SAML Authentication for Admin Console
Securing Admin Dashboard using SAML
- Generate Keystore for SearchBlox Service-Provider
- Configure Keystore, Identity-Provider metadata in SearchBlox
- Configure SAML authentication in SearchBlox
- Create Users in SearchBlox
- Get Service-Provider metadata
Generate Keystore for SearchBlox Service-Provider
Create the keystore using the following command (the alias, passwords and file name are examples; note the values you choose, because saml-config.yml must reference the same file and passwords):
keytool -genkeypair -alias sb-saml -keypass sb-saml-passwd -keystore sb-samlKeystore.jks -storepass sb-saml-passwd -keyalg RSA -keysize 2048 -validity 3650
Configure Keystore, Identity-Provider metadata in SearchBlox
Get the Identity-Provider metadata file and place it, together with the keystore generated above, in a custom folder under the following path (for example saml/):
<SEARCHBLOX_INSTALLATION_PATH>/webapps/searchblox/WEB-INF/classes/*CUSTOM FOLDER*
Example:
<SEARCHBLOX_INSTALLATION_PATH>/webapps/searchblox/WEB-INF/classes/saml/idp-metadata.xml
<SEARCHBLOX_INSTALLATION_PATH>/webapps/searchblox/WEB-INF/classes/saml/sb-samlKeystore.jks
Steps in configuring SAML authentication in SearchBlox
- Go to <SEARCHBLOX_INSTALLATION_PATH>/webapps/searchblox/WEB-INF/saml-config.yml and provide the relevant values for the fields shown below. The values in this sample are placeholders: keystorepath, keystorepassword and privatekeypassword must match the keystore file and passwords you used in the keytool command.
enablesamlauth: true
## keystore files should be placed before starting the SearchBlox Server
## Production - <SearchBlox deployed dir>/WEB-INF/classes/<place the files under custom folder or here (example:-saml/)>
keystorepath: saml/samlKeystore.jks
keystorepassword: pac4j-demo-passwd
privatekeypassword: pac4j-demo-passwd
## Production - <SearchBlox deployed dir>/WEB-INF/classes/<place the files under custom folder or here (example:-saml/)>
identityprovidermetadatapath: saml/idp-metadata.xml
searchbloxcontext: http://localhost:8080/searchblox
## SP Metadata Info ##
#sp-metadata.xml file created while first request of SAML authentication initiated
#sp-metadata.xml path tomcat server: <tomcat installation dir>/bin/
#sp-metadata.xml path jetty server: <jetty_home>
The fields of the saml-config.yml file and the values to provide:

Field | Value to provide
--- | ---
enablesamlauth | Set to true to enable SAML authentication
keystorepath | Path of the keystore file, relative to WEB-INF/classes. Example: if the files are placed in ../searchblox/WEB-INF/classes/saml, the value is keystorepath: saml/Keystore.jks
keystorepassword | The keystore password (-storepass) used when generating the keystore
privatekeypassword | The private-key password (-keypass) used when generating the keystore
identityprovidermetadatapath | Path of the Identity-Provider metadata file, relative to WEB-INF/classes. Example: if the files are placed in ../searchblox/WEB-INF/classes/saml, the value is identityprovidermetadatapath: saml/testshib-providers.xml
searchbloxcontext | The URL at which SearchBlox is deployed, including the context path (e.g. http://localhost:8080/searchblox)
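Because the metadata path, keystore path and passwords all have to line up before the server is restarted, it helps to check saml-config.yml mechanically first. The script below is an added example (not SearchBlox or pac4j code): it assumes the flat key: value layout of saml-config.yml shown above and that keystorepath and identityprovidermetadatapath are relative to WEB-INF/classes. The sample config and the sample IdP metadata are constructed for the demo; the keystore is a stand-in file, since only its presence is checked.

```python
"""Pre-restart check of a SearchBlox saml-config.yml and the files it names.

Added example, not SearchBlox code. Assumes the flat 'key: value' layout of
saml-config.yml and that the two path fields are relative to WEB-INF/classes.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"   # SAML metadata namespace
DS = "{http://www.w3.org/2000/09/xmldsig#}"      # XML-DSig namespace
REQUIRED = ("enablesamlauth", "keystorepath", "keystorepassword",
            "privatekeypassword", "identityprovidermetadatapath", "searchbloxcontext")


def parse_flat_yaml(text):
    """Minimal parser for the flat 'key: value' lines of saml-config.yml (no PyYAML needed).
    Comment lines (#) and blank lines are ignored; values are taken verbatim."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def summarize_idp_metadata(path):
    """Return the IdP entityID, its SingleSignOnService endpoints, and whether a signing cert exists."""
    root = ET.parse(path).getroot()
    idp = root.find(MD + "IDPSSODescriptor")
    if root.tag != MD + "EntityDescriptor" or idp is None:
        raise ValueError("not IdP metadata (no EntityDescriptor/IDPSSODescriptor)")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall(MD + "SingleSignOnService")}
    signing = any(k.get("use") in (None, "signing") and k.find(".//" + DS + "X509Certificate") is not None
                  for k in idp.findall(MD + "KeyDescriptor"))
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_cert": signing}


def check_config(classes_dir, config_text):
    """Return a list of problems; an empty list means the config is ready for a restart."""
    cfg = parse_flat_yaml(config_text)
    problems = [f"missing key: {k}" for k in REQUIRED if k not in cfg]
    if problems:
        return problems
    if cfg["enablesamlauth"].lower() != "true":
        problems.append("enablesamlauth is not true, so SAML stays disabled")
    for key in ("keystorepath", "identityprovidermetadatapath"):
        if not os.path.isfile(os.path.join(classes_dir, cfg[key])):
            problems.append(f"{key}: {cfg[key]} not found under {classes_dir}")
    if "demo" in cfg["keystorepassword"] or "demo" in cfg["privatekeypassword"]:
        problems.append("keystore/private-key password still looks like the sample value; "
                        "use the -storepass/-keypass from your keytool command")
    ctx = urlparse(cfg["searchbloxcontext"])
    if ctx.scheme != "https" and ctx.hostname not in ("localhost", "127.0.0.1"):
        problems.append("searchbloxcontext is not https; SAML responses would travel in clear text")
    idp_file = os.path.join(classes_dir, cfg["identityprovidermetadatapath"])
    if os.path.isfile(idp_file):
        try:
            info = summarize_idp_metadata(idp_file)
            if not info["signing_cert"]:
                problems.append("IdP metadata carries no signing certificate; responses could not be verified")
            if not info["sso"]:
                problems.append("IdP metadata has no SingleSignOnService endpoint")
        except (ET.ParseError, ValueError) as exc:
            problems.append(f"IdP metadata unusable: {exc}")
    return problems


# Constructed sample config using the values from the keytool command above.
SAMPLE_CONFIG = """enablesamlauth: true
## keystore and metadata live under WEB-INF/classes/saml/
keystorepath: saml/sb-samlKeystore.jks
keystorepassword: sb-saml-passwd
privatekeypassword: sb-saml-passwd
identityprovidermetadatapath: saml/idp-metadata.xml
searchbloxcontext: https://search.example.internal/searchblox
"""

# Constructed IdP metadata; the certificate body is a placeholder, not a real key.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD[1:-1]}" xmlns:ds="{DS[1:-1]}"
    entityID="https://idp.example.internal/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB-PLACEHOLDER-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.internal/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def demo(with_keystore=True):
    """Lay out a throwaway WEB-INF/classes/saml/ and run the checks against it."""
    with tempfile.TemporaryDirectory() as classes:
        os.makedirs(os.path.join(classes, "saml"))
        with open(os.path.join(classes, "saml", "idp-metadata.xml"), "w") as f:
            f.write(SAMPLE_IDP_METADATA)
        if with_keystore:  # stand-in for the JKS from keytool; only its presence is checked
            open(os.path.join(classes, "saml", "sb-samlKeystore.jks"), "wb").close()
        return check_config(classes, SAMPLE_CONFIG)


if __name__ == "__main__":
    print(demo() or "saml-config.yml looks ready")
```

Run it against a real deployment by calling check_config with the WEB-INF/classes directory and the text of saml-config.yml; the password check only flags values that still contain "demo", so a real password is never printed. The https check deliberately tolerates localhost, matching the sample value on this page, but a production searchbloxcontext should be the https URL the Identity-Provider will redirect back to.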
Create Users in SearchBlox:
This step assigns SearchBlox roles to the users who will sign in through the Identity-Provider.
Important Information:
Users must be configured before restarting SearchBlox.
Each Identity-Provider user has to be mapped to the proper roles in SearchBlox. Therefore, log in to the SearchBlox admin console and:
- Navigate to “Admin” and select the “Users” tab
- Go to the Add User section
- Provide a username (it must match the Identity-Provider's uid) and a password, then add the user with the roles your requirements call for.
Get Service-Provider metadata:
The service provider information has to be configured in the Identity-Provider. You can either upload the Service-Provider metadata XML file to the Identity-Provider or enter the details from that file into the Identity-Provider by hand.
Steps to generate the Service-Provider metadata file:
- As in the previous steps, make the relevant changes to saml-config.yml and configure the users.
- Restart SearchBlox.
- Log in to the Admin console. SearchBlox will redirect you to the Identity-Provider for authentication.
- The Service-Provider metadata file will now be available at the following path, depending on your SearchBlox installation.
If you are using tomcat:
<tomcat installation dir>/bin/sp-metadata.xml
If you are using jetty:
<jetty home>/sp-metadata.xml
- Get the file and configure it into your Identity-Provider.
SearchBlox will be configured with SAML authentication for the admin dashboard after completing the preceding steps.
Important Note:
If the Service-Provider metadata file is not present at the path mentioned above, restart the SearchBlox server after configuring saml-config.yml and try to log in to the SearchBlox admin console again. The file is only written when the first SAML authentication request is initiated, so once SearchBlox has redirected you to the Identity-Provider for authentication, sp-metadata.xml will be available at that path.
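When the Identity-Provider does not accept a metadata upload and the details have to be entered by hand, the values needed are the SP entityID, the AssertionConsumerService endpoints, the signing expectations and the SP certificate. The script below is an added example (not SearchBlox code) that pulls exactly those fields out of an sp-metadata.xml; the sample metadata embedded in it is constructed, with placeholder URLs and certificate text, and the real input is the sp-metadata.xml SearchBlox writes to the Tomcat bin/ or Jetty home directory named above.

```python
"""Extract what the Identity-Provider administrator needs from sp-metadata.xml.

Added example, not SearchBlox code. The sample metadata below is constructed;
feed sp_registration_details() the contents of the real sp-metadata.xml.
"""
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"   # SAML metadata namespace
DS = "{http://www.w3.org/2000/09/xmldsig#}"      # XML-DSig namespace


def sp_registration_details(xml_text):
    """Return the fields an IdP registration form asks for: entityID, ACS endpoints
    (sorted by index, default flagged), signing expectations and the SP certificate(s)."""
    root = ET.fromstring(xml_text)
    sp = root.find(MD + "SPSSODescriptor")
    if root.tag != MD + "EntityDescriptor" or sp is None:
        raise ValueError("not service-provider metadata (no EntityDescriptor/SPSSODescriptor)")
    acs = sorted(
        ({"index": int(a.get("index", "0")), "binding": a.get("Binding"),
          "location": a.get("Location"), "default": a.get("isDefault") == "true"}
         for a in sp.findall(MD + "AssertionConsumerService")),
        key=lambda a: a["index"])
    # The same certificate is often listed for both signing and encryption; de-duplicate.
    certs = sorted({c.text.strip() for c in sp.iter(DS + "X509Certificate") if c.text})
    return {
        "entity_id": root.get("entityID"),
        "acs": acs,
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "certificates": certs,
    }


# Constructed SP metadata; entityID, URLs and certificate text are placeholders.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD[1:-1]}" xmlns:ds="{DS[1:-1]}"
    entityID="https://search.example.internal/searchblox">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-PLACEHOLDER-SP-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-PLACEHOLDER-SP-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://search.example.internal/searchblox/callback"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://search.example.internal/searchblox/callback"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    d = sp_registration_details(SAMPLE_SP_METADATA)
    print("Register at the IdP:", d["entity_id"])
    for a in d["acs"]:
        print(f"  ACS[{a['index']}] {a['binding'].rsplit(':', 1)[-1]} -> {a['location']}")
    print("AuthnRequests signed:", d["authn_requests_signed"],
          "| assertions must be signed:", d["want_assertions_signed"])
```

The AssertionConsumerService locations are the only URLs the Identity-Provider is allowed to post assertions to, so compare them against the searchbloxcontext you configured: a mismatch (different host, port or http instead of https) means the IdP will redirect users to a location SearchBlox is not serving.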