Studio SAML2 Configuration for CrafterCMS v4.0.2 and Earlier
Warning
This document only applies to CrafterCMS version 4.0.2 and earlier
Please see Studio SAML2 Configuration for the latest version.
Crafter Studio can be configured to support SAML2 SSO out of the box without using any additional plugin.
Requirements
A SAML2 compatible Identity Provider properly configured, this configuration will not be covered here
A Java KeyStore file containing all needed keys & certificates, this can be generated with the Java Keytool or any other compatible tool. For example:
keytool -genkey -alias CREDENTIAL_NAME -keystore keystore.jks -storepass STORE_PASSWORD
Note
Some versions of the Keytool support a different password for the keystore and the key generated, you will be prompted for one or you can add the
-keypass KEY_PASSWORD
parameter.Take note of the values of the following options used to generate your keystore that will be used later for configuring Studio:
alias: The value used for this option wil be used in the
studio.security.saml.keystore.alias
propertystorepass: The value used for this option will be used in the
studio.security.saml.keystore.storePassword
propertykeypass: The value used for this option will be used in the
studio.security.saml.keystore.keyPassword
property
XML descriptors for the Identity Provider and the Service Provider (Crafter Studio). The descriptor for Crafter Studio can be generated following these steps:
Export the X509 certificate from the key store file:
keytool -export -alias CREDENTIAL_NAME -keystore keystore.jks -rfc -file CREDENTIAL_NAME.cer
Create the XML descriptor, either using a third party tool or manually. The descriptor should look like this:
<?xml version="1.0" encoding="UTF-8" standalone="no"?> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="<Entity ID>"> <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <md:KeyDescriptor use="signing"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data> <ds:X509Certificate><Certificate></ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor> <md:KeyDescriptor use="encryption"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data> <ds:X509Certificate><Certificate></ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor> <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="<Logout URL>"/> <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat> <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="<SAML URL>" index="0" isDefault="true"/> </md:SPSSODescriptor> </md:EntityDescriptor>
Replacing the following values:
Entity ID: Unique identifier for the service provider
AuthnRequestsSigned: indicates if the service provider will sign authentication requests
WantAssertionsSigned: indicates if the service provider requires signed assertions
Certificate: The content of the certificate obtained in the previous step
Logout URL: The full URL for the service provider logout endpoint (
STUDIO_URL/saml/logout
)SAML URL: The full URL for the service provider SSO processing endpoint (
STUDIO_URL/saml/SSO
)
Note
If Crafter Studio will be behind a load balancer or proxy server, the XML Service Provider descriptor needs to use the public URL for the Identity Provider to be able to communicate
Configure
To configure Studio SAML2, in your Authoring installation, we need to enable SAML security then we’ll setup the required SAML configuration properties.
To enable SAML security, go to CRAFTER_HOME/bin
, open the crafter-setenv.sh
file and uncomment the line export SPRING_PROFILES_ACTIVE=crafter.studio.samlSecurity
:
# -------------------- Spring Profiles --------------------
...
# Uncomment to enable SAML security
export SPRING_PROFILES_ACTIVE=crafter.studio.samlSecurity
# For multiple active spring profiles, create comma separated list
Next we’ll setup SAML configuration properties. Go to CRAFTER_HOME/bin/apache-tomcat/shared/classes/crafter/studio/extension
and add the following lines to studio-config-override.yaml (of course, make any appropriate configuration changes according to your system):
1###############################################################
2## SAML Security ##
3###############################################################
4# SAML security enabled
5studio.security.saml.enabled: true
6# SAML attribute name for email
7studio.security.saml.attributeName.email: email
8# SAML attribute name for first name
9studio.security.saml.attributeName.firstName: givenName
10# SAML attribute name for last name
11studio.security.saml.attributeName.lastName: surname
12# SAML attribute name for group
13studio.security.saml.attributeName.group: Role
14# Service Provider Metadata location (classpath resource)
15studio.security.saml.metadata.location.serviceProvider: "/crafter/studio/extension/saml/sp-metadata.xml"
16# IDP Metadata location (classpath resource)
17studio.security.saml.metadata.location.idp: "/crafter/studio/extension/saml/idp-metadata.xml"
18# SAML keystore location
19studio.security.saml.keystore.location: classpath:crafter/studio/extension/saml/keystore.jks
20# SAML keystore store password
21studio.security.saml.keystore.storePassword: crafterstore
22# SAML keystore key password
23studio.security.saml.keystore.keyPassword: crafterkey
24# SAML keystore alias
25studio.security.saml.keystore.alias: crafterstudio
26# SAML logout URL
27studio.security.saml.logoutUrl: /studio/saml/logout
28# Enable SAML configuration used when Studio is behind a reverse proxy or load balancer
29# studio.security.saml.reverseProxy.enabled: false
30# The header name that contains the public URL (matching the SAML SP URL) hostname
31# studio.security.saml.reverseProxy.forwardedHostHeaderName: X-Forwarded-Host
32# The header name that contains the public URL (matching the SAML SP URL) port
33# studio.security.saml.reverseProxy.forwardedPortHeaderName: X-Forwarded-Port
34# The header name that contains the public URL (matching the SAML SP URL) protocol
35# studio.security.saml.reverseProxy.forwardedProtoHeaderName: X-Forwarded-Proto
36# The scheme or protocol of the public URL (matching the SAML SP URL). Use if you want to overwrite the forwarded header
37# studio.security.saml.reverseProxy.scheme:
38# The server name or hostname of the public URL (matching the SAML SP URL). Use if you want to overwrite the forwarded header
39# studio.security.saml.reverseProxy.serverName:
40# The port of the public URL (matching the SAML SP URL). Use if you want to overwrite the forwarded header
41# studio.security.saml.reverseProxy.serverPort: 0
42# The context path of the public URL (matching the SAML SP URL)
43# studio.security.saml.reverseProxy.contextPath:
44# SAML Web SSO profile options: authenticate the user silently
45# studio.security.saml.webSSOProfileOptions.passive: false
46# SAML Web SSO profile options: force user to re-authenticate
47# studio.security.saml.webSSOProfileOptions.forceAuthn: false
48
49|
where
studio.security.saml.enabled
: Indicates if SAML2 is enabled or notThe following are attributes that Studio expects from the Identity Provider:
studio.security.saml.attributeName.email
studio.security.saml.attributeName.firstName
studio.security.saml.attributeName.lastName
studio.security.saml.attributeName.group
studio.security.saml.metadata.location.serviceProvider
: The path of the service provider metadata XML descriptor in the classpathstudio.security.saml.metadata.location.idp
: The path of the identity provider metadata XML descriptor in the classpathstudio.security.saml.keystore.location
: The path of the keystore file in the classpathstudio.security.saml.keystore.storePassword
: The password of the keystore filestudio.security.saml.keystore.keyPassword
: The password of the keystudio.security.saml.keystore.alias
: Keystore entry identifier (unique string to identify the key entry)studio.security.saml.reverseProxy.enabled
: Indicates if SAML configuration used when Studio is behind a reverse proxy or load balancer is enabled or notstudio.security.saml.reverseProxy.forwardedHostHeaderName
: The header name that contains the public URL (matching the SAML SP URL) hostnamestudio.security.saml.reverseProxy.forwardedPortHeaderName
: The header name that contains the public URL (matching the SAML SP URL) portstudio.security.saml.reverseProxy.forwardedProtoHeaderName
: The header name that contains the public URL (matching the SAML SP URL) protocolstudio.security.saml.reverseProxy.scheme
: The scheme or protocol of the public URL (matching the SAML SP URL). Use if you want to overwrite the forwarded headerstudio.security.saml.reverseProxy.serverName
: The server name or hostname of the public URL (matching the SAML SP URL). Use if you want to overwrite the forwarded headerstudio.security.saml.reverseProxy.serverPort
: The port of the public URL (matching the SAML SP URL). Use if you want to overwrite the forwarded headerstudio.security.saml.reverseProxy.contextPath
: The context path of the public URL (matching the SAML SP URL)studio.security.saml.webSSOProfileOptions.passive
: Indicates if user is authenticated silentlystudio.security.saml.webSSOProfileOptions.forceAuthn
: Indicates if user will be forced to re-authenticate
The classpath is located in your Authoring installation, under CRAFTER_HOME/bin/apache-tomcat/shared/classes
. As shown in the example above, the identity provider metadata XML descriptor is located in your Authoring installation under CRAFTER_HOME/bin/apache-tomcat/shared/classes/crafter/studio/extension/saml
folder.
# IDP Metadata location (classpath resource)
studio.security.saml.metadata.location.idp: "/crafter/studio/extension/saml/idp-metadata.xml"
Restart your Authoring installation after configuring the above.