Details

    • Type: Technical Documentation
    • Status: Closed
    • Priority: Minor
    • Resolution: Completed
    • Affects Version/s: 7.4.X, Master
    • Fix Version/s: None
    • Labels:
      None
    • Sprint:
      Iteration 43, Iteration 44, Iteration 45, Iteration 46, Iteration 47, Iteration 48, Iteration 49
    • Type of Documentation:
      Deployment

      Description

      Confluence page

      https://liferay.atlassian.net/wiki/spaces/ENGAPPSECURITY/pages/1481605784/Doc+Documentation+of+the+Story+As+a+Portal-Wide+Administrator+I+want+to+send+and+apply+SAML+configuration+from+one+instance+in+SaaS+into+another+instance+in+SaaS

      Background
      This functionality is only available in the Liferay SaaS product. It allows all SAML configuration and SAML-related certificates to be exported from one environment to another.
      The idea is that, after SAML has been tested in a "Sandbox" environment, all the data needed to make SAML work can be sent to a "Production" environment with one click.
      It is only available on 7.3.x, in the osb folder: https://github.com/martamedio/liferay-portal-ee/tree/7.3.x/modules/dxp/apps/osb/osb-saml

      Features
      If all the prerequisites for SaaS are met (see the next section, Steps and Pre-Requisites), a new Export button appears on the General tab of SAML Admin.
      When the export action is executed, all SAML-related data is read from the current environment and sent to the environment marked as "Production". Please note that any SAML data previously configured in that target environment ("Production") will be deleted.

      On the technical side: we obtain all the necessary SAML data from the "Sandbox" environment and build a payload in JSON format. The payload is encrypted symmetrically (using the pre-shared key that both environments share) and sent to an endpoint exposed by the target environment ("Production").
      At the target environment ("Production"), the payload is symmetrically decrypted and used to replace all the existing SAML data (the existing SAML Admin configuration in that environment is lost).

      Steps and Pre-Requisites
      There are some prerequisites that must be configured by the SaaS Team for this functionality to be operational.

      • Both environments must have a SaaS-SAML configuration, provided through a config file. This file configures the two environments for the export/import.
        • The configuration file name must follow this pattern:
          com.liferay.osb.saml.internal.configuration.OSBSamlConfiguration.scoped-XXX.config

          • "Sandbox" environment: if this configuration is not present, the "Export" button will not show up.
            • saml.saas.production.environment: false
            • saml.saas.pre.shared.key: security pre-shared key used to send the information; it must have the same value in both environments
            • saml.saas.target.instance.import.url: http://PRODUCTION-URL/o/saml-saas-import
          • "Production" environment: if this configuration is not present, the process fails with an error (in the log and in the UI).
            • saml.saas.production.environment: true
            • saml.saas.pre.shared.key: security pre-shared key used to send the information; it must have the same value in both environments
            • saml.saas.target.instance.import.url: must be empty
      • On both environments, under System Settings - SAML KeyStoreManager Implementation Configuration, the KeyStore Manager target must be Document Library Keystore Manager, or the default value ("Choose an Option"), since that is the default keystore storage.
        If not:
        • "Sandbox" environment: the button will not show up
        • "Production" environment: an error appears during the execution of the process (log and UI)
      • The "Export" functionality is only available when the "Sandbox" environment is configured with the Service Provider SAML role; the button does not appear if the selected role is Identity Provider.

      See the attached files as examples.

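As an added illustration (not one of the attachments on this issue), this is what the two files named after the pattern above could contain. Each block below is a separate file, one per environment; the `#` lines are annotation only. The typed-value syntax (`B"..."` for booleans, double-quoted strings) is the OSGi `.config` format Liferay reads, which is assumed here rather than stated in the issue, and the secret and host are placeholders. `XXX` in the file name is left exactly as the issue gives it.

```properties
# Sandbox: com.liferay.osb.saml.internal.configuration.OSBSamlConfiguration.scoped-XXX.config
saml.saas.production.environment=B"false"
saml.saas.pre.shared.key="REPLACE-WITH-A-LONG-RANDOM-SECRET"
saml.saas.target.instance.import.url="http://PRODUCTION-URL/o/saml-saas-import"

# Production: com.liferay.osb.saml.internal.configuration.OSBSamlConfiguration.scoped-XXX.config
saml.saas.production.environment=B"true"
saml.saas.pre.shared.key="REPLACE-WITH-A-LONG-RANDOM-SECRET"
saml.saas.target.instance.import.url=""
```

The pre-shared key is the only thing that stops an arbitrary caller from pushing SAML data into Production through the import endpoint, so treat it like any other credential: generate it randomly, keep the two copies identical, and rotate it in both files together.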

      Technical Note

      We use the standard Java cryptography APIs to encrypt the data. If the Java version in use is older than Java 8u162, it may be necessary to manually install the Java Cryptography Extension (JCE) policy files in order to make the required encryption algorithm available.
      To do so, extract the jar files from the policy zip and save them in:

      ${java.home}/jre/lib/security/

      More info and links to download the Oracle JCE zip: https://stackoverflow.com/a/6481658/1303637

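The Java program below is an added example, not code from the osb-saml module, and it covers the round trip described under Features together with the JCE note above: the Sandbox side serialises the SAML data as JSON, derives an AES-256 key from saml.saas.pre.shared.key, encrypts with AES/GCM and ships the Base64 blob; the Production side derives the same key, decrypts and authenticates the payload, and only then would replace its SAML data. The choice of PBKDF2 for key derivation, AES-256-GCM, the fixed salt, the class and method names and the sample payload are all assumptions for illustration; the issue does not state which algorithm the module uses. unlimitedStrengthAvailable() is the condition behind the policy-file note: without those files, a JDK older than 8u162 caps AES at 128 bits and a 256-bit key is rejected.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Illustrative round trip for the SAML SaaS export; not the osb-saml implementation. */
public class SamlSaasPayloadExample {

    private static final int KEY_BITS = 256;          // needs the JCE policy files on JDKs before 8u162
    private static final int IV_BYTES = 12;           // recommended GCM nonce size
    private static final int TAG_BITS = 128;          // GCM authentication tag length
    private static final int PBKDF2_ITERATIONS = 200_000;
    // Constructed, fixed salt (assumption) so both environments derive the same key from the pre-shared key.
    private static final byte[] SALT = "saml-saas-export-v1".getBytes(StandardCharsets.UTF_8);

    /** Same condition the Technical Note is about: without the policy files, older JDKs cap AES at 128 bits. */
    static boolean unlimitedStrengthAvailable() throws GeneralSecurityException {
        return Cipher.getMaxAllowedKeyLength("AES") >= KEY_BITS;
    }

    /** Derives a 256-bit AES key from saml.saas.pre.shared.key; both environments must run the same derivation. */
    static SecretKey deriveKey(String preSharedKey) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(preSharedKey.toCharArray(), SALT, PBKDF2_ITERATIONS, KEY_BITS);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    /** Sandbox side: encrypts the JSON payload; output is Base64(iv || ciphertext || tag). */
    static String encrypt(String preSharedKey, String jsonPayload) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);               // fresh nonce per export; never reuse one with the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(preSharedKey), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ciphertext = cipher.doFinal(jsonPayload.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ciphertext.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ciphertext, 0, out, iv.length, ciphertext.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Production side: decrypts and authenticates before any existing SAML data would be replaced. */
    static String decrypt(String preSharedKey, String transport) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(transport);
        if (in.length < IV_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("payload too short to carry a nonce and a tag");
        }
        byte[] iv = Arrays.copyOfRange(in, 0, IV_BYTES);
        byte[] ciphertext = Arrays.copyOfRange(in, IV_BYTES, in.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, deriveKey(preSharedKey), new GCMParameterSpec(TAG_BITS, iv));
        // doFinal throws AEADBadTagException if the PSK differs or the payload was modified in transit
        return new String(cipher.doFinal(ciphertext), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("AES-256 available on this JVM: " + unlimitedStrengthAvailable());

        // Constructed sample payload; the real export carries the SAML Admin configuration and certificates.
        String payload = "{\"samlRole\":\"sp\",\"entityId\":\"https://sandbox.example.test\",\"certificates\":[]}";
        String psk = "replace-with-the-shared-saml.saas.pre.shared.key";

        String transport = encrypt(psk, payload);
        String roundTrip = decrypt(psk, transport);
        System.out.println("round trip intact: " + payload.equals(roundTrip));

        try {
            decrypt("a-different-key", transport);
            System.out.println("unexpected: decrypted with the wrong key");
        } catch (AEADBadTagException e) {
            System.out.println("wrong key or tampered payload rejected; nothing would be imported");
        }
    }
}
```

Because the import in Production deletes whatever SAML configuration is already there, the authenticated mode matters more than the confidentiality: with GCM, a payload encrypted under a different pre-shared key or altered in transit fails in decrypt() before any existing data is touched, which is the behaviour an operator wants from a one-click destructive import. A per-export random salt carried in the payload header would be an improvement over the fixed one used here.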

      Code
      All the code related to this functionality is in the modules/saas folder (note that this folder is not part of the build): saml-saas

              People

              Assignee:
              marta.medio Marta Medio (Inactive)
              Reporter:
              nora.szel Nóra Szél