Connecting Soffid console

&&TODO&& pagina 43

Introduction

Soffid console has a built-in SAML client, so it can act as a service provider in Soffid federation. It is interesting to use this configuration, as it allows you to enforce the use of two factors authentication to log into the Soffid console.

Step-by-step

1. Enable the SAML protocol in Soffid console

1.1. Open the Authentication page:

Main Menu > Administration > Configure Soffid > Security settings > Authentication

1.2. You must enable the External XAML identity provider.

1.3. Then you must fill in the fields:

- - - - Soffid server host name: URL of the Soffid console.
      - SAML federation metadata URL: URL where the whole federation metadata can be obtained. It use to be
        https://your.primary.sync.server:760/SAM/metadata.xml
      - Sometimes, an error as "unable to find valid certification path to requested target" could be displayed. In that case, you must obtain the public certificate form the sync server and store in your Java trusted certs repository. To do that, use the keytool command. The trusted certs repository is located at <JAVA_HOME>/lib/security/cacerts
      - The command should look like the next one. When prompted for a password type in "changeit"
    - - root@myserver:~$ /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/keytool
        -import -file /tmp/RootCA -trustcacerts -alias syncserver
        -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts
    - - Cache limit (seconds): the amount of time the metadata should be kept in memory before refreshing.
      - Identity provider: after reading the federation metadata, this drop-down box lets you select any identity provider present at the federation. Usually, you will select the Soffid IdP.