
Prepare Bravura Security Fabric as an SP

The Scenario.hid_authchain_saml_sp component installs the functionality that allows Bravura Security Fabric to act as a service provider (SP), accepting third-party authentication assertions from a trusted IdP.

To prepare Bravura Security Fabric as an SP:

  1. Log in to the front end as superuser.

  2. Click Manage the system > Workflow > Email configuration.

  3. Set BASE_IDSYNCH_URL to the servername used in the IIS TLS certificate, which is the URL seen by the end users' browsers.

  4. Click Home > Manage components.

  5. Install the Scenario.hid_authchain_saml_sp component.

  6. Configure which users in Bravura Security Fabric you want enabled for SAML Authentication.

    1. Click Manage the system > Policies > User classes > SAML_USERS.

    2. Add the users you want to authenticate against the IdP to this user class. You can add explicit users, a domain group or other criteria.

      IdP-initiated SSO is only supported if the profile IDs match the IdP account names.

    3. Recalculate the user class cache.

Component deployment

Installing Scenario.hid_authchain_saml_sp automatically installs and configures the following:

Notes:

  • Additional configuration is required to:

    1. Set up appropriate login processes into Bravura Security Fabric; and

    2. Establish a trust relationship between the IdP and Bravura Security Fabric.

  • This component does not provide single sign-on functionality.

  • Federated login event actions (exit traps) can also be configured.

User class

Installing this component adds the SAML_USERS user class. By default, members of this user class attempting to authenticate to Bravura Security Fabric will be directed to the federated authentication login process, via the SAML_SP authentication chain.

fedsp-util.exe

This utility is executed by the Scenario.hid_authchain_saml_sp component to generate a PFX signing certificate and public certificate pair. It is located in the util directory.

When installing through the component, this utility generates the following files:

  • saml.pfx, used to sign SAML SP assertions.

  • public.cer, the public certificate file that can be passed to the Identity provider to add the Bravura Security Fabric instance as a trusted authority.

Both files are added to the <instance>\sp\ directory.

Read more about fedsp-util usage.
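Before handing public.cer to the IdP, it is worth confirming that it really is the certificate inside saml.pfx, that the PFX carries the private key, and that the validity window is sane. The following PowerShell check is an added example and is not part of the product or its documentation; it assumes $SpDir points at the <instance>\sp\ directory above, that $PfxPassword holds the value configured in FEDSP CERT PASS, and that the certificate's CN equals the FEDSP CERT SUBJECT value "BravuraSecuritySpSaml".

```powershell
# Added example (not part of Bravura Security Fabric): sanity-check the
# saml.pfx / public.cer pair generated by fedsp-util.exe before the public
# certificate is registered with the IdP as a trusted signer.
# Assumptions: $SpDir is the <instance>\sp\ directory; $PfxPassword is the
# FEDSP CERT PASS value; the CN is assumed to match FEDSP CERT SUBJECT.
param(
    [Parameter(Mandatory)] [string]       $SpDir,
    [Parameter(Mandatory)] [SecureString] $PfxPassword
)

$pfxPath = Join-Path $SpDir 'saml.pfx'
$cerPath = Join-Path $SpDir 'public.cer'

# Load the PFX (certificate plus private key) and the standalone public certificate.
$pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $PfxPassword)
$cer = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)

$problems = @()

# 1. public.cer must be the very certificate contained in saml.pfx.
if ($pfx.Thumbprint -ne $cer.Thumbprint) {
    $problems += "public.cer thumbprint $($cer.Thumbprint) does not match saml.pfx ($($pfx.Thumbprint))"
}

# 2. The PFX must hold the private key, or the SP cannot sign its requests.
if (-not $pfx.HasPrivateKey) {
    $problems += 'saml.pfx does not contain a private key'
}

# 3. Subject should carry the CN configured as FEDSP CERT SUBJECT (assumed value).
if ($pfx.Subject -notmatch 'CN=BravuraSecuritySpSaml') {
    $problems += "unexpected subject: $($pfx.Subject)"
}

# 4. Validity window: reject an expired or not-yet-valid certificate, warn if close to expiry.
$now = Get-Date
if ($now -lt $pfx.NotBefore -or $now -gt $pfx.NotAfter) {
    $problems += "certificate is outside its validity period ($($pfx.NotBefore) to $($pfx.NotAfter))"
} elseif (($pfx.NotAfter - $now).TotalDays -lt 30) {
    $problems += "certificate expires within 30 days: $($pfx.NotAfter)"
}

if ($problems.Count -eq 0) {
    Write-Output "OK: saml.pfx and public.cer agree (thumbprint $($pfx.Thumbprint)); public.cer can be sent to the IdP."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it from an elevated PowerShell on the Bravura Security Fabric server; the thumbprint it prints is the value to compare against whatever the IdP shows after you import public.cer.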

Authentication chains

SAML_SP

Custom authentication chain SAML_SP is responsible for redirecting users to the identity provider, as well as granting them Bravura Security Fabric access once they have successfully authenticated. This authentication chain is configured to call the Fedidp_samlauth authentication module, and must be manually configured before use.

Fedidp_samlauth

Installing Scenario.hid_authchain_saml_sp creates a skeleton authentication chain module called SAML_SP that contains the Fedidp_samlauth module. This authentication chain module is responsible for generating the SAML authentication request, redirecting users to the identity provider, and granting access to successfully authenticated users upon their return.

External database tables

hid_authchain_select

Installing Scenario.hid_authchain_saml_sp:

  • Adds a row to the hid_authchain_select table that automatically selects SAML_SP if the user is a member of SAML_USERS.

  • Adds a row to the hid_authchain_select table to continue SAML authentication requests if SAMLResponse is in the session.

This table is used by several Bravura Security Fabric component installations, and overrides the normal authentication chain selection process. With the SAML SP configuration installed, this table directs members of the SAML_SP user class, or any user that has provided a SAML_RESPONSE POST parameter, to the SAML_SP authentication chain.

Federated login configuration options

Installing Scenario.hid_authchain_saml_sp sets the following federated login configuration options (Manage the system > Modules > Federation / Web Single Sign-on):

  • Sets the FEDSP CERT FILE system variable to the generated PFX file.

  • Sets the FEDSP CERT PASS system variable to be the password of the generated PFX file.

  • Sets the FEDSP CERT STORE system variable to be the PFX file store.

  • Sets the FEDSP CERT SUBJECT system variable to be "BravuraSecuritySpSaml".