The Fusion capability manages single sign-on activity and provides user management functions. You can configure Fusion to establish a trust relationship with your external identity provider. With this authentication method, a user's email address, taken from the 'email' claim value supplied by the SAML2 Identity Provider, maps to the userID of the Fusion user.

NOTE: Time-synchronize Fusion and the external SAML 2.0 IDP to the same NTP server. In the configuration UI, ensure that the session timeout matches the value that the external IDP has configured for user session timeouts.
Trusted Provider Metadata: the metadata document for a trusted SAML provider with which an SSO-defined provider interacts must be obtained in a provider-specific manner. Not all providers do so, but many supply their metadata document via a URL.

Once you have the trusted provider's metadata document (or the URL at which it is published), configure the SSO provider that will interact with the trusted provider with that metadata. In the document, modify the <Metadata> element within the <AccessSettings> element under either the <TrustedIDP> element or the <TrustedSP> element.

The SAML attribute that identifies the user is set with the mapping-attr property, for example:

com.microfocus.sso.default.login.saml2.mapping-attr = email

Here, email refers to the name of the email attribute sent by the SAML2 IDP.
To integrate with an external SAML provider:

1. On the CDF server, open the sso-configuration.properties file, located by default in the /opt/arcsight/nfs/vol/arcsight/sso/default directory.

2. Add the following properties to the file:

   com.microfocus.sso.default.login.method = saml2
   com.microfocus.sso.default.saml2.enabled = true

3. To specify the address where the IDP supplies its metadata document, complete one of the following actions:

   a. Add the following property to the file:

      com.microfocus.sso.default.login.saml2.metadata-url = IDP SAML metadata URL

      For example, a Keycloak server URL could be https://KeycloakServer/auth/realms/YourRealm/protocol/saml/descriptor.

      NOTE: For HTTPS to work properly, you must import the IDP certificates into the Fusion single sign-on keystore as described in Step 5.

   b. Convert the metadata XML file to a base64 string, then add the following property to the file:

      com.microfocus.sso.default.login.saml2.metadata = base64 encoded metadata xml

4. Save the changes to the sso-configuration.properties file.

5. (Conditional) If you specified the metadata URL in Step 3, complete the following steps to import the IDP certificate into the SSO keystore:

   a. Copy the IDP certificate to the following location:

      /path/to/sso/default/

   b. Get the pod information using the following command:

      kubectl get pods --all-namespaces | grep osp

   c. Open a terminal in the currently running hercules-osp pod:

      kubectl exec -it hercules-osp-xxxxxxxxxx-xxxxx -n arcsight-installer-xxxxx -c hercules-osp -- bash

   d. Import the IDP certificate file using the following commands:

      cd /usr/local/tomcat/conf/default/
      keytool -importcert -file CertificateFileName -keystore sso.keystore -storepass $KEYSTORE_PASSWORD -alias AliasName

      where
      CertificateFileName represents the name of the certificate file that you want to import.
      AliasName represents the new alias name that you want to assign to the certificate in the SSO keystore.

   e. Restart the pod by completing the following steps:

      i. To get the pod information, enter the following command:

         kubectl get pods --all-namespaces | grep osp

      ii. To delete the currently running pod, enter the following command:

         kubectl delete pod hercules-osp-xxxxxxxxxx-xxxxx -n arcsight-installer-xxxxx

6. Retrieve the Fusion SSO SAML service provider metadata from the Fusion server:

   https://Fusion_server/osp/a/default/auth/saml2/spmetadata

   where Fusion_server represents the host name of the Fusion server.

7. Use the Fusion SSO SAML service provider metadata to configure your IDP. For more information, see the IDP software documentation.

8. To establish a trust relationship between Fusion SSO and your IDP software, create certificates for your IDP software. For more information on how to create and import certificates in your IDP software, see the IDP software documentation.
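Steps 3b and 5 both start from the IDP metadata document: one needs the whole XML base64-encoded into a property value, the other needs the IDP signing certificate as a file that keytool can import. The following Python script is an added example, not part of this documentation or of the Fusion product; it parses a constructed Keycloak-style metadata document (the certificate bodies are placeholders, not real X.509 data), writes each signing certificate as a PEM block, builds the metadata property line, and decodes it back to confirm the stored value is intact.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET
from typing import List

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample IDP metadata; the certificate bodies are placeholders, not real X.509 blobs.
FAKE_CERT_B64 = base64.b64encode(b"constructed-placeholder-not-a-real-certificate").decode()
FAKE_ENC_B64 = base64.b64encode(b"constructed-placeholder-encryption-key-cert").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://KeycloakServer/auth/realms/YourRealm">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {FAKE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_ENC_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://KeycloakServer/auth/realms/YourRealm/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def signing_certs_as_pem(metadata_xml: str) -> List[str]:
    """Return each signing certificate in the IDP metadata as a PEM block for keytool -importcert."""
    root = ET.fromstring(metadata_xml)
    pems = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # No 'use' attribute means the key serves both signing and encryption, so keep it.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())  # drop the whitespace most IDPs insert
            base64.b64decode(b64, validate=True)        # fail early on a corrupt blob
            body = "\n".join(textwrap.wrap(b64, 64))
            pems.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return pems


def metadata_property(metadata_xml: str) -> str:
    """Build the properties line for the inline option: the whole XML document, base64 encoded."""
    encoded = base64.b64encode(metadata_xml.encode("utf-8")).decode("ascii")
    return f"com.microfocus.sso.default.login.saml2.metadata = {encoded}"


def decode_metadata_property(line: str) -> str:
    """Inverse of metadata_property, to check a value in the file before restarting the pod."""
    _, _, value = line.partition("=")
    return base64.b64decode(value.strip(), validate=True).decode("utf-8")
```

Write each returned PEM block to a file under the sso/default directory and pass that file name to keytool as CertificateFileName; the encryption-only certificate is deliberately skipped because only the signing key is needed to validate IDP responses.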