Studio SAML2 Configuration 
Crafter Studio can be configured to support SAML2 SSO out of the box without using any additional plugin.
Requirements
A SAML2 compatible Identity Provider properly configured, this configuration will not be covered here
A Java KeyStore file containing all needed keys & certificates, this can be generated with the Java Keytool or any other compatible tool. For example:
keytool -genkey -alias CREDENTIAL_NAME -keystore keystore.jks -storepass STORE_PASSWORDNote
Some versions of the Keytool support a different password for the keystore and the key generated, you will be prompted for one or you can add the
-keypass KEY_PASSWORDparameter.Take note of the values of the following options used to generate your keystore that will be used later for configuring Studio:
alias: The value used for this option wil be used in the
studio.security.saml.keystore.aliaspropertystorepass: The value used for this option will be used in the
studio.security.saml.keystore.storePasswordpropertykeypass: The value used for this option will be used in the
studio.security.saml.keystore.keyPasswordproperty
XML descriptors for the Identity Provider and the Service Provider (Crafter Studio). The descriptor for Crafter Studio can be generated following these steps:
Export the X509 certificate from the key store file:
keytool -export -alias CREDENTIAL_NAME -keystore keystore.jks -rfc -file CREDENTIAL_NAME.cerCreate the XML descriptor, either using a third party tool or manually. The descriptor should look like this:
Example SAML 2.0 Service Provider Metadata<?xml version="1.0" encoding="UTF-8" standalone="no"?> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="<Entity ID>"> <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <md:KeyDescriptor use="signing"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data> <ds:X509Certificate><Certificate></ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor> <md:KeyDescriptor use="encryption"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data> <ds:X509Certificate><Certificate></ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor> <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="<Logout URL>"/> <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat> <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="<SAML URL>" index="0" isDefault="true"/> </md:SPSSODescriptor> </md:EntityDescriptor>
Replacing the following values:
Entity ID: Unique identifier for the service provider
AuthnRequestsSigned: indicates if the service provider will sign authentication requests
WantAssertionsSigned: indicates if the service provider requires signed assertions
Certificate: The content of the certificate obtained in the previous step
Logout URL: The full URL for the service provider logout endpoint (
STUDIO_URL/saml/logout)SAML URL: The full URL for the service provider SSO processing endpoint (
STUDIO_URL/saml/SSO)
Note
If Crafter Studio will be behind a load balancer or proxy server, the XML Service Provider descriptor needs to use the public URL for the Identity Provider to be able to communicate
Configure
To configure Studio SAML2, in your Authoring installation, we need to enable SAML security then we’ll setup the required SAML configuration properties.
To enable SAML security, go to CRAFTER_HOME/bin, open the crafter-setenv.sh file and uncomment the line export SPRING_PROFILES_ACTIVE=crafter.studio.samlSecurity:
# -------------------- Spring Profiles --------------------
...
# Uncomment to enable SAML security
export SPRING_PROFILES_ACTIVE=crafter.studio.samlSecurity
# For multiple active spring profiles, create comma separated list
Next we’ll setup SAML configuration properties. Go to CRAFTER_HOME/bin/apache-tomcat/shared/classes/crafter/studio/extension and add the following lines to studio-config-override.yaml (of course, make any appropriate configuration changes according to your system):
1###############################################################
2## SAML Security ##
3###############################################################
4# SAML attribute name for email
5studio.security.saml.attributeName.email: email
6# SAML attribute name for first name
7studio.security.saml.attributeName.firstName: givenName
8# SAML attribute name for last name
9studio.security.saml.attributeName.lastName: surname
10# SAML attribute name for group
11studio.security.saml.attributeName.group: Role
12# Service Provider Metadata location (classpath resource)
13studio.security.saml.metadata.location.serviceProvider: "/crafter/studio/extension/saml/sp-metadata.xml"
14# IDP Metadata location (classpath resource)
15studio.security.saml.metadata.location.idp: "/crafter/studio/extension/saml/idp-metadata.xml"
