SAML Authentication

EnterMedia (9.1343+) supports SAML (Enterprise Single Sign On Solution) authentication via a plugin available from the Manager interface within the app.

Go to: https://yourdomain/manager Upgrade menu.

The key requirement to enable SAML is to create a properly configured properties file, which must be placed within the /WEB-INF/classes/ folder in your EnterMedia installation. This enables various endpoints and certificates to be setup to allow EnterMedia to act as a service provider.

We recommend using the OneLogin Tools you can find here to generate your certificates. Use their tools to create the certs in "string" format and add them to the file you create. Also, you need to replace each Bold Text  in the following example file by your site's URL, your OneLogin's certificate, private key and Authenticator IDP URL  and fingerprint of the IDPs certificate.  The file should be named onelogin.saml.properties and should look something like this:

 #If 'strict' is True, then the Java Toolkit will reject unsigned # or unencrypted messages if it expects them signed or encrypted # Also will reject the messages if not strictly follow the SAML onelogin.saml2.strict = false # Enable debug mode (to print errors) onelogin.saml2.debug = false ## Service Provider Data that we are deploying ## # Identifier of the SP entity (must be a URI) onelogin.saml2.sp.entityid = http://client.entermediadb.net/saml/metadata.html # Specifies info about where and how the <AuthnResponse> message MUST be # returned to the requester, in this case our SP. # URL Location where the <Response> from the IdP will be returned onelogin.saml2.sp.assertion_consumer_service.url = http://client.entermediadb.net/saml/consume.html # SAML protocol binding to be used when returning the <Response> # message. Onelogin Toolkit supports for this endpoint the # HTTP-POST binding only onelogin.saml2.sp.assertion_consumer_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST # Specifies info about where and how the <Logout Response> message MUST be # returned to the requester, in this case our SP. onelogin.saml2.sp.single_logout_service.url = http://client.entermediadb.net/saml/logout.html # SAML protocol binding to be used when returning the <LogoutResponse> or sending the <LogoutRequest> # message. Onelogin Toolkit supports for this endpoint the # HTTP-Redirect binding only onelogin.saml2.sp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect # Specifies constraints on the name identifier to be used to # represent the requested subject. # Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported onelogin.saml2.sp.nameidformat = urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified # Usually x509cert and privateKey of the SP are provided by files placed at # the certs folder. But we can also provide them with the following parameters ##openssl req -new -x509 -days 365 -nodes -sha256 -out saml.crt -keyout saml.pem onelogin.saml2.sp.x509cert = [Your Cert] # Requires Format PKCS#8 BEGIN PRIVATE KEY # If you have PKCS#1 BEGIN RSA PRIVATE KEY convert it by openssl pkcs8 -topk8 -inform pem -nocrypt -in sp.rsa_key -outform pem -out sp.pem onelogin.saml2.sp.privatekey = [Your Private Key] ## Identity Provider Data that we want connect with our SP ## # Identifier of the IdP entity (must be a URI) onelogin.saml2.idp.entityid = [The URL of the authenticator IDP generated with OneLogin] # SSO endpoint info of the IdP. (Authentication Request protocol) # URL Target of the IdP where the SP will send the Authentication Request Message onelogin.saml2.idp.single_sign_on_service.url = # SAML protocol binding to be used when returning the <Response> # message. Onelogin Toolkit supports for this endpoint the # HTTP-Redirect binding only onelogin.saml2.idp.single_sign_on_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect # SLO endpoint info of the IdP. # URL Location of the IdP where the SP will send the SLO Request onelogin.saml2.idp.single_logout_service.url = https://client.entermediadb.net/assets/emshare/authentication/logout.html # Optional SLO Response endpoint info of the IdP. # URL Location of the IdP where the SP will send the SLO Response. If left blank, same URL as onelogin.saml2.idp.single_logout_service.url will be used. # Some IdPs use a separate URL for sending a logout request and response, use this property to set the separate response url onelogin.saml2.idp.single_logout_service.response.url = # SAML protocol binding to be used when returning the <Response> # message. Onelogin Toolkit supports for this endpoint the # HTTP-Redirect binding only onelogin.saml2.idp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect # Public x509 certificate of the IdP #onelogin.saml2.idp.x509cert = # Instead of use the whole x509cert you can use a fingerprint # (openssl x509 -noout -fingerprint -in "idp.crt" to generate it, # or add for example the -sha256 , -sha384 or -sha512 parameter) # If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to # let the toolkit know which Algorithm was used. Possible values: sha1, sha256, sha384 or sha512 # 'sha1' is the default value. onelogin.saml2.idp.certfingerprint = 8D:90:30:09:06:EC:6B:6C:4A:1C:5B:C6:20:8B:64:3B:2F:E0:CF:77 onelogin.saml2.idp.certfingerprint_algorithm = sha1 ## Security settings ## # Indicates that the nameID of the <samlp:logoutRequest> sent by this SP will be encrypted. onelogin.saml2.security.nameid_encrypted = false # Indicates whether the <samlp:AuthnRequest> messages sent by this SP # will be signed. [The Metadata of the SP will offer this info] onelogin.saml2.security.authnrequest_signed = false # Indicates whether the <samlp:logoutRequest> messages sent by this SP will be signed. onelogin.saml2.security.logoutrequest_signed = false # Indicates whether the <samlp:logoutResponse> messages sent by this SP will be signed. onelogin.saml2.security.logoutresponse_signed = false # Sign the Metadata # Empty means no signature, or comma separate the keyFileName and the certFileName onelogin.saml2.security.want_messages_signed = # Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and # <samlp:LogoutResponse> elements received by this SP to be signed. onelogin.saml2.security.want_assertions_signed = false # Indicates a requirement for the Metadata of this SP to be signed. # Right now supported null (in order to not sign) or true (sign using SP private key) onelogin.saml2.security.sign_metadata = # Indicates a requirement for the Assertions received by this SP to be encrypted onelogin.saml2.security.want_assertions_encrypted = false # Indicates a requirement for the NameID received by this SP to be encrypted onelogin.saml2.security.want_nameid_encrypted = false # Authentication context. # Set Empty and no AuthContext will be sent in the AuthNRequest, # Set comma separated values urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:Password onelogin.saml2.security.requested_authncontext = urn:oasis:names:tc:SAML:2.0:ac:classes:urn:oasis:names:tc:SAML:2.0:ac:classes:Password # Allows the authn comparison parameter to be set, defaults to 'exact' onelogin.saml2.security.onelogin.saml2.security.requested_authncontextcomparison = exact # Indicates if the SP will validate all received xmls. # (In order to validate the xml, 'strict' and 'wantXMLValidation' must be true). onelogin.saml2.security.want_xml_validation = true # Algorithm that the toolkit will use on signing process. Options: # 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' # 'http://www.w3.org/2000/09/xmldsig#dsa-sha1' # 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' # 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384' # 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512' onelogin.saml2.security.signature_algorithm = http://www.w3.org/2000/09/xmldsig#rsa-sha1 # Organization onelogin.saml2.organization.name = SP Java onelogin.saml2.organization.displayname = SP Java Example onelogin.saml2.organization.url = http://sp.example.com onelogin.saml2.organization.lang = en # Contacts onelogin.saml2.contacts.technical.given_name = Technical Guy onelogin.saml2.contacts.technical.email_address = technical@example.com onelogin.saml2.contacts.support.given_name = Support Guy onelogin.saml2.contacts.support.email_address = support@@example.com

Once configured, you can get the metadata file from: https://yourdomain/saml/metadata.html.  This can be imported into the third party Identity provider to allow EnterMedia to authenticate.  

EnterMedia matches on email addresses so the email attribute must be included in the SAML response - this needs to be configured in catalog settings as saml-email-attribute.

Start the login process off by navigating to:  https://yourdomain/authentication/saml/login.html

We recommend using fingerprints in the file above for the ISP certificate - you can generate them from the certificate provided in the IDP metadata file here: https://www.samltool.com/online_tools.php

EnterMedia supports different Authentication Methods such as: