For customers subscribed to fusion_place cloud, the configuration on this page is not required.

Configuration for Using SