B Setting Up SAML2 SSO Support for XML API
When SAML2 SSO is enabled in an OSM instance, human users who access the OSM UIs (Task UI, Orchestration UI and the landing page) are authenticated against the IdP: they are redirected to the IdP login page and must log in with their IdP credentials. XML APIs, however, are authenticated against the WebLogic embedded LDAP server by default.
Additionally, when XML APIs are configured to be authenticated through SAML2 SSO, you should not authenticate XML API calls against the embedded LDAP server. This means that you need to avoid calling /OrderManagement/XMLAPI/login to log in and /OrderManagement/XMLAPI/logout to log out. To change the authentication process for the XML APIs so that they are authenticated against the IdP through SAML2 SSO, follow the steps given here.
When SAML2 SSO is enabled on XML API, XML API calls use the SAML tokens (carried by the JSESSIONID session cookie) obtained through the Web UI. This allows XML APIs to be called by JavaScript code running in the browser: the client invokes XML API calls with the same SAML tokens as the Web UI. Although XML APIs are not typically used within web applications hosted in the browser, this provides a streamlined way for frontend code to authenticate XML API calls.
- When this feature is configured, XML API calls use SAML tokens obtained through the Web UI instead of the embedded LDAP server. Therefore, if XML APIs are called from non-web-based applications (such as standalone Java applications, standalone Python applications, or any application that runs without a web browser), you should not enable this feature.
- This feature simplifies the use of XML API for frontend code hosted and run by the browser. This is conditional upon the following:
- The application that calls OSM XML APIs is SAML2 SSO enabled and is configured to authenticate against the same IdP as the OSM instance.
- You want XML API calls to be authenticated against SAML2 SSO.
- Supporting a mix of SAML token and embedded LDAP authentication is deemed non-trivial and is not necessary for the intended use case.
To enable OSM to support SAML2 SSO on XML API, you need to add the OSM XML API endpoints to the "Redirect URI" list in the Single Sign-On Identity Provider Partner setting under the SAML2 Assertion Provider: add /OrderManagement/XMLAPI/* to the Redirect URI list. For more information on how to add the XML API path for OSM on-premises, refer to "Registering IdP in WebLogic".
- Add /OrderManagement/XMLAPI/* to the idp.redirectUris values of the $OSM_CNTK/resources/saml2/saml2idppartner.properties file.
saml2.idp.partners=idp
idp.description=Generic IdP for SAML2 SSO.
idp.metadata.file=saml2Metadata.xml
idp.enabled=true
idp.redirectUris=/OrderManagement/*.jsp,/OrderManagement/*.html,/OrderManagement/*.htm,/OrderManagement/control/*,/OrderManagement/control/*.jsp,/OrderManagement/control/*.html,/OrderManagement/control/*.htm,/OrderManagement/orchestration/*,/OrderManagement/orchestration/*.jsp,/OrderManagement/orchestration/*.html,/OrderManagement/orchestration/*.htm,/OrderManagement/osmweb/*,/OrderManagement/osmweb/*.jsp,/OrderManagement/osmweb/*.html,/OrderManagement/osmweb/*.htm,/OrderManagement/processhistory/*,/OrderManagement/processhistory/*.jsp,/OrderManagement/processhistory/*.html,/OrderManagement/processhistory/*.htm,/OrderManagement/fallout-runtimeui/*,/OrderManagement/fallout-runtimeui/*.jsp,/OrderManagement/fallout-runtimeui/*.html,/OrderManagement/fallout-runtimeui/*.htm,/OrderManagement/osm-landingpage/*,/OrderManagement/osm-landingpage/*.jsp,/OrderManagement/osm-landingpage/*.html,/OrderManagement/osm-landingpage/*.htm,/OrderManagement/XMLAPI/*
idp.virtualUserEnabled=true
- Create or recreate the SSO archive secret. For more information on how to do that, refer to "Creating SSO Archive Secret".
- Create or upgrade the OSM instance.
OSM XML API calls are configured to be authenticated against SAML2 SSO only when the XML APIs are called from web-based applications that run in web browsers. This is conditional upon the OSM XML APIs using the same authentication credentials and being authenticated against the same IdP.
To leverage this, do not use the XMLAPI login and logout calls for logging in and logging out. To log in, begin by accessing the OSM Task UI or the OSM Order Management UI. This brings up the IdP challenge. After successful authentication, using the session cookies (by being in the same browser, for instance), access the XMLAPI endpoints as desired.
To log out, go back to the OSM Task UI or OSM Order Management UI and select logout.
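The flow above, from the point of view of frontend code, as an added example that is not part of the OSM documentation or product: the browser call carries the existing Web UI session cookie to the XML API and never touches the XMLAPI login endpoint or any embedded LDAP credential. Because an unauthenticated request to a protected redirect URI is answered by a redirect to the IdP login page rather than an XML fault, the code classifies a response that lands on an HTML page outside /OrderManagement/XMLAPI/ as "no valid SSO session" and sends the user back through the Task UI. The operation path segment, the XML body and the Task UI URL are placeholders assumed for the example; the response classification is pure so it can be checked without a server.

```javascript
// Added example (not OSM's code). Assumptions: the XML API operation segment,
// the request body and TASK_UI_URL below are placeholders; the OSM instance is
// same-origin with the page, so the JSESSIONID cookie is attached by the browser.

const XMLAPI_BASE = "/OrderManagement/XMLAPI/";
const TASK_UI_URL = "/OrderManagement/control/"; // placeholder: where the user logs in via the IdP

// Interpret an XML API response from a session point of view.
// With SAML2 SSO, an unauthenticated request to a redirect URI is redirected
// to the IdP login page, so a followed fetch ends up at an HTML document away
// from the API path. That is "no SSO session", not an API error.
function classifyXmlApiResponse({ status, redirected, url, contentType }) {
  const type = (contentType || "").toLowerCase();
  const landedOutsideApi = redirected && !(url || "").includes(XMLAPI_BASE);
  if (landedOutsideApi || (status === 200 && type.includes("text/html"))) {
    return "sso-challenge"; // session missing or expired: re-authenticate through the UI
  }
  if (status === 401 || status === 403) return "denied";   // authenticated but not authorised
  if (status >= 200 && status < 300 && type.includes("xml")) return "ok";
  return "error";
}

// POST an XML request to an XML API operation using the Web UI's SSO session.
// fetchImpl is injectable so the function can be exercised outside a browser.
async function callXmlApi(operation, xmlBody, fetchImpl = globalThis.fetch) {
  const response = await fetchImpl(XMLAPI_BASE + operation, {
    method: "POST",
    credentials: "same-origin",          // send JSESSIONID; no LDAP user/password anywhere
    headers: { "Content-Type": "text/xml" },
    body: xmlBody,
    redirect: "follow",
  });
  const outcome = classifyXmlApiResponse({
    status: response.status,
    redirected: response.redirected,
    url: response.url,
    contentType: response.headers.get("content-type"),
  });
  if (outcome === "sso-challenge") {
    // The page's login procedure: go to the Task UI, complete the IdP challenge,
    // then retry the XML API call with the refreshed session cookie.
    globalThis.location?.assign(TASK_UI_URL);
    return { outcome, body: null };
  }
  return { outcome, body: outcome === "ok" ? await response.text() : null };
}

// Usage from browser code (placeholder operation and body):
//   const result = await callXmlApi("<operation>", "<Request/>");
//   if (result.outcome === "ok") { /* parse result.body as XML */ }
```

Logging out is likewise done through the UI, as the page states; there is deliberately no call to /OrderManagement/XMLAPI/logout in this code, since that endpoint belongs to the embedded LDAP session model that SSO-enabled XML API does not use.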