Skip to main content
Mitratech Success Center

Client Support Center

Need help? Click a product group below to select your application and get access to knowledge articles, webinars, training content, and release notes or to contact our support team.

Authorized users - log in to create a ticket, view tickets status and check your success plan details.

 

TeamConnect SAML Setup

  1. Last updated
  2. Save as PDF
The following page details the prerequisites, IDP Setup , SP setup and TeamConnect SAML setup.

Prerequisites

  1. Servlet to deploy on (Weblogic/Tomcat)

  2. Keystore with encryption key created.

    Note: Here the example keystore provided with the WAR file, samlKeystore.jceks  is used. Clients should not use this keystore other than for testing purposes.

  3. Certificate (.cer/.crt/.cert) generated from the keystore.

    Note: Along with the example keystore, you can use the following command to generate it. (password=mitratech)
     keytool -export -alias mitratechsamlsamplekp -file TestCert.cer -keystore samlKeystore.jceks -storetype jceks
    This will provide a file TestCert.cer to use in the IDP for signing requests.

IDP Setup

This section details the steps for setting up an IDP for integration. SAML can be integrated into any IDP that supports the SAML 2.0 specification. The specific steps for integrating will differ depending on the individual IDP. This document will go through the process for setting up with Okta as the IDP as an example. All the same options should be configurable in other providers, but will be located and possibly named differently in their application.

Instructions 

Screenshot for reference
1. Log into Okta, and go to the administrator portal.  
2. Go to Applications --> Applications. Click on Create App Integration. clipboard_e3b705beb75289edac620c4478d7d0776.png
3. Choose SAML 2.0 sign in method, hit Next. clipboard_e98947fe2a5cc21be13afb74896d02aaf.png
4. Give the application a name, hit Next. clipboard_eea84aebaaf5570c44f65a5cc251e041a.png
5. Set SAML Settings

a. Set the Single Sign on URL to <saml-url>/saml/SSO and mark check against 'Use this for Recipient and Destination URL' box.

 		 clipboard_e9d1256871e68410e64e6d1303aaeeedb.png
 b. Set the Audience URI (SP Entity ID) to the required ID. This will be the ID used throughout the integration. clipboard_e2e0e220ad0f7b75764cce7fa6fb17861.png
c. Leave Default RelayState blank.

d. Set Name ID format to Unspecified . (You can use other options, along with other adjustments in SAML server setup to match).

clipboard_e2738a4ae815a53a3f7944b895bdfd964.png
e. Set Application username for Okta to validate with. In this case,  keep it simple with Okta username.
ensure both TeamConnect user and Okta users have the same email address as their usernames.
 		 clipboard_e3fe7c33828e7a2d5afdcbdf9b2ba76d2.png
f. Click on Show Advanced Settings
 		 clipboard_ee20fd0ab6ef640907293fba4809ec9ea.png
g. Set Response to Signed clipboard_e0e4ba47d189183daa3b7c88455c399a0.png
h. Set Assertion Signature to Signed clipboard_eda172a02d9f6fb8e6b7589c89933bfe3.png
i. Set Signature Algorithm to RSA-SHA256 clipboard_e3d7b39377ea6f5efcceb3c710d28d2a7.png
j. Set Digest Algorithm to SHA-256 clipboard_e9360dfc5c0bfcbf4ef2218936063df99.png

k. Leave Assertion Encryption as Unencrypted. If you do want the assertion encrypted, match this value to the same one used in the keystore.

l. Upload the signing certificate to Signature Certificate (TestCert.cer if following the example)

 clipboard_ea1ff49bc5c7d183b3c5b9c7d08461c7c.png
m.Check Signed Requests clipboard_e60a023c8e9cb5b6d47606c7f486a555b.png

n. If you are enabling Single Logout (SLO), continue with the following settings. Else, click Next to finish SAML Settings setup.

o. Check Enable Single Logout.



