Integrating IdP with Remedy SSO for SAML IdP initiated login
Starting from version 9.1.02, Remedy Single Sign-On (Remedy SSO) supports SAML Identity Provider (IdP) initiated login.
To activate the IdP initiated login, perform the following steps:
- Configure SAMLv2 authentication on Remedy SSO server. For more information on configuring SAMLv2 authentication, see SAMLv2 authentication process.
- Configure Relying Party Trust on the IdP.
- Configure claim rules. For more information, see Configuring claim rules.
- Configure Remedy SSO to provide the service URL.
Configuring Relying Party Trust on the IdP
This is second step that you must perform to support the IdP initiated login. Consider AD FS as the IdP.
Before you begin
- Ensure that the required certificates are imported in the AD FS Trusted Root Certificate Authorities folder. For more information, see Importing certificates.
- Ensure that you have the following information:
|Relying Party Trust URL|
URL of the Relying Party Trust, which is the Remedy SSO server. Use the following format.
If you have only the default realm on the Remedy SSO server, use the following format:
|Display name||Name of the Relying Party Trust that IdP displays in the menu for users.|
|Notes||Appropriate description for the Relying Party Trust.|
|Token encryption certificate||Certificate that IdP uses to encrypt the claims that are sent to the relying party trust. Encryption certificate is required only if you need the response from the Relying Party Trust to be encrypted|
|Relying party trust identifier||Identifier for Relying Party Trust that is same as the Relying Party Trust URL.|
To configure AD FS
- Open the AD FS console.
- Click Trust Relationships to expand the folder.
- Right-click the Relying Party Trusts folder and select Add Relying Party Trust.
- On Add Relying Party Trust Wizard, click Start.
- On the Select Data Source page, click Enter data about the relying party manually and click Next.
- On the Specify Display Name page, enter Display Name and Notes for the relying party trust and click Next.
- On the Choose Profile page, click AD FS profile and click Next.
- On the Configure Certificate page do not import any certificate and click Next.
- On the Configure URL page, select the Enable support for the SAML 2.0 WebSSO protocol check box and enter the Relying Party Trust URL in the Relying party SAML 2.0 SSO service URL field.
- Click Next.
- On the Configure Identifiers page, enter relying party trust identifier in the Relying party trust identifier field and click Add.
- Click Next.
- On the Configure Multi-factor Authentication Now page, select the I do not want to configure multi-factor authentication settings for the relying party trust at this time check box and click Next.
- On the Choose Issuance Authorization Rules page, click Permit all users to access this relying party.
- On the Ready To Add Trust page, click the Advanced tab.
In the Secure hash algorithm box click SHA-1 and click Next.
If you cannot select the secure hash algorithm in this step, from the Relying Party Trusts list, right click the relying party trust that you just created and select Properties option from the menu. Click the Advanced tab and verify that the secure hash algorithm is selected as SHA-1.
- Select the check box for opening the Edit Claim Rules dialog box when you close the wizard and click Close. For more information about claim rules, see Configuring claim rules.
Configuring claim rules
This is the third step that you must perform to support the IdP initiated login.
Configure the claim rules for the relying party.
- On AD FS 2.0, select rsso-sp, and click Edit Claim Rules from the Actions menu.
- To add the claim rule, click Add Rule.
- Select the claim-rule template Send Claims Using Custom Rule.
Enter the claim-rule name Send Claims Using UPN. In this case, use the following script:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue( Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "<idp-entity-id>", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "<sp-entity-id>/<realm-id>" );
- sp name qualifier is required only when you want to implement SP initiated Single log out.
- The properties " " must be the same as the NameID format value in the Authentication tab of Remedy SSO. For example, a Transient Identifier such as urn:oasis:tc:SAM:2.0:nameid-format:transient.
- The FQDN specified for the properties " " must be the FQDN of the AD FS server.
- The properties " " must be the same as the SP Entity Id value specified in Remedy SSO (General > Advanced > SAML Service Provider > SP Entity ID).