HomeGuidesRecipesAPI
HomeGuidesAPILog In
Guides
These docs are for v11.0. Click to read the latest docs for v31.

Infiniti supports SAML 2.0 allowing a nominated identity provider enabling Single sign-on (SSO) between Infiniti Manage and Produce and other service providers. Common SAML 2.0 implementations implement Infiniti forms within another application.

When configured correctly, when navigating to Infiniti a request is sent to the identity provider via HTTP-POST. The identity provider will determine whether the user has already been authenticated or requires login. Regardless after a successful login has occurred a response is sent to Infiniti containing the user’s username (referred to as NameId which is a required field) and optionally other user profile information (name, email, address, group memberships, etc.). The response must be signed so that Infiniti knows it is from a trustworthy source.

Prerequisites

An existing Infiniti environment installed with default forms authentication.

A SAML 2.0 provider with ◦An Identity Provider (Idp) configured to

  • Return a group memberships as an assertion attribute (e.g. IsMemberOf) (mandatory to ensure at least one user can be added to an Infiniti Administrator Role after the switch to SAML) within the SAML assertion
  • Return profile information such as first and last name (Optional)

Service Providers for both Infiniti Manage and Infiniti Produce whereby:

  • The response is configured to be sent via HTTP-POST to: http://yourserver/Manage/SamlAuthenticate.aspx or http://yourserver/Produce/SamlAuthenticate.aspx respectively
  • The above post response is signed (see Appendix A for an example Response)
  • A meaningful name is given to the Service Providers (usually Produce and Manage)
  • A certificate either installed on the Infiniti web server or uploaded as file that can be used to check the SAML response signature (I.e. the certificate used by the IdP to sign the response).
  • A user configured in the SAML 2.0 provider for testing that is a member of at least one known group.

How to configure SAML 2.0

By default Infiniti Installations use Forms Authentication as the licensing and an administrator group must be configured before SAML can be configured.

Step 1 - Identify an SAML Infiniti Administrator Group

When the first user (usually a server administrator) attempts to access Infiniti via SAML Authentication, Infiniti needs to assign permissions so they can access appropriate functions. If this step is not completed users will be not be able to actually do anything post authentication.

When the first user (usually a server administrator) attempts access, Infiniti needs to assign them permissions so they can access appropriate functions. If this step is not completed users will not be able to actually do anything post authentication. Use the article below to configure an external group

Step 2 - Enable and Configure SAML

  • Navigate to Settings and 'New Group' and click the SAML 2.0 Tab
  • Check the SAML 2.0 checkbox and configure the now enabled settings as per the screen shot and table below.
1149
SettingDescriptionExample
Create UsersAn option if to actually create a user in the Infiniti platform. Necessary for any form that involves workflow and is useful for tracking and auditingUsually checked
IssuerThe Issuer ID of the Identity Providerhttp://openam.example.com:8080/openam
Manage Entity IdThe Entity Id of the Manage Service ProviderManage, ManageTest, ManageProd Etc.
Produce Entity IdThe Entity Id of the Produce Service ProviderProduce, ProduceTest, ProduceProd Etc.
Metadata URLThe metadata URL for a supported SAML IDP from where Infiniti will read the information for the service

* If user enters metadata URL and clicks save, Infiniti should be able to populate Issuer, Login URL, Logout URL and Identity provider certificate from this URL.
http:///idp/metadata.php
Identity Provider Login URLThe URL of the Single Sign on Service URL that Infiniti will make the HTTP-Post Request to.http://openam.example.com:8080/openam/SSOPOST/metaAlias/idp
Identity Provider Logout URLThe URL of the Single Sign on Service that Infiniti will make a logout request to. This value is optional. If you wish to use a logout service, you must also supply the Infiniti Signing Certificate (below)http://openam.example.com:8080/openam/metaAlias/#logout
Identity Provider CertificateThe certificate Infiniti will use to check the signature received in the HTTP-POST Response.

A certificate can be installed on the server and referenced by a thumbprint or uploaded directly to the application.
N/A
Infiniti Signing CertificateThe certificate Infiniti will use to create the signature for the logout request.

