Introscope SAML configuration
CA Application Performance Management
This document describes how SAML authentication is configured for APM, giving background on the protocol and recommendations on how the configuration should be done.
SAML authentication consists of two steps:
1. The SP sends an authentication request to the IdP.
The request is not encrypted, because it carries no sensitive information.
The SP signs the request with the SP private key.
The IdP verifies the signature with the SP public key, so only requests from a registered SP are accepted.
2. The IdP replies to the SP with a response containing the SAML assertion.
The IdP encrypts the response with the SP public key, so only the holder of the SP private key can read the assertion.
The IdP signs the response with the IdP private key.
The SP decrypts the response with the SP private key.
The SP verifies the signature with the IdP public key, so only responses issued by the configured IdP are accepted.
The SP private key therefore protects both the confidentiality of assertions and the identity of the SP towards the IdP; the IdP public key is what lets the SP reject forged assertions. Both live in the EM/WebView keystore, which is why the steps below deal with that keystore.
SP == Service Provider, i.e. EM/WebView
IdP == Identity Provider, installed separately by the user
CA APM 10.x
1. Perform a fresh install of the EM and verify that SAML works with the internal IdP.
2. Change the configuration to the external IdP. For this you need to:
a. turn off the internal IdP
b. set the URLs for the external IdP
c. on the IdP side, register the SP using the certificate of the default SP key pair that ships with the EM (the IdP needs the SP public key to verify requests and encrypt responses; the private key itself stays on the EM)
d. import the IdP public key into the EM
The IdP's public key can be found in the IdP's metadata file, as a base64-encoded X.509 certificate inside the <ds:X509Certificate> element of a KeyDescriptor. If the metadata lists several certificates, take the one whose KeyDescriptor is marked use="signing", since that is the key that verifies the IdP's signatures.
Follow the steps listed below to import the certificate into the keystore.
Copy the certificate data from the IdP metadata into a new file (e.g. idp_public.pem). On its own this is only the base64 body of the certificate; adding the PEM header and footer turns the file into a PEM certificate.
Add the header and footer to the new file. After adding them, the file should look similar to this (the base64 body is abbreviated):
-----BEGIN CERTIFICATE-----
MII...base64 certificate data...
-----END CERTIFICATE-----
Save the file.
Convert the file from PEM to DER format using openssl:
openssl x509 -outform der -in idp_public.pem -out idp_public.der
Import the certificate in DER format into the EM/WebView keystore using keytool (keytool also accepts the PEM file directly, so the conversion step is optional):
keytool -import -alias your-alias -keystore keystore -file idp_public.der
The password for the keystore is "password" without the enclosing quotes. This default is the same on every installation, so access to the keystore file must be restricted to the account the EM runs under.
Confirm the import with keytool -list: the alias must be present and its SHA-256 fingerprint must equal the fingerprint of the certificate taken from the metadata. Then verify that SAML login works.
3. Replace the default SP private key with a new one generated by the customer. The default key pair is shipped with the product and is therefore the same in every EM installation: anyone with the installation media holds the private key that decrypts assertions and signs SP requests, so it is acceptable only for the initial test. Import the new key pair into the keystore under the alias spprivatekey, update the SP registration on the IdP side with the new SP certificate, and verify that login still works.
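The script below is an added example; it is not part of the original article and not CA APM code. It automates step 2d (extract the IdP certificate from the metadata, wrap it as PEM, convert it to DER, import it with keytool) and adds the check the manual steps leave to the reader: the SHA-256 fingerprint of the keystore entry is compared with the certificate in the metadata, so a wrong alias, a wrong keystore or a stale certificate is caught before the first login attempt. It prefers the KeyDescriptor marked use="signing" and falls back to the first certificate in the file. The keystore path, the alias idp-signing, the entity ID idp.example.test and the metadata file are assumptions; the demo builds a throwaway self-signed certificate and a constructed metadata file so it runs without a real IdP, and it needs openssl and keytool on the PATH.

```shell
#!/bin/sh
# Added example, not part of the original article or of CA APM.
# Assumed here: keystore path, alias "idp-signing", and the sample IdP metadata.

# Extract the IdP certificate from SAML metadata and print it as PEM.
# Prefers the KeyDescriptor marked use="signing" (that key verifies IdP signatures);
# falls back to the first X509Certificate in the file. Fails if none is present.
metadata_to_pem() {
  tr -d '\r\n\t ' < "$1" | awk '
    {
      doc = $0
      if (match(doc, /<([A-Za-z0-9]+:)?KeyDescriptor[^>]*use="signing"/)) doc = substr(doc, RSTART)
      if (!match(doc, /<([A-Za-z0-9]+:)?X509Certificate>/)) exit 1
      body = substr(doc, RSTART + RLENGTH)
      sub(/<.*/, "", body)                 # drop everything from the closing tag on
      print "-----BEGIN CERTIFICATE-----"
      while (length(body) > 64) { print substr(body, 1, 64); body = substr(body, 65) }
      if (length(body) > 0) print body
      print "-----END CERTIFICATE-----"
    }'
}

# The article's conversion step: PEM -> DER.
pem_to_der() { openssl x509 -outform der -in "$1" -out "$2"; }

# Import into the EM/WebView keystore. -importcert is the current spelling of -import;
# -noprompt skips the interactive "Trust this certificate?" question.
import_der() {   # keystore alias der-file storepass
  keytool -importcert -noprompt -keystore "$1" -alias "$2" -file "$3" -storepass "$4"
}

# SHA-256 fingerprint of a PEM certificate, normalized to bare uppercase hex.
pem_sha256() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# SHA-256 fingerprint of the keystore entry under the alias, same normalization.
keystore_sha256() {   # keystore alias storepass
  keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" \
    | sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1 | tr -d ':' | tr 'a-f' 'A-F'
}

# Import, then prove the keystore holds exactly the certificate the metadata advertises.
import_idp_cert() {   # metadata keystore alias storepass
  work=$(mktemp -d)
  metadata_to_pem "$1" > "$work/idp_public.pem" || { echo "no certificate found in $1" >&2; return 1; }
  pem_to_der "$work/idp_public.pem" "$work/idp_public.der"
  import_der "$2" "$3" "$work/idp_public.der" "$4"
  expected=$(pem_sha256 "$work/idp_public.pem")
  actual=$(keystore_sha256 "$2" "$3" "$4")
  rm -rf "$work"
  if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
    echo "OK: alias $3 in $2 matches IdP metadata (SHA256 $expected)"
  else
    echo "MISMATCH: metadata $expected, keystore $actual" >&2; return 1
  fi
}

# Demo with a constructed IdP: a throwaway self-signed certificate embedded in an invented
# metadata file. An encryption key is listed first so the signing-key preference is exercised.
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=idp.example.test \
    -keyout "$d/idp.key" -out "$d/idp_cert.pem" 2>/dev/null
  body=$(grep -v '^-----' "$d/idp_cert.pem" | tr -d '\n')
  cat > "$d/idp_metadata.xml" <<EOF
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Tm90VGhlU2lnbmluZ0tleQ==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>$body</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
EOF
  # "password" is the article's default store password; the keystore path is invented.
  import_idp_cert "$d/idp_metadata.xml" "$d/keystore" idp-signing password
  rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1; then
  demo
else
  echo "demo skipped: openssl and keytool are required" >&2
fi
```

On a real EM, call import_idp_cert with the downloaded metadata, the path of the EM/WebView keystore and the alias you chose; a MISMATCH result means the entry under that alias is not the certificate the IdP currently publishes, which is exactly the situation that produces signature-verification failures after an IdP key rollover.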
The following logging properties can be added to IntroscopeEnterpriseManager.properties for troubleshooting purposes:
Documentation relating to SAML configuration