Step 2: Generate the SP Metadata
The following procedure generates the SP metadata using the Spring Security SAML application.
To generate the SP metadata using Spring Security SAML:
1. | Start the Spring Security SAML Extension sample web application (spring-security-saml2-sample), which is deployed under the following directory of the Code Insight installation: |
fnciInstallPath/tomcat/webapps/spring-security-saml2-sample
2. | Once the application is started, navigate to Metadata Administration | Login | Generate new service provider metadata. |
3. | In the Metadata Generate Filter section, provide the following values (or values appropriate to your site): |
Field | Value
Store for the current session | Select No.
Entity ID | Provide the identifier for the Code Insight Core Server as an SP in the format <w>:<x>:<y>:<z>, as in the example palamida:cust:test:server1. This ID must be unique among the other entity IDs known to the Identity Provider. It is usually assigned by the Identity Provider, but SSO does not mandate any particular value.
Entity base URL | Provide the HTTPS URL that handles the SP user's sign-in requests. This is usually the URL of the Core Server in the format HTTPS://myhost.mycompany.com:port, where port is the default port for the Core Server. (For default Code Insight ports, see Network and Firewall Considerations.)
Entity alias | Enter defaultAlias.
Signing key | Select the alias of the private key in the keystore that signs outgoing messages. (This value should be the same as the myAlias value entered in the keyManager bean definition described in Step 1: Download and Configure the Spring Security SAML Extension; the key's password, myAliasPassword, is read from that bean and is not entered here.)
Encryption key | Select the alias of the private key in the keystore used for decryption. (This value should be the same as the myAlias value entered in the keyManager bean definition described in Step 1: Download and Configure the Spring Security SAML Extension.)
Signature security profile | Select MetaIOP.
SSL/TLS security profile | Select PKIX.
SSL/TLS hostname verification | Select Standard hostname verifier.
SSL/TLS client authentication | Select None.
Sign metadata | Select Yes.
Signing algorithm | Enter http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
Sign sent AuthNRequests | Select Yes.
Require signed authentication Assertion | Select No.
Require signed LogoutRequest | Select No.
Require signed LogoutResponse | Select No.
Require signed ArtifactResolve | Select No.
Single sign-on bindings | Select SSO HTTP-POST as the default. (Uncheck SSO Artifact.)
Supported NameIDs | Select Transient, E-Mail, and X509 Subject.
Enable IDP Discovery profile | Select No.
4. | Generate the metadata. |
5. | Save the contents of the Metadata text box to SPMetadata.xml, and copy this file to fnciInstallPath/config/core/security in the Code Insight Core Server installation. |
6. | Save the contents of the Configuration text box to Extended.xml in a temporary location of your choice for later reference. (You will need this file when updating the core.sso.properties in Step 3: Configure the SSO Common Properties File.) |
7. | (Optional) If you want signing but not encryption in SSO communications, open SPMetadata.xml, locate the encryption key descriptor (the <md:KeyDescriptor use="encryption"> element, usually the second KeyDescriptor), and remove the whole element from its opening tag through its closing </md:KeyDescriptor> tag. Note that the metadata was signed in step 4 and the signature covers the entire document, so this edit invalidates the <ds:Signature>; an Identity Provider that verifies metadata signatures will reject the edited file unless the signature is removed as well and the metadata is exchanged over a trusted channel. |
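The following script is an added example and is not part of the Code Insight documentation or the Spring Security SAML project. It parses a generated SPMetadata.xml and checks that the values chosen in the Metadata Generate Filter above actually landed in the file (entity ID, RSA-SHA256 metadata signature, signed AuthnRequests, HTTP-POST only, HTTPS endpoints, the three NameID formats, a signing and an encryption key), and it performs the optional step 7 removal of the encryption KeyDescriptor with an XML parser instead of a text editor, dropping the now-invalid enveloped signature at the same time. The metadata document embedded below is constructed for illustration; its entity ID, host, port and certificate contents are placeholders, and the function names are the author's own.

```python
"""Sanity-check a Spring SAML-generated SPMetadata.xml against the Step 3
settings, and implement the optional step 7 edit as an XML operation.
Added example; the sample metadata and all names here are illustrative."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
ET.register_namespace("md", MD)   # keep the md:/ds: prefixes when serializing
ET.register_namespace("ds", DS)

POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
EXPECTED_NAMEIDS = {           # Transient, E-Mail, X509 Subject from Step 3
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
}

# Constructed sample of what the generator emits; certificates are stubs.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="_sample" entityID="palamida:cust:test:server1">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo>
    <ds:SignatureValue>c2lnbmF0dXJlLXBsYWNlaG9sZGVy</ds:SignatureValue>
  </ds:Signature>
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIB-signing-stub</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIB-encryption-stub</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myhost.mycompany.com:8888/saml/SSO/alias/defaultAlias"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text, expected_entity_id):
    """Compare the metadata with the Step 3 choices. Returns a dict of
    problems keyed by setting; an empty dict means everything matched."""
    root = ET.fromstring(xml_text)
    problems = {}
    if root.get("entityID") != expected_entity_id:
        problems["entityID"] = root.get("entityID")
    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        problems["Sign metadata"] = "no ds:Signature present"
    elif method.get("Algorithm") != RSA_SHA256:
        problems["Signing algorithm"] = method.get("Algorithm")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        problems["SPSSODescriptor"] = "missing"
        return problems
    if sp.get("AuthnRequestsSigned") != "true":
        problems["Sign sent AuthNRequests"] = sp.get("AuthnRequestsSigned")
    acs = sp.findall("md:AssertionConsumerService", NS)
    if any(a.get("Binding") == ARTIFACT_BINDING for a in acs):
        problems["Single sign-on bindings"] = "SSO Artifact still enabled"
    default = [a for a in acs if a.get("isDefault") == "true"]
    if not default or default[0].get("Binding") != POST_BINDING:
        problems["default binding"] = "HTTP-POST is not the default"
    insecure = [a.get("Location") for a in acs
                if not a.get("Location", "").lower().startswith("https://")]
    if insecure:
        problems["Entity base URL"] = insecure
    formats = {f.text.strip() for f in sp.findall("md:NameIDFormat", NS)}
    if not EXPECTED_NAMEIDS <= formats:
        problems["Supported NameIDs"] = sorted(EXPECTED_NAMEIDS - formats)
    uses = {k.get("use") for k in sp.findall("md:KeyDescriptor", NS)}
    if "signing" not in uses:
        problems["Signing key"] = "no KeyDescriptor use=\"signing\""
    return problems


def strip_encryption_key(xml_text, drop_signature=True):
    """Step 7 as an XML edit: remove every KeyDescriptor use="encryption".
    The enveloped signature no longer verifies once the document changes,
    so it is removed too unless the caller asks to keep it. Returns the
    serialized document and the number of descriptors removed."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    removed = 0
    for kd in list(sp.findall("md:KeyDescriptor", NS)):
        if kd.get("use") == "encryption":
            sp.remove(kd)
            removed += 1
    if removed and drop_signature:
        sig = root.find("ds:Signature", NS)
        if sig is not None:
            root.remove(sig)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE_METADATA, "palamida:cust:test:server1"))
    stripped, n = strip_encryption_key(SAMPLE_METADATA)
    print(n, "encryption descriptor(s) removed")
    print(stripped)
```

Run it against the real file by replacing SAMPLE_METADATA with the contents of fnciInstallPath/config/core/security/SPMetadata.xml. Any non-empty result from check_sp_metadata points at a field in the generator form to revisit before the metadata is handed to the Identity Provider; strip_encryption_key reports how many encryption descriptors it dropped, and its output with the signature removed is only acceptable when the Identity Provider does not verify metadata signatures or the file is delivered over a channel you already trust.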