Configuring the SAML security configuration model
After registering the REST Web application (Service provider) metadata file with the Identity provider, you must configure your SAML security configuration to specify key management, Service provider metadata, and Identity provider metadata details.
To configure your SAML security configuration model:
1. Open the SAML application security configuration model, appSecurity-XXXX-saml.xml, from the WEB-INF folder of your REST Web application in your Web server directory.
2. Search for the following code snippet to configure the key management bean:
<b:bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
  <b:constructor-arg value="WEB-INF/samlKeystore.keystore"/>
  <b:constructor-arg type="java.lang.String" value="password"/>
  <b:constructor-arg>
    <b:map>
      <b:entry key="<key-alias>" value="<password>"/>
    </b:map>
  </b:constructor-arg>
  <b:constructor-arg type="java.lang.String" value="<key-alias>"/>
</b:bean>
Update the following bean properties (the placeholder values in the previous code block) as follows:
WEB-INF/samlKeystore.keystore
    Specify the keystore file that stores the keys for user authentication. This can be a self-signed or a Certificate Authority (CA) generated keystore.
key-alias
    Specify the key alias, that is, the unique name you gave the key when you generated the keystore.
password
    Specify the keystore password required to authenticate the REST Web application.
3. Search for the following code snippet to configure the metadata bean:
<b:bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
  <b:constructor-arg>
    <b:list>
      <!-- IDP Metadata file -->
      <b:bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
        <b:constructor-arg>
          <b:bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
            <b:constructor-arg>
              <b:value type="java.io.File"><IdP metadata file name></b:value>
            </b:constructor-arg>
            <b:property name="parserPool" ref="parserPool"/>
          </b:bean>
        </b:constructor-arg>
        <b:constructor-arg>
          <b:bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
            <b:property name="local" value="false"/>
            <b:property name="alias" value="default"/>
            <b:property name="securityProfile" value="metaiop"/>
            <b:property name="requireArtifactResolveSigned" value="false"/>
            <b:property name="requireLogoutRequestSigned" value="false"/>
            <b:property name="requireLogoutResponseSigned" value="false"/>
            <b:property name="idpDiscoveryEnabled" value="false"/>
            <b:property name="ecpEnabled" value="true"/>
          </b:bean>
        </b:constructor-arg>
      </b:bean>
      <!-- SP Metadata file -->
      <b:bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
        <b:constructor-arg>
          <b:bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
            <b:constructor-arg>
              <b:value type="java.io.File"><Service provider metadata file name></b:value>
            </b:constructor-arg>
            <b:property name="parserPool" ref="parserPool"/>
          </b:bean>
        </b:constructor-arg>
        <b:constructor-arg>
          <b:bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
            <b:property name="local" value="true"/>
            <b:property name="alias" value="default"/>
            <b:property name="securityProfile" value="metaiop"/>
            <b:property name="requireArtifactResolveSigned" value="false"/>
            <b:property name="requireLogoutRequestSigned" value="false"/>
            <b:property name="requireLogoutResponseSigned" value="false"/>
            <b:property name="idpDiscoveryEnabled" value="false"/>
            <b:property name="ecpEnabled" value="true"/>
          </b:bean>
        </b:constructor-arg>
      </b:bean>
    </b:list>
  </b:constructor-arg>
</b:bean>
Update the following bean properties (the placeholder values in the previous code block) as follows:
IdP metadata file name
    Specify the location of the IdP metadata file.
Service provider metadata file name
    Specify the location of the REST Web application (Service provider) metadata file.
4. Search for the following code snippet to configure the processing filter bean:
<!-- Processing filter for WebSSO profile messages -->
<b:bean id="samlProcessingFilter" class="com.progress.rest.security.OESamlProcessingFilter">
  <b:property name="samlEntryPointHandler" ref="initializeSAMLEntryPoint"/>
  <b:property name="authenticationManager" ref="RestApplicationtAuth"/>
  <b:property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
  <b:property name="defaultFilterProcessesUrl" value="<Entity ID>"/>
  <b:property name="defaultIdpProcessingUrl" value="<IdP URL>"/>
</b:bean>
Update the following bean properties (the placeholder values in the previous code block) as follows:
defaultFilterProcessesUrl
    Specify, as the value, the URL at which the processing filter for WebSSO must be applied.
defaultIdpProcessingUrl
    Specify, as the value, your IdP's URL. For instance, if you use the Progress IdP, you specify the value as https://secure-test.progress.com.
5. Start your Tomcat Web server, in which this REST Web application is deployed, for the security configurations to take effect.
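Before restarting Tomcat it is worth checking that every placeholder in steps 2 to 4 was actually replaced and that the edited file still describes one IdP and one local Service provider. The script below is an added example, not part of the OpenEdge documentation or product: it parses an appSecurity-XXXX-saml.xml with the standard library and reports unreplaced placeholders, a keystore password left at the template default, metadata entries with an empty file path or with a signing requirement switched off, and an IdP URL that is not https. It assumes the bean layout printed above (the "b" prefix bound to the Spring beans namespace and the keyManager constructor-args in the order shown); the sample configuration embedded in it, including the alias restapp and the file names under WEB-INF, is constructed for the example and contains three deliberate weak spots.

```python
"""Pre-deployment audit of an appSecurity-XXXX-saml.xml (added example, not OpenEdge code).
Assumes the bean layout shown in the configuration steps: the "b" prefix bound to the Spring
beans namespace and keyManager constructor-args in the order store, password, map, alias.
"""
import xml.etree.ElementTree as ET

B = "{http://www.springframework.org/schema/beans}"
EXT_META = "org.springframework.security.saml.metadata.ExtendedMetadata"
# Placeholder tokens exactly as they appear in the shipped template.
PLACEHOLDERS = ("<key-alias>", "<password>", "<IdP metadata file name>",
                "<Service provider metadata file name>", "<Entity ID>", "<IdP URL>")
SIGNING_PROPS = ("requireArtifactResolveSigned", "requireLogoutRequestSigned",
                 "requireLogoutResponseSigned")

def props(bean):
    """Map the <b:property> children of a bean to {name: value}."""
    return {p.get("name"): p.get("value") for p in bean.findall(B + "property")}

def audit_keymanager(bean):
    """Step 2: keystore path, keystore password and the alias/password map."""
    args = bean.findall(B + "constructor-arg")
    if len(args) != 4:
        return ["keyManager: expected 4 constructor-args"]
    aliases = {e.get("key") for e in args[2].iter(B + "entry")}
    findings = []
    if not args[0].get("value"):
        findings.append("keyManager: keystore path is empty")
    if args[1].get("value") == "password":
        findings.append("keyManager: keystore password is still the template default")
    if args[3].get("value") not in aliases:
        findings.append("keyManager: default key alias has no entry in the key password map")
    return findings

def audit_metadata(bean):
    """Step 3: exactly one local (SP) entry, at least one IdP entry, file paths, signing flags."""
    findings, local_flags = [], []
    for delegate in bean.iter(B + "bean"):
        if not delegate.get("class", "").endswith("ExtendedMetadataDelegate"):
            continue
        ext = delegate.find(f".//{B}bean[@class='{EXT_META}']")
        if ext is None:
            findings.append("metadata: delegate without an ExtendedMetadata bean")
            continue
        p = props(ext)
        role = "SP" if p.get("local") == "true" else "IdP"
        local_flags.append(p.get("local"))
        path = delegate.find(f".//{B}value[@type='java.io.File']")
        if path is None or not (path.text or "").strip():
            findings.append(f"metadata ({role}): metadata file path is empty")
        findings += [f"metadata ({role}): {n} is false" for n in SIGNING_PROPS if p.get(n) == "false"]
    if local_flags.count("true") != 1:
        findings.append("metadata: expected exactly one local=true (SP) entry")
    if "false" not in local_flags:
        findings.append("metadata: no local=false (IdP) entry")
    return findings

def audit_filter(bean):
    """Step 4: the filter URL must be set and the IdP URL must use https."""
    p = props(bean)
    findings = []
    if not p.get("defaultFilterProcessesUrl"):
        findings.append("samlProcessingFilter: defaultFilterProcessesUrl is empty")
    if not (p.get("defaultIdpProcessingUrl") or "").startswith("https://"):
        findings.append("samlProcessingFilter: defaultIdpProcessingUrl is not https")
    return findings

def audit(xml_text):
    """Return every finding for one configuration document (an empty list means clean)."""
    findings = [f"unreplaced placeholder {t}" for t in PLACEHOLDERS if t in xml_text]
    if findings:  # the placeholders are not well-formed XML, so stop before parsing
        return findings
    beans = {b.get("id"): b for b in ET.fromstring(xml_text).iter(B + "bean") if b.get("id")}
    checks = {"keyManager": audit_keymanager, "metadata": audit_metadata,
              "samlProcessingFilter": audit_filter}
    for bean_id, check in checks.items():
        findings += check(beans[bean_id]) if bean_id in beans else [f"bean '{bean_id}' not found"]
    return findings

def delegate_xml(path, local, extra=""):
    """Build one ExtendedMetadataDelegate entry for the constructed sample below."""
    return (f'<b:bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">'
            f'<b:constructor-arg><b:bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">'
            f'<b:constructor-arg><b:value type="java.io.File">{path}</b:value></b:constructor-arg>'
            f'</b:bean></b:constructor-arg><b:constructor-arg><b:bean class="{EXT_META}">'
            f'<b:property name="local" value="{local}"/>{extra}</b:bean></b:constructor-arg></b:bean>')

# Constructed sample (alias, file names and URLs are invented) with three deliberate weak spots.
SAMPLE_CONFIG = (
    '<b:beans xmlns:b="http://www.springframework.org/schema/beans">'
    '<b:bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">'
    '<b:constructor-arg value="WEB-INF/samlKeystore.keystore"/>'
    '<b:constructor-arg type="java.lang.String" value="password"/>'
    '<b:constructor-arg><b:map><b:entry key="restapp" value="alias-pw"/></b:map></b:constructor-arg>'
    '<b:constructor-arg type="java.lang.String" value="restapp"/></b:bean>'
    '<b:bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">'
    '<b:constructor-arg><b:list>'
    + delegate_xml("WEB-INF/idp-metadata.xml", "false",
                   '<b:property name="requireLogoutRequestSigned" value="false"/>')
    + delegate_xml("WEB-INF/sp-metadata.xml", "true")
    + '</b:list></b:constructor-arg></b:bean>'
    '<b:bean id="samlProcessingFilter" class="com.progress.rest.security.OESamlProcessingFilter">'
    '<b:property name="defaultFilterProcessesUrl" value="/saml/SSO"/>'
    '<b:property name="defaultIdpProcessingUrl" value="http://idp.example.test/saml"/>'
    '</b:bean></b:beans>')

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the real file with `audit(open("WEB-INF/appSecurity-XXXX-saml.xml").read())`; an empty list means the placeholders are gone and the structural checks pass. The signing-flag findings are informational: the template ships with those requirements disabled, and whether your IdP can satisfy them is a decision to take with the IdP's metadata in hand, not something the script can decide.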