clipboard_edda34b486a1341322fc27c11f3f21146.png
p. Set Single Logout URL to <saml-url>/saml/SingleLogout clipboard_e346d630041c18c0dd631fbdddfe9313d.png
q. Set SP Issuer to the same value used in Audience Restriction (TeamConnectSAML in this example). clipboard_ee85811067052eed9f243f9265bd8b17b.png
  r. Keep defaults on the remaining settings. These can     be customized, but this example will not go into them.     Click Next. Select App Type (This is an Internal App         that we have created is recommended). Click Finish clipboard_ecf53a95d303c3fbb5fd35dbb27ab3e3f.png
6. Now that the Application is created, click on Sign On. clipboard_e68c4a09cd322a79e5f661117caaffc27.png
7. Click on View SAML setup instructions. clipboard_e558a69a186edd2087520dde549c3e73d.png
8. Scroll to Optional on the new page and copy all the contents. Save contents as a file named idp.xml. clipboard_ed41ed3fca5ed9698738b3345b5aea707.png
9. Back in the Okta Application, click on Assignments and add all users who will need access to the SAML integration. clipboard_eb10847972561772b3cc4c8b04c25270f.png

SP Setup

This section details the steps for setting up the Service Provider (SAML Server). These steps will use values from the IDP Setup example, but can be customized to the customer’s standards. Ensure that all options chosen during IDP setup are also reflected in the following SP setup (encryption algorithms, signing keys, etc should all match).

Instructions 
Screenshot for reference
1. Obtain SAML WAR file. Unzip the WAR file with an archive tool like 7zip.  
2. If  keystore and key are created, during the Prerequisite steps, place this keystore in <WAR-file>/WEB-INF/classes/security. Delete any unused keystores for security clipboard_e0226dbc3d93695be3d558c2899046e0e.png
3. Navigate to <WAR-file>/WEB-INF/classes/metadata and replace the idp.xml file with the one that was created during IDP setup. clipboard_e1aa829cee5f596e543481c2e76d2e452.png
4. Navigate to <WAR-file>/WEB-INF/classes and edit the saml.properties file. clipboard_e6d9cb454e85c54724dbcaba50bf6f188.png
a. Set idp.usernameIdentifier to NameID. This matches with our choice in setting up the IDP. Okta only uses NameID, but if using a different IDP that supports a different attribute, then you can set this value to Attribute.  
b. Set idp.nameIDFormat to match the type declared in the IDP setup. In this example, used Unspecified which maps to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

If you had set usernameIdentifier to Attribute in the previous step, leave this property blank

The following are the other available options:

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
  • urn:oasis:names:tc:SAML:2.0:nameid-format:entity
.		 clipboard_e3c4b41932ff5d560ec02f0909ad310f9.png

c. Leave idp.attributeName empty, if using NameID in the previous steps. If using Attribute, then declare the attribute key here.

d. Set sp.entityID to the same value we chose during IDP setup. In this example, it was TeamConnectSAML.


clipboard_e580008481c316ff2a53ed7414a343e0e.png

e. Set gateway.admin.username to required administrator login name to be. Default is admin.

f. Set gateway.admin.password to required administrator password to be. For SAML 2.2.4+ this value must be encrypted with encrypt.jar that is provided with the TeamConnect installation files.

g. Set application.loginUrl to the login URL of the TeamConnect application, which will be <TeamConnect-URL>/login		 clipboard_ec3a371115191e82251ce2a32adca9015.png

h. Leave application.logoutSuccessUrl empty. This will use the default logout page. The logout page can be customized for a client. To do this, either update the existing logout.jsp or add a new jsp to WEB-INF, and update securityContext.xml to remove security from the new logout endpoint.

i. Set keystore.file to the name of the keystore you copied into the war file. In this working example we are just using the test store provided, samlKeystore.jceks.

j. Set keystore.type to the extension type of the keystore being used. In this example we are using jceks.

k. Set keystore.password to the password set in creating the keystore. In this example, it is mitratech. For SAML 2.2.4+ this value must be encrypted with encrypt.jar that is provided with the TeamConnect installation files.

l. Set keystore.privatekey.alias to the alias used during keystore creation. In the example, using samlKeystore.jceks, this value is mitratechsamlsamplekp.

m. Set keystore.privatekey.password to the password used for the alias. In the example, using samlKeystore.jceks and mitratechsamlsamplekp, the value is saml. For SAML 2.2.4+ this value must be encrypted with encrypt.jar that is provided with the TeamConnect installation files.

 clipboard_ee1be5cde4f780e9b760b82f5e947cc9a.png

n. Set saml.signatureAlgorithm to match the value declared during IDP setup. In the example, the value would be SHA256. All valid options are:

  • SHA1
  • SHA256
  • SHA512

o. Save the saml.properties updates. Update the WAR file with the changes.

