Configure Single Sign-On (SSO) Using Security Assertion Markup Language (SAML)

You can configure Loftware Enterprise SP to use Federated SSO using SAML 2.0 to authenticate users. To accomplish this, you must download an XML file from Loftware Enterprise SP and then use that file to configure Loftware Enterprise SP as a Service Provider (SP) with your Identity Provider (idP). Finally, you must download a file from your idP and use it to complete the configuration of SSO for Loftware Enterprise SP.

Configure a Domain

To support federated SSO using SAML 2.0, you must configure an LDAP or Azure domain in Loftware Enterprise SP.

Note: To perform this task, you must be signed in as the ClientAdmin, SystemAdmin, or SuperAdmin user. For more information, see Controlling Access to System Settings.

  1. Sign in to Loftware Enterprise SP.

    Note: If you've already configured Loftware Enterprise SP for federated authentication, display the Loftware Enterprise SP sign-in page by typing the URL for connecting to Loftware Enterprise SP into a web browser, appending ?showLogin=true to the end of the URL, and then submitting the URL.

    Example

    http://<spectrum-server.example.com>:8080/loftwarespectrum?showLogin=true

  2. Go to System Management > Authentication.
  3. Create a new LDAP or Azure authentication. For more information, see Configure LDAP Authentication or Configure Azure Authentication.

Configure User Accounts in Loftware Enterprise SP

To support federated SSO using SAML 2.0, you must create domain user accounts in Loftware Enterprise SP.

  1. Configure user accounts in Loftware Enterprise SP. For users who will sign in using single sign-on, the username must be the same as their SSO username. For more information, see Create or Modify a User.
  2. Select the domain that you created from the Domain drop-down list. For more information, see Assign a Domain to a User.

Configure Loftware Enterprise SP as a SAML Service Provider

  1. On the Loftware Application Server, stop the Loftware Enterprise SP service (or daemon in Linux).
  2. Open the <LOFTWARE_HOME>\product\conf\jdbc.properties file in a text editor.
  3. Within the jdbc.properties file, set the following:

    security.authentication.scheme=federated

    security.federated.idpfilename=saml2-metadata-idp.xml

    The relevant section of jdbc.properties then reads as follows:

    # Single Sign On
    # Single sign on is supported using Integrated Windows Authentication and Federated SSO using SAML
    # If this JVM supports single sign on, then SSO needs to be configured in this file.
    # To set the security authentication type use security.authentication.scheme with values:
    # Standard Authentication through UI: default
    # Integrated Windows Authentication : kerberos
    # Federated SSO using SAML : federated
    security.authentication.scheme=federated
    # Additional settings must be set for SSO to work.
    # Integrated Windows Authentication:
    # Federated SSO using SAML:
    security.federated.idpfilename=saml2-metadata-idp.xml
    #security.federated.attribute=LOFTWARE_FQN
  4. On the Loftware Application Server, start the Loftware Enterprise SP service.
  5. Go to the following URL and save the file as requested:

    Important: The URL that you use in this step matters because it determines how the authentication provider will address the Loftware Enterprise SP instance. Consider whether you want to use HTTPS and port 8443, the IP address instead of the host name, or a proxy address instead of the direct address. If you use HTTPS and 8443, you must add the authentication provider's certificate to the keystore file. For more information, see "Configuring HTTPS" in the Loftware Enterprise SP Installation and Configuration Guide.

    This is a one-time configuration and the metadata is generated on the first visit to the page.

    http://<spectrum-server.example.com>:8080/spectrum-server/saml/metadata

  6. Copy the spring_saml_metadata.xml file saved in the previous step to <LOFTWARE_HOME>/product/conf/local_sp_metadata.xml.
  7. Go to your Identity provider (idP) or configure an idP, and then add your Loftware Enterprise SP system as a service provider.
    1. Add the metadata file downloaded from Loftware Enterprise SP as requested during configuration.
    2. Download the metadata file from the idP, as provided.
    3. Save the file you download from your idP to <LOFTWARE_HOME>/product/conf/saml2-metadata-idp.xml.

    Note: The name of the metadata file can be changed as long as the security.federated.idpfilename property is changed to match in the jdbc.properties file.

  8. On the Loftware Application Server, restart the Loftware Spectrum service.
  9. Attempt to sign in to your Loftware Enterprise SP environment using the username and domain of a user you created in Loftware Enterprise SP.
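Before restarting in step 8, it helps to confirm that the jdbc.properties settings and the IdP metadata file agree. The following is an added example (not Loftware's code) that checks the two properties from step 3, verifies that the file named by security.federated.idpfilename exists in the conf directory, and inspects that file for an IdP descriptor, a signing certificate, and HTTPS endpoints; the property text and metadata are constructed stand-ins, and the certificate value is a placeholder.

```python
# Pre-restart check of the federated-SSO settings from steps 3 and 7; added example, not Loftware's code.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed jdbc.properties excerpt with the two settings from step 3.
JDBC_PROPERTIES = """
security.authentication.scheme=federated
security.federated.idpfilename=saml2-metadata-idp.xml
"""
# Constructed stand-in for the IdP metadata saved to <LOFTWARE_HOME>/product/conf in step 7.
IDP_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.com/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="http://idp.example.com/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def parse_properties(text):
    """Minimal key=value parser; lines starting with '#' are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_federated_config(props_text, conf_files):
    """Return problems found; conf_files maps filename -> contents of the conf directory."""
    problems = []
    props = parse_properties(props_text)
    if props.get("security.authentication.scheme") != "federated":
        problems.append("security.authentication.scheme is not 'federated'")
    idp_name = props.get("security.federated.idpfilename", "")
    if idp_name not in conf_files:  # the note after step 7: property and filename must match
        problems.append(f"idpfilename '{idp_name}' not found in conf directory")
        return problems
    idp = ET.fromstring(conf_files[idp_name]).find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        problems.append("metadata has no IDPSSODescriptor (SP metadata saved by mistake?)")
        return problems
    if idp.find(f".//{{{DS}}}X509Certificate") is None:
        problems.append("no signing certificate: assertion signatures cannot be verified")
    for sso in idp.findall(f"{{{MD}}}SingleSignOnService"):
        if sso.get("Location", "").startswith("http://"):
            problems.append(f"SSO endpoint {sso.get('Location')} is plain HTTP")
    return problems
```

Run it with the real jdbc.properties text and a dict built from the conf directory listing; an empty result means the files are consistent and the IdP signs its assertions over HTTPS endpoints.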

Configure Cookie Attributes

To support federated SSO using SAML 2.0, you must configure how the system handles cookies.

  1. On the Loftware Application Server, stop the Loftware Enterprise SP service (or daemon in Linux).
  2. Open the <LOFTWARE_HOME>\product\conf\context.xml file in a text editor.
  3. Do one of the following, depending on your configuration:

    Note: If you are using SSO with Azure Active Directory, you must use a secure connection (HTTPS).

    • If you are using a secure connection (HTTPS) to Loftware Enterprise SP, within the context.xml file, change the sameSiteCookies attribute to none.

      <CookieProcessor sameSiteCookies="none" />

    • If you are not using a secure connection (HTTP) to Loftware Enterprise SP, within the context.xml file, change the sameSiteCookies attribute to unset.

      <CookieProcessor sameSiteCookies="unset" />

  4. Save the changes to context.xml.
  5. If you are using a secure connection (HTTPS) to Loftware Enterprise SP, do the following (if you are using HTTP, skip this step).
    1. Open the <LOFTWARE_HOME>\product\conf\web.xml file in a text editor.
    2. Uncomment the following setting.
      <session-config>
          <session-timeout>-1</session-timeout>
          <cookie-config>
              <http-only>true</http-only>
              <secure>true</secure>
          </cookie-config>
      </session-config>
    3. Save the changes to web.xml.
  6. On the Loftware Application Server, restart the Loftware Spectrum service.
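The sameSiteCookies value in step 3 and the cookie-config block in step 5 have to match how the server is reached: a SameSite=None cookie that lacks the Secure flag is discarded by current browsers, and a Secure cookie is never sent over plain HTTP. The following added example (not Loftware's code) checks both files for that consistency before the restart in step 6; the context.xml and web.xml fragments are constructed stand-ins.

```python
# Consistency check for the cookie settings in steps 3 and 5; added example, not Loftware's code.
import xml.etree.ElementTree as ET

# Constructed: the <Context> element of context.xml after step 3 (HTTPS case).
CONTEXT_XML = '<Context><CookieProcessor sameSiteCookies="none" /></Context>'
# Constructed: the uncommented session-config from step 5. The real web.xml declares a default
# namespace; strip it or use namespaced paths before running this against the real file.
WEB_XML = """<web-app>
  <session-config>
    <session-timeout>-1</session-timeout>
    <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
  </session-config>
</web-app>"""

def cookie_problems(context_xml, web_xml, using_https):
    """Return mismatches between the cookie settings and how Loftware Enterprise SP is reached."""
    problems = []
    cp = ET.fromstring(context_xml).find("CookieProcessor")
    same_site = cp.get("sameSiteCookies") if cp is not None else None
    cfg = ET.fromstring(web_xml).find("./session-config/cookie-config")
    secure = cfg is not None and (cfg.findtext("secure") or "").strip() == "true"
    http_only = cfg is not None and (cfg.findtext("http-only") or "").strip() == "true"
    if using_https:
        if same_site != "none":
            problems.append('HTTPS deployment: sameSiteCookies should be "none" (step 3)')
        if not secure:  # browsers discard SameSite=None cookies that lack the Secure flag
            problems.append('sameSiteCookies="none" without <secure>true</secure> (step 5)')
        if not http_only:
            problems.append("session cookie is not HttpOnly")
    else:
        if same_site == "none":
            problems.append('sameSiteCookies="none" over plain HTTP: browsers will drop the cookie')
        if secure:
            problems.append("<secure>true</secure> over plain HTTP: the cookie is never sent")
    return problems
```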