Simplesaml setup

  • Make sure that mod_ssl is installed on the E6 server.
  • Make sure that there is an SSL certificate installed on the E6 server that matches the DNS name that is going to be used for the SAML implementation (so if using "saml.napc.com", there needs to be an SSL certificate that specifies either that exact name or a wildcard cert that specifies "*.napc.com").
  • Install Apache SSO module on the WNS Server per instructions
  • Configure your Apache server or Apache Virtual Host so that the DocumentRoot points at the folder containing your E6 installation, like so: DocumentRoot /var/www/html/elegant6
  • Obtain SAML plugin from NAPC.
  • Install it in your Elegant 6 application (more info)

  • Create a “saml.conf” file with the following contents:

    Alias /simplesaml /var/www/html/elegant6/framework/simplesamlphp-sp-5-2/www

NOTE: replace the “/var/www/html/elegant6” part if your Elegant 6 destination folder is different.

  • Place the config file in one of the following directories:

a. /usr/napc/conf/apache

b. /etc/httpd/conf.d

  • Restart Apache:

    apachectl graceful

Centrify setup

  • Log in to your Centrify account and choose Switch to Cloud Manager (make sure you have the rights to create applications)

  • Go to the “Apps” page and click the “Add Web Apps” button

  • Select “Custom” and pick the “SAML” application

  • Click “Yes” in the next popup dialog

  • Close any popup dialogs. After that you will be redirected to the “Application Settings” page

  • Go to Elegant 6 -> Admin -> Sites and pick the site you want to enable SAML login for.
  • Open the SAML plugin configuration.

  • Copy “Assertion Consumer Service URL” value from plugin configuration to corresponding SAML application field in Elegant 6.

  • Copy “Issuer”, “Identity Provider Sign-in URL”, “Identity Provider Sign-out URL” and “Thumbprint” values from SAML application to corresponding plugin configuration fields in Elegant 6.

  • Go to the User Access tab and choose the groups which will have access to the application.

  • Then go to the Account Mapping tab and fill in the current field with the value:

sAMAccountName

  • Go to “Advanced” SAML application settings

  • Copy and paste the following data into the script field:

    setIssuer(Issuer);
    setSubjectName(LoginUser.Username);
    setAudience(ServiceUrl);
    setRecipient(ServiceUrl);
    setServiceUrl(ServiceUrl);
    setHttpDestination(ServiceUrl);
    setAttribute('uid', LoginUser.Username);
    setSignatureType('Assertion');

  • Don’t forget to save the changes

If all settings are correct, the application status changes automatically from “Ready to deploy” to “Deployed”.

Additional notes

The Elegant 6 SAML plugin can work in two modes:

  • “As link” allows you to use SAML and the default login functionality at the same time. In this mode a button for logging in with SAML is added to the login form.

NOTE: in this mode the “Logout” button logs you out of Elegant 6 only

  • “Replace default login” – in this mode the Elegant 6 login page immediately redirects to the SAML login screen.

NOTE: in this mode the “Logout” button logs you out of both Elegant 6 and Centrify

We also recommend changing the default SimpleSAMLphp admin password here:

/var/www/html/elegant6/framework/simplesamlphp-sp-5-2/config/config.php (line 60):

'auth.adminpassword' => 'admin',

Note: replace the “/var/www/html/elegant6” part if your Elegant 6 destination folder is different.
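
One way to verify that the admin password recommended above was actually changed. This is an added example, not part of the NAPC plugin or SimpleSAMLphp; the function names, the weak-value list and the minimum length are assumptions, and the sample config files are constructed.

```shell
#!/bin/sh
# Added example: flag a SimpleSAMLphp config.php that still has a default
# or weak 'auth.adminpassword'. Handles single-quoted PHP string values only.
PAT="^[[:space:]]*'auth\.adminpassword'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*"

# Returns 0 = password changed, 1 = default or weak, 2 = no active entry found.
check_saml_admin_password() {
    [ -r "$1" ] || return 2
    # Lines starting with // or # do not match PAT, so commented-out
    # entries are ignored.
    grep -q "$PAT" "$1" || return 2
    # PHP keeps the last value of a duplicated array key: take the last match.
    pw=$(sed -n "s/$PAT/\1/p" "$1" | tail -n 1)
    case "$pw" in
        ''|admin|123|password|changeme) return 1 ;;   # assumed weak-value list
    esac
    [ "${#pw}" -ge 12 ] || return 1                    # assumed minimum length
    return 0
}

# Write three constructed sample configs into directory $1.
write_samples() {
    printf '%s\n' '<?php' '$config = array(' \
        "    'auth.adminpassword' => 'admin'," ');' > "$1/default.php"
    printf '%s\n' '<?php' '$config = array(' \
        "    // 'auth.adminpassword' => 'admin'," \
        "    'auth.adminpassword' => 'Constructed-Sample-9f2c'," ');' > "$1/changed.php"
    printf '%s\n' '<?php' '$config = array(' \
        "    // 'auth.adminpassword' => 'admin'," ');' > "$1/missing.php"
}

demo() {
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    for f in default changed missing; do
        rc=0
        check_saml_admin_password "$dir/$f.php" || rc=$?
        echo "$f.php -> $rc"
    done
    rm -rf "$dir"
}
demo
```

On a real server, call `check_saml_admin_password` with the config.php path given above and treat any non-zero result as a finding.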