  

5. Stage the WAR file in servlet, and launch the application

6. Once running, visit <SAML-URL>/saml/web/metadata.

 clipboard_ee9d4c459294871404c9eba44b1d4beb9.png
7. Login using the admin credentials declared in saml.properties. The default values are admin/admin. clipboard_ebe0dbdf8c3cac1603835fcdeab62b2cc.png
8. Click on Generate New Metadata clipboard_e8a5a11f06ead64bf8abb4004e179a09e.png

9. Setup SP metadata

a. Set Entity ID to the value chosen during IDP setup. In the working example we are using TeamConnectSAML

 clipboard_e44a9ea141d5754c85eb3c120c56482c3.png
b. The Entity base URL should auto generate from deployment. Double check the value matches the actual URL endpoint. If not, update it to match. clipboard_edf9c6743a4412f84f31e72bf4f392f6c.png
c. Leave Entity alias blank, unless you are using SAML to connect multiple applications. If so, give this a unique name to identify this specific integration.
 		 clipboard_e7502b1d3ab174165fe3e6631ab22afa5.png
d. Set Signing key to the value of the keystore alias being used for this integration. In the example, it will be mitratechsamlsamplepk.
 		 clipboard_e5703c711fecbbc28cb920ef67957bb8f.png
e. Set Encryption key to the value of the keystore alias being used for this integration. In the example, it will also be mitratechsamlsamplepk.
 		 clipboard_e89aa5f7ea17aa3e6acee6b651105c7ec.png
f. Set Signature security profile to MetalOP (default). This requires both sp and idp to have a specific key for signatures and is highly recommended for security reasons. If using public CAs for signing, change this to PKIX (Not recommended). clipboard_e3ef79498ffb56f7653c3f29940f17cd0.png
g. Set SSL/TLS security profile to PKIX (default). This allows connections between the sp and idp to validate using public CA certificates. If using private keys for communication, switch this to MetalOP.
 		 clipboard_e7fd50abbcabd69573e79179ea946b5b4.png
h. Set SSL/TLS hostname verification to Standard hostname verifier. If using localhost or non-public certificates for SSL, set this value to Allow All. clipboard_e25b81406972a81633c23259ce8da79f9.png
i. Leave SSL/TLS client authentication as None. If using private keys for SSL, then choose the matching alias from the keystore here. clipboard_ed248883c25bddd07da70330020a367cc.png
j. Set Sign metadata to Yes. It is generally insecure to not sign the metadata, so leaving this as No is not recommended.
 		 clipboard_e6700614a16c822518c4b718f92f4a96a.png
k. Set Sign AuthNRequests to Yes. It is generally insecure to not sign the authentication requests, so leaving this as No is not recommended. clipboard_eb208bb5366f40b8b03a2a7dcfc42467c.png
l. Leave Require signed authentication Assertion as No. If you set up Assertion encryption during IDP Setup, then you will want to set this to Yes. clipboard_e85f81abf796a9fe0cfed9d6fd1517c66.png
m. If you set up SLO during IDP setup and are following the example in Okta, then Require signed LogoutRequest and Require signed LogoutResponse should both be set to Yes. Other IDPs might not require SLO to have signed requests, but Okta does. If you IDP does not require it, and you choose not to have signed logout requests, then you can leave these as No. clipboard_e1572192991d4d6fd6bca88b89d9b29f2.png
n. Leave Require signed ArtifactResolve as No. If  IDP allows configuration of this setting,  you can set this to Yes if doing so. Okta does not provide this setting. clipboard_ec5bb09727d256ecd561a531e20835dcc.png
o. Leave default settings for Single sign-on bindings unless the integration uses special protocols.
 		 clipboard_ee75dfc53094939caecc048722e18e81f.png
p. Leave default settings for Supported NameIDs, which will allow the IDP to be slightly flexible. If needed limit the list as well to the declared in IDP setup. clipboard_e96b4171d067c173f5250c7a7f8eea5e9.png
q. Click Generate metadata. clipboard_e0656e644dd179fb72010e188fdffbb88.png
r. Copy the contents of Metadata and save them in a file called sp.xml.
 		 clipboard_e847f10934e7e4558d1915cc8f1a18f5f.png
s. Copy the contents of Configuration to a notepad for use in the next steps. clipboard_e406c1c17732e0c90b6f599889c05d138.png

t. Stop the SAML server.

