Configuring Single Sign-on with SAML

If you are using single sign-on with Archibus, hosted behind a SAML Service Provider, follow the steps in this topic to configure Archibus for SAML.

Note: When you configure the SAML timeout, set it less than the Web Central timeout.

Prerequisites for Web Central SAML Configuration

The prerequisites are provided by an IT resource and are outside the scope of this document.

Install and configure a SAML Service Provider and Reverse-proxy

  1. Install Service Provider.
    • Example: Shibboleth SP installed on Apache HTTP server or Microsoft Internet Information Server
  2. Configure SAML SP to protect the Web Central server.
    • Example: Modify Shibboleth SP's shibboleth2.xml configuration file.
  3. Configure web server to reverse-proxy authenticated sessions to Web Central.
    • Example: mod_proxy and mod_proxy_ajp on Apache HTTP or Apache JK on Microsoft Internet Information Server
  4. Configure SAML SP to extract from the SAML response the following values:
    • a unique ID (such as email or sAMAccountName);
    • email (optional).
  5. Present the unique ID and email as HTTP header name/value pairs.
    • Example: Modify Shibboleth SP's attribute-map.xml configuration file.
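As an added example that is not part of the Archibus documentation, the following Apache httpd fragment shows steps 2, 3 and 5 above with Shibboleth SP and mod_proxy_ajp; the module path, ports, attribute names and the /archibus context path are assumptions.

```apache
# Added example, not from the Archibus documentation. Module path, ports,
# attribute names and the /archibus context path are assumptions.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_ajp_module  modules/mod_proxy_ajp.so
LoadModule mod_shib          /usr/lib64/shibboleth/mod_shib_24.so

# Shibboleth SP handler endpoint (metadata, assertion consumer service).
<Location /Shibboleth.sso>
    SetHandler shib
</Location>

# Step 2: require a SAML session for everything under the Web Central path.
<Location /archibus>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user

    # Step 5: expose the attributes mapped in attribute-map.xml as HTTP
    # request headers. With this on, the SP also clears any copy of those
    # headers that arrived from the client, so Web Central only sees values
    # the SP itself produced.
    ShibUseHeaders On
</Location>

# Corresponding attribute-map.xml entries (assumed attribute names):
#   <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
#   <Attribute name="sAMAccountName"
#              nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
#              id="sAMAccountName"/>
# The "id" value is the header name entered in username-source.properties.

# Step 3: hand the authenticated request, headers included, to Web Central.
# Tomcat's AJP connector is assumed to listen only on 127.0.0.1:8009 so the
# application cannot be reached without passing through this proxy.
ProxyPass        /archibus ajp://127.0.0.1:8009/archibus
ProxyPassReverse /archibus ajp://127.0.0.1:8009/archibus
```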

Configuring Web Central

Once your Service Provider (e.g. Shibboleth) is set up, you need to configure Web Central with the names of headers that the authentication system is providing.

The only required header is the one that specifies username (unique ID). This is set in step 4, below.

Once you have the email and unique ID that the authentication system will provide, make the following changes to the Web Central security configuration.

  1. Turn on SAML authentication in /WEB-INF/config/security.properties:
    • security.configurationFile=context/security/security-preauth-saml.xml
  2. Modify the saml.properties file.
    • Enter the project ID and autoCreateUserAccount.
    • If autoCreateUserAccount is true and the user account does not exist, Web Central creates the user account with the values specified in the request header and in the properties file. Values from the properties file are used for any values not supplied in the request header.
    • (Note: If your SAML Service Provider is Shibboleth's Service Provider, the header name should be in all caps.)
  3. If autoCreateUserAccount is false, create records in the afm_users table for any authenticated users that should be granted access to Web Central. The afm_users.user_name field should be filled with the unique ID coming from the SAML Service Provider.
  4. Modify the WEB-INF/config/context/security/preauth/username-source/request-header/username-source.properties file: enter the name of the header that specifies the unique user ID.

Configuring the Smart Client and Smart Client Extensions for AutoCAD and Revit

When selecting the server to connect to, select the "Use SAML authentication" option:

[Screenshot: saml_revit.png]

Configuring the Outlook Plugin

Also see Reservations Plugin for Microsoft Outlook: Installation / SAML

To let the Outlook Plugin connect with SAML, add the SamlActive="true" attribute to the Settings element in OutlookPlugin.dll.config.

To specify which security protocol to use, add the SecurityProtocol="Tls12" (for TLS 1.2) attribute to the Settings element in OutlookPlugin.dll.config.

Example settings are:

DefaultAppServerLocation="https://qsrv.archibusgo.com/archibus/"
DefaultProject="Hq"
SamlActive="true"
SecurityProtocol="Tls12"

Note: When the Outlook Plugin is configured for SAML, it generates a user.config file after the first successful connection. The SAML setting in this user.config file takes precedence over the setting in the installation folder, even after reinstalling the Plugin for connecting to a non-SAML server. This results in the inability to connect.

To work around this issue, when changing the server for the Outlook Plugin from a SAML server to a non-SAML server, delete the user.config file under %LOCALAPPDATA%.

See also

Authentication with SAML