
Set up Bravura Security Fabric to authenticate with an IdP

After you have prepared Bravura Security Fabric as the SP and set up an IdP, configure the SAML_SP authentication chain to complete the integration.

Before you begin

  1. Have an identity provider prepared that implements SAML to authenticate users on behalf of service providers, and configure it to provide authentication for Bravura Security Fabric.

  2. Ensure that the user profiles that will use Bravura Security Fabric as a service provider exist in the databases of both the identity provider and Bravura Security Fabric. Mappings between the Bravura Security Fabric and identity provider profiles must be configured in the identity provider.

  3. Export the IdP metadata from the IdP and save the file in a location where it can be accessed by Bravura Security Fabric in order to finish configuring the authentication chain module.

  4. Collect the following information that will be required to establish the SAML trust relationship:

    • idp-metadata.xml

      OR

    • The individual endpoints and certificate the IdP makes available in that metadata file:

      • Single sign-on URL for the identity provider.

      • Identity provider issuer, a URL for your IdP that may or may not match the SSO URL.

      • Identity provider public certificate file (.cer), a copy of which should be placed in the instance’s plugin directory.

      • Issuer to send identity provider, typically the URL for the Bravura Security Fabric instance.

      • Single sign-on binding format as required by your IdP, either HTTP POST or HTTP Redirect.

    All URLs must use HTTPS where applicable.
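The values in the list above are all present in the IdP metadata file, and reading them out programmatically is a useful check before filling in the module by hand. The following is an added example (Python standard library only), not Bravura Security Fabric code: it extracts the entityID (the "Identity provider issuer"), the single sign-on URL for each of the two supported bindings, whether the IdP wants AuthnRequests signed, and the signing certificate, and it flags any SSO URL that is not HTTPS. The metadata document, the idp.example.com hostnames and the X509Certificate value (placeholder bytes, not a real certificate) are constructed for illustration. Note that "Issuer to send identity provider" is your own SP entity ID and is not found in the IdP's metadata.

```python
"""Pull the SAML_SP module settings out of an IdP metadata file.

Added example (stdlib only), not Bravura Security Fabric code. The metadata
document is constructed for illustration and its X509Certificate value is
placeholder bytes, not a real certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Only the two bindings the fedidp_samlauth module offers.
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP Redirect",
}

# Constructed sample. The HTTP-POST Location is deliberately plain http://
# so that https_violations() below has something to report.
FAKE_CERT_B64 = base64.b64encode(b"placeholder bytes, not a real certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Location="https://idp.example.com/sso/redirect"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:SingleSignOnService Location="http://idp.example.com/sso/post"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the values the fedidp_samlauth module asks for."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        name = BINDINGS.get(svc.get("Binding"))
        if name:  # skip bindings the SP cannot use (SOAP, Artifact, ...)
            sso[name] = svc.get("Location")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means signing and encryption
            for c in kd.findall(".//ds:X509Certificate", NS):
                certs.append("".join(c.text.split()))  # metadata often wraps the base64
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {
        "idp_issuer": root.get("entityID"),
        "sso": sso,
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "signing_certs_b64": certs,
    }


def cert_fingerprint(cert_b64):
    """SHA-256 over the DER bytes: the value to compare with the .cer file you install."""
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()


def to_cer_pem(cert_b64):
    """Render the metadata certificate as the PEM text a .cer file usually carries."""
    lines = [cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def https_violations(info):
    """The page requires HTTPS for all URLs; list the SSO endpoints that break that."""
    return [f"{name} SSO URL is not HTTPS: {url}"
            for name, url in info["sso"].items()
            if not url.lower().startswith("https://")]


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print(info["idp_issuer"], info["sso"], info["want_authn_requests_signed"])
    print(cert_fingerprint(info["signing_certs_b64"][0]))
    print(https_violations(info))
```

Run it against the real idp-metadata.xml instead of SAMPLE_METADATA to get the field values, and keep the fingerprint: after you copy the .cer file into the plugin directory, the same SHA-256 over that file's DER bytes should match.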

Configure the SAML_SP authentication chain

  1. As superuser in the SP instance, click Manage the system > Policies > Authentication chains > custom > SAML_SP.

  2. Disable this authentication chain so it can be edited.

  3. Click the fedidp_samlauth module to open it for editing.

  4. Ensure the Control Type is set to "Required".

  5. Add information. Either:

    • Click Choose file next to Import metadata, and upload the idp-metadata.xml file you copied earlier.

      OR

    • Populate the following fields manually:

      • Single sign-on URL: the IdP's single sign-on endpoint URL for the binding you select

      • Issuer to send identity provider: typically the URL for the Bravura Security Fabric instance

      • Single sign-on binding: the format as required by your IdP, either HTTP POST or HTTP Redirect.

      • Identity provider issuer: a URL for your IdP that may or may not match the SSO URL.

      • Identity provider public certificate file (.cer): a copy of which should be placed in the instance’s plugin directory.

  6. Choose the correct Identity provider signature location.

    "Assertion" is set by default. If your IdP signs the Response element rather than the Assertion, change this to "Response" (or change the IdP's signing setting instead). The value selected here must match what the IdP actually signs; otherwise the signature cannot be verified.

  7. Optional: Choose the correct AuthnRequest signature.

    If your organization requires SAML AuthnRequests to be signed, set the value to RSA-SHA256 (recommended) or RSA-SHA1. Prefer RSA-SHA256: SHA-1 is deprecated for digital signatures, and the IdP must be configured to accept whichever algorithm you choose.

  8. Configure the Identity provider subject type, which is used to map user profiles in Bravura Security Fabric to their counterparts on the IdP. When the IdP authenticates a user, it sends a subject attribute in the SAML assertion that is used to identify which user was authenticated:

    • Select "Profile ID" if the subject attribute will be identical to the user's Bravura Security Fabric profile ID.

    • Select "Profile attribute" if the subject can be mapped to a user attribute instead of the profile ID.

      Bravura Security Fabric as a SP only supports IdP initiated SSO if the Bravura Security Fabric profile ID is used.

    • If you selected "Profile attribute" as the Identity provider subject type, you must also enter the Subject profile attribute, which specifies the ID of the profile attribute that can be mapped to the SAML subject.

  9. Optional: Select the Allow IdP initiated SSO checkbox to allow users to start at the IdP's login page and be redirected to the SP, where they are authenticated automatically.

  10. Optional: Select the Force IdP authentication checkbox to require the IdP to re-authenticate the user even if the user already has a session at the IdP.

    Some IdPs do not support the Force IdP authentication option.

  11. Click Update, then Enable to enable this authentication chain.

  12. Verify that the Front-end login authentication chain includes SAML_SP as an available chain for the chain selector module.
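Steps 6, 8, 9 and 10 all describe how the SP reads an incoming SAMLResponse: where the XML signature sits, which Issuer it carries, and how the SAML subject is mapped to a Bravura Security Fabric profile. The following is an added example, not Bravura Security Fabric code: it takes a SAMLResponse and reports the signature location (so you can confirm the "Identity provider signature location" choice against what the IdP really sends), checks the Issuer against the configured "Identity provider issuer", detects an IdP-initiated message by the absence of InResponseTo, and resolves the subject under each "Identity provider subject type", including the rule that IdP initiated SSO is only supported with the profile ID. The response, the ds:Signature contents, the user table and the example.com hostnames are constructed; this does not verify the signature itself.

```python
"""Inspect a SAMLResponse against the SAML_SP module settings.

Added example, not Bravura Security Fabric code. The response, user table
and Signature contents are constructed; no signature verification is done.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SIG = f"{{{NS['ds']}}}Signature"
PARENT_NAMES = {
    f"{{{NS['samlp']}}}Response": "Response",
    f"{{{NS['saml']}}}Assertion": "Assertion",
}

# Constructed user table: Bravura profile ID -> profile attributes.
USERS = {
    "ASMITH": {"EMAIL": "alice@example.com"},
    "BJONES": {"EMAIL": "bob@example.com"},
}


def sample_response(signed, in_response_to=None, name_id="alice@example.com"):
    """Build a constructed SAMLResponse; `signed` is 'Response' or 'Assertion'."""
    sig = (f'<ds:Signature xmlns:ds="{NS["ds"]}">'
           '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>')
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ''
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="https://fabric.example.com/psf"{irt}>
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  {sig if signed == 'Response' else ''}
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    {sig if signed == 'Assertion' else ''}
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def signature_location(xml_text):
    """Return 'Response', 'Assertion', 'both' or 'none', by the Signature's parent element."""
    root = ET.fromstring(xml_text)
    found = set()
    for parent in root.iter():
        for child in parent:
            if child.tag == SIG:
                found.add(PARENT_NAMES.get(parent.tag, "other"))
    if not found:
        return "none"
    return found.pop() if len(found) == 1 else "both"


def issuer_matches(xml_text, expected_idp_issuer):
    """Every Issuer in the message must equal the configured 'Identity provider issuer'."""
    root = ET.fromstring(xml_text)
    issuers = {e.text.strip() for e in root.iter(f"{{{NS['saml']}}}Issuer") if e.text}
    return issuers == {expected_idp_issuer}


def is_idp_initiated(xml_text):
    """No InResponseTo means no AuthnRequest from this SP started the flow."""
    return ET.fromstring(xml_text).get("InResponseTo") is None


def subject_name_id(xml_text):
    nid = ET.fromstring(xml_text).find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if nid is None or not nid.text:
        raise ValueError("assertion carries no NameID")
    return nid.text.strip()


def resolve_profile(xml_text, subject_type, subject_attribute=None, users=USERS):
    """Map the SAML subject to a profile ID, or None if it cannot be mapped.

    Mirrors the two 'Identity provider subject type' choices and the rule that
    IdP initiated SSO is only supported when the subject is the profile ID.
    """
    if subject_type == "Profile ID":
        name_id = subject_name_id(xml_text)
        return name_id if name_id in users else None
    if subject_type != "Profile attribute":
        raise ValueError(f"unknown subject type {subject_type!r}")
    if not subject_attribute:
        raise ValueError("Subject profile attribute is required for this subject type")
    if is_idp_initiated(xml_text):
        return None
    name_id = subject_name_id(xml_text)
    matches = [pid for pid, attrs in users.items() if attrs.get(subject_attribute) == name_id]
    return matches[0] if len(matches) == 1 else None  # refuse ambiguous matches


if __name__ == "__main__":
    resp = sample_response("Assertion", in_response_to="_req1")
    print(signature_location(resp), is_idp_initiated(resp),
          resolve_profile(resp, "Profile attribute", "EMAIL"))
```

To run this against real traffic, base64-decode the SAMLResponse form field from a browser capture and pass the XML to signature_location(); if it reports "Response" while the module is left at the default "Assertion", the two sides disagree and the setting or the IdP must change.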

Test the configuration

Bravura Security Fabric should now be configured to authenticate with an IdP. To test this setup:

  1. Open the SP instance login page.

  2. Submit the username of one of the test accounts that is a member of SAML_USERS.

    You should be redirected to the IdP's login page.

  3. Complete the authentication process, using valid credentials.

    Login uses the SAML authentication chain.

  4. Upon successful authentication, the user’s web browser is redirected back to the service provider, where they are logged in automatically.

Replacing certificate files in the plugin directory

When you need to replace an expired identity provider public certificate file, no restart of any service is needed. The file is read each time a signature in an incoming SAMLResponse has to be verified against it, so the new certificate is picked up on subsequent logins, subject to minor caching of the file in the psf.exe CGI loaded into IIS.

Collect the certificate file from the IdP and put it in the instance plugin directory.

Compare the new file with the previous one in a text viewer to confirm it uses the same format (for example PEM with BEGIN/END CERTIFICATE headers and base64 line wrapping); IdPs do not all export certificates in the same encoding.

It is recommended that you back up the old certificate in case the new one has an issue and you must revert.

SAML certificates are not used at the transport layer (TLS) or in the OS and IIS handshakes with the browser, so they do not have to be trusted by the OS, nor installed in IIS. They are used only at the application level, to verify the signature on the SAML assertion coming from the IdP.
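The checks this section describes by hand (confirm the new file's format, confirm it really differs from the old one, keep the old one to revert to) can be scripted. The following is an added example (Python standard library only), not Bravura Security Fabric code: it accepts the .cer file in whichever encoding the IdP exported it (PEM, bare base64, or binary DER), normalises it to DER, compares SHA-256 fingerprints of the old and new files, and reads the notBefore/notAfter window with a minimal DER walker so an already-expired or not-yet-valid replacement is caught before it is installed. The two certificates are constructed stand-ins with the real X.509 field order but placeholder names, key and signature; they are not usable certificates, and the helper that builds them exists only so the example runs offline.

```python
"""Vet a replacement IdP signing certificate before it goes into the plugin directory.

Added example (stdlib only), not Bravura Security Fabric code. The two
certificates are constructed stand-ins: real X.509 field order, placeholder
names, key and signature. They are not usable certificates.
"""
import base64
import hashlib
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11

def _der(tag, content):
    """Encode one DER TLV; lengths below 65536 are enough here."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def _tlv(buf, off=0):
    """Decode one TLV at buf[off:], returning (tag, content, offset after it)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                          # long form: next (n & 0x7F) bytes hold the length
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

def _children(content):
    out, off = [], 0
    while off < len(content):
        tag, value, off = _tlv(content, off)
        out.append((tag, value))
    return out

def fake_cert(not_before, not_after, serial):
    """Constructed certificate skeleton; times are UTCTime strings (YYMMDDHHMMSSZ)."""
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                    # [0] version v3
        _der(0x02, bytes([serial])),                        # serialNumber
        _der(0x30, _der(0x06, SHA256_RSA_OID)),             # signature algorithm
        _der(0x30, b""),                                    # issuer Name (placeholder)
        _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode())),  # validity
        _der(0x30, b""),                                    # subject Name (placeholder)
        _der(0x30, b""),                                    # subjectPublicKeyInfo (placeholder)
    ]))
    signature = _der(0x03, b"\x00" + b"\xAA" * 128)         # BIT STRING, placeholder signature
    return _der(0x30, tbs + _der(0x30, _der(0x06, SHA256_RSA_OID)) + signature)

def to_der(data):
    """Normalise PEM, bare base64 or raw DER file contents to DER bytes."""
    if data[:1] == b"\x30" and data[1] & 0x80:  # outer SEQUENCE with a long-form length: raw DER
        return data
    text = data.decode("ascii")
    m = PEM_RE.search(text)
    der = base64.b64decode("".join((m.group(1) if m else text).split()), validate=True)
    if der[:1] != b"\x30":
        raise ValueError("file does not decode to a DER certificate")
    return der

def validity(der):
    """(notBefore, notAfter) as UTC datetimes, read from tbsCertificate."""
    fields = _children(_children(_tlv(der)[1])[0][1])       # tbsCertificate children
    if fields[0][0] == 0xA0:                                # optional explicit version
        fields = fields[1:]
    tag, val = fields[3]                                    # serial, sigalg, issuer, validity
    if tag != 0x30:
        raise ValueError("unexpected tbsCertificate layout")
    times = []
    for t_tag, t in _children(val):
        s = t.decode("ascii")
        if t_tag == 0x17:                                   # UTCTime: 2-digit year, pivot 1950
            yy = int(s[:2])
            s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
        elif t_tag != 0x18:                                 # otherwise must be GeneralizedTime
            raise ValueError("unexpected time encoding")
        times.append(datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc))
    return times[0], times[1]

def check_replacement(old_file, new_file, now_utc=None):
    """Compare old and new .cer contents; now_utc is 'YYYY-MM-DD' (default: today)."""
    now = (datetime.strptime(now_utc, "%Y-%m-%d").replace(tzinfo=timezone.utc)
           if now_utc else datetime.now(timezone.utc))
    old, new = to_der(old_file), to_der(new_file)
    new_nb, new_na = validity(new)
    return {
        "changed": hashlib.sha256(old).digest() != hashlib.sha256(new).digest(),
        "new_fingerprint": hashlib.sha256(new).hexdigest(),
        "old_not_after": validity(old)[1].isoformat(),
        "new_not_after": new_na.isoformat(),
        "new_valid_now": new_nb <= now <= new_na,
    }

# Constructed inputs: the old file exported as PEM, the new one as bare base64.
OLD_CER = (b"-----BEGIN CERTIFICATE-----\n"
           + base64.encodebytes(fake_cert("220101000000Z", "240101000000Z", 1))
           + b"-----END CERTIFICATE-----\n")
NEW_CER = base64.b64encode(fake_cert("250101000000Z", "270101000000Z", 2))

if __name__ == "__main__":
    print(check_replacement(OLD_CER, NEW_CER))
```

In use, read the backed-up old file and the freshly exported one as bytes and pass them to check_replacement(); install the new file only if "changed" is true and "new_valid_now" is true, and keep the backup until a login has been seen to succeed with the new certificate.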