Introscope SAML configuration

Document ID : KB000121392
Last Modified Date : 20/11/2018
Introduction:
This article documents the process of configuring SAML authentication for APM, with background on the protocol exchange and suggestions on how it should be configured.
Background:
SAML authentication consists of two steps:
1. SP sends an authentication request to the IdP
  • not encrypted, because the request contains no sensitive information
  • SP signs the request with the SP private key
  • IdP verifies the signature with the SP public key (the SP certificate registered on the IdP)
2. IdP replies to the SP with a response carrying the SAML Assertion
  • IdP signs the response with the IdP private key
  • IdP encrypts the response for the SP: the XML is encrypted under a fresh symmetric key, and that key is wrapped with the SP public key (the XML Encryption layout)
  • SP decrypts the response with the SP private key
  • SP verifies the signature with the IdP public key (the IdP certificate imported into the EM keystore)

Each party's private key never leaves it; only certificates, i.e. public keys, are exchanged when the SP and IdP are registered with each other.

SP == Service Provider, i.e. EM/WebView
IdP == Identity Provider, installed separately by the user
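The key usage described above, replayed with openssl on plain files. This is an added illustration and not part of this article: it stands in for the XML-DSig and XML-Enc processing a real SP and IdP perform, but the hybrid layout (fresh AES key for the content, SP public key wrapping that key) is the one an EncryptedAssertion uses. It assumes openssl is installed; key sizes, subject names and file names are placeholders chosen here.

```shell
#!/bin/sh
# Added illustration, not from the CA KB article: the four key usages from
# the Background section replayed with openssl on plain files.  Key sizes,
# subjects and file names are choices made for this example.
set -e
work=$(mktemp -d)
cd "$work"

# Each party gets a self-signed certificate; only the certificate (public
# half) is ever handed to the other side, as in SP/IdP registration.
gen_party() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
      -keyout "$1.key" -out "$1.crt" 2>/dev/null
  openssl x509 -in "$1.crt" -pubkey -noout > "$1.pub"
}

# Step 1: the SP signs its request with the SP private key; the IdP checks
# it with the SP public key.  Nothing is encrypted.
sp_send_request() {
  printf '%s\n' '<AuthnRequest ID="_r1" Destination="https://idp.example/sso"/>' > request.xml
  openssl dgst -sha256 -sign sp.key -out request.sig request.xml
}
idp_verify_request() {
  openssl dgst -sha256 -verify sp.pub -signature request.sig request.xml >/dev/null
}

# Step 2: the IdP signs the assertion with the IdP private key, then
# encrypts it for the SP: AES-256 for the XML, RSA-OAEP under the SP public
# key for the AES key.
idp_send_response() {
  printf '%s\n' '<Assertion ID="_a1"><Subject>alice</Subject></Assertion>' > assertion.xml
  openssl dgst -sha256 -sign idp.key -out assertion.sig assertion.xml
  openssl rand -hex 32 > aes.key
  openssl rand -hex 16 > aes.iv
  openssl enc -aes-256-cbc -K "$(cat aes.key)" -iv "$(cat aes.iv)" \
      -in assertion.xml -out assertion.enc
  openssl pkeyutl -encrypt -pubin -inkey sp.pub -pkeyopt rsa_padding_mode:oaep \
      -in aes.key -out aes.key.enc
}

# The SP unwraps the AES key with the SP private key, decrypts, then
# verifies with the IdP public key (the certificate imported in step 2d).
sp_receive_response() {
  openssl pkeyutl -decrypt -inkey sp.key -pkeyopt rsa_padding_mode:oaep \
      -in aes.key.enc -out aes.key.dec
  openssl enc -d -aes-256-cbc -K "$(cat aes.key.dec)" -iv "$(cat aes.iv)" \
      -in assertion.enc -out assertion.dec
  openssl dgst -sha256 -verify idp.pub -signature assertion.sig assertion.dec >/dev/null
}

# Failure mode: an assertion altered after signing fails the SP's check.
tampered_response_is_rejected() {
  sed 's/alice/mallory/' assertion.dec > tampered.xml
  ! openssl dgst -sha256 -verify idp.pub -signature assertion.sig tampered.xml >/dev/null 2>&1
}

# Whole exchange; returns 0 only if every step succeeds and the SP recovers
# exactly what the IdP signed.
run_exchange() {
  gen_party sp && gen_party idp || return 1
  sp_send_request && idp_verify_request || return 1
  idp_send_response && sp_receive_response || return 1
  tampered_response_is_rejected || return 1
  [ "$(cat assertion.xml)" = "$(cat assertion.dec)" ]
}

if command -v openssl >/dev/null 2>&1; then
  run_exchange && echo "SAML-style exchange verified in $work"
fi
```

Note which file each side holds: the IdP only ever sees sp.pub and the SP only idp.pub; swapping sp.key for a different key on the SP side would make idp_verify_request fail until the IdP's copy of sp.pub is updated, which is exactly the re-registration step 3 of the instructions requires.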
Environment:
CA APM 10.x
Instructions:
1. Perform a fresh install of EM and verify that SAML login works with the internal IdP:
     introscope.saml.enable=true
     introscope.saml.internalIdp.enable=true


2. Change the configuration to an external IdP. For this you need to:
    a. turn off the internal IdP
                  introscope.saml.internalIdp.enable=false
    b. set the URL of the external IdP
                  introscope.saml.idpUrl=
    c. on the IdP side, register the SP with the certificate (public key) that belongs to the default SP key pair shipped with EM; the private key itself stays in the EM keystore and is never given to the IdP

    d. import the IdP public key (certificate) into EM

             The IdP's certificate can be found in the IdP's metadata file, in the ds:X509Certificate element of the KeyDescriptor with use="signing" (a KeyDescriptor without a use attribute covers both signing and encryption). If the metadata file is itself signed, the certificate inside its ds:Signature element identifies the metadata signer and is not necessarily the IdP signing certificate.

         Follow the steps listed below to import the certificate into the keystore.
  •     Copy the certificate text from the IdP metadata into a new file (e.g. idp_public.pem). The value in the metadata is the base64-encoded DER certificate; once the header and footer are added it is a PEM file.
  •     Add the header and footer to the new file. After adding them, the file should look similar to this:

               -----BEGIN CERTIFICATE-----
               MIIDeTCCAmGgAwIBAgIEb1CaGjANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJDWjEXMBUGA1UE
               [..]
               z6LUS/iuMCCtjoA1FGMsF1EZiQ2Pt/MPZgPAAsMrZWkikXqNke4=
               -----END CERTIFICATE-----
 
  •     Save the file.
  •     Convert the file from PEM to DER format using openssl (keytool also accepts the PEM file directly, so this step can be skipped):

                     openssl x509 -outform der -in idp_public.pem -out idp_public.der
  •     Import the DER certificate into the EM/WebView keystore using keytool, where "keystore" is the path to the EM/WebView keystore file and the alias is any name not already in use:

                       keytool -import -alias your-alias -keystore keystore -file idp_public.der

     The password for the keystore is "password" without the enclosing quotes. This is the default shipped with EM, identical in every installation, so treat it as public knowledge.
  •     Verify that SAML login works.
3. Replace the default SP private key with a new one generated by the customer. Import the new key pair into the EM keystore under the alias spprivatekey, update the SP registration on the IdP side with the matching new certificate, and verify that login still works. The default key ships with every copy of EM, so until it is replaced anyone with the product can sign requests as this SP and decrypt responses addressed to it.
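Step 2d and step 3 as shell functions, as an added example that is not part of this article. The metadata parsing and PEM wrapping run on a constructed metadata file embedded below; the openssl/keytool calls use the flags those tools document, but the EM keystore path, the alias chosen for the IdP certificate, the keystore type, whether the shipped spprivatekey entry must be deleted before the new one is imported, and the RSA size and validity of the new SP key are all assumptions made here. The article itself names only the default store password "password" and the alias spprivatekey.

```shell
#!/bin/sh
# Added example, not from the CA KB article: the step 2d import and the
# step 3 key replacement as functions.  Keystore path, IdP-cert alias,
# keystore type and the new SP key's parameters are placeholders.

# Print the base64 body of the IdP signing certificate from a metadata file.
# Metadata may carry separate KeyDescriptors with use="signing" and
# use="encryption"; responses are verified with the signing one, so an
# encryption-only descriptor is skipped (no "use" attribute means both).
# A certificate inside the metadata's own ds:Signature precedes any
# KeyDescriptor and is ignored, since it identifies the metadata signer.
extract_idp_signing_cert() {
  tr -d '\r\n' < "$1" | tr '<' '\n' | awk '
    /^([A-Za-z0-9]+:)?KeyDescriptor[[:space:]>]/ { ok = ($0 !~ /use="encryption"/) }
    /^([A-Za-z0-9]+:)?X509Certificate>/ && ok && !found {
      sub(/^[^>]*>/, ""); gsub(/[[:space:]]/, ""); print; found = 1
    }'
}

# Wrap a base64 body as PEM: header, 64-column lines, footer (RFC 7468).
pem_wrap() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----'
  printf '%s\n' "$1" | fold -w 64
  printf '%s\n' '-----END CERTIFICATE-----'
}

# Step 2d: convert to DER as the article does, import, and list the entry.
# keytool -importcert also reads PEM directly, so the openssl step is optional.
import_idp_cert() {
  pem=$1 keystore=$2 alias=$3 storepass=$4
  der=${pem%.pem}.der
  openssl x509 -outform der -in "$pem" -out "$der"
  keytool -importcert -noprompt -alias "$alias" -keystore "$keystore" \
      -storepass "$storepass" -file "$der"
  keytool -list -keystore "$keystore" -storepass "$storepass" -alias "$alias"
}

# Step 3: generate a customer-owned SP key pair and install it under the
# alias spprivatekey.  Deleting the shipped entry first and using the store
# password as the key password are assumptions about the EM keystore.
replace_sp_key() {
  keystore=$1 storepass=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=apm-sp" \
      -keyout sp.key -out sp.crt 2>/dev/null
  openssl pkcs12 -export -inkey sp.key -in sp.crt -name spprivatekey \
      -out sp.p12 -passout "pass:$storepass"
  keytool -delete -alias spprivatekey -keystore "$keystore" \
      -storepass "$storepass" 2>/dev/null || true
  keytool -importkeystore -noprompt -srckeystore sp.p12 -srcstoretype PKCS12 \
      -srcstorepass "$storepass" -srcalias spprivatekey \
      -destkeystore "$keystore" -deststorepass "$storepass" -destalias spprivatekey
  echo "register sp.crt with the IdP; sp.key never leaves this host"
}

# Constructed IdP metadata for the demo.  The signing X509Certificate body is
# the truncated fragment shown in the article, not a valid certificate, so
# the openssl/keytool steps are not executed on it here.
SAMPLE_IDP_METADATA='<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Certificate>RU5DUllQVElPTi1PTkxZLUNFUlQ=</ds:X509Certificate></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Certificate>
        MIIDeTCCAmGgAwIBAgIEb1CaGjANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJDWjEXMBUGA1UE
        z6LUS/iuMCCtjoA1FGMsF1EZiQ2Pt/MPZgPAAsMrZWkikXqNke4=
      </ds:X509Certificate></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>'

workdir=$(mktemp -d)
printf '%s\n' "$SAMPLE_IDP_METADATA" > "$workdir/idp-metadata.xml"
pem_wrap "$(extract_idp_signing_cert "$workdir/idp-metadata.xml")" > "$workdir/idp_public.pem"
cat "$workdir/idp_public.pem"
# With a real metadata file and the EM keystore (paths are placeholders):
#   import_idp_cert "$workdir/idp_public.pem" /path/to/em/keystore idp-signing password
#   replace_sp_key /path/to/em/keystore password
```

The encryption-only descriptor in the sample comes first on purpose: copying the first certificate you see in the metadata would import the wrong key, and signature verification of every response would then fail even though the import itself succeeded.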

 
Additional Information:
 These logging properties can be added to IntroscopeEnterpriseManager.properties for troubleshooting purposes; they log the XML signature and OpenSAML libraries at DEBUG level:

log4j.logger.org.apache.xml=DEBUG,console,logfile 
log4j.logger.org.opensaml.xml=DEBUG,console,logfile 

Documentation relating to SAML configuration

https://docops.ca.com/ca-apm/10-7/en/administrating/apm-security/securing-introscope/securing-introscope-using-saml-2-0#SecuringIntroscopeUsingSAML2.0-Authorization