Single Sign On metadata file configure download

Document ID : KB000118701
Last Modified Date : 30/10/2018
Issue:
Followed the instructions available at https://docops.ca.com/ca-release-automation/6-6/en/installation/enable-single-sign-on to enable single sign on.

Receiving a 404 error when trying to download the metadata file at http://RA-SERVER:8080/datamanagement/saml/metadata
Environment:
CA Release Automation 6.6 and later
Cause:
The documentation contains errata, which is addressed in the Resolution.
Resolution:
There are several points to consider.

Point 1:  Completeness of the distributed.properties file
The distributed.properties file of an RA install, located in <RA Install>\webapps\datamanagement\WEB-INF, should contain a block of text that reads as follows:

ra.security.profile=basic

ra.security.saml.metadata.entity-base-url=http://localhost:8080/datamanagement
ra.security.saml.context.scheme=http
ra.security.saml.context.serverName=localhost
ra.security.saml.context.serverPort=8080
ra.security.saml.context.includeServerPort=true
ra.security.saml.context.contextPath=/datamanagement

ra.security.saml.context.wantAssertionSigned=false
ra.security.saml.profile.responseSkew=60
ra.security.saml.profile.maxAssertionTime=3000
ra.security.saml.profile.maxAuthenticationAge=31556926


The above block of text may be absent if your Release Automation install was performed as an upgrade from a release older than 6.6.  In that case you will need to add the above block of text to your distributed.properties file.  If you are using a fresh RA 6.6 install, you only need to examine the distributed.properties file to confirm that the above text block is present.

Point 2:  Existing Documentation Errata
The existing documentation asks that the following block of text be introduced into the existing distributed.properties file (Configure SSO Authentication, step 3):

ra.security.profile=saml ra.security.saml.metadata.entity-base-url=http://ratesting:8443/datamanagement
ra.security.saml.context.scheme=https
ra.security.saml.context.serverName=ratesting
ra.security.saml.context.serverPort=8443
ra.security.saml.context.includeServerPort=true
ra.security.saml.context.contextPath=/datamanagement


The above assumes a server name of "ratesting" and that SSL is in place, and the first line of the block is actually two lines of text run together.  As written, these entries will not work for most installs of RA.

Assuming the block of text described in Point 1 is in place in your distributed.properties file, at minimum you only need to change this one line to configure the distributed.properties file for Single Sign On:

ra.security.profile=basic

This line needs to be changed to:

ra.security.profile=saml

You may also need to modify the additional entries listed in Point 1 to suit your requirements, for example if you need to use a specific server name or implement SSL.  (Note:  SSL is NOT a prerequisite for Single Sign On.)  The purpose of this point is to establish the bare minimum configuration needed for Single Sign On to work, so that the install can generate and serve the spring_saml_metadata.xml file (discussed in the next point).
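As an added example (not part of this article or of the RA product), the following Python script reads a distributed.properties block, flags the run-together line from the Point 2 errata, reports any Point 1 entries that are missing after an upgrade, and switches the profile to saml while keeping the context entries and the entity-base-url consistent with each other.  The function names, the ERRATA_BLOCK sample and the defaults are assumptions for illustration.

```python
import re
# The keys the Point 1 block must contain.
REQUIRED_KEYS = (
    "ra.security.profile",
    "ra.security.saml.metadata.entity-base-url",
    "ra.security.saml.context.scheme",
    "ra.security.saml.context.serverName",
    "ra.security.saml.context.serverPort",
    "ra.security.saml.context.includeServerPort",
    "ra.security.saml.context.contextPath",
    "ra.security.saml.context.wantAssertionSigned",
    "ra.security.saml.profile.responseSkew",
    "ra.security.saml.profile.maxAssertionTime",
    "ra.security.saml.profile.maxAuthenticationAge",
)

# Constructed sample: the Point 2 errata block, first two entries run together on one line.
ERRATA_BLOCK = """ra.security.profile=saml ra.security.saml.metadata.entity-base-url=http://ratesting:8443/datamanagement
ra.security.saml.context.scheme=https
"""

def parse_properties(text):
    """Return (props, problems); a line carrying a second key=value is reported, not misparsed."""
    props, problems = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank or comment line
        key, sep, value = line.partition("=")
        if not sep or re.search(r"\s+ra\.security\.[\w.-]+=", value):
            problems.append(f"malformed or run-together line: {line}")
            continue
        props[key.strip()] = value.strip()
    return props, problems

def missing_keys(props):
    """Keys from the Point 1 block that are absent (typical after an upgrade from pre-6.6)."""
    return [k for k in REQUIRED_KEYS if k not in props]

def enable_saml(props, scheme="http", server="localhost", port="8080"):
    """Set profile=saml and keep the context entries and entity-base-url consistent."""
    out = dict(props)
    out["ra.security.profile"] = "saml"
    out["ra.security.saml.context.scheme"] = scheme
    out["ra.security.saml.context.serverName"] = server
    out["ra.security.saml.context.serverPort"] = port
    ctx = out.get("ra.security.saml.context.contextPath", "/datamanagement")
    with_port = out.get("ra.security.saml.context.includeServerPort", "true").lower() == "true"
    host = f"{server}:{port}" if with_port else server
    out["ra.security.saml.metadata.entity-base-url"] = f"{scheme}://{host}{ctx}"
    return out
```

Write the returned dictionary back as key=value lines after checking that missing_keys() is empty; the metadata URL is then the entity-base-url followed by /saml/metadata.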

Point 3:  Download of the spring_saml_metadata.xml
After modifying the distributed.properties file, you will need to restart the RA Services, then request the following URL:

http://RA-SERVER:8080/datamanagement/saml/metadata

After restarting RA, it is recommended to wait about 10 minutes before attempting the metadata file download, as it may take some time for RA to fully configure itself and generate the metadata file spring_saml_metadata.xml.

Simply changing the distributed.properties file as described in Point 2 allows the metadata file spring_saml_metadata.xml to be downloaded via the above URL.  The idp.xml file is not necessary to obtain the metadata file in the first place.  However, you should obtain the idp.xml from your Single Sign On solution provider and place it in the location requested by the above documentation (prescribed as <NAC_installation_Folder>/conf/idp.xml) to complete the SSO configuration, as it is needed for RA to communicate with its Single Sign On solution.