Configure Tenant SAML Realm - Fluid Topics - 3.7

Fluid Topics Integration Guide

Operating system: Debian
Category: Reference Guides
Audience: public
Version: 3.7

The tenant's SAML realm is declared in the tenant's conf.json configuration file, which must be updated as follows.

Edit the following file:

As antidot user

/usr/local/afs7/Fluid-Topics/conf/$TENANT_ID/conf.json

To meet the minimum requirements, it is necessary to add the following lines within the "ui" object:

"ui": {
  ...
  "authentication": {
    "realms": [
      {
        "name": "$SAML_NAME_EXAMPLE",
        "type": "saml2",
        "configuration": {
          "name": "$SAML_NAME_EXAMPLE",
          "keystoreFile": "saml/keystore.jks",
          "keystorePassword": "$KEYSTORE_PASSWORD",
          "privateKeyPassword": "$PRIVATE_KEY_PASSWORD",
          "entityId": "http://$HOSTNAME/$TENANT_ID/",
          "idpMetadataFile": "saml/idp_metadata.xml",
          "idPropertyKey": "$USER_ID",
          "mailPropertyKey": "$USER_MAIL",
          "namePropertyKey": "$USER_NAME",
          "maxAuthenticationLifetime": "$NUMERICAL_VALUE"
        }
      }
    ]
  }
  ...
},

Where:

  • name: expects a name for the configuration.
  • keystoreFile: expects the path to the keystore.jks file generated in the previous step (-keystore parameter).

    This parameter is mandatory. Example: saml/keystore.jks

  • keystorePassword: expects the password used to generate the keystore.jks file in the previous step (-storepass parameter).
  • privateKeyPassword: expects the password entered for the SP private key when generating the keystore.jks file in the previous step (-keypass parameter).

    Both passwords are stored in clear text in conf.json, so keep the file readable only by the antidot user.
  • entityId: expects the SP entity ID of the current Fluid Topics tenant. It must match, character for character (including the trailing slash), the entity ID registered for this SP on the IdP side.

    This parameter is mandatory. Example: http://$HOSTNAME/$TENANT_ID/

  • idpMetadataFile: expects the path to the metadata.xml file that has been generated on the IdP side.

    This parameter is mandatory. Example: saml/idp_metadata.xml

  • idPropertyKey: expects the name of the attribute in the SAML response from which the user ID is read.

    It may be replaced by the "idReaderFunction" parameter. See SAML Profile Retrieval.

    If idPropertyKey is omitted, the user ID is taken from the NameID of the SAML assertion.

    Any other missing information (i.e. the other *PropertyKey attributes) is requested from the user when they try to log in.

  • mailPropertyKey: expects the name of the attribute in the SAML response from which the user's email address is read.

    It may be replaced by the mailReaderFunction parameter. See SAML Profile Retrieval.

  • namePropertyKey: expects the name of the attribute in the SAML response from which the user's name is read.

    It may be replaced by the nameReaderFunction parameter. See SAML Profile Retrieval.

  • maxAuthenticationLifetime: expects a numerical value that sets the authentication lifetime.

Use one of the recommended maxAuthenticationLifetime values; other values can make user sessions time out unexpectedly.
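The following preflight script is an added example and is not part of Fluid Topics; it checks a tenant's conf.json against the rules above before the realm is enabled. It assumes the layout shown on this page (a saml2 realm under ui.authentication.realms, with keystoreFile and idpMetadataFile relative to the tenant's conf directory); the hostname, attribute names, realm name "corp-idp", the lifetime "3600" and the minimal IdP metadata are constructed sample data. It flags template placeholders left in place, missing mandatory parameters, unreadable or non-IdP metadata, a non-numeric lifetime, and warns when entityId is a plain http:// URL or when the user ID will silently fall back to NameID.

```python
"""Preflight check for a tenant's saml2 realm in conf.json (added example, not
Fluid Topics code). Assumes the layout above: ui.authentication.realms[] and
keystoreFile/idpMetadataFile paths relative to the tenant's conf directory."""
import json
import os
import tempfile
import xml.etree.ElementTree as ET

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"
MANDATORY = ("keystoreFile", "entityId", "idpMetadataFile")


def check_idp_metadata(path):
    """Return errors found in the IdP metadata file (empty list = usable)."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError as exc:
        return [f"idpMetadataFile is not well-formed XML: {exc}"]
    if root.tag != MD_NS + "EntityDescriptor":
        return ["idpMetadataFile root element is not md:EntityDescriptor"]
    idp = root.find(MD_NS + "IDPSSODescriptor")
    if idp is None:
        return ["idpMetadataFile has no IDPSSODescriptor (SP metadata by mistake?)"]
    if idp.find(MD_NS + "SingleSignOnService") is None:
        return ["IDPSSODescriptor declares no SingleSignOnService endpoint"]
    return []


def check_realm(realm, conf_dir):
    """Return (errors, warnings) for one saml2 realm; paths resolve against conf_dir."""
    errors, warnings = [], []
    cfg = realm.get("configuration", {})
    for key, value in cfg.items():  # template placeholders left unreplaced
        if isinstance(value, str) and "$" in value:
            errors.append(f"{key} still contains a template placeholder: {value}")
    for key in MANDATORY:
        if not cfg.get(key):
            errors.append(f"mandatory parameter {key} is missing or empty")
    for key in ("keystoreFile", "idpMetadataFile"):
        full = os.path.join(conf_dir, cfg.get(key) or "")
        if cfg.get(key) and not os.path.isfile(full):
            errors.append(f"{key} does not exist: {full}")
        elif key == "idpMetadataFile" and cfg.get(key):
            errors.extend(check_idp_metadata(full))
    if (cfg.get("entityId") or "").startswith("http://"):
        warnings.append("entityId is http://; it must match the SP entity ID "
                        "registered at the IdP, normally an https URL")
    if not cfg.get("idPropertyKey") and not cfg.get("idReaderFunction"):
        warnings.append("no idPropertyKey/idReaderFunction: user ID falls back to NameID")
    if not str(cfg.get("maxAuthenticationLifetime", "")).isdigit():
        errors.append("maxAuthenticationLifetime must be a numerical value")
    return errors, warnings


def check_tenant_conf(conf_path):
    """Check every saml2 realm in conf.json; returns {realm name: (errors, warnings)}."""
    with open(conf_path, encoding="utf-8") as fh:
        conf = json.load(fh)
    conf_dir = os.path.dirname(os.path.abspath(conf_path))
    realms = conf.get("ui", {}).get("authentication", {}).get("realms", [])
    saml = [r for r in realms if r.get("type") == "saml2"]
    if not saml:
        return {"<none>": (["no realm of type saml2 under ui.authentication.realms"], [])}
    return {r.get("name", "?"): check_realm(r, conf_dir) for r in saml}


# Constructed minimal IdP metadata, standing in for the file exported from the IdP.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def make_sample_tenant(configuration):
    """Write a throwaway tenant directory (conf.json + saml/) and return the conf.json path."""
    tenant = tempfile.mkdtemp(prefix="tenant_")
    os.makedirs(os.path.join(tenant, "saml"))
    with open(os.path.join(tenant, "saml", "idp_metadata.xml"), "w") as fh:
        fh.write(IDP_METADATA)
    open(os.path.join(tenant, "saml", "keystore.jks"), "wb").close()  # stand-in for the real JKS
    realm = {"name": "corp-idp", "type": "saml2", "configuration": configuration}
    path = os.path.join(tenant, "conf.json")
    with open(path, "w") as fh:
        json.dump({"ui": {"authentication": {"realms": [realm]}}}, fh)
    return path


# Sample values only: hostname, attribute names and lifetime are constructed.
GOOD = {"name": "corp-idp", "keystoreFile": "saml/keystore.jks",
        "keystorePassword": "changeit", "privateKeyPassword": "changeit",
        "entityId": "https://docs.example.test/mytenant/",
        "idpMetadataFile": "saml/idp_metadata.xml", "idPropertyKey": "uid",
        "mailPropertyKey": "mail", "namePropertyKey": "displayName",
        "maxAuthenticationLifetime": "3600"}
# The template copied in without filling entityId and the lifetime.
UNFILLED = dict(GOOD, entityId="http://$HOSTNAME/$TENANT_ID/",
                maxAuthenticationLifetime="$NUMERICAL_VALUE")
```

On a real host, run check_tenant_conf("/usr/local/afs7/Fluid-Topics/conf/$TENANT_ID/conf.json") as the antidot user and fix every reported error before restarting; the GOOD/UNFILLED dictionaries exist only to exercise the checks offline. The script deliberately does not open the keystore: verifying that keystorePassword and privateKeyPassword unlock the SP key is left to keytool, since a wrong password there only shows up when the SP tries to sign its first AuthnRequest.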