16# SAML keystore location
17studio.security.saml.keystore.location: classpath:crafter/studio/extension/saml/keystore.jks
18# SAML keystore store password
19studio.security.saml.keystore.storePassword: crafterstore
20# SAML keystore key password
21studio.security.saml.keystore.keyPassword: crafterkey
22# SAML keystore alias
23studio.security.saml.keystore.alias: crafterstudio
24# SAML logout URL
25studio.security.saml.logoutUrl: /studio/saml/logout
26# Enable SAML configuration used when Studio is behind a reverse proxy or load balancer
27# studio.security.saml.reverseProxy.enabled: false
28# The header name that contains the public URL (matching the SAML SP URL) hostname
29# studio.security.saml.reverseProxy.forwardedHostHeaderName: X-Forwarded-Host
30# The header name that contains the public URL (matching the SAML SP URL) port
31# studio.security.saml.reverseProxy.forwardedPortHeaderName: X-Forwarded-Port
32# The header name that contains the public URL (matching the SAML SP URL) protocol
33# studio.security.saml.reverseProxy.forwardedProtoHeaderName: X-Forwarded-Proto
34# The scheme or protocol of the public URL (matching the SAML SP URL). Use if you want to overwrite the forwarded header
35# studio.security.saml.reverseProxy.scheme:
36# The server name or hostname of the public URL (matching the SAML SP URL). Use if you want to overwrite the forwarded header
37# studio.security.saml.reverseProxy.serverName:
38# The port of the public URL (matching the SAML SP URL). Use if you want to overwrite the forwarded header
39# studio.security.saml.reverseProxy.serverPort: 0
40# The context path of the public URL (matching the SAML SP URL)
41# studio.security.saml.reverseProxy.contextPath:
42# SAML Web SSO profile options: authenticate the user silently
43# studio.security.saml.webSSOProfileOptions.passive: false
44# SAML Web SSO profile options: force user to re-authenticate
45# studio.security.saml.webSSOProfileOptions.forceAuthn: false
46
47|
where
studio.security.saml.enabled: Indicates if SAML2 is enabled or notThe following are attributes that Studio expects from the Identity Provider:
studio.security.saml.attributeName.emailstudio.security.saml.attributeName.firstNamestudio.security.saml.attributeName.lastNamestudio.security.saml.attributeName.group
studio.security.saml.metadata.location.serviceProvider: The path of the service provider metadata XML descriptor in the classpathstudio.security.saml.metadata.location.idp: The path of the identity provider metadata XML descriptor in the classpathstudio.security.saml.keystore.location: The path of the keystore file in the classpathstudio.security.saml.keystore.storePassword: The password of the keystore filestudio.security.saml.keystore.keyPassword: The password of the keystudio.security.saml.keystore.alias: Keystore entry identifier (unique string to identify the key entry)studio.security.saml.reverseProxy.enabled: Indicates if SAML configuration used when Studio is behind a reverse proxy or load balancer is enabled or notstudio.security.saml.reverseProxy.forwardedHostHeaderName: The header name that contains the public URL (matching the SAML SP URL) hostnamestudio.security.saml.reverseProxy.forwardedPortHeaderName: The header name that contains the public URL (matching the SAML SP URL) portstudio.security.saml.reverseProxy.forwardedProtoHeaderName: The header name that contains the public URL (matching the SAML SP URL) protocolstudio.security.saml.reverseProxy.scheme: The scheme or protocol of the public URL (matching the SAML SP URL). Use if you want to overwrite the forwarded headerstudio.security.saml.reverseProxy.serverName: The server name or hostname of the public URL (matching the SAML SP URL). Use if you want to overwrite the forwarded headerstudio.security.saml.reverseProxy.serverPort: The port of the public URL (matching the SAML SP URL). Use if you want to overwrite the forwarded headerstudio.security.saml.reverseProxy.contextPath: The context path of the public URL (matching the SAML SP URL)studio.security.saml.webSSOProfileOptions.passive: Indicates if user is authenticated silentlystudio.security.saml.webSSOProfileOptions.forceAuthn: Indicates if user will be forced to re-authenticate
The classpath is located in your Authoring installation, under CRAFTER_HOME/bin/apache-tomcat/shared/classes. As shown in the example above, the identity provider metadata XML descriptor is located in your Authoring installation under CRAFTER_HOME/bin/apache-tomcat/shared/classes/crafter/studio/extension/saml folder.
# IDP Metadata location (classpath resource)
studio.security.saml.metadata.location.idp: "/crafter/studio/extension/saml/idp-metadata.xml"
Restart your Authoring installation after configuring the above.