Using SAML for Single Sign-On in the Akana Platform

Instructions for configuring a SAML Web SSO domain and enabling single sign-on login for Community Manager.

Prerequisites

Before you begin:

  1. Install the SAML 2.0 Web Browser SSO Service Provider plug-in on the Community Manager container.

    Installation plug-ins list: Akana SAML 2.0 Web Browser SSO Service Provider

  2. Install the SAML 2.0 Web Browser SSO Service Provider UI plug-in on the Policy Manager container.

    Installation plug-ins list: Akana SAML 2.0 Web Browser SSO Service Provider UI

  3. Export the SAML 2.0 metadata XML file (metadata.xml) from your SAML identity provider.

Configuration on Policy Manager

  1. Log in to Policy Manager.
  2. On the Configure tab, select Security, and then select Identity Systems.

  3. Click Add Identity System to access the Add Identity System wizard.

  4. From the Identity System Type drop-down list, select SAML Web Browser SSO.

    Policy Manager -- Modify Identity System Wizard

  5. Upload the metadata.xml file from your SAML identity provider, and then click Next.

    Policy Manager, SAML setup -- select configuration method

  6. If the Entity ID is not populated automatically, enter it. Select the Authentication URL and Logout URL to use; these are the identity provider's single sign-on and single logout endpoints, and the metadata may advertise one per binding.

    Policy Manager, SAML Identity Provider Configuration

  7. Make sure the highlighted options are set with the correct values, and that the Entity ID and Base URL match the values registered for this service provider at your SAML identity provider.

    Policy Manager, SAML Service Provider Configuration.

    Policy Manager, SAML setup -- Metadata Configuration

  8. The Identity Mapping must match what your SAML identity provider sends (for example, the NameID format or the attribute used to identify the user).

  9. Generate a self-signed certificate and upload it to your SAML identity provider, or use the Import PKI Keys & X509 Certificate feature and upload that certificate to the identity provider. The identity provider uses this certificate to verify signatures on requests from the service provider and, if configured, to encrypt assertions for it. You can also use the Assign PKI Keys and X.509 Certificate from User Keystore option to assign keys from an external keystore; this option is available only if you have downloaded the External Keystore feature. For more information, see Using the JCEKS as an External Keystore or Using the HSM as an External Keystore, which describe configuring a JCEKS or HSM external keystore for storing and managing Policy Manager PKI keys and certificates.
    Policy Manager, SAML setup -- Manage PKI Keys
  10. Under Keystore Details, click the keystore type to import the keys, and specify the keystore password. Click Load Aliases to choose the alias to use (or enter the alias), and enter its key password. Click Finish.

    Policy Manager, SAML setup

  11. Click Finish to view the summary of domain identity details, PKI keys details, and certificate details.

Configuration on Community Manager

  1. Log in to the Community Manager developer portal.
  2. On the More tab, select Admin, and then select Logins.
  3. Select the check box next to the SAMLWebSSO domain to enable it as a platform login domain and then click Save.

    SAML Web SSO use case -- Community Manager, enable login domain

  4. Optional; required only if the SAML identity provider uses the same LDAP directory and users have already logged in to Community Manager through the LDAP domain. In that case, update the database to move those users from the LDAP domain to the SAML Web SSO domain so that their existing accounts are reused.

Steps to Verify the SSO Configuration

  1. On the Community Manager developer portal login page, select the SAML login domain.

    SAML Web SSO use case -- Community Manager, logging in

  2. Verify that the browser is redirected to the sign-in page of your SAML identity provider. Enter the credentials and then select Sign In.

    SAML Web SSO use case -- Community Manager, redirect to Identity Provider Sign On page

  3. Verify that the user is logged in to Community Manager using the credentials configured at the SAML identity provider.

    SAML Web SSO use case -- logged in