Supporting OSP with third-party products can be tricky, and changing the OSP defaults that do not play well with a given IDP can be trickier. It may come as a surprise (it was to me) that these defaults can be changed at all, and changing them is not a difficult proposition either.

OSP bundles its default configuration in jars named osp-conf-edir.jar and osp-conf-ad.jar, both found in the osp/lib directory. With User Application, OSP uses osp-conf-edir.jar; you can confirm which jar is loaded in setenv.sh, where it is handed to Tomcat as a system property in the CATALINA_OPTS line:

-Dcom.netiq.osp.ext-context-file=/opt/netiq/apps/osp_sspr/lib/osp-conf-edir.jar

This jar contains a number of generic and tenant-specific configuration files (IDM being the tenant). The generic files cover things like thread pool size and logging; the tenant files carry much the same settings and override the generic ones. In addition there is authcfg.xml, which holds a good deal of authentication-related configuration, and the part we are interested in is the SAML 2.0 protocol configuration.

To get at these files, unpack (unjar) the conf jar into a directory of your choosing; this lays out the jar's directory structure on disk so the files can be edited.

The SAML 2.0 protocol configuration looks like this:

<SAML2Protocol
    enabled="${com.netiq.idm.osp.saml2.enabled:false}"
    >
  <SAML2SP
      id="saml2-sp"
      ssoPost="${com.netiq.osp.login.saml2.ssoPost:true}"
      ssoRedirect="${com.netiq.osp.login.saml2.ssoRedirect:true}"
      sloSoap="${com.netiq.osp.login.saml2.sloSoap:false}"
      sloRedirect="${com.netiq.osp.login.saml2.sloRedirect:true}"
      sloPost="${com.netiq.osp.login.saml2.sloPost:true}"
      >
    <TrustedIDP
        displayName="SAML2 Identity Provider"
        enabled="true"
        id="saml2-idp"
        validateMetadataCert="${com.netiq.osp.login.saml2.idp-validateMetadataCert:false}"
        >
      <Metadata
          source="${com.netiq.idm.osp.login.saml2.metadata-url}"
          failOnError="true"
          ><Inject propertyName="com.netiq.idm.osp.login.saml2.metadata"/></Metadata>
      <AccessSettings
          responseBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          >
        <Reference refId="saml2-attr-map" type="AssertionAttributeMap"/>
        <Binding
            sso="${com.netiq.idm.osp.login.saml2.binding-post.sso:false}"
            slo="${com.netiq.idm.osp.login.saml2.binding-post.slo:true}"
            >HTTP-POST</Binding>
        <Binding
            sso="${com.netiq.idm.osp.login.saml2.binding-redirect.sso:true}"
            slo="${com.netiq.idm.osp.login.saml2.binding-redirect.slo:true}"
            >HTTP-Redirect</Binding>
      </AccessSettings>
    </TrustedIDP>
  </SAML2SP>
</SAML2Protocol>

This configuration describes the service provider (SP) side under the SAML2SP element and the identity provider (IDP) side under the TrustedIDP element. The settings one may need to change are the ones that describe the IDP.

Some of these values, such as the "source" attribute of the Metadata element, are populated by the configupdate tool (note that its placeholder carries no default after a colon, so the value has to come from outside the jar), and you should never need to touch them by hand. In many cases, however, one needs finer control over the HTTP methods and bindings that OSP uses to send its AuthnRequest and expects for the Response, and that is governed by AccessSettings:

<AccessSettings
    responseBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    >
  <Reference refId="saml2-attr-map" type="AssertionAttributeMap"/>
  <Binding
      sso="${com.netiq.idm.osp.login.saml2.binding-post.sso:false}"
      slo="${com.netiq.idm.osp.login.saml2.binding-post.slo:true}"
      >HTTP-POST</Binding>
  <Binding
      sso="${com.netiq.idm.osp.login.saml2.binding-redirect.sso:true}"
      slo="${com.netiq.idm.osp.login.saml2.binding-redirect.slo:true}"
      >HTTP-Redirect</Binding>
</AccessSettings>

Each ${name:value} placeholder resolves to the property called name and falls back to the value after the colon only when that property is not set; editing the jar therefore changes the fallback, and an explicitly set property still wins. If the IDP you are integrating with requires the SAML AuthnRequest to arrive by HTTP GET (the HTTP-Redirect binding) rather than by POST, give com.netiq.idm.osp.login.saml2.binding-post.sso a default of false and make sure com.netiq.idm.osp.login.saml2.binding-redirect.sso defaults to true.

GET is what the HTTP-Redirect binding uses, so the IDP may want to answer the same way, carrying the SAML Response in the query string rather than in the body of a POST. Bear in mind that the SAML 2.0 Web Browser SSO profile has the IDP return the Response by HTTP-POST (or Artifact), and that the Redirect binding signs the deflated query string rather than the XML, so an IDP that really returns a Response over Redirect is the exception; check the IDP's metadata before changing this. If it does, set

responseBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

The binding URNs are case-sensitive, so it must be spelled HTTP-Redirect, not HTTP-REDIRECT.

If instead the IDP answers a Redirect-bound AuthnRequest with a POST, leave the Response on HTTP-POST:

responseBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

Once you have made your changes, re-jar the directory, replace the original osp-conf-edir.jar in osp/lib (keep a copy of the original so you can roll back), and restart Tomcat so the new defaults are picked up. For example, on Windows with the JDK's jar tool, run from inside the unpacked directory:

F:\osp-conf-edir>"C:\Program Files\Java\jdk1.7.0_79\bin\jar.exe" -cvf .\osp-conf-edir.jar .
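Both the binding-selection discussion above and the unjar/edit/re-jar step can be exercised offline before touching a real server. The following Python script is an added example, not part of the original post or of OSP itself. It builds a stand-in jar in memory (a jar is just a zip) around a constructed, much-reduced authcfg.xml, rewrites the :default part of the chosen placeholders and the responseBinding attribute, copies every other entry through unchanged and in its original order, and then reports which bindings OSP would end up using for SSO, SLO and the Response. The root element name, the entry path authcfg.xml, the filler entries and the starting defaults are assumptions; the property map handed to effective_bindings stands in for wherever OSP reads the com.netiq.idm.osp.* properties from, which the post does not describe. The script also refuses to write a binding URN it does not recognise, which catches a miscased value such as HTTP-REDIRECT.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Placeholder syntax used throughout authcfg.xml: ${property.name:default}.
# The default part is optional (the Metadata "source" attribute has none).
PLACEHOLDER = re.compile(r"\$\{([^:}]+)(?::([^}]*))?\}")

# The only two bindings the AccessSettings fragment can name. The URNs are
# case-sensitive: HTTP-REDIRECT is not the same binding as HTTP-Redirect.
VALID_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
}

# Constructed stand-in for authcfg.xml (assumption: root element name, layout and the
# starting defaults are invented; the real file carries far more than this).
SAMPLE_AUTHCFG = """<AuthConfig>
  <SAML2Protocol enabled="${com.netiq.idm.osp.saml2.enabled:false}">
    <SAML2SP id="saml2-sp">
      <TrustedIDP id="saml2-idp" enabled="true">
        <AccessSettings responseBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
          <Binding sso="${com.netiq.idm.osp.login.saml2.binding-post.sso:true}"
                   slo="${com.netiq.idm.osp.login.saml2.binding-post.slo:true}">HTTP-POST</Binding>
          <Binding sso="${com.netiq.idm.osp.login.saml2.binding-redirect.sso:false}"
                   slo="${com.netiq.idm.osp.login.saml2.binding-redirect.slo:true}">HTTP-Redirect</Binding>
        </AccessSettings>
      </TrustedIDP>
    </SAML2SP>
  </SAML2Protocol>
</AuthConfig>
"""


def make_sample_jar() -> bytes:
    """Build an in-memory jar with a manifest, the sample authcfg.xml and one filler entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("authcfg.xml", SAMPLE_AUTHCFG)            # assumed entry path
        z.writestr("generic.properties", "thread.pool.size=10\n")  # untouched filler
    return buf.getvalue()


def is_valid_binding(urn: str) -> bool:
    return urn in VALID_BINDINGS


def resolve(text: str, props: dict) -> str:
    """Replace every ${key:default} with props[key], falling back to the default."""
    def sub(m):
        key, default = m.group(1), m.group(2)
        if key in props:
            return props[key]
        if default is None:
            raise KeyError(f"{key} is not set and has no default")
        return default
    return PLACEHOLDER.sub(sub, text)


def effective_bindings(authcfg_xml: str, props: dict) -> dict:
    """What OSP would use: bindings enabled for SSO/SLO and how the Response must arrive."""
    access = ET.fromstring(resolve(authcfg_xml, props)).find(".//AccessSettings")
    response = access.get("responseBinding")
    if not is_valid_binding(response):
        raise ValueError(f"unknown responseBinding {response!r} (check spelling and case)")
    bindings = access.findall("Binding")
    return {
        "response": response,
        "sso": [b.text for b in bindings if b.get("sso") == "true"],
        "slo": [b.text for b in bindings if b.get("slo") == "true"],
    }


def set_defaults(authcfg_xml: str, new_defaults: dict, response_binding=None) -> str:
    """Rewrite the :default part of the named placeholders and, optionally, responseBinding."""
    def sub(m):
        key = m.group(1)
        return "${%s:%s}" % (key, new_defaults[key]) if key in new_defaults else m.group(0)
    out = PLACEHOLDER.sub(sub, authcfg_xml)
    if response_binding is not None:
        if not is_valid_binding(response_binding):
            raise ValueError(f"refusing to write unknown binding {response_binding!r}")
        out = re.sub(r'responseBinding="[^"]*"', f'responseBinding="{response_binding}"', out)
    return out


def rewrite_jar(jar_bytes: bytes, new_defaults: dict, response_binding=None) -> bytes:
    """Unpack, edit authcfg.xml, repack; every other entry is copied through unchanged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
         zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename.endswith("authcfg.xml"):
                data = set_defaults(data.decode("utf-8"), new_defaults, response_binding).encode("utf-8")
            dst.writestr(info.filename, data)
    return buf.getvalue()


def jar_entries(jar_bytes: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        return z.namelist()


def read_authcfg(jar_bytes: bytes) -> str:
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        name = next(n for n in z.namelist() if n.endswith("authcfg.xml"))
        return z.read(name).decode("utf-8")


if __name__ == "__main__":
    original = make_sample_jar()
    print("before:  ", effective_bindings(read_authcfg(original), {}))
    # The post's scenario: the IDP wants the AuthnRequest by GET and answers with a POST.
    patched = rewrite_jar(original, {
        "com.netiq.idm.osp.login.saml2.binding-post.sso": "false",
        "com.netiq.idm.osp.login.saml2.binding-redirect.sso": "true",
    }, response_binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")
    print("after:   ", effective_bindings(read_authcfg(patched), {}))
    # A property set outside the jar still overrides the baked-in default.
    print("override:", effective_bindings(read_authcfg(patched),
          {"com.netiq.idm.osp.login.saml2.binding-post.sso": "true"}))
```

On a real system you would feed rewrite_jar the bytes of osp/lib/osp-conf-edir.jar and write the result back under the same name; the jar tool command above does the same repacking by hand. Running effective_bindings against the edited file, with an empty property map and again with the properties you expect to be set, is a cheap way to confirm the AuthnRequest and Response bindings before restarting Tomcat.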

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

By: sdhaval, Aug 1, 2017, 3:19 pm