Configure Single Sign-on for SAML - Precisely_EnterWorks - EnterWorks - 11.0

EnterWorks Guide

Product type
Software
Portfolio
Verify
Product family
EnterWorks
Product
Precisely EnterWorks
Precisely EnterWorks > EnterWorks
Version
11.0
Language
English
Product name
Precisely EnterWorks
Title
EnterWorks Guide
Copyright
2024
First publish date
2007
Last updated
2025-01-07
Published on
2025-01-07T07:44:20.997000

EnterWorks can be configured to manage users through an Identity Provider (IDP) using the SAML protocol.

Due to operational requirements, port and SAML protocol usages may differ between development, test, QA, staging, and production environments.

The services for both the New UI and the Classic UI need to be configured to use SSO. The process of configuring them consists of editing the scripts that create the services to set parameters for the services, editing shared configuration properties, then using the scripts to recreate the affected services.

The following table indicates the names of the EnterWorks services that must be configured for SSO using SAML, plus the names of the scripts used to perform the configuration.

Service Script
enable-web-server-service create-enable-web-server-service.cmd
enable-api-go-service create-enable-api-go-service.cmd

To configure EnterWorks for SSO using SAML:

  1. Obtain Metadata

    Metadata files define how communication occurs between an Identity Provider (IDP) and a Service Provider (SP) application. Both the IDP and the SP application need to either supply metadata files, provide the URLs of the metadata files, or provide some of the content that would be in their metadata files.

    EnterWorks (the Service Provider in this case) has two application endpoints that need to be configured to communicate with the IDP, enable2020 and webcm. Both need to be configured to support SSO, therefore they both need metadata from the IDP and they both need to supply metadata.

    1. IDP's metadata: The customer will provide you with either the IDP's metadata files or the URLs of the IDP's metadata files. If the customer supplies the files, on the server that hosts the enable-web-server-service, copy the metadata files to the folder:

      
                  <drive>:\Enterworks\certs\saml
    2. EnterWorks metadata: The customer may or may not request metadata files for enable2020 and webcm.

      1. If they do not want metadata files, supply them with the callback locations:
        <hostname>/authorization-code/callback
        <hostname>/authorization-code/callback/webcm
      2. If they do want metadata files, generate them. Go to the indicated URL and a metadata file will be created and downloaded:
        • enable2020: <localhost>/saml/metadata

        • webcm: <localhost>/saml/metadata/webcm

      3. Some IDPs require that you use the information in the metadata files to configure the IDP manually. If the IDP you are using does, configure it now. For a list of IDP-specific configuration settings, see Settings for Manual Configuration of Specific IDPs.

        1. EnterWorks uses the following attribute statements:
          • login

          • firstName

          • lastName

          • email

        2. If login is not passed as an attribute, Named ID will be used instead. If firstname and lastname are both missing, EnterWorks will use login as the username that will be displayed in the UI.
        3. If SSO is being configured to manage the user's group membership as well, the following group statement must also be specified:
          • groups

      4. Instructions are given below for mapping attribute statement tags that are named differently that what EnterWorks expects.
  2. On all servers that host any of the following services:
    enable-web-server-service
    enable-api-go-service
    1. The create-scripts (create-<service-name>-service.cmd) are located in the following folder:
      <drive>:\Enterworks\enable2020\services\install\
    2. Back up the create-service scripts for the affected services. Copy the following scripts:
      • create-enable-web-server-service.cmd

      • create-enable-api-go-service.cmd

      to:
      <drive>:\Backup
      To make possible future troubleshooting easier, rename the create-service scripts in the Backup folder by appending the date or datetime to the end of their filenames.
    3. Edit the shared configuration properties as follows:

      • fromApp.secureAuth.trustedSignOn=true

      • fromApp.secureAuth.idp.type=3

    4. Set the configuration parameters for enable-web-server-service:

      1. Edit the file:
        <drive>:\Enterworks\enable2020\services\install\create-enable-web-server-service.cmd
      2. If the setting -samlSsoSettings doesn't exist in the script, add it.
      3. Set the value of -samlSsoSettings to point to the IDP's metadata for enable2020 and webcm. The setting indicates if the locations of the metadata files are given as a file path or a URL. The metadata files do not have to both be in the same location. They also do not both have to be indicated the same way; one file's location can be stated as a file path and the other file's location can be stated as a URL. The format of the -samlSsoSettings string is:
        -samlSsoSettings=\"enable2020|<file or url>|<location of metadata>;webcm|<file or url>|<location of metadata>\"
        where:
        • <file or url> is the word "file" if <location of metadata> is a file path or the word "url" if <location of metadata> is a URL.
          Note: Using a URL is recommended due to its simplicity and ease of use.
        • <location of metadata> is the file path or URL of the metadata file.

        For example:
        -samlSsoSettings=\"enable2020|url|http://dev-xxx.oktapreview.com/<...>/sso/saml/metadata;webcm|file|<drive>:\EnterWorks\certs\saml\"
      4. If the setting -spHost doesn't exist in the script, add it.
      5. The setting -spHost must be set to the domain name indicated in the webapps.baseUrl setting in the shared configuration properties. For example, if:
        webapps.baseURL=https://<domain>.com/webcm/ 
        then set:
        -sphost=https://<domain>.com
      6. If you want to map attribute statements tags that are different than what EnterWorks expects:
        1. If you have not already created an SSO mapping file, Create the SSO Mapping File.
        2. Set the ssoMappingConfig parameter to indicate the location of the sso-mapping.json file:
          -ssoMappingConfig=<drive>:\Enterworks\enable2020\services\sso-mappings\
      7. If you want to configure SSO to use a token signing certificate, uncomment out the setting: samlSigningSPKeysPath and set it to indicate the location of the token_cert.pem certificate file:
        -samlSigningSPKeysPath=<drive>:\Enterworks\certs\saml
        For more information about how EnterWorks obtains a signing certificate, see Obtaining a Signing Certificate.
      8. Save the create-enable-web-server-service.cmd script.
      9. Use the create-enable-web-server-service.cmd script.
    5. Set the configuration parameters for enable-api-go-service

      1. Open create-enable-api-go-service.cmd for editing.
      2. The setting -ssoEnabled has been deprecated. If it is present in the file, remove it.
      3. If the setting -ssoIndicator doesn't exist in the script, add it.
      4. Set the value of -ssoIndicator:
        • -ssoIndicator=2 (Recommended setting.) EnterWorks will only request that the IDP authenticates users. When an existing EnterWorks user logs into EnterWorks, EnterWorks will confirm with the IDP that the user exists in the IDP's directory. If the user exists, EnterWorks will allow the user to log in.
          Note: Ensure that the user is created in both the IDP directory and the EnterWorks application.
        • -ssoIndicator=1: (Default) Just In Time (JIT) provisioning (also known as Automatic provisioning). See Just In Time Provisioning.
          Note: The user will be created in the EnterWorks application as soon as they log in. You may need to verify the permissions for the created user.
      5. Save the script.
      6. Use the script.
    6. Restart all services.

EnterWorks is now configured for SSO using SAML.