Overview
Item | Description |
---|---|
Purpose | Provide interface for side-loading assessments that can be configured by ART |
Communicates With | OpenAM, ProgMan, Permissions, ART |
Repository Location | https://github.com/SmarterApp/SS_TestSpecificationBank |
Additional Documentation | API, SB11 Development Teams code review process, SBAC11Level II Requirements-TestSpecBank.pdf, Build Sequence, testspecbank_Install, tsb-progman-config.txt, TestSpecBankTestScript, TestSpecBank_TestPlan, Design Pictures |
Instructions
Create AWS MongoDB Instance
- Create server instance to host the MongoDB instance that will support the component being deployed
- Select an image with the Ubuntu 14.04 LTS 64-bit operating system
- Create or choose an AWS security group with the following ports for inbound TCP traffic (can be done during instance creation):
- 22
- 27017 - 27019
- 28017 - 28018
- Remove apparmor:
sudo /etc/init.d/apparmor stop
sudo update-rc.d -f apparmor remove
sudo apt-get --purge remove -y apparmor apparmor-utils libapparmor-perl libapparmor1
- Update package manager:
sudo apt-get update
sudo apt-get upgrade -y
- Install packages to satisfy dependencies:
sudo apt-get install -y ntp
- Install MongoDB 2.4.9:
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 7F0CEB10
echo 'deb http://downloads-distro.mongodb.org/repo/ubuntu-upstart dist 10gen' | sudo tee /etc/apt/sources.list.d/mongodb.list
sudo apt-get update
sudo apt-get install mongodb-10gen=2.4.9
- Pin the version of MongoDB so apt-get will not upgrade it:
echo "mongodb-10gen hold" | sudo dpkg --set-selections
- Configure MongoDB by copying the following into /etc/mongodb.conf:
- IMPORTANT: The config file below has noauth=true set. This is a temporary configuration to allow for adding MongoDB user accounts. This setting will be changed later in the checklist.
# mongodb.conf
# Where to store the data.
dbpath=/var/lib/mongodb
#where to log
logpath=/var/log/mongodb/mongodb.log
logappend=true
#bind_ip = 127.0.0.1
bind_ip = 0.0.0.0
port = 27017
# Enable journaling, http://www.mongodb.org/display/DOCS/Journaling
journal=true
# Enables periodic logging of CPU utilization and I/O wait
#cpu = true
# Turn on/off security. Off is currently the default
noauth = true
#auth = true
# Verbose logging output.
#verbose = true
# Inspect all client data for validity on receipt (useful for
# developing drivers)
#objcheck = true
# Enable db quota management
#quota = true
# Set oplogging level where n is
# 0=off (default)
# 1=W
# 2=R
# 3=both
# 7=W+some reads
#oplog = 0
# Diagnostic/debugging option
#nocursors = true
# Ignore query hints
#nohints = true
# Disable the HTTP interface (Defaults to localhost:27018).
#nohttpinterface = true
# Turns off server-side scripting. This will result in greatly limited
# functionality
#noscripting = true
# Turns off table scans. Any query that would do a table scan fails.
#notablescan = true
# Disable data file preallocation.
#noprealloc = true
# Specify .ns file size for new databases.
# nssize = <size>
# Account token for Mongo monitoring server.
#mms-token = <token>
# Server name for Mongo monitoring server.
#mms-name = <server-name>
# Ping interval for Mongo monitoring server.
#mms-interval = <seconds>
# Replication Options
# in replicated mongo databases, specify here whether this is a slave or master
#slave = true
#source = master.example.com
# Slave only: specify a single database to replicate
#only = master.example.com
# or
#master = true
#source = slave.example.com
# Address of a server to pair with.
#pairwith = <server:port>
# Address of arbiter server.
#arbiter = <server:port>
# Automatically resync if slave data is stale
#autoresync
# Custom size for replication operation log.
#oplogSize = <MB>
# Size limit for in-memory storage of op ids.
#opIdMem = <bytes>
- Restart MongoDB:
sudo service mongodb restart
- Add an administrative-level user to MongoDB:
$ mongo admin
db.addUser({
user:"mongo_admin",
pwd:"[choose a suitable password]",
roles:["dbAdminAnyDatabase","userAdminAnyDatabase","clusterAdmin","readWrite"]
});
- Update /etc/mongodb.conf to enable authentication:
- Comment out the noauth = true line
- Uncomment the auth = true line
- Example:
# Turn on/off security. Off is currently the default
#noauth = true
auth = true
- Restart MongoDB:
sudo service mongodb restart
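Because the checklist deliberately starts MongoDB with noauth = true and relies on this step to revert it, it is worth confirming the effective setting before the instance is considered done. The script below is an added example, not part of the original checklist or the TestSpecBank project: it parses a mongodb.conf-style file (comments ignored, whitespace around the = tolerated, last active occurrence wins) and reports whether authentication is actually enforced. The function names and the check logic are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original checklist): confirm that the
# temporary noauth=true setting in /etc/mongodb.conf has been reverted and
# that auth=true is the active setting.

# mongo_conf_get FILE KEY: print the effective value of KEY.
# Everything after '#' is dropped, whitespace around '=' is trimmed,
# and the last active occurrence of the key wins.
mongo_conf_get() {
    conf="$1"; key="$2"
    sed -e 's/#.*//' "$conf" \
      | awk -F= -v k="$key" '{
            gsub(/^[ \t]+|[ \t]+$/, "", $1);
            if ($1 == k) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        } END { print val }'
}

# mongo_conf_auth_enforced FILE: return 0 when auth = true is active and
# noauth = true is not; otherwise print the reason and return 1.
mongo_conf_auth_enforced() {
    conf="$1"
    if [ "$(mongo_conf_get "$conf" noauth)" = "true" ]; then
        echo "FAIL: noauth = true is still active in $conf"
        return 1
    fi
    if [ "$(mongo_conf_get "$conf" auth)" != "true" ]; then
        echo "FAIL: auth = true is not active in $conf"
        return 1
    fi
    echo "OK: authentication is enforced by $conf"
    return 0
}

# Usage on the MongoDB host (path from the checklist):
#   mongo_conf_auth_enforced /etc/mongodb.conf
```

Run it after the restart; a FAIL line means the "Comment out noauth / uncomment auth" edit did not take effect and the database is still accepting unauthenticated connections on bind_ip 0.0.0.0.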
- Connect to MongoDB in the admin database:
mongo admin -u mongo_admin -p [password for the mongo_admin user] --authenticationDatabase admin
- Add a user for the component:
use [name of database];
db.addUser({
user:"[name of user]",
pwd:"[password for user]",
roles:["readWrite"]
});
- Example:
use progman;
db.addUser({
user:"progman",
pwd:"[redacted]",
roles:["readWrite"]
});
Verify User Can Authenticate to MongoDB
- On the AWS instance hosting MongoDB, run the following commands:
mongo admin -u mongo_admin -p '[The password for the mongo_admin user]' --authenticationDatabase admin
mongo [component database name] -u [Component user] -p '[The password for the component user]'
- If successful, the prompt should appear as follows:
MongoDB shell version: 2.4.9
connecting to: admin
>
Create AWS Web Application Instance
- Create server instance to host the Test Specification Bank (TestSpecBank) component
- Select an image with the Ubuntu 14.04 LTS 64-bit operating system
- Create or choose an AWS security group with the following ports for inbound TCP traffic (can be done during instance creation):
- 22
- 80
- 443
- 1043
- 8080
- 8084
- 8443
TestSpecBank Setup
- Update package manager:
sudo apt-get update
sudo apt-get upgrade -y
- Install packages to satisfy dependencies:
sudo apt-get install -y ntp mercurial openjdk-7-jdk
Set Up Tomcat Server
- Remove apparmor:
sudo /etc/init.d/apparmor stop
sudo update-rc.d -f apparmor remove
sudo apt-get --purge remove -y apparmor apparmor-utils libapparmor-perl libapparmor1
- Install Tomcat Server (if not installed already):
sudo apt-get install -y tomcat7
- Stop the Tomcat service:
sudo service tomcat7 stop
- Remove the ROOT directory:
sudo rm -rf /var/lib/tomcat7/webapps/ROOT
- Update the server.xml file to allow for large HTTP headers:
- Edit the /etc/tomcat7/server.xml file
- Find the <Connector> element
- Add the following attribute and value to the <Connector> element: maxHttpHeaderSize="65536"
- Example of an updated <Connector> element:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
URIEncoding="UTF-8"
redirectPort="8443"
maxHttpHeaderSize="65536" />
Set Up a Keystore
- Create resources directory and child directories:
sudo mkdir -p /var/lib/tomcat7/resources/{progman,security}
sudo chown -R tomcat7:tomcat7 /var/lib/tomcat7/resources/
- Create the wildcard SSL cert public key (*.sbtds.org):
sudo vi /var/lib/tomcat7/resources/security/sbtds_org.cer
- Copy the certificate contents (including the BEGIN CERTIFICATE and END CERTIFICATE lines) into
/var/lib/tomcat7/resources/security/sbtds_org.cer
- Example:
-----BEGIN CERTIFICATE-----
// This is where the certificate content is
-----END CERTIFICATE-----
- Create the keystore (NOTE: the keystore file must be named samlKeystore.jks):
cd /var/lib/tomcat7
sudo keytool -importcert -alias [A meaningful alias] -keystore ./resources/security/samlKeystore.jks -file ./resources/security/[name of certificate file]
- Example:
sudo keytool -importcert -alias sbtdsorg -keystore ./resources/security/samlKeystore.jks -file ./resources/security/sbtds_org.cer
- Provide a password for the keystore
- Type yes when prompted to trust the certificate
- Generate the private key:
sudo keytool -genkey -alias [choose a meaningful alias] -keyalg RSA -keystore [path/to/keystore] -keysize 2048
- Example:
sudo keytool -genkey -alias proctor-saml-sp -keyalg RSA -keystore ./resources/security/samlKeystore.jks -keysize 2048
- Provide the password to the keystore created previously.
- Answer the prompts. Example of the command and prompts shown below:
sudo keytool -genkey -alias progman-saml-sp -keyalg RSA -keystore ./resources/security/samlKeystore.jks -keysize 2048
Enter keystore password:
What is your first and last name?
[Unknown]: ProgMan Component
What is the name of your organizational unit?
[Unknown]: sbac
What is the name of your organization?
[Unknown]: SBAC
What is the name of your City or Locality?
[Unknown]: San Diego
What is the name of your State or Province?
[Unknown]: California
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=ProgMan Component, OU=sbac, O=SBAC, L=San Diego, ST=California, C=US correct?
[no]: yes
Verify Keystore Contents
- To view the keystore contents, use the following command:
sudo keytool -list -keystore [path/to/samlKeystore.jks]
- Example:
sudo keytool -list -keystore /var/lib/tomcat7/resources/security/samlKeystore.jks
- Output will be similar to the following (after providing the correct password):
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
sbtdsorg, Apr 6, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): D6:06:FA:33:AB:E4:27:26:D5:E1:B2:AB:1E:1D:FF:1E:7E:C0:21:4F
progman-saml-sp, Apr 6, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 8D:3A:66:1D:0C:7B:0A:40:96:B7:A6:8F:13:27:AB:E8:05:7D:8D:3A
Additional Notes
- Common keystore commands can be found here
Configure TestSpecBank in ProgMan
- Log into the ProgMan web application
- Select Manage Component Properties
- If a record for the component already exists, click the Edit button (the pencil icon on the lefthand side of the row)
- If a record for the component must be created, click the New button (above the table of records)
- When creating a new record, provide the following:
- A meaningful name for the component
- The name of the environment
- Click the option button to view the properties in Property File Entry mode
- Copy the properties shown below and paste them into the text area of the Edit Configuration Settings screen in ProgMan.
- NOTE: It may be worthwhile to edit the properties and their values in another text editor prior to pasting the values into the Edit Configuration Settings screen in ProgMan. It is possible the ProgMan session could time out prior to completing the component’s configuration.
- Shown below are the TestSpecBank properties that need to be configured in ProgMan:
permission.uri=http://[FQDN or IP address for the Permissions component]/rest
component.name=TestSpecBank
tsb.mna.description=The Test Spec Bank Component
mna.mnaUrl=http://name.of.mna.server/rest
mna.logger.level=DEBUG
mna.clean.days=30
mna.clean.cron=0 0 0 * * ?
mna.oauth.batch.account=mna-client-username
mna.oauth.batch.password=mna-client-password
tsb.mongo.hostname=[FQDN or IP address of MongoDB server that hosts the TestSpecBank database]
tsb.mongo.port=[Port that MongoDB listens on. MongoDB’s default port is 27017]
tsb.mongo.username=[MongoDB user account with readWrite access to TestSpecBank’s MongoDB database]
tsb.mongo.password=[Password for MongoDB user account with readWrite access to TestSpecBank’s MongoDB database]
tsb.mongo.dbname=[Name of TestSpecBank’s database in MongoDB]
tsb.dtd.url=http://name.of.test.authoring.server/rest/resources/dtd/testpackage_v_9_19_2013.dtd
tsb.rest.context.root=/rest/
tsb.minJs=false
tib.tibUrl=http://name.of.test.item.bank.server/
tsb.sftp.host=
tsb.sftp.port=22
tsb.sftp.user=
tsb.sftp.pass=
tsb.sftp.dir=
tsb.tib.sftp.host=
tsb.tib.sftp.port=22
tsb.tib.sftp.user=
tsb.tib.sftp.pass=
tsb.download.directory=
tsb.export.cron.trigger=0,30 * * * * ?
tsb.security.idp=https://[FQDN or IP address of OpenAM server]/auth/saml2/jsp/exportmetadata.jsp?realm=/sbac
tsb.security.dir=file:////var/lib/tomcat7/resources/security
tsb.security.saml.keystore.pass=[Password to access the content of the samlKeystore.jks]
tsb.security.saml.keystore.user=[Name of private key for TestSpecBank in samlKeystore.jks]
tsb.oauth.checktoken.endpoint=https://[FQDN or IP address of OpenAM server]/auth/oauth2/tokeninfo?realm=/sbac
tsb.oauth.resource.client.id=[The OAuth client name for the TestSpecBank component; can use a “common” OAuth client name, e.g. one OAuth client for multiple components]
tsb.oauth.resource.client.secret=[Password for OAuth client used for TestSpecBank. Starting value is sbac12345]
tsb.webapp.saml.metadata.filename=[Name of file that stores SAML data for TestSpecBank Web Application component]
tsb.rest.saml.metadata.filename=[Name of file that stores SAML data for TestSpecBank REST component]
- Example ProgMan properties for TestSpecBank:
permission.uri=http://52.32.19.35:8080/rest
component.name=TestSpecBank
tsb.mna.description=The Test Spec Bank Component
mna.mnaUrl=http://name.of.mna.server/rest
mna.logger.level=DEBUG
mna.clean.days=30
mna.clean.cron=0 0 0 * * ?
mna.oauth.batch.account=mna-client-username
mna.oauth.batch.password=mna-client-password
tsb.mongo.hostname=172.31.24.48
tsb.mongo.port=27017
tsb.mongo.username=mongo_admin
tsb.mongo.password=[redacted]
tsb.mongo.dbname=tsb
tsb.dtd.url=http://name.of.test.authoring.server/rest/resources/dtd/testpackage_v_9_19_2013.dtd
tsb.rest.context.root=/rest/
tsb.minJs=false
tib.tibUrl=http://name.of.test.item.bank.server/
tsb.sftp.host=
tsb.sftp.port=22
tsb.sftp.user=
tsb.sftp.pass=
tsb.sftp.dir=
tsb.tib.sftp.host=
tsb.tib.sftp.port=22
tsb.tib.sftp.user=
tsb.tib.sftp.pass=
tsb.download.directory=
tsb.export.cron.trigger=0,30 * * * * ?
tsb.security.idp=https://sso-dev.sbtds.org/auth/saml2/jsp/exportmetadata.jsp?realm=/sbac
tsb.security.dir=file:////var/lib/tomcat7/resources/security
tsb.security.saml.keystore.pass=[redacted]
tsb.security.saml.keystore.user=tsb-saml-sp
tsb.oauth.checktoken.endpoint=https://sso-dev.sbtds.org/auth/oauth2/tokeninfo?realm=/sbac
tsb.oauth.resource.client.id=tsb
tsb.oauth.resource.client.secret=[redacted]
tsb.webapp.saml.metadata.filename=tsb_saml_sp.xml
tsb.rest.saml.metadata.filename=tsb_rest_sp.xml
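The property list above mixes real values, bracketed placeholders and a documented starting OAuth secret, and the checklist itself recommends editing it in a text editor before pasting it into ProgMan. The script below is an added example, not part of the original checklist or the TestSpecBank project: it lints a saved copy of the property text and reports values that still hold a bracketed placeholder, required properties left empty, the starting client secret sbac12345 named above, tsb.mongo.username pointing at the administrative account rather than the readWrite component user the MongoDB section creates, and OpenAM endpoints that are not https. The property names are the ones on this page; the set of "required" keys and all function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the original checklist): lint the TestSpecBank
# ProgMan properties before they are pasted into ProgMan.

# Keys this example treats as required. The SFTP, TIB and download entries
# are blank in the checklist's own example, so they are not listed here.
TSB_REQUIRED_KEYS="permission.uri component.name tsb.mongo.hostname tsb.mongo.port
tsb.mongo.username tsb.mongo.password tsb.mongo.dbname tsb.security.idp
tsb.security.dir tsb.security.saml.keystore.pass tsb.security.saml.keystore.user
tsb.oauth.checktoken.endpoint tsb.oauth.resource.client.id
tsb.oauth.resource.client.secret tsb.webapp.saml.metadata.filename
tsb.rest.saml.metadata.filename"

# prop_get FILE KEY: print the value of KEY (empty if absent). Only the first
# '=' separates key from value, so URLs containing '?realm=/sbac' survive.
prop_get() {
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); v = $0 } END { print v }' "$1"
}

# tsb_props_lint FILE: print one finding per line; the return code is the
# number of findings (0 means the file passed every check).
tsb_props_lint() {
    file="$1"; findings=0
    for k in $TSB_REQUIRED_KEYS; do
        if [ -z "$(prop_get "$file" "$k")" ]; then
            echo "EMPTY: $k"; findings=$((findings + 1))
        fi
    done
    # Values still carrying a bracketed placeholder such as [redacted].
    for k in $(awk -F= '/\[.*\]/ { print $1 }' "$file"); do
        echo "PLACEHOLDER: $k=$(prop_get "$file" "$k")"; findings=$((findings + 1))
    done
    # The checklist names sbac12345 as the starting OAuth client secret.
    if [ "$(prop_get "$file" tsb.oauth.resource.client.secret)" = "sbac12345" ]; then
        echo "DEFAULT-SECRET: tsb.oauth.resource.client.secret still has the starting value"
        findings=$((findings + 1))
    fi
    # The component should connect as its own readWrite user, not as mongo_admin.
    if [ "$(prop_get "$file" tsb.mongo.username)" = "mongo_admin" ]; then
        echo "ADMIN-ACCOUNT: tsb.mongo.username is the administrative account"
        findings=$((findings + 1))
    fi
    # Both OpenAM endpoints are https in the checklist.
    for k in tsb.security.idp tsb.oauth.checktoken.endpoint; do
        case "$(prop_get "$file" "$k")" in
            https://*) ;;
            *) echo "PLAINTEXT: $k is not an https:// URL"; findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Usage: save the edited property text to a file and run
#   tsb_props_lint tsb.properties
```

Running it against the checklist's own example text produces PLACEHOLDER findings for the three [redacted] values and an ADMIN-ACCOUNT finding, which is exactly the list of things to resolve before the paste.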
Deploy TestSpecBank Components
Configure Tomcat
- Stop the Tomcat service:
sudo service tomcat7 stop
- Edit the /etc/default/tomcat7 file, updating the JAVA_OPTS value to what’s shown below:
JAVA_OPTS="-Djava.awt.headless=true\
-XX:+UseConcMarkSweepGC\
-Xms[initial amount of memory that can be allocated to the JVM heap]\
-Xmx[maximum amount of memory that can be allocated to the JVM heap]\
-XX:PermSize=[initial amount of memory that can be used for PermGen]\
-XX:MaxPermSize=[maximum amount of memory that can be used for PermGen]\
-DSB11_CONFIG_DIR=$CATALINA_BASE/resources\
-Dspring.profiles.active=progman.client.impl.integration,mna.client.null,server.singleinstance\
-Dprogman.baseUri=http://[URL to the ProgMan REST component]/rest/\
-Dprogman.locator=[name of component in ProgMan],[name of Component's environment in ProgMan]"
- NOTE: If the component being set up will be load-balanced, then change the server.singleinstance (for the spring.profiles.active option) to server.loadbalanced.
- Example:
JAVA_OPTS="-Djava.awt.headless=true\
-XX:+UseConcMarkSweepGC\
-Xms512m\
-Xmx4096m\
-XX:PermSize=512m\
-XX:MaxPermSize=1512m\
-DSB11_CONFIG_DIR=$CATALINA_BASE/resources\
-Dprogman.baseUri=http://52.34.140.123:8080/rest/\
-Dspring.profiles.active=mna.client.null,progman.client.impl.integration,server.singleinstance\
-Dprogman.locator=tsb,Development"
Create TestSpecBank Log File Directories
- Create directories for TestSpecBank log files:
sudo mkdir -p /usr/share/tomcat7/logs/{test-spec-bank.webapp,test-spec-bank.rest}
sudo chown -R tomcat7:tomcat7 /usr/share/tomcat7/logs
Download War Files
- Download the latest .war file for the TestSpecBank REST Component into the Tomcat server’s webapps directory:
sudo wget https://github.com/SmarterApp/SS_TestSpecificationBank/releases/download/R02.00.00/test-spec-bank.rest-R02.00.00.war -O /var/lib/tomcat7/webapps/rest.war
- Download the latest .war file for the TestSpecBank Web Application Component into the Tomcat server’s webapps directory:
sudo wget https://github.com/SmarterApp/SS_TestSpecificationBank/releases/download/R02.00.00/test-spec-bank.webapp-R02.00.00.war -O /var/lib/tomcat7/webapps/ROOT.war
- Create a pm-client-security.properties file in /var/lib/tomcat7/resources/progman
- Copy the following into /var/lib/tomcat7/resources/progman/pm-client-security.properties:
oauth.access.url=https://[FQDN or IP address of OpenAM server]/auth/oauth2/access_token?realm=/sbac
pm.oauth.client.id=[OAuth client id from OpenAM]
pm.oauth.client.secret=[OAuth client secret from OpenAM]
pm.oauth.batch.account=[User account in OpenDJ]
pm.oauth.batch.password=[Password for OpenDJ user account]
- Example:
oauth.access.url=https://sso-dev.sbtds.org/auth/oauth2/access_token?realm=/sbac
pm.oauth.client.id=pm
pm.oauth.client.secret=[redacted]
pm.oauth.batch.account=prime.user@example.com
pm.oauth.batch.password=[redacted]
- Update ownership for directories and files in the /var/lib/tomcat7/resources/ directory:
sudo chown -R tomcat7:tomcat7 /var/lib/tomcat7/resources
- Start Tomcat to expand the deployed .war files:
sudo service tomcat7 start
IMPORTANT: Conduct the SAML Setup and Configuration for the REST component and Web Application Component. After completing the SAML Setup and Configuration steps, there should be two metadata files:
- A SAML XML metadata file for the REST component, located wherever the file name/path is configured for tsb.security.dir and tsb.rest.saml.metadata.filename (e.g. /var/lib/tomcat7/resources/security/tsb_rest_local_sp.xml)
- A SAML XML metadata file for the web application component, located wherever the file name/path is configured for tsb.security.dir and tsb.webapp.saml.metadata.filename (e.g. /var/lib/tomcat7/resources/security/tsb_local_sp.xml)
SAML (Security Assertion Markup Language) Setup and Configuration
Configure Automatic Metadata Generation
Create SAML Metadata File For the Component
- Use the following command to generate a SAML metadata file for use with the automatic generation process:
sudo wget https://[FQDN or IP address of OpenAM server]/auth/saml2/jsp/exportmetadata.jsp?realm=/sbac -O /var/lib/tomcat7/resources/security/[Name of the saml.metadata.filename as configured in ProgMan]
- Example:
sudo wget https://sso-dev.sbtds.org/auth/saml2/jsp/exportmetadata.jsp?realm=/sbac -O /var/lib/tomcat7/resources/security/saml_metadata.xml
- NOTE: When configuring ProgMan (and only ProgMan), the file name will be in the /var/lib/tomcat7/resources/progman/progman-bootstrap.properties file.
- Change ownership of the SAML metadata file(s) to tomcat7:
sudo chown tomcat7:tomcat7 /var/lib/tomcat7/resources/security/*.xml
Update the securityContext.xml File for Automatic Metadata Generation
- Open the securityContext.xml file for the deployed component in an editor
- NOTE: The securityContext.xml file can be found in [Tomcat web application directory]/[component]/WEB-INF/classes/security
- Example: /var/lib/tomcat7/webapps/ROOT/WEB-INF/classes/security/securityContext.xml
- NOTE: When editing the securityContext.xml file, elevated privileges (i.e. sudo) may be required
- Add the following line within a <security:http> element:
<security:custom-filter before="FIRST" ref="metadataGeneratorFilter" />
- NOTE: Typically a <security:http> element can be found around line 31 of the securityContext.xml file
- Example:
<security:http entry-point-ref="delegatingAuthenticationEntryPoint" use-expressions="true">
<security:custom-filter before="FIRST" ref="metadataGeneratorFilter" />
<security:custom-filter ref="oauth2ProviderFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
<security:intercept-url pattern="/**" access="isFullyAuthenticated()"/>
</security:http>
- Add configuration for the SAML metadata generator to securityContext.xml:
- Add the following <bean> definitions to securityContext.xml, immediately after the closing </security:http> tag:
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<constructor-arg ref="metadataGenerator"/>
</bean>
<bean id="metadataGenerator" class="org.springframework.security.saml.metadata.MetadataGenerator">
<property name="bindingsSSO">
<list>
<value>redirect</value>
<value>artifact</value>
</list>
</property>
<property name="entityId" value="[name of component]"/>
</bean>
- NOTE: The component name should not have spaces.
- Example of a metadataGenerator configured with an entityId of progman_rest:
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<constructor-arg ref="metadataGenerator"/>
</bean>
<bean id="metadataGenerator" class="org.springframework.security.saml.metadata.MetadataGenerator">
<property name="bindingsSSO">
<list>
<value>redirect</value>
<value>artifact</value>
</list>
</property>
<property name="entityId" value="progman_rest"/>
</bean>
- Restart Tomcat:
sudo service tomcat7 restart
Verify SAML Metadata Setup
- Visit the /saml/metadata endpoint for the deployed component:
- Example: http://54.213.81.243:8080/rest/saml/metadata
- The output should appear as XML containing:
- The X509 Certificate data
- URLs containing the domain name of the server hosting the component as the value of a Location attribute
- Examples:
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://54.213.81.243:8080/rest/saml/SingleLogout"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://54.213.81.243:8080/rest/saml/SSO" index="0" isDefault="true"/>
SAML Pre-Configured Metadata Configuration
- Use wget to save the output of the /saml/metadata endpoint to /var/lib/tomcat7/resources/security/[Name of the saml.metadata.filename as configured in ProgMan]
- Example:
sudo wget http://54.213.81.243:8080/saml/metadata -O /var/lib/tomcat7/resources/security/saml_metadata.xml
- Disable (by removing or commenting out) the <security:custom-filter before="FIRST" ref="metadataGeneratorFilter" /> line in the securityContext.xml file to disable the automatic generation of SAML metadata
- The automatic generation of SAML metadata is only needed once to generate the metadata file. After the metadata file is generated, there is no further need for automatically generating SAML metadata.
- OPTIONAL: Remove the metadataGeneratorFilter and metadataGenerator bean definitions from the securityContext.xml
- Set permissions on the metadata XML file(s) so that only the tomcat7 user can read it/them:
sudo chmod 0400 /var/lib/tomcat7/resources/security/*.xml
Verify SAML Metadata Setup
- Visit the /saml/metadata endpoint for the deployed component:
- Example: http://54.213.81.243:8080/rest/saml/metadata
- The output should appear as XML containing:
- The X509 Certificate data
- URLs containing the domain name of the server hosting the component as the value of a Location attribute
- Examples:
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://54.213.81.243:8080/rest/saml/SingleLogout"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://54.213.81.243:8080/rest/saml/SSO" index="0" isDefault="true"/>
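The two verification steps above ask the operator to eyeball the metadata for an X509 certificate and for Location attributes that name the component's own host, and the pre-configured metadata step ends with chmod 0400 on the saved file. The script below is an added example, not part of the original checklist or the TestSpecBank project, that performs the same three checks on a saved metadata file using only grep, sed and ls, so it runs on a bare Ubuntu host. The function names are this example's own, and the metadata used in its test is constructed from the Location examples on this page.

```shell
#!/bin/sh
# Added example (not part of the original checklist): sanity-check a saved
# SAML SP metadata file: certificate present, every Location on the
# expected host, file readable by its owner only.

# saml_locations FILE: print the host[:port] of every Location="..." value.
saml_locations() {
    grep -o 'Location="[^"]*"' "$1" \
      | sed -e 's#^Location="https\{0,1\}://##' -e 's#/.*$##' -e 's#"$##'
}

# saml_metadata_check FILE EXPECTED_HOST[:PORT]
# Return 0 when the file carries an X509Certificate element and every
# Location attribute points at EXPECTED_HOST; otherwise print why and return 1.
saml_metadata_check() {
    file="$1"; expect="$2"
    if ! grep -q 'X509Certificate>' "$file"; then
        echo "FAIL: no X509Certificate element in $file"; return 1
    fi
    n=0
    for h in $(saml_locations "$file"); do
        n=$((n + 1))
        if [ "$h" != "$expect" ]; then
            echo "FAIL: Location host $h does not match $expect"; return 1
        fi
    done
    if [ "$n" -eq 0 ]; then
        echo "FAIL: no Location attributes found in $file"; return 1
    fi
    echo "OK: $n Location attribute(s) on $expect, certificate present"
    return 0
}

# saml_metadata_mode_ok FILE: return 0 when the mode is exactly 0400
# (owner read only), the permission the checklist sets on the saved file.
saml_metadata_mode_ok() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-r--------" ]
}

# Usage on the TestSpecBank host, with the host:port the component is served on:
#   saml_metadata_check /var/lib/tomcat7/resources/security/tsb_rest_sp.xml 54.213.81.243:8080
#   saml_metadata_mode_ok /var/lib/tomcat7/resources/security/tsb_rest_sp.xml
```

A Location host that differs from the expected one usually means the metadata was generated while the component was reached through a different name or address (for example an internal IP instead of the public one), and OpenAM will then redirect assertions to a URL the browser cannot reach.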
Additional Notes
SAML Service Provider Registration
- Launch OpenAM
- Log in with appropriate credentials
- Click on Register Remote Service Provider
- On the Create a SAMLv2 Remote Service Provider page:
- Select the /sbac realm
- Verify the URL option button is checked/selected
- Enter the /saml/metadata endpoint for the desired component in the URL field
- Example: enter http://54.213.81.243:8080/saml/metadata in the URL field
- Under the Circle of Trust
- Verify the Add to existing option button is checked/selected
- Verify sbac is the selected value for the Existing Circle of Trust dropdown list
- Click the Configure button (upper righthand corner, across from the Create a SAMLv2 Remote Service Provider header)
Verify the Service Provider is Configured
- Click on the Federation tab
- Observe the following:
- The Circle of Trust table contains a record that represents the component that was added
- The Entity Providers table contains a record with a Name equal to the entityId set in the component’s SAML metadata file
Update ART Configuration for TestSpecBank in ProgMan
- After TestSpecBank REST and Web Application Components have been registered as service providers, update the following ProgMan setting for ART:
tsb.tsbUrl=[FQDN or IP Address of the TestSpecBank server]/rest/
- Example:
tsb.tsbUrl=http://54.149.254.189:8080/rest/
- Save the changes to ART’s configuration settings in ProgMan
- ssh into the ART server
- Restart Tomcat:
sudo service tomcat7 restart
Verification
- Log into TestSpecBank with an account that has access to the TestSpecBank (e.g. the Prime User account).