SAML Authentication for Admin Console

Securing Admin Dashboard using SAML

  1. Generate Keystore for SearchBlox Service-Provider
  2. Configure Keystore, Identity-Provider metadata in SearchBlox
  3. Configure SAML authentication in SearchBlox
  4. Create Users in SearchBlox
  5. Get Service-Provider metadata

Generate Keystore for SearchBlox Service-Provider

Create the keystore using the following command:

keytool -genkeypair -alias sb-saml -keypass sb-saml-passwd -keystore sb-samlKeystore.jks -storepass sb-saml-passwd -keyalg RSA -keysize 2048 -validity 3650

Configure Keystore, Identity-Provider metadata in SearchBlox

Get the Identity-Provider metadata file and place it, together with the keystore generated above, under the following path:
<SEARCHBLOX_INSTALLATION_PATH>/webapps/searchblox/WEB-INF/classes/<CUSTOM FOLDER>
(example: saml/)

Example:
<SEARCHBLOX_INSTALLATION_PATH>/webapps/searchblox/WEB-INF/classes/saml/idp-metadata.xml
<SEARCHBLOX_INSTALLATION_PATH>/webapps/searchblox/WEB-INF/classes/saml/sb-samlKeystore.jks

Steps in configuring SAML authentication in SearchBlox

  • Go to <SEARCHBLOX_INSTALLATION_PATH>/webapps/searchblox/WEB-INF/saml-config.yml and provide relevant values for the fields as given (the keystore values below match the keytool command used earlier):

enablesamlauth: true
## keystore files should be placed before starting the SearchBlox Server
## Production - <SearchBlox deployed dir>/WEB-INF/classes/<place the files under a custom folder or here (example: saml/)>
keystorepath: saml/sb-samlKeystore.jks
keystorepassword: sb-saml-passwd
privatekeypassword: sb-saml-passwd
## Production - <SearchBlox deployed dir>/WEB-INF/classes/<place the files under a custom folder or here (example: saml/)>
identityprovidermetadatapath: saml/idp-metadata.xml
searchbloxcontext: http://localhost:8080/searchblox
## SP Metadata Info ##
# sp-metadata.xml is created when the first SAML authentication request is initiated
# sp-metadata.xml path on Tomcat: <tomcat installation dir>/bin/
# sp-metadata.xml path on Jetty: <jetty_home>

The description of the fields and the values to be provided in the saml-config.yml file:

enablesamlauth: Give the value as true to enable SAML authentication.
keystorepath: The keystore file path, relative to WEB-INF/classes.
  Example: If the files are placed in ../searchblox/WEB-INF/classes/saml, then the value should be
  keystorepath: saml/sb-samlKeystore.jks
keystorepassword: The store password used when generating the keystore (-storepass).
privatekeypassword: The private-key password used when generating the keystore (-keypass).
identityprovidermetadatapath: The path where the Identity-Provider metadata file is placed, relative to WEB-INF/classes.
  Example: If the files are placed in ../searchblox/WEB-INF/classes/saml, then the value should be
  identityprovidermetadatapath: saml/idp-metadata.xml
searchbloxcontext: The SearchBlox location (URL), for example http://localhost:8080/searchblox.
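A pre-flight check for the values above, added here as an example that is not part of SearchBlox or its documentation: it parses the flat saml-config.yml layout shown, confirms that both referenced files resolve under WEB-INF/classes, reads the SingleSignOnService endpoints out of the IdP metadata, and flags a plain-http searchbloxcontext. The config text, the IdP metadata and the idp.example.test names are constructed for the demo.

```python
import os, tempfile
import xml.etree.ElementTree as ET
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
REQUIRED = ("keystorepath", "keystorepassword", "privatekeypassword", "identityprovidermetadatapath", "searchbloxcontext")

def parse_config(text):
    """Parse the flat 'key: value' lines of saml-config.yml; lines starting with '#' are comments."""
    conf = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)  # first colon only, so the URL value keeps its own
            conf[key.strip()] = value.strip()
    return conf

def check_config(classes_dir, conf):
    """Return the problems found; an empty list means the file is ready for the restart."""
    problems = [f"missing {k}" for k in REQUIRED if not conf.get(k)]
    if conf.get("enablesamlauth") != "true":
        problems.append("enablesamlauth is not true")
    for key in ("keystorepath", "identityprovidermetadatapath"):  # both resolve under WEB-INF/classes
        if conf.get(key) and not os.path.isfile(os.path.join(classes_dir, conf[key])):
            problems.append(f"{key} not found under WEB-INF/classes: {conf[key]}")
    if conf.get("searchbloxcontext", "").startswith("http://"):
        problems.append("searchbloxcontext is plain http: SAML responses would travel unencrypted")
    return problems

def idp_endpoints(metadata_path):
    """Read the IdP entityID and its SingleSignOnService (binding, location) pairs from the metadata."""
    root = ET.parse(metadata_path).getroot()
    sso = root.find(MD + "IDPSSODescriptor")
    return root.get("entityID"), [(e.get("Binding"), e.get("Location")) for e in sso.findall(MD + "SingleSignOnService")]

# Constructed sample files matching the keystore generated in step 1; no real deployment is read.
SAMPLE_CONFIG = """enablesamlauth: true
keystorepath: saml/sb-samlKeystore.jks
keystorepassword: sb-saml-passwd
privatekeypassword: sb-saml-passwd
identityprovidermetadatapath: saml/idp-metadata.xml
searchbloxcontext: http://localhost:8080/searchblox
"""
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.test/saml">
<IDPSSODescriptor><SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
 Location="https://idp.example.test/sso"/></IDPSSODescriptor></EntityDescriptor>"""
def demo():
    """Lay out a throwaway WEB-INF/classes tree holding the IdP metadata but, deliberately, no keystore."""
    classes = tempfile.mkdtemp()
    idp = os.path.join(classes, "saml", "idp-metadata.xml")
    os.makedirs(os.path.dirname(idp))
    open(idp, "w").write(SAMPLE_IDP_METADATA)
    return check_config(classes, parse_config(SAMPLE_CONFIG)), idp_endpoints(idp)
```

Running demo() reports the missing keystore and the plain-http context while the IdP metadata parses cleanly; point classes_dir at a real WEB-INF/classes and the real saml-config.yml text to check a deployment.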

Create Users in SearchBlox:

This is to create roles for users in SearchBlox.


Important Information:

It is required to configure users before restarting SearchBlox.

Each Identity-Provider user has to be mapped to the proper roles in SearchBlox. Therefore, log in to the SearchBlox admin console and:

  • Navigate to “Admin” and select the “Users” tab
  • Go to the Add User section
  • Provide the username (it must match the Identity-Provider's uid) and a password, then add the user with the roles your requirements call for.

Get Service-Provider metadata:

It is required to configure the service provider information in the identity provider. You can either upload the service provider metadata XML file to the identity provider or enter the details from that file into your identity provider manually.

Steps to generate the Service-Provider metadata file:

  • As in the previous steps, make the relevant changes to saml-config.yml and configure the users.
  • Restart SearchBlox.
  • Log in to the Admin console.
    SearchBlox will redirect to the Identity-Provider for authentication.
  • The Service-Provider metadata file will now be available in the following path, depending on your SearchBlox installation.
    If you are using Tomcat:
    <tomcat installation dir>/bin/sp-metadata.xml
    If you are using Jetty:
    <jetty home>/sp-metadata.xml
  • Get the file and configure it in your Identity-Provider.

SearchBlox will be configured with SAML authentication for the admin dashboard after completing the preceding steps.


Important Note:

If the Service-Provider metadata file is not available at the path mentioned in the preceding step, restart the SearchBlox server after configuring saml-config.yml. Then try to log in to the SearchBlox admin console; after SearchBlox redirects to the Identity-Provider service for authentication, you can check for the Service-Provider metadata file (sp-metadata.xml) at the path mentioned earlier.