Prepare Bravura Security Fabric as an IdP
The Scenario.hid_saml_idp component installs the functionality to allow Bravura Security Fabric to act as an identity provider, enabling it to authenticate end users on behalf of a variety of web applications.
Install Bravura Security Fabric and connector packs.
Log in to the front end as a superuser.
Click Manage the system > Workflow > Email configuration
Set BASE_IDSYNCH_URL to the servername used in the IIS TLS certificate, which is the URL seen by the end users' browsers.
Note
If that URL ever changes, the idp-metadata file must be edited to global-replace the old server name with the new one.
Click Home > Manage components.
Install the Scenario.hid_saml_idp component.
Configure the "AD" target system that was added by the component:
Update the target system address.
Update credentials.
Test the connection.
An existing Source of Profiles target can be used.
Run auto discovery to import user profiles into the Bravura Security Fabric database.
Verify the rule in table hid_authchain_select:
RuleNumber | =120 |
Comment | SAML authentication chain |
SkipRemaining | |
MatchType | sessdata |
MatchKey | SAML_REQUEST |
MatchCondition | set |
MatchValue | <null> |
Action | flush |
ChainId | SAML |
Note
Installing this component in stand-alone mode on a new instance will override all default authentication chains, and may prevent non-SAML and console users from logging into Bravura Security Fabric. To avoid this, confirm that the hid_authchain_select table includes a valid chain for users authenticating without a SAML_REQUEST before continuing.
Component deployment
Installing Scenario.hid_saml_idp automatically installs and configures the following:
Notes:
Installing this component will overwrite any target system using the system ID "AD". Ensure that your environment is prepared before beginning installation.
Additional configuration is required to:
Set up appropriate login processes into Bravura Security Fabric; and
Establish a trust relationship between each application and Bravura Security Fabric.
This component, alone, does not provide for single sign-on. Users are prompted to sign into Bravura Security Fabric at every application login attempt.
This component externalizes the login process from each configured application to Bravura Security Fabric, but does not alter application logout processes.
Service provider directories
Installing Scenario.hid_saml_idp adds an idp directory inside the instance directory. The idp directory contains the following directories for pre-configured service providers:
adfs
azure
bambooHR
google
hcpa
salesforce
webex
youtrack
Each directory contains a unique SAML XML template named saml-response.xml.
If your service provider is not included, add it as a service provider that is not pre-configured in Bravura Security Fabric.
The SAML IdP (from version 11.0.0 upwards) is compatible only with version 39.1.1 and higher of the Webex Meetings app. The browser version is still usable with IdP authentication.
Fedidp_assert.py
This plugin is installed by the SAML component framework to the plugin directory, and is responsible for generating the SAML assertion for authenticated users. This plugin is also responsible for generating the single sign-on session data, in addition to creating and updating the browser cookie to which the session is associated.
fedidp-util.exe
This utility is installed by the SAML component framework to the util directory. Fedidp-util is used during installation to generate the self-signed PFX certificate used to securely sign SAML assertions, and the IdP metadata files, which are used to report Bravura Security Fabric's IdP capabilities to service providers that require it.
When installing through the component, this utility generates the following files:
saml.pfx, used to sign SAML assertions, and installed to plugin.
public.cer, the public certificate file that can be provided to end users' workstations to add the Bravura Security Fabric instance as a trusted authority. This file is installed to the <instance>\idp\ directory.
Idp-metadata, this file stores information about the instance's capabilities as an identity provider. This file can be sent to the administrators of SPs and allows for the import of IdP metadata to help configure the SP to connect to Bravura Security Fabric. This file is installed to the <instance>\idp\ directory.
Note
If the value of BASE_IDSYNCH_URL is changed, replace the old server name with the new server name in idp-metadata.
Read more about fedidp-util usage.
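The two notes above (in the preparation steps and here) both call for replacing the old server name in idp-metadata when BASE_IDSYNCH_URL changes. The script below is an added example, not Bravura Security Fabric code or the fedidp-util utility. It assumes the idp-metadata file is standard SAML 2.0 metadata (the urn:oasis:names:tc:SAML:2.0:metadata schema) and rewrites only the host part of URL-valued attributes, so certificate data and path components are never touched by a blind text replace; the sample document and host names are constructed for illustration.

```python
"""Rewrite the server name in a SAML IdP metadata file after BASE_IDSYNCH_URL changes.

Added example, not part of the Bravura Security Fabric product. Assumes the
idp-metadata file is standard SAML 2.0 metadata; the document below is a
constructed sample, not the file the product generates.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
URL_ATTRIBUTES = ("entityID", "Location", "ResponseLocation")

# Constructed sample: a minimal IdP metadata document still pointing at the old host.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://old-idp.example.test/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://old-idp.example.test/idp/sso"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://old-idp.example.test/idp/sso?SAMLLogout=1"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _swap_host(url: str, old_host: str, new_host: str) -> str:
    """Replace the host component of url only when it exactly equals old_host.

    Comparing the parsed hostname (not a substring) means 'idp.example.test' is
    never mistaken for 'old-idp.example.test'. An explicit port is preserved.
    """
    parts = urlsplit(url)
    if parts.hostname is None or parts.hostname.lower() != old_host.lower():
        return url
    netloc = new_host if parts.port is None else f"{new_host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def rewrite_metadata_host(xml_text: str, old_host: str, new_host: str) -> tuple:
    """Return (updated XML text, number of URL attributes changed).

    Every element is visited (root included) and each entityID, Location or
    ResponseLocation attribute whose host is old_host is rewritten.
    """
    ET.register_namespace("md", MD_NS)  # keep the md: prefix in the output
    root = ET.fromstring(xml_text)
    changed = 0
    for elem in root.iter():
        for attr in URL_ATTRIBUTES:
            value = elem.get(attr)
            if value is None:
                continue
            new_value = _swap_host(value, old_host, new_host)
            if new_value != value:
                elem.set(attr, new_value)
                changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def remaining_references(xml_text: str, host: str) -> int:
    """Count URL attributes that still name host; use it to verify the rewrite is complete."""
    root = ET.fromstring(xml_text)
    count = 0
    for elem in root.iter():
        for attr in URL_ATTRIBUTES:
            value = elem.get(attr)
            if value is not None and (urlsplit(value).hostname or "").lower() == host.lower():
                count += 1
    return count


if __name__ == "__main__":
    updated, n = rewrite_metadata_host(SAMPLE_METADATA, "old-idp.example.test", "idp.example.test")
    stale = remaining_references(updated, "old-idp.example.test")
    print(f"rewrote {n} URL attribute(s); {stale} stale reference(s) left")
    print(updated)
```

Run it against a copy of the real file, check that `remaining_references` reports zero for the old name, and only then replace the file that is handed to service providers; an SP that imported the old metadata still needs the new copy.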
Authentication chains
Caution
Installing the SAML component will override the DEFAULT_LOGIN and HELPDESK_LOGIN authentication chains, and can render your Bravura Security Fabric instance inaccessible. Following installation of this module, ensure that DBE tables hid_authchain_select and sp_access are configured to enable a valid authentication method for both regular and federated logins. Bravura Security recommends using the authcfg program to export authentication chain settings before modifying the default configuration.
The default USER_IDENTIFICATION authentication chain is configured to include the fedidp_ident module by default for any new instance. This module captures and parses SAML requests sent by an SP. If the SAML request specifies a valid user profile in the "subject" parameter, then this module will proceed past the user identification step as though the user had already provided their profile ID.
Fedidp_ident must be the first module called for any authentication chain that will handle SAML authentication, or the initial SAML request will not be captured.
When single sign-on authentication is enabled, fedidp_ident is responsible for reading and validating the web browser cookie used to associate SAML requests to an existing SSO session. By default, an SSO session is terminated when the user logs out of Bravura Security Fabric; however, service providers that support single log-out can pass the SAMLLogout=1 GET parameter to this module in order to terminate the user's current SSO session.
SAML
The custom authentication chain SAML is called when users provide a SAML request parameter as part of an SP-initiated login. This authentication chain is configured to call the following modules:
Fedidp_cs: federated login chain selector. This module leverages the sp_authchain external database table in order to determine which authentication chains a federated login will use. By default, this chain directs users to the REGUSER chain.
This plugin makes use of the Allow plugin to skip chain selection setting. When enabled, Fedidp_cs will skip chain selection for users with an active SSO session who already meet authentication requirements for the target SP, authenticating these users without requiring them to re-input their credentials. Users without an active SSO session or those who have not met all the authentication criteria will be forced to complete remaining chains. Users lacking authorization to access the target SP, or login attempts to SPs that are not enabled or available, will have their requests denied.
The Fedidp_assert module is the last step in SAML authentication, and uses a pre-defined PFX certificate to sign the assertion generated by the fedidp_response plugin that will be sent to the SP.
Single sign-on (SSO) session behavior is enabled or disabled in this module via the Single sign-on mode setting, which configures how SSO session data is tracked:
Enabled (default): An SSO session is always created or updated when a user completes federated login.
Disabled: SSO session information is never created or updated.
Prompt: Upon completing federated login, users are asked whether SSO session data should be retained before they are redirected to the SP.
The Fedidp_assert module issues or updates a browser cookie for the user whenever SSO session information would be updated. This cookie is read by the Fedidp_ident module when the user attempts authentication to other SPs during the duration of their session. This module is also responsible for redirecting successfully authenticated end users to their SP.
REGUSER
Custom authentication chain REGUSER is used by several Bravura Security Fabric component installations, and is responsible for the actual authentication of SAML users. By default, this module will authenticate federated logins using the password / security questions modules.
External database tables
hid_authchain_select
This table is used by several Bravura Security Fabric component installations, and overrides the normal authentication chain selection process. With the SAML configuration installed, this table directs any user that has provided a SAML_REQUEST POST parameter to the SAML authentication chain.
After installing the Scenario.hid_saml_idp component the following rule should exist:
RuleNumber | =120 |
Comment | SAML authentication chain |
Proceed | False |
MatchType | sessdata |
MatchKey | SAML_REQUEST |
MatchCondition | set |
MatchValue | <null> |
Action | flush |
ChainId | SAML |
Installing this component in stand-alone mode on a new instance will override all default authentication chains, and may prevent non-SAML and console users from logging into Bravura Security Fabric. To avoid this, confirm that the hid_authchain_select table includes a valid chain for users authenticating without a SAML_REQUEST before continuing.
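The lock-out warned about above is easy to reason about once the rule table is modelled. The script below is an added example, not Bravura Security Fabric code, and it does not reproduce the product's real rule engine: the column names come from the table above, but the evaluation order (ascending RuleNumber), the meaning of Proceed (False stops at the first matching rule), the meaning of Action "flush" (discard any chain chosen so far and use this rule's ChainId) and the "notset" MatchCondition used by the constructed fallback rule are all assumptions of this model. Its purpose is the check the note asks for: feed the table an empty session (a console or non-SAML login) and confirm some chain is still selected.

```python
"""Model hid_authchain_select rule evaluation to check for the non-SAML lock-out.

Added example, not product code. Evaluation order, Proceed/flush semantics and
the "notset" condition are assumptions of this model (see the lead-in); the
rows below are constructed.
"""
from typing import Optional

# Constructed rows: the single rule the component installs (RuleNumber 120).
INSTALLED_RULES = [
    {"RuleNumber": 120, "Comment": "SAML authentication chain", "Proceed": False,
     "MatchType": "sessdata", "MatchKey": "SAML_REQUEST", "MatchCondition": "set",
     "MatchValue": None, "Action": "flush", "ChainId": "SAML"},
]

# Constructed rows: the same table plus an assumed catch-all for logins that
# carry no SAML_REQUEST, routed to the DEFAULT_LOGIN chain.
HARDENED_RULES = INSTALLED_RULES + [
    {"RuleNumber": 900, "Comment": "Fallback for interactive logins", "Proceed": False,
     "MatchType": "sessdata", "MatchKey": "SAML_REQUEST", "MatchCondition": "notset",
     "MatchValue": None, "Action": "flush", "ChainId": "DEFAULT_LOGIN"},
]


def rule_matches(rule: dict, sessdata: dict) -> bool:
    """Evaluate one rule's match clause against the session data."""
    if rule["MatchType"] != "sessdata":
        raise ValueError(f"unsupported MatchType {rule['MatchType']!r} in this model")
    present = rule["MatchKey"] in sessdata
    condition = rule["MatchCondition"]
    if condition == "set":        # key present, value irrelevant (MatchValue <null>)
        return present
    if condition == "notset":     # assumed condition: key absent
        return not present
    raise ValueError(f"unsupported MatchCondition {condition!r} in this model")


def select_chain(rules: list, sessdata: dict) -> Optional[str]:
    """Walk the rules in RuleNumber order and return the selected ChainId, if any.

    Returns None when no rule selects a chain, which is the situation the note
    above warns about for users who arrive without a SAML_REQUEST.
    """
    chosen = None
    for rule in sorted(rules, key=lambda r: r["RuleNumber"]):
        if not rule_matches(rule, sessdata):
            continue
        if rule["Action"] == "flush":   # assumed: replace whatever was chosen so far
            chosen = rule["ChainId"]
        if not rule["Proceed"]:          # assumed: False ends evaluation at this match
            break
    return chosen


def lockout_risks(rules: list) -> list:
    """Return human-readable problems found in the table (empty list means none)."""
    problems = []
    if select_chain(rules, {}) is None:
        problems.append("no rule selects a chain for logins without SAML_REQUEST "
                        "(console and non-SAML users may be locked out)")
    # Constructed session: an SP-initiated login carrying a SAML request.
    if select_chain(rules, {"SAML_REQUEST": "<constructed AuthnRequest>"}) != "SAML":
        problems.append("SP-initiated logins are not routed to the SAML chain")
    return problems


if __name__ == "__main__":
    for name, rules in (("installed", INSTALLED_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name}: {lockout_risks(rules) or 'no problems found'}")
```

Export the live table with authcfg first, as the caution recommends, and compare its rows against this kind of check before changing anything.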
sp_mapping
This table associates each SP issuer with an sp_folder value, and sets parameters used in generating a SAML assertion, if they were not defined by the request.
Option | Description |
---|---|
issuer | (Required) This parameter is passed alongside the SP's initial SAML request, and defines which SP the request came from. |
sp_folder | (Required) The sp_folder value refers to an actual folder installed to the <Instance>\idp directory of your instance server, and contains both the saml-response.xml template used to generate SAML responses for that SP, as well as the icon.png file acting as this SP's icon image for IdP-initiated authentication. |
acs_url | The URL to which successfully authenticated users should be redirected, if it differs from the issuer. In an SP-initiated authentication, the acs_url provided by the SP will take precedence. In order to support IdP-initiated authentication, this value must be defined. |
idp_url | The URL of the identity provider service. IdP service is provided by Front-end (PSF) by default. |
enabled | (Required) Enable or disable SAML requests from the specified SP. By default, all SPs are disabled, and at least one must be enabled in order to perform federated authentication. |
idp_initiated | (Required) Configure whether the application can natively support IdP-initiated SSO. If set to 0, the launchpad will simulate it via SP Initiated SSO. |
disp_name | The user-friendly label for this service provider that will be displayed to users on the application launchpad page. By default, the name of the sp_folder is used. |
default_pin | Configure whether the launchpad button for this SP should be pinned to Front-end (PSF) by default for users that have access to it. |
relay_state | Set a default relayState parameter to be passed to the SP alongside the SAML assertion. Some SPs require this parameter for authentication. During SP-initiated authentication, the relayState provided by the service provider takes precedence. |
sig_logic | (Required) This option configures the signing of a SAML response or SAML assertion to ensure message integrity when a response/assertion is delivered to a Relying Party. |
sp_access
This table defines which user classes are given access to federated login for a particular SP. This table acts as a subtractive filter, where access is granted to all user classes that are not explicitly denied here.
Option | Description |
---|---|
sp_folder | (Required) The sp_folder used for this SP’s issuer. This should be the same value as defined in sp_mapping. |
userclass | (Required) The user class ID to configure access controls for. |
deny_acl | (Required) Define whether or not the selected user class is prohibited from accessing the specified SP through federated login. |
sp_authchain
This table defines which authentication chains should be used when logging into a particular SP, and is used by the fedidp_cs authentication chain module.
Option | Description |
---|---|
sp_folder | (Required) The sp_folder used for this SP’s issuer. This should be the same value as defined in sp_mapping. This table can also direct users who are not making SAML requests, by setting this value to "__non_saml__". |
userclass | The user class that authenticating users must belong to in order to use the specified authentication chain. If the user class is unspecified, then any authenticating user who does not match another rule in this table is able to use the specified authentication chain. |
authchain | The authentication chain to be used for this issuer. If no authentication chain is defined for an issuer, then users authenticating to that SP are allowed to use any of the authentication chains defined on the system. If an SP does have values defined here, then only those authentication chains listed here will be used for authentication. |
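The three tables above (sp_mapping, sp_access and sp_authchain) are consulted together for every federated login, and their precedence rules are easiest to see in code. The script below is an added example, not Bravura Security Fabric code and not the fedidp_cs module. The column names are taken from the tables above; the rows, issuers, user classes and chain names are constructed, and the matching semantics are one reading of the descriptions: enabled is checked first, sp_access is subtractive (only an explicit deny_acl row blocks access), an SP with no sp_authchain rows permits every chain on the system, rows naming one of the user's classes win over rows with no userclass, and acs_url and relayState carried by an SP-initiated request take precedence over the table values while IdP-initiated login requires acs_url from the table.

```python
"""Evaluate one federated login request against sp_mapping, sp_access and sp_authchain.

Added example, not product code. Rows are constructed; semantics are a reading
of the table descriptions above (see the lead-in for the assumptions).
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sp_mapping rows: one SP enabled with an acs_url, one disabled without.
SP_MAPPING = [
    {"issuer": "https://sp-a.example.test", "sp_folder": "sp_a",
     "acs_url": "https://sp-a.example.test/saml/acs", "enabled": 1, "idp_initiated": 1,
     "disp_name": None, "relay_state": "https://sp-a.example.test/home", "sig_logic": 1},
    {"issuer": "https://sp-b.example.test", "sp_folder": "sp_b",
     "acs_url": None, "enabled": 0, "idp_initiated": 0,
     "disp_name": "Service B", "relay_state": None, "sig_logic": 1},
]
# Constructed sp_access rows: the filter is subtractive, so only denials appear.
SP_ACCESS = [{"sp_folder": "sp_a", "userclass": "CONTRACTORS", "deny_acl": 1}]
# Constructed sp_authchain rows: sp_a sends ADMINS to one chain and everyone
# else to REGUSER; sp_b has no rows, so any chain on the system is permitted.
SP_AUTHCHAIN = [
    {"sp_folder": "sp_a", "userclass": "ADMINS", "authchain": "MFA_CHAIN"},
    {"sp_folder": "sp_a", "userclass": None, "authchain": "REGUSER"},
    {"sp_folder": "__non_saml__", "userclass": None, "authchain": "DEFAULT_LOGIN"},
]
# Chains defined on the constructed system, used when an SP has no sp_authchain rows.
ALL_CHAINS = frozenset({"REGUSER", "MFA_CHAIN", "DEFAULT_LOGIN", "HELPDESK_LOGIN"})


@dataclass
class Decision:
    allowed: bool
    reason: str
    sp_folder: Optional[str] = None
    acs_url: Optional[str] = None
    relay_state: Optional[str] = None
    disp_name: Optional[str] = None
    authchains: frozenset = frozenset()


def lookup_sp(issuer: str) -> Optional[dict]:
    """Find the sp_mapping row whose issuer equals the issuer in the request."""
    return next((row for row in SP_MAPPING if row["issuer"] == issuer), None)


def access_permitted(sp_folder: str, user_classes: set) -> bool:
    """sp_access is subtractive: access is denied only by an explicit deny_acl row."""
    return not any(row["sp_folder"] == sp_folder and row["userclass"] in user_classes
                   and row["deny_acl"] for row in SP_ACCESS)


def chains_for(sp_folder: str, user_classes: set) -> frozenset:
    """Chains the user may use for this SP according to sp_authchain."""
    rows = [row for row in SP_AUTHCHAIN if row["sp_folder"] == sp_folder]
    if not rows:                       # nothing defined for this SP: any chain on the system
        return ALL_CHAINS
    specific = frozenset(r["authchain"] for r in rows if r["userclass"] in user_classes)
    if specific:                       # rows naming one of the user's classes win
        return specific
    return frozenset(r["authchain"] for r in rows if not r["userclass"])


def evaluate(issuer: str, user_classes: set, sp_initiated: bool = True,
             request_acs_url: Optional[str] = None,
             request_relay_state: Optional[str] = None) -> Decision:
    """Decide whether the login may proceed and with which assertion parameters."""
    sp = lookup_sp(issuer)
    if sp is None:
        return Decision(False, "unknown issuer")
    folder = sp["sp_folder"]
    if not sp["enabled"]:
        return Decision(False, "SP disabled in sp_mapping", sp_folder=folder)
    if not access_permitted(folder, user_classes):
        return Decision(False, "user class denied by sp_access", sp_folder=folder)
    if sp_initiated:
        # Values carried by the SP's own request take precedence over the table.
        acs_url = request_acs_url or sp["acs_url"]
        relay_state = request_relay_state or sp["relay_state"]
    else:
        # IdP-initiated login has no request to read the ACS URL from.
        if not sp["acs_url"]:
            return Decision(False, "IdP-initiated login needs acs_url in sp_mapping", sp_folder=folder)
        acs_url, relay_state = sp["acs_url"], sp["relay_state"]
    chains = chains_for(folder, user_classes)
    if not chains:
        return Decision(False, "no authentication chain permitted", sp_folder=folder)
    return Decision(True, "ok", folder, acs_url, relay_state, sp["disp_name"] or folder, chains)


if __name__ == "__main__":
    for classes in ({"EMPLOYEES"}, {"ADMINS"}, {"CONTRACTORS"}):
        print(sorted(classes), evaluate("https://sp-a.example.test", classes))
```

Because sp_access only records denials, a user class that is missing from the table is allowed; when reviewing an instance, list the classes that have no row for a given SP rather than only the ones that do.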
Target system
Installing the Scenario.hid_saml_idp component automatically adds an Active Directory target system with the system ID of "AD". The target system is configured to be a source of profiles. When users log in, they will be validated against their Active Directory credentials.