u. Open the WAR file again with 7zip.

v. Replace sp.xml in <WAR-file>/WEB-INF/classes/metadata with the file that was just created.

 clipboard_eafa115c468faf19df5360375f6bf4d57.png
w. Navigate to <WAR-file>/WEB-INF/classes and edit securityContext.xml. Search for the bean with class org.springframework.security.saml.metadata.ExtendedMetadata and replace it with the configuration contents copied during step 9s. Save the changes and update the WAR file.

x. Redeploy the application.		 clipboard_eb6b0a00cb4a8eb93e72f5ea8ce5cc9c6.png

 

TeamConnect Setup

This section goes over the steps to integrate the TeamConnect application with the SAML-IDP infrastructure. This section only details the process of integrating with our offered SAML solution. Custom SAML solutions can also be integrated with TeamConnect, but generally will require Services through Mitratech or one of our implementation vendors.

Instructions 
Screenshot for reference
1. Copy the TeamConnect-SSO resources provided with SAML to an accessible place.
 		 clipboard_ebb04e18acf5977dc0447a838345456b9.png

2. Log into TeamConnect as an administrator.

3. Navigate to Documents > Top Level > System

 clipboard_e4a7f74d8bb4683bd07abe70ed9f10077.png
4. Navigate into the Authentication folder. If the folder does not exist yet, then create it. Then create a folder with the name you want this integration to have. In this case, it is called SAML. Navigate into the new folder.
 		 clipboard_e23b38682d8930625463cf15583a584ec.png
5. Create two folders within the integration’s parent folder named classes and pages. clipboard_e9137b3326b4714267a55b28779d86db2.png

6. Navigate into the pages folder.

7. Open the badCredentials.html file from the SAML files copied earlier. Edit the root URLs listed in the file to the URL that matches the SAML server. Under isolation network environment, add the Redirect attribute displayed in the comment section below as well. This will ensure the user’s initial target page is retained through authentication and isolation.

 clipboard_ed708f7a4022748b707849494737525fb.png
8. Open the logout.html file from the SAML files copied earlier. Edit the root URLs listed in the file to the URL that matches the SAML server. If you are using SLO, as in the current example,  set local=false and add {user.token} as an additional parameter (see screenshot below) clipboard_e8a3f2a30288a2f00d54def3358498d94.png
9. Edit the sessionTimeout.html page if you desire, but it doesn’t add any functionality other than a landing page.

10. Upload all edited html files to TeamConnect in the pages folder.		 clipboard_ebcd08647ad499810c9dada3e2efdc9e9.png

11. Navigate to the classes folder in TeamConnect

12. Open the authenticationDescriptor.properties file from the provided SAML files to edit.

  1. Set tc.displayName to what name you want to render in the UI in Admin Settings.
  2. Set tc.uniqueId to what you named the integration folder in TeamConnect > Documents > System > Authentication. SAML in this example.
  3. Set tc.isSSO to true to enable SSO flow in TeamConnect.
  4. Set tc.isSLO to true if configuring the system with SLO. Leave as false if not implementing SLO.
  5. Set tc.authenticatorClassName to SAMLAuthenticator. This value will be different if using a custom SSO solution. This should match the class name that handles the SSO logic on the TeamConnect side.
  6. Set tc.ssoHostURL to the base URL of the SAML server. This setting is really only important if you have custom endpoints that could be accessed from outside TeamConnect.
  7. Set page.badCredentials to badCredentials.html
  8. Set page.logout to logout.html
  9. Set page.sessionTimeout to sessionTimeout.html
  10. Save the file.













clipboard_e1ea6b2410ee368d8a0ae1f862d061067.png
13. Upload authenticationDescriptor.properties, Crypto.class, and SAMLAuthenticator.class into the classes folder in TeamConnect. clipboard_eb9f5d0076107217275e2120bdcaee58b.png
14. Navigate to Admin > Admin Settings > Security and scroll down to the Authentication Plug-in section. Hit the Reload button and set the Default Authentication Method to SAML Single Sign-On (or as the integration was named in its properties file).
 		 clipboard_ed9e24e3ddcfd16cf2043bd3597db37a6.png