How To: Configure SAML Authentication on BOARD

Document created by mik1893 Employee on Jul 13, 2017
Version 1

Starting from BOARD version 9.0, SAML 2.0 login is supported via the HTTP POST binding.
This short technical how-to explains the basics of the configuration.

Part 1: Configure SAML Authentication on the Board Server

1) On the BOARD Server, open the folder where the Board Server is installed (usually C:\Program Files\Board\Board Server) and execute, with administrator rights, the SAMLConfig.exe executable.

2) The SAML Authentication configurator will open as shown below.

3) SAMLConfig.exe allows you to configure and test your SAML infrastructure, as well as save the SAMLSettings.xml file, which the BOARD Server reads to perform SAML authentication. Refer to the guidelines below to configure it properly:

Identity Provider Login URL. This is the URL of your IDP SAML endpoint, to which BOARD will send SAML requests for SP-initiated login.

Identity Provider Certificate. Browse and select the token-signing certificate of your IDP.

Entity ID. This is how your IDP will identify the BOARD Service Provider.

Issuer. Contains the unique identifier of the requesting service provider.

Enable Request Signing. Enable or disable signing of the SAML request.

Certificate Path. Path to the certificate used for signing the request.

Password. Password of the certificate used for signing the request.

Enable Assertion Encryption. Enable or disable the assertion encryption.

Decrypt Assertions. Enable or disable the decryption of the assertion.

------------------------------------------------------------------------------------------------------------------------------------------------
Note: Both signing and encryption certificates can be loaded from disk or from the local machine store.
------------------------------------------------------------------------------------------------------------------------------------------------

Test connect. Try to connect using the specified configuration. If everything is OK, a popup showing the NameID contained in the response is displayed, followed by the message “Response OK”.

Save settings. Save the current configuration to the SAMLSettings.xml file. This file is placed in the same directory as SAMLConfig.exe (by default the Board Server folder) and is read by the Board Server when it starts.

Load settings. Load the existing SAMLSettings.xml into the application so that it can be modified.

------------------------------------------------------------------------------------------------------------------------------------------------
Note: You can either modify the SAMLSettings.xml file in a text editor or use the provided SAMLConfig.exe application.
------------------------------------------------------------------------------------------------------------------------------------------------

A sample SAMLSettings.xml is provided at the end of this article.

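As an added example (not part of BOARD or SAMLConfig.exe), the following Python script reads a SAMLSettings.xml using the element names from the sample at the end of this article and reports what a reviewer would check before the file goes onto the server: an https IDP login URL, a configured IDP token-signing certificate, a certificate source (file path or machine-store handle) whenever request signing or assertion encryption is switched on, and the SAML 2.0 HTTP-POST binding. The rule names and severities, and the reading of EncryptAssertions and DecryptAssertions as a pair, are the example's own assumptions; the embedded sample file is a constructed copy of the article's.

```python
"""Offline sanity check for a BOARD SAMLSettings.xml.

Added for this article; it is not part of BOARD or SAMLConfig.exe. Element
names are taken from the sample SAMLSettings.xml at the end of the article;
the rules are what a reviewer would check before the file goes on the server.
"""
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed copy of the article's sample file, used as the built-in test input.
SAMPLE_SETTINGS = r"""<?xml version="1.0"?>
<SAMLSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <IDPLoginURL>https://saml.mycompany.com/GetAccess/Saml/IDP/SSO/Post</IDPLoginURL>
  <IDPCertificatePath>C:\IDPCertificate.cer</IDPCertificatePath>
  <EntityID>saml.mycompany.com</EntityID>
  <Issuer>urn:issuer:sp:www.mycompany.com</Issuer>
  <SignRequest>false</SignRequest>
  <SignCertificatePath />
  <SignCertificatePassword />
  <SignCertificateHandle>0</SignCertificateHandle>
  <EncryptAssertions>false</EncryptAssertions>
  <EncryptCertificatePath />
  <EncryptCertificatePassword />
  <EncryptCertificateHandle>0</EncryptCertificateHandle>
  <DecryptAssertions>false</DecryptAssertions>
  <IssueInstant>2013-12-19T10:31:54.0194048+01:00</IssueInstant>
  <ProtocolBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</ProtocolBinding>
  <Version>2.0</Version>
  <ForceAuthentication>false</ForceAuthentication>
</SAMLSettings>
"""


def _text(root, name):
    """Trimmed text of a direct child element, or '' if absent or empty."""
    node = root.find(name)
    return (node.text or "").strip() if node is not None else ""


def _flag(root, name):
    return _text(root, name).lower() == "true"


def check_settings(xml_text):
    """Return a list of (severity, message); severity is 'error' or 'warning'."""
    root = ET.fromstring(xml_text)
    findings = []

    # The IDP endpoint receives the AuthnRequest and the browser is sent there,
    # so it must be present and must use TLS.
    url = _text(root, "IDPLoginURL")
    if not url:
        findings.append(("error", "IDPLoginURL is empty"))
    elif urlparse(url).scheme != "https":
        findings.append(("error", "IDPLoginURL does not use https: " + url))

    # The IDP token-signing certificate is what the Board Server uses to verify
    # the signature on the SAML response; without it nothing can be verified.
    if not _text(root, "IDPCertificatePath"):
        findings.append(("error", "IDPCertificatePath is empty; response signatures cannot be verified"))

    for name in ("EntityID", "Issuer"):
        if not _text(root, name):
            findings.append(("error", name + " is empty"))

    # A signing or encryption switch needs a certificate from disk (path) or
    # from the local machine store (non-zero handle), as the article's note says.
    for flag, path, handle, what in (
        ("SignRequest", "SignCertificatePath", "SignCertificateHandle", "request signing"),
        ("EncryptAssertions", "EncryptCertificatePath", "EncryptCertificateHandle", "assertion encryption"),
    ):
        has_cert = bool(_text(root, path)) or _text(root, handle) not in ("", "0")
        if _flag(root, flag) and not has_cert:
            findings.append(("error", flag + " is true but no certificate is configured for " + what))
        elif not _flag(root, flag):
            findings.append(("warning", flag + " is false; " + what + " is disabled"))

    # Assumption: EncryptAssertions asks the IDP to encrypt and DecryptAssertions
    # lets the Board Server decrypt, so the two should normally agree.
    if _flag(root, "EncryptAssertions") != _flag(root, "DecryptAssertions"):
        findings.append(("warning", "EncryptAssertions and DecryptAssertions disagree"))

    # Protocol parameters as used in the article's sample (SAML 2.0 over HTTP-POST).
    if _text(root, "ProtocolBinding") != HTTP_POST:
        findings.append(("error", "ProtocolBinding must be " + HTTP_POST))
    if _text(root, "Version") != "2.0":
        findings.append(("error", "Version must be 2.0"))
    return findings


def errors(findings):
    """Only the messages that should block deployment."""
    return [message for severity, message in findings if severity == "error"]


def check_file(path):
    with open(path, encoding="utf-8") as fh:
        return check_settings(fh.read())


if __name__ == "__main__":
    # Usage: python check_samlsettings.py [path\to\SAMLSettings.xml]
    results = check_file(sys.argv[1]) if len(sys.argv) > 1 else check_settings(SAMPLE_SETTINGS)
    for severity, message in results:
        print(severity.upper() + ": " + message)
    sys.exit(1 if errors(results) else 0)
```

Run against the article's sample the checker reports no errors and two warnings (request signing and assertion encryption are both off), which is the state the sample file describes; the exit status makes it usable as a pre-deployment gate.
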
Part 2: Enable SAML on a BOARD Client

1) In the Host window, as shown below, enable SAML Login on the selected hosts.

2) The picture below shows how the connect window appears for a SAML-configured host after step 1.

3) Clicking Connect opens the IDP login page. Enter your credentials (username and password, smart card, etc.). The exchange between your IDP and BOARD is handled transparently and, if the user exists in BOARD Security, login is granted.

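To show what the settings turn into on the wire during step 3, here is an added example (not BOARD's code) that builds the SP-initiated SAML 2.0 AuthnRequest from the IDPLoginURL, Issuer, ProtocolBinding, Version and ForceAuthentication elements of a SAMLSettings.xml and wraps it in the HTTP-POST form the browser submits to the IDP login page. The ACS_URL value, the minimal SETTINGS document and the function names are assumptions made for the example; the IssueInstant is generated for each request rather than read from the settings file.

```python
"""Build the SP-initiated SAML 2.0 AuthnRequest described by a BOARD-style
SAMLSettings.xml and wrap it for the HTTP-POST binding.

Added for this article; it is not BOARD's code. Only element names that appear
in the article's sample file are used. ACS_URL is a placeholder (BOARD's real
assertion consumer endpoint is not stated in the article).
"""
import base64
import datetime
import html
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Placeholder: where the IDP posts the SAML response back to the service provider.
ACS_URL = "https://board.example.invalid/saml/acs"

# Constructed minimal settings with the same element names as the article's sample.
SETTINGS = """<SAMLSettings>
  <IDPLoginURL>https://saml.mycompany.com/GetAccess/Saml/IDP/SSO/Post</IDPLoginURL>
  <Issuer>urn:issuer:sp:www.mycompany.com</Issuer>
  <ProtocolBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</ProtocolBinding>
  <Version>2.0</Version>
  <ForceAuthentication>false</ForceAuthentication>
</SAMLSettings>"""


def build_authn_request(settings_xml, acs_url=ACS_URL, now=None, request_id=None):
    """Return (request_id, idp_login_url, authn_request_xml) for the given settings."""
    settings = ET.fromstring(settings_xml)

    def get(name):
        return (settings.findtext(name) or "").strip()

    # IssueInstant is the time of this request, in UTC as SAML requires; it is
    # not the fixed value stored in the settings file.
    now = now or datetime.datetime.now(datetime.timezone.utc)
    # xs:ID values may not start with a digit, hence the leading underscore.
    request_id = request_id or "_" + uuid.uuid4().hex
    force = "true" if get("ForceAuthentication").lower() == "true" else "false"
    req = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": request_id,
        "Version": get("Version"),
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": get("IDPLoginURL"),
        "ProtocolBinding": get("ProtocolBinding"),
        "AssertionConsumerServiceURL": acs_url,
        # ForceAuthentication maps to ForceAuthn: 'true' makes the IDP re-prompt
        # the user even if an IDP session already exists.
        "ForceAuthn": force,
    })
    ET.SubElement(req, "{%s}Issuer" % SAML).text = get("Issuer")
    return request_id, get("IDPLoginURL"), ET.tostring(req, encoding="unicode")


def to_post_form(idp_login_url, authn_request_xml, relay_state=""):
    """HTTP-POST binding: the base64 request goes in a SAMLRequest form field
    of a self-submitting form whose action is the IDP login URL."""
    saml_request = base64.b64encode(authn_request_xml.encode("utf-8")).decode("ascii")
    return (
        '<form method="post" action="%s">'
        '<input type="hidden" name="SAMLRequest" value="%s"/>'
        '<input type="hidden" name="RelayState" value="%s"/>'
        '<noscript><input type="submit" value="Continue"/></noscript>'
        "</form>"
    ) % (html.escape(idp_login_url, quote=True), saml_request, html.escape(relay_state, quote=True))


def decode_saml_request(form_html):
    """Recover the AuthnRequest element from the form, i.e. what the IDP receives."""
    marker = 'name="SAMLRequest" value="'
    start = form_html.index(marker) + len(marker)
    end = form_html.index('"', start)
    return ET.fromstring(base64.b64decode(form_html[start:end]))


if __name__ == "__main__":
    rid, url, xml_text = build_authn_request(SETTINGS)
    print(xml_text)
    print(to_post_form(url, xml_text, relay_state="/board"))
```

The request ID returned by build_authn_request is what the service provider must remember and later compare against the InResponseTo attribute of the IDP's response; keeping that correlation is what ties an incoming assertion to a login the server actually started.
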
---------------------------------------------

SAMLSETTINGS.XML - Sample configuration

<?xml version="1.0"?>
<SAMLSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <IDPLoginURL>https://saml.mycompany.com/GetAccess/Saml/IDP/SSO/Post</IDPLoginURL>
  <IDPCertificatePath>C:\IDPCertificate.cer</IDPCertificatePath>
  <EntityID>saml.mycompany.com</EntityID>
  <Issuer>urn:issuer:sp:www.mycompany.com</Issuer>
  <SignRequest>false</SignRequest>
  <SignCertificatePath />
  <SignCertificatePassword />
  <SignCertificateHandle>0</SignCertificateHandle>
  <EncryptAssertions>false</EncryptAssertions>
  <EncryptCertificatePath />
  <EncryptCertificatePassword />
  <EncryptCertificateHandle>0</EncryptCertificateHandle>
  <DecryptAssertions>false</DecryptAssertions>
  <IssueInstant>2013-12-19T10:31:54.0194048+01:00</IssueInstant>
  <ProtocolBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</ProtocolBinding>
  <Version>2.0</Version>
  <ForceAuthentication>false</ForceAuthentication>
</SAMLSettings>
