converting a Certificate to a Java Keystore (*.pem to *.jks)

To use SAML authentication, a Java Keystore (JKS) file must be created from a certificate (e.g., `*.pem`). Follow these steps:

1. Install OpenSSL  
   - Download and install OpenSSL if not already present on your system.

2. Open Command Prompt as Administrator
   - Launch `cmd` with administrative privileges.

3. Convert PEM to DER Format
   - Execute the following command:

     openssl.exe x509 -outform der -in cert.pem -out cert.der

   Note: Provide the full file path for `openssl.exe` and/or `cert.pem` if running the command from a directory other than their location.

   - This generates a `cert.der` file in the current working directory.

4. Locate the Java `keytool`
   - Find `keytool.exe` in your Java installation directory, e.g.:

     C:\Program Files\Java\jre1.8.0_211\bin\keytool.exe

5. Import DER Certificate into a Java Keystore
   - Run the following command:

     keytool.exe -import -alias InnoslateSP -keystore SPKeystore.jks -file cert.der

   Parameters:

   • `-alias InnoslateSP`: The alias for the certificate (must match `KEY_ENTRY_ID` in `settings.properties`).
   • `-keystore SPKeystore.jks`: The output keystore file.
   • `-file cert.der`: The input DER certificate file.

   - You will be prompted to set a keystore password.
   - The `SPKeystore.jks` file will be created in the current working directory.

6. Deploy the Keystore
   - Copy the generated `SPKeystore.jks` file to the Innoslate `WEB-INF\classes` directory, typically located at:

     C:\Innoslate4\apache-tomcat-8.5.37\webapps\innoslate4\WEB-INF\classes
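The PEM-to-DER step above, done in pure Python so the result can be checked before `keytool` sees it. This is an added example, not Innoslate's own code or tooling; the PEM input is a constructed 5-byte ASN.1 SEQUENCE, not a real certificate, and the fingerprint helper prints the same colon-separated layout that `keytool -list -v` shows after the import in step 5.

```python
# Added example, not from the Innoslate documentation: the PEM-to-DER step of
# the procedure above in pure Python, plus the SHA-256 fingerprint of the DER
# so it can be compared with `keytool -list -v` after the import.
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed sample: a PEM wrapper around the 5-byte DER SEQUENCE 30 03 02 01 05
# (a SEQUENCE holding INTEGER 5), not a real certificate.
CONSTRUCTED_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"


def pem_to_der(pem_text: str) -> bytes:
    """Equivalent of `openssl x509 -outform der`: Base64-decode the body of the
    first CERTIFICATE block. Raises ValueError on malformed input."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if not der or der[0] != 0x30:  # a certificate is an ASN.1 SEQUENCE
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der


def der_length_ok(der: bytes) -> bool:
    """True if the outer SEQUENCE length covers exactly the whole blob; catches
    truncated or concatenated files before keytool reports a vague error."""
    if len(der) < 2:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        hdr, length = 2, first
    else:                                  # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + length == len(der)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase hex, the layout keytool prints for SHA256."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())
```

Write the bytes returned by `pem_to_der` to `cert.der` and pass that file to `keytool -import` exactly as in step 5.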
   

Configuring `settings.properties`

The `settings.properties` file must be updated to enable SAML authentication. Below are the required properties for each method.

General SAML Configuration

`AUTHENTICATION_TYPE`

Specifies the authentication method for Innoslate.  

Example:

AUTHENTICATION_TYPE = SAML

Note: `AUTHENTICATION_TYPE = SAML` is required for both the public and private certificate methods.

Public Certificate Configuration

`KEY_ENTRY_ID`
The alias of the certificate stored in the Java Keystore (e.g., `InnoslateSP`).  

Example:  

KEY_ENTRY_ID = InnoslateSP

`KEY_STORE_PASSWORD`
The password set during keystore creation.  

Example:

KEY_STORE_PASSWORD = password

`SAML_RESPONSE`
The parameter name pointing to the Base64-encoded SAML response payload from the IdP.  

Example:   

SAML_RESPONSE = SAMLResponse

`SP_ENTITY_ID`
A globally unique identifier for the Service Provider (SP) in SAML.  

Example:

SP_ENTITY_ID = https://accounts.google.com/o/saml2?idpid=Br2ertd0v45

`SSO_SERVICE` 
The URL of the IdP’s Single Sign-On service, which authenticates the user and returns user information.

Example:  

SSO_SERVICE = https://accounts.google.com/o/saml2/idp?idpid=C2t2be0v66

Private Certificate Configuration

`KEY_ENTRY_ID` 
The alias of the certificate stored in the Java Keystore (e.g., `InnoslateSP`).  

Example:

KEY_ENTRY_ID = InnoslateSP

`KEY_STORE_PASSWORD`
The password set during keystore creation.  

Example:  

KEY_STORE_PASSWORD = password

`SAML_PRIVATE_CERT`
A boolean flag to enable private certificate mode (default is public certificate mode).  

Example:  

SAML_PRIVATE_CERT = true

`SAML_ARTIFACT`  
The parameter name pointing to the `artifactId` returned by the IdP.  

Example:  

SAML_ARTIFACT = SAMLart

`ARTIFACT_RESOLUTION_SERVICE` 
The URL of the IdP’s artifact resolution service, which processes the `artifactId` and returns user information.  

Example:

ARTIFACT_RESOLUTION_SERVICE = http://localhost:8282/idp/artifactResolutionService

`SSO_SERVICE` 
The URL of the IdP’s Single Sign-On service, which authenticates the user and returns the `artifactId`.   

Example:  

SSO_SERVICE = http://localhost:8282/idp/singleSignOnService

Optional Configuration

`WITH_SIGNING_CREDENTIAL`
Enables signing of SAML requests with the certificate.  

Example:  

WITH_SIGNING_CREDENTIAL = true

`SERVER_ADDRESS`
Overrides the default server address (e.g., if not `localhost`).  

Example:  

SERVER_ADDRESS = https://innoslate.example.com
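A pre-flight check for the `settings.properties` keys documented above: it reads the file, picks the public or private rule set from `SAML_PRIVATE_CERT`, reports missing keys, confirms `KEY_ENTRY_ID` matches the `-alias` given to `keytool`, and flags a default keystore password or a plain `http://` IdP endpoint on a non-local host. This is an added example, not Innoslate's own code; the `check_saml_settings` and `parse_properties` names and the sample property text are constructed for illustration.

```python
# Added example, not Innoslate's own code: a pre-flight check of the
# settings.properties keys documented above, run before restarting Tomcat.
import re

COMMON = {"AUTHENTICATION_TYPE", "KEY_ENTRY_ID", "KEY_STORE_PASSWORD", "SSO_SERVICE"}
PUBLIC_ONLY = {"SAML_RESPONSE", "SP_ENTITY_ID"}
PRIVATE_ONLY = {"SAML_ARTIFACT", "ARTIFACT_RESOLUTION_SERVICE"}
URL_KEYS = {"SSO_SERVICE", "ARTIFACT_RESOLUTION_SERVICE", "SERVER_ADDRESS"}


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: `KEY = value`, `#`/`!` comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_saml_settings(text: str, keystore_alias: str) -> list:
    """Return findings (an empty list means the file is consistent with the
    rules on this page). keystore_alias is the -alias passed to keytool."""
    p = parse_properties(text)
    present = set(p)
    findings = []
    if p.get("AUTHENTICATION_TYPE") != "SAML":
        findings.append("AUTHENTICATION_TYPE must be SAML for either mode")
    private = p.get("SAML_PRIVATE_CERT", "false").lower() == "true"
    mode = "private" if private else "public"
    for key in sorted((COMMON | (PRIVATE_ONLY if private else PUBLIC_ONLY)) - present):
        findings.append(f"missing {key} ({mode} mode)")
    # JKS aliases are case-insensitive, so compare lowercased.
    if "KEY_ENTRY_ID" in p and p["KEY_ENTRY_ID"].lower() != keystore_alias.lower():
        findings.append(f"KEY_ENTRY_ID {p['KEY_ENTRY_ID']!r} does not match "
                        f"keystore alias {keystore_alias!r}")
    if p.get("KEY_STORE_PASSWORD", "x") in ("", "password", "changeit"):
        findings.append("KEY_STORE_PASSWORD is empty or a well-known default")
    for key in sorted(URL_KEYS & present):
        if p[key].startswith("http://") and "localhost" not in p[key]:
            findings.append(f"{key} uses plain http:// to a non-local host")
    return findings
```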

Summary of Key Properties

| Property | Description | Example Value |
|---|---|---|
| `AUTHENTICATION_TYPE` | Authentication method | `SAML` |
| `KEY_ENTRY_ID` | Certificate alias in keystore | `InnoslateSP` |
| `KEY_STORE_PASSWORD` | Keystore password | `password` |
| `SAML_RESPONSE` | SAML response parameter (public cert) | `SAMLResponse` |
| `SP_ENTITY_ID` | Unique SP identifier (public cert) | `https://accounts.google.com/...` |
| `SSO_SERVICE` | SSO service URL | `https://accounts.google.com/...` |
| `SAML_PRIVATE_CERT` | Enable private cert mode | `true` |
| `SAML_ARTIFACT` | Artifact ID parameter (private cert) | `SAMLart` |
| `ARTIFACT_RESOLUTION_SERVICE` | Artifact resolution service URL (private cert) | `http://localhost:8282/...` |
| `WITH_SIGNING_CREDENTIAL` | Enable request signing | `true` |
| `SERVER_ADDRESS` | Custom server URL | `https://innoslate.example.com` |


(Next Article: SAML for v4.12)