WARNING. This script is to be used for informational and learning purposes only. Should you choose to modify and/or include this script in your test or production environments, you do so at your own risk. Custom scripts are only supported by Embotics when they are produced by an Embotics Application Architect as part of a paid service engagement.
Should you require assistance modifying or troubleshooting the script, please contact your Customer Advocate who will provide you with a quote for Professional Services.
In a distributed infrastructure with multiple authentication sources, a cloud identity management platform can provide secure single sign-on, multi-factor authentication and Directory Integration.
Things you will need:
- A OneLogin account; if needed, you can use the free account for testing with a single user
- The vCommander Portal must be accessible from the internet (preferably with an SSL certificate for production environments)
- On the vCommander application server, open a command prompt and browse to <INSTALL_DIRECTORY>\Embotics\vCommander\jre\bin\.
- Issue the following command:
keytool -importkeystore -srckeystore ..\..\tomcat\conf\keystore -srcstoretype JKS -srcalias tomcat -srcstorepass changeit -destkeystore ..\..\tomcat\conf\saml-keystore.p12 -deststoretype PKCS12 -deststorepass changeit2 -destalias saml
This command exports the key pair stored under the alias tomcat from the original JKS keystore into a new PKCS #12 file, saml-keystore.p12, under the alias saml. Passwords remain the same, if any were used.
- Retrieve the file <INSTALL_DIRECTORY>\Embotics\vCommander\tomcat\conf\saml-keystore.p12 and store it in a secure location.
- In the OneLogin Administration portal, select Apps, then Add Apps. Search for "SAML Test Connector (IdP w/attr)"; we will use this as the base for the SSO configuration in OneLogin.
- Rename the connector to something all administrators in OneLogin will recognize, such as vCommander. You can also add custom logos to make the end-user experience more fluent. Click Save.
- Still in the OneLogin admin portal, under Apps > Company Apps you should see your vCommander connector. Click on it to edit the configuration.
- Navigate to the Configuration tab and fill out the appropriate fields for your vCommander. This is a sample from our sample configuration:
- Relay State: (leave blank)
- ACS Consumer URL Validator: "*" (that's right, just a star)
- ACS Consumer URL
- Single Logout URL
- The configuration tab should now look something like this with your own portal configuration:
- Navigate to the Parameters tab and add an attribute called "mail". Click Save, then edit the custom parameter. In the window, link the mail attribute to the "Email" value from OneLogin for successful authentication. Ensure the "Include SAML assertion" flag is checked. Click Save.
- Now export the SAML metadata to complete the setup in vCommander. With your connector open in OneLogin and all your changes saved, in the top right under "More Actions" select "SAML Metadata". Save this in a safe place so we can import it into vCommander.
- In vCommander, logged into the Admin Portal, navigate to Configuration > System Configuration > Authentication. Navigate to SAML Single Sign-On, select Edit and fill out as follows:
- Set the Enabled and Global check boxes
- Identity Provider (IdP) Metadata: upload the metadata exported from step 10 (the SAML Metadata export from OneLogin)
- SAML Key Pair section: provide the PKCS #12 keystore file from step 3 (saml-keystore.p12). We left our keystore passwords at the defaults for the script examples to keep it simple; you could have different passwords in your environment.
- KeyStore Password
- Keypair Alias
- Keypair Password
- Now you can test the SSO login. If there is a user configured in vCommander with the same login information, and that user is assigned permission to see the vCommander app in OneLogin, we can test the connection.
- Log in to OneLogin as a Portal user that is also configured in OneLogin; they will see the app if permissions are correct.
As the portal user, select the vCommander app; the user will be passed straight into the vCommander portal.
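As a pre-upload check between the OneLogin "SAML Metadata" export and the vCommander import described above, here is an added example (not from the original page, Embotics or OneLogin) that parses an IdP metadata file with the Python standard library and flags what the vCommander side depends on: an entityID, HTTP-Redirect and HTTP-POST SSO endpoints served over https, and a signing certificate that actually decodes. The embedded metadata is a constructed sample for a hypothetical tenant with a placeholder certificate body.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")

# Constructed sample shaped like a OneLogin IdP metadata export for a hypothetical tenant;
# the X509Certificate body is a placeholder DER SEQUENCE, not a real certificate.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.onelogin.com/saml/metadata/EXAMPLE-APP-ID">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>MAMCAQE=</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example-tenant.onelogin.com/trust/saml2/http-redirect/sso/000000"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example-tenant.onelogin.com/trust/saml2/http-post/sso/000000"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def check_idp_metadata(xml_text):
    """Summarise IdP metadata and list anything that would break or weaken the vCommander side."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("missing entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    sso, signing_ok = {}, False
    if idp is None:
        problems.append("no IDPSSODescriptor element")
    else:
        # Both SSO bindings should be present, and every endpoint must be https.
        for svc in idp.findall("md:SingleSignOnService", NS):
            sso[svc.get("Binding")] = svc.get("Location", "")
        for binding in BINDINGS:
            if binding not in sso:
                problems.append("no SingleSignOnService for " + binding.rsplit(":", 1)[1])
            elif not sso[binding].startswith("https://"):
                problems.append("non-https SSO endpoint: " + sso[binding])
        # vCommander verifies assertion signatures with this certificate: it must be present
        # (use="signing" or unspecified) and base64-decode to a DER SEQUENCE (first byte 0x30).
        for kd in idp.findall("md:KeyDescriptor", NS):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if kd.get("use") in (None, "signing") and cert is not None and cert.text:
                der = base64.b64decode("".join(cert.text.split()), validate=True)
                signing_ok = signing_ok or der[:1] == b"\x30"
        if not signing_ok:
            problems.append("no usable signing certificate")
    return {"entity_id": entity_id, "sso": sso, "signing_cert_ok": signing_ok, "problems": problems}
```

Run it against the saved metadata file (pass the file's contents to check_idp_metadata) before uploading it to vCommander. Note that the "*" ACS Consumer URL Validator used in the OneLogin configuration above accepts any ACS URL, so for production restrict it to the portal's actual ACS URL.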