A certificate can be installed on the server and referenced by a thumbprint (preferred) or uploaded directly to the application (not recommended as this requires the private key to be included and no password)

Step 3 - User profile Mapping
As attributes specified in a SAML response are arbitrary it is necessary to map particular user profile fields to the values provided in the SAML response.

  • Navigate to the User Profile Mapping Tab.
  • Provide at least the name of the attribute where the user’s Group Memberships are specified.
  • Optionally specify any other user fields. See Appendix B for a complete list of available Mapping fields
  • Save
1278

Step 4 Test

  • Close all browsers to ensure any existing Infiniti Sessions are removed.
  • Open a new browser and navigate to Infiniti Manage or Produce.
  • Infiniti will attempt to create a SAML session as per the settings configured above. You should either be redirected to the Produce/Manage Home Page or the Identify Provider’s Login screen should you not already have an existing session.

Logging and Troubleshooting

When attempting SAML 2.0 authentication Infiniti makes a HTTP-POST request to the identity provider and awaits a response. If both the request and response are successfully made and received Infiniti will log any errors occurred whilst processing the response in the database (for example a failure when checking).

With the logging setting in step 2 above enabled. Logs can be retrieved from the Infiniti database using the following SQL query.

SELECT *
FROM EventLog
ORDER BY DateTime DESC

Where reconfiguration is required SAML 2.0 authentication can be rolled back via the database using the SQL query below. Note the query is appropriate for single tenant environments only.

UPDATE Business_Unit
SET SamlEnabled = 0
WHERE Business_Unit_Guid = '0CC2007E-3344-4059-B368-9BAD2B9BD42B'
SAML 2.0 AUTHENTICATION START
UTCTime: 12/20/2017 4:17:42 AM
Relay State: 0cc2007e-3344-4059-b368-9bad2b9bd42b
Business Unit: 0cc2007e-3344-4059-b368-9bad2b9bd42b
Loading SAML Response
LOGIN STATUS
Login Status urn:oasis:names:tc:SAML:2.0:status:Success
ASSERTION NODE
CONDITIONS
TIME RANGE CHECK
NotBefore:12/20/2017 4:17:12 AM
Now:12/20/2017 4:17:42 AM
NotOnOrAfter:12/20/2017 4:22:42 AM
Time Range OK
ISSUER
Issuer OK
SIGNATURE VALIDATION
Checking response node for signature. + (samlp:Response/ds:Signature)
Signature found
CERTIFICATE LOAD
Loading uploaded certificate
Certificate loaded "[email protected], CN=blah, OU=Development, O=Intelledox Pty Ltd, L=Fyshwick, S=ACT, C=AU"
SIGNATURE CHECK
Signature check OK
USER SYNC
Attribute Names: username, firstName, lastName, isMemberOf, email, jobTitle, org, phone
USERNAME
Get username from mapping
Field Mapping - USERNAME to username (saml:AttributeStatement/saml:Attribute[@Name='username']).
username found
USER PROFILE
Field Mapping - EMAIL to email (saml:AttributeStatement/saml:Attribute[@Name='email']).
email found
Field Mapping - FIRSTNAME to firstName (saml:AttributeStatement/saml:Attribute[@Name='firstName']).
firstName found
Field Mapping - JOBTITLE to jobTitle (saml:AttributeStatement/saml:Attribute[@Name='jobTitle']).
jobTitle found
Field Mapping - LASTNAME to lastName (saml:AttributeStatement/saml:Attribute[@Name='lastName']).
lastName found
Field Mapping - ORGANISATION to org (saml:AttributeStatement/saml:Attribute[@Name='org']).
org found
Field Mapping - PHONENUMBER to phone (saml:AttributeStatement/saml:Attribute[@Name='phone']).
phone found
Update User Group Subscriptions
Field Mapping - GROUPS to isMemberOf (saml:AttributeStatement/saml:Attribute[@Name='isMemberOf']).
Found value: samlUser
Found value: SAML users
Found value: Domain Users
Group Common Name (CN) Conversion: samlUser
Common Name: samlUser
Group Common Name (CN) Conversion: SAML users
Common Name: SAML users
Group Common Name (CN) Conversion: Domain Users
Common Name: Domain Users
Membership Check :Domain Users
Subscribe user to group: Domain Users
Membership Check :IxSupport
User not a member of group: IxSupport
SUCCESS

Metadata URL support

From V11, Infiniti will start supporting call to metadata url for a supported SAML IDP. Infiniti will be able to read the information about the requirements of the service for e.g. Issuer, Login URL, Logout URL and Identity provider certificate from this url.

