Configuring the Platform instance to enable SAML/ADFS authentication

Before SAML or ADFS authentication is configured for a tenant or globally (all tenants), a master administrator must perform the following tasks:

  1. Generate a signed certificate (through Verizon, for example) or a self-signed certificate. You can create a self-signed certificate using the Java Keytool command or from a Web site that provides this service. For example, the following command creates a keystore named InfiniteBlue.jks (referred to as the keystore in these instructions) containing a self-signed certificate:
    keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore InfiniteBlue.jks \
      -dname "CN=Progress, OU=Development" -storepass myPassword

    The keystore includes the public key certificate.

    Note:

    For long keys, such as those encrypted with AES-256, you must enable JCE unlimited strength in your JRE. To do so, download the Unlimited Strength Jurisdiction Policy Files (in ZIP format) from one of the following locations:

    Extract the files and install them as instructed in the README.txt file.

  2. Export the public key certificate from the keystore using Keytool as shown below:
    keytool -export -keystore InfiniteBlue.jks -alias server -file MyCertificate.cer 
  3. Create the SP metadata file. See https://docs.oracle.com/cd/E19461-01/819-7664/configspmeta/index.html for information about creating this file. See Example SP metadata file for an example of an SP metadata file.
  4. Log into Platform and navigate to System Console>Control Panel>Authentication.
  5. Select the required authentication mode from the Authentication Mode drop-down list.
    Note: If you select Global as the authentication mode, set UI Authentication to SAML/ADFS and select the preferred API Authentication.
  6. Specify the values for the following fields in the SAML/ADFS SP Configuration section to configure SAML/ADFS authentication.

    Field                     Description
    SP Key Store File         The name of the keystore. In the prerequisite steps example, InfiniteBlue.jks.
    SP Key Store Password     The keystore password. In the prerequisite steps example, myPassword.
    SP Key Store Alias        The keystore alias. In the prerequisite steps example, server.
    Assertion Consumer Index  The index of the AssertionConsumerService URL to use from the SP metadata. Most IdPs do not support multiple URLs, so the default of 0 is normally correct.
    SP Metadata File          The SP metadata file created in step 3.
  7. For customers who will configure SAML or ADFS authentication at the tenant level, provide the public key certificate to the customer administrators so they can configure SAML/ADFS authentication details for their tenants. See step 2 for an example of exporting this file using the Java Keytool command.
  8. If you are using ADFS authentication: for SP-initiated login to work, set the ADFS Secure Hash Algorithm parameter to SHA-1. Platform signs SAML requests with SHA-1, whereas ADFS defaults to SHA-256, so with the default setting ADFS rejects the request signature.
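As an added example (not code from the Platform documentation or product), the following Python builds a minimal SP metadata file of the kind step 3 calls for, taking the certificate exported in step 2 (assumed exported in PEM form with keytool's -rfc option), and lists the AssertionConsumerService index values so the Assertion Consumer Index entered in step 6 can be checked against the uploaded file. The entity ID, ACS URL and certificate text are assumptions or constructed stand-ins.

```python
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed stand-in for MyCertificate.cer exported with 'keytool -export -rfc':
# valid PEM/base64 framing, but NOT a real X.509 certificate.
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed placeholder, not a real certificate").decode()
    + "\n-----END CERTIFICATE-----\n")

def pem_to_x509_b64(pem):
    """Strip the PEM armour and return the base64 body that ds:X509Certificate
    carries; reject input that is not valid base64 before it reaches the IdP."""
    body = "".join(l.strip() for l in pem.splitlines()
                   if l.strip() and not l.startswith("-----"))
    base64.b64decode(body, validate=True)
    return body

def build_sp_metadata(entity_id, acs_urls, signing_cert_pem):
    """Return SP metadata (bytes). Positions in acs_urls become the
    AssertionConsumerService index values, so the first URL is index 0, the
    value the Platform field 'Assertion Consumer Index' defaults to."""
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor", AuthnRequestsSigned="true",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", use="signing")
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = pem_to_x509_b64(signing_cert_pem)
    for idx, url in enumerate(acs_urls):
        ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", Binding=POST_BINDING,
                      Location=url, index=str(idx), isDefault="true" if idx == 0 else "false")
    return ET.tostring(root, encoding="utf-8")

def acs_indexes(metadata_xml):
    """Indexes actually present in a metadata file, for checking the value
    entered in 'Assertion Consumer Index' against the uploaded file."""
    root = ET.fromstring(metadata_xml)
    return sorted(int(e.get("index")) for e in root.iter(f"{{{MD}}}AssertionConsumerService"))

if __name__ == "__main__":
    xml_bytes = build_sp_metadata("https://platform.example.com/sp",  # assumed entity ID
                                  ["https://platform.example.com/saml/acs"], SAMPLE_CERT_PEM)
    print(xml_bytes.decode())
    print("index 0 present:", 0 in acs_indexes(xml_bytes))
```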