726

User just need to provide Metadata Url for the configured SAML IDP. Click Save and Infiniti should read all the service information from the URL and populate the appropriate fields.

725

Example service information on the URL

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://ServerName/saml/idp/metadata.php">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
MIIEMjCCAxqgAwIBAgIJAP/0GJV/ftHCMA0GCSqGSIb3DQEBCwUAMIGtMQswCQYDVQQGEwJBVTEMMAoGA1UECAwDQUNUMREwDwYDVQQHDAhGeXNod2ljazEbMBkGA1UECgwSSW50ZWxsZWRveCBQdHkgTHRkMRkwFwYDVQQLDBBFbmdpbmVlcmluZyBUZWFtMRcwFQYDVQQDDA5NaWNoZWxsZSBLb3RoZTEsMCoGCSqGSIb3DQEJARYdbWljaGVsbGUua290aGVAaW50ZWxsZWRveC5jb20wHhcNMTgwNzA0MjM1NDI3WhcNMjgwNzAzMjM1NDI3WjCBrTELMAkGA1UEBhMCQVUxDDAKBgNVBAgMA0FDVDERMA8GA1UEBwwIRnlzaHdpY2sxGzAZBgNVBAoMEkludGVsbGVkb3ggUHR5IEx0ZDEZMBcGA1UECwwQRW5naW5lZXJpbmcgVGVhbTEXMBUGA1UEAwwOTWljaGVsbGUgS290aGUxLDAqBgkqhkiG9w0BCQEWHW1pY2hlbGxlLmtvdGhlQGludGVsbGVkb3guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwB6FN++gXaRKec+s3r6RT6rjMe/ojwJafvpw5x8BQmK+lhGF9RwoqMLExIYb7EzPcsf9X0sG2IxsoqWprkJCQkWn8HI0LfNE2BlzfGfzOznS0Lw+fxAyJ5Deo2fh4pC2CX0amHUmCBN2MyRHep3g5Els4V+LuwaYie+s3WUBfbv5+nExd2bytwvF6SSxYPDQRa39sw+4qRb7IxUkgWJxuSe7Hpepl/MvtI6CYR8GDfN6Pm+B7Q8HadPDFGbwrIO+lwtOIJ0KBYZqjWgNNm5q/1RzFtRfTHSloSbr9nXxjYukWVAOTSJyp9FJQufwAY4lX2YUJFdoNUB2n+Qhds03iQIDAQABo1MwUTAdBgNVHQ4EFgQUHnI7Aped/OFx6YcDnKzIyutRi40wHwYDVR0jBBgwFoAUHnI7Aped/OFx6YcDnKzIyutRi40wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHCWw5Hi8r76Te9Nq1VGT5/aKGXIkcwu565drmeMd3tcuAD1fZ5nutLzlRji3jeQ2jnKYJ5WtfeKd7yGmR7cDY47ismDPU/qtGLUn1Gl3m0rm6T81CHZovzpgo5MMrRuLvUdejN0bcsNP0iOxPCbxvHUYB2zWjkZbPTbsJ5km1Ca0PwDw31S5lmjiMUyFkDB6rABzWWvL57smquXCoPIeuz0t0JACLJFXsnuqD8nuCvGFqOSNHxko5nnyo+ytKDwEyKLgp66LDAr1N/qLggCs+22aoC8mBJDMVYQspZdbZH+nICYtPqnJ0Sc3qp7CDP5mb7G+AiDBDOy9HIKacbUTGw==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
MIIEMjCCAxqgAwIBAgIJAP/0GJV/ftHCMA0GCSqGSIb3DQEBCwUAMIGtMQswCQYDVQQGEwJBVTEMMAoGA1UECAwDQUNUMREwDwYDVQQHDAhGeXNod2ljazEbMBkGA1UECgwSSW50ZWxsZWRveCBQdHkgTHRkMRkwFwYDVQQLDBBFbmdpbmVlcmluZyBUZWFtMRcwFQYDVQQDDA5NaWNoZWxsZSBLb3RoZTEsMCoGCSqGSIb3DQEJARYdbWljaGVsbGUua290aGVAaW50ZWxsZWRveC5jb20wHhcNMTgwNzA0MjM1NDI3WhcNMjgwNzAzMjM1NDI3WjCBrTELMAkGA1UEBhMCQVUxDDAKBgNVBAgMA0FDVDERMA8GA1UEBwwIRnlzaHdpY2sxGzAZBgNVBAoMEkludGVsbGVkb3ggUHR5IEx0ZDEZMBcGA1UECwwQRW5naW5lZXJpbmcgVGVhbTEXMBUGA1UEAwwOTWljaGVsbGUgS290aGUxLDAqBgkqhkiG9w0BCQEWHW1pY2hlbGxlLmtvdGhlQGludGVsbGVkb3guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwB6FN++gXaRKec+s3r6RT6rjMe/ojwJafvpw5x8BQmK+lhGF9RwoqMLExIYb7EzPcsf9X0sG2IxsoqWprkJCQkWn8HI0LfNE2BlzfGfzOznS0Lw+fxAyJ5Deo2fh4pC2CX0amHUmCBN2MyRHep3g5Els4V+LuwaYie+s3WUBfbv5+nExd2bytwvF6SSxYPDQRa39sw+4qRb7IxUkgWJxuSe7Hpepl/MvtI6CYR8GDfN6Pm+B7Q8HadPDFGbwrIO+lwtOIJ0KBYZqjWgNNm5q/1RzFtRfTHSloSbr9nXxjYukWVAOTSJyp9FJQufwAY4lX2YUJFdoNUB2n+Qhds03iQIDAQABo1MwUTAdBgNVHQ4EFgQUHnI7Aped/OFx6YcDnKzIyutRi40wHwYDVR0jBBgwFoAUHnI7Aped/OFx6YcDnKzIyutRi40wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHCWw5Hi8r76Te9Nq1VGT5/aKGXIkcwu565drmeMd3tcuAD1fZ5nutLzlRji3jeQ2jnKYJ5WtfeKd7yGmR7cDY47ismDPU/qtGLUn1Gl3m0rm6T81CHZovzpgo5MMrRuLvUdejN0bcsNP0iOxPCbxvHUYB2zWjkZbPTbsJ5km1Ca0PwDw31S5lmjiMUyFkDB6rABzWWvL57smquXCoPIeuz0t0JACLJFXsnuqD8nuCvGFqOSNHxko5nnyo+ytKDwEyKLgp66LDAr1N/qLggCs+22aoC8mBJDMVYQspZdbZH+nICYtPqnJ0Sc3qp7CDP5mb7G+AiDBDOy9HIKacbUTGw==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://ServerName/simplesaml/saml2/idp/SingleLogoutService.php"/>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://ServerName/saml/idp/SSOService.php"/>
</md:IDPSSODescriptor>
<md:ContactPerson contactType="technical">
<md:GivenName>Name</md:GivenName>
<md:SurName>LastName</md:SurName>
<md:EmailAddress>[email protected]</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>

For the SAML IDPS’s that are not configured for metadata URL the service information can be entered manually on Infiniti >> Manage >> Settings >> SAML 2.0 page.
After setup during user login if Infiniti fails to validate a signed login request it will automatically retrieve the latest certificate from the metadata URL and try the login again. If the login is successful with the updated certificate it will be replaced in Infiniti and will be used for subsequent login attempts for the environment.

Note - It needs to be ensured that web server has appropriate access to make a call to the metadata URL to read the required information which might not be the case in some locked down sites.

Appendix A Example SAML Request and Response

Request

<?xml version=1.0 encoding=UTF-8?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_fd6b794b-3f77-4529-bc70-b4839fb82f86" Version="2.0" IssueInstant="2016-02-26T03:46:13.057Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">Manage</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</samlp:AuthnRequest>

Response

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://ix10-simonp/ManageV9_3/SamlAuthenticate.aspx" ID="s20ba81f0f7d8dac0a377109c03787e2ea585297c7" InResponseTo="_f9a49ee4-143b-4d15-a2fe-0d431a3d09c7" IssueInstant="2016-02-26T03:52:00Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://openam.example.com:8080/openam</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="#s20ba81f0f7d8dac0a377109c03787e2ea585297c7">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>LYUM7JsNmj4ds9wvdypXjJ4tOJM=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
      UJFiE3TyM82NjCi6QOUQjdTZQiaVcKkpwyxKah0PXQe/i/ZWl+vKduLFVDXDPGP5gVrZoKKtEDWr
      xDoGCE6UUNruQD85zWdVNO0D0LIHLM/j6+1+myvWP7uTv1/BPlYcQ2Owb34diPmOwN/jeBd/AX3f
      1F4faB55Qo9JGiLCANU=
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
          MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
          bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
          ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
          CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
          BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
          AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
          RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
          Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
          QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
          cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
          /FfwWigmrW0Y0Q==
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    </samlp:StatusCode>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s27b4cdc935aa3d98c0d727fa2079d9bb0103bd732" IssueInstant="2016-02-26T03:52:00Z" Version="2.0">
    <saml:Issuer>http://openam.example.com:8080/openam</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <ds:Reference URI="#s27b4cdc935aa3d98c0d727fa2079d9bb0103bd732">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <ds:DigestValue>fnw+2iscOwNy7rTSX8767kMCi6g=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
        f4f+iFzRvc5/VSMQLS16xD9vrZeSgDR+GvR7gICnGFK5ZHLa2sYb1l5GiTJJb7VqAvaYA701fbod
        otbjVmqmsbf+IZVwictbYj0swWmH1WQ63acRHCHg04LLfIBs0nMfsdQ/lWiO2PO82UaAM2XPbpKO
        a1/9DsY2Habpp5qONjE=
      </ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
            bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
            ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
            CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
            BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
            AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
            RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
            Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
            QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
            cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
            /FfwWigmrW0Y0Q==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="http://openam.example.com:8080/openam" SPNameQualifier="Manage">sampleuser</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_f9a49ee4-143b-4d15-a2fe-0d431a3d09c7" NotOnOrAfter="2016-02-26T04:02:00Z" Recipient="http://ix10-simonp/ManageV9_3/SamlAuthenticate.aspx" />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2016-02-26T03:42:00Z" NotOnOrAfter="2016-02-26T04:02:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>Manage</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2016-02-26T03:52:00Z" SessionIndex="s2ae61fa7dd0d09dcc262fabac9c6e7d29fcd0d401">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="givenName">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Sample</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="IsMemberOf">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=Sales,ou=groups,dc=openam,dc=forgerock,dc=org</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=Infiniti_Administrator,ou=groups,dc=openam,dc=forgerock,dc=org</saml:AttributeValue>
        <saml:AttributeValue="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=IT,ou=groups,dc=openam,dc=forgerock,dc=org</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">cn=HR,ou=groups,dc=openam,dc=forgerock,dc=org</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="sn">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">User</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

Appendix B User Profile Mapping Fields

SettingDescription
User NameA field to use for the Infiniti Username if the default SAML ‘NameID’ element does not contain a meaningful value. This is a required field.

For example, use the email address.
GroupsThe element to look for the user’s group Memberships
Prefix, Job Title, Organization,
Last Name, Phone Number, Full Name
, Fax Number, Email, Address Line 1,
Address Line 2, Suburb/Town/City,
State/Province/Region, Postal/Zip Code,
Country
Regular address fields
CultureA culture code to use for example en-AU, zh-CN, es, etc
LanguageA language to use must be supported by Infiniti. Possible values:
ar
zh-cn
zh-tw
nl
en
en-us
fr
fr-ca
de
ko
pt
es
* th
Time ZoneAn appropriate user time zone. Possible Values:

Dateline Standard Time
UTC-11
Samoa Standard Time
Hawaiian Standard Time
Alaskan Standard Time
Pacific Standard Time (Mexico)
Pacific Standard Time
US Mountain Standard Time
Mountain Standard Time (Mexico)
Mountain Standard Time
Central America Standard Time
Central Standard Time
Central Standard Time (Mexico)
Canada Central Standard Time
SA Pacific Standard Time
Eastern Standard Time
US Eastern Standard Time
Venezuela Standard Time
Paraguay Standard Time
Atlantic Standard Time
Central Brazilian Standard Time
SA Western Standard Time
Pacific SA Standard Time
Newfoundland Standard Time
E. South America Standard Time
Argentina Standard Time
SA Eastern Standard Time
Greenland Standard Time
Montevideo Standard Time
UTC-02
Mid-Atlantic Standard Time
Azores Standard Time
Cape Verde Standard Time
Morocco Standard Time
UTC
GMT Standard Time
Greenwich Standard Time
W. Europe Standard Time
Central Europe Standard Time
Romance Standard Time
Central European Standard Time
W. Central Africa Standard Time
Namibia Standard Time
Jordan Standard Time
GTB Standard Time
Middle East Standard Time
Egypt Standard Time
Syria Standard Time
South Africa Standard Time
FLE Standard Time
Israel Standard Time
E. Europe Standard Time
Arabic Standard Time
Arab Standard Time
Russian Standard Time
E. Africa Standard Time
Iran Standard Time
Arabian Standard Time
Azerbaijan Standard Time
Mauritius Standard Time
Georgian Standard Time
Caucasus Standard Time
Afghanistan Standard Time
Ekaterinburg Standard Time
Pakistan Standard Time
West Asia Standard Time
India Standard Time
Sri Lanka Standard Time
Nepal Standard Time
Central Asia Standard Time
Bangladesh Standard Time
N. Central Asia Standard Time
Myanmar Standard Time
SE Asia Standard Time
North Asia Standard Time
China Standard Time
North Asia East Standard Time
Singapore Standard Time
W. Australia Standard Time
Taipei Standard Time
Ulaanbaatar Standard Time
Tokyo Standard Time
Korea Standard Time
Yakutsk Standard Time
Cen. Australia Standard Time
AUS Central Standard Time
E. Australia Standard Time
AUS Eastern Standard Time
West Pacific Standard Time
Tasmania Standard Time
Vladivostok Standard Time
Central Pacific Standard Time
New Zealand Standard Time
UTC+12
Fiji Standard Time
Kamchatka Standard Time
* Tonga Standard Time

SAML authentication in multi tenant environments

Unfortunately, when navigating to the Produce home page, Infiniti does not know which tenancy that should be logged into. The default in a Forms authentication environment is to present the login page.

To allow navigation to a specific tenancy, and therefore to authenticate using SAML instead of forms authentication, Infiniti has the following techniques:

  1. When navigating to a specific form, Infiniti is able to determine the tenancy of that form and will, therefore, use the authentication method defined by that tenancy.

  2. A TenantId may be used to specify what tenancy to log in to if navigation to the Produce home page is required. The produce homepage in this situation will be the normal home page with "/b/12345" appended to the URL (where the tenant id is 1f0ff6c1-7f29-45fb-9727-1b7b18019f1c). So if Produce is normally http://ixtransform.com then a specific tenancy can be navigated to at http://ixtransform/b/1f0ff6c1-7f29-45fb-9727-1b7b18019f1c.

The easiest way to determine the Tenant Id is via the multi-tenant management portal. Simply click on the tenancy to navigate to the "edit tenant" screen, then examine the URL, which should have something like:

TenantEdit.aspx?ID=1f0ff6c1-7f29-45fb-9727-1b7b18019f1c
on the end. The ID in question is the tenant Id.

📘

Note:

Once a SAML Produce instance is navigated to, a cookie will be stored on that computer and will remember that when accessing that instance of Infiniti, SAML login is preferred. In this situation, in the unlikely situation where forms authentication is desired, the SAML tenancy must be logged out and cookies cleared

Recent Changes

  • SAML settings now have a log mode where that captures a more verbose description of what has happens/fails during a SAML authentication and also each SAML authentication (i.e. success and fail).
  • SAML 2.0 Settings page has a log Mode check Box
  • SAML 2.0 Settings page has the last failed message on display (with a more or less expander),when logging is turned on.
  • EventLog Table has all SAML authentication attempts logged. Event level ID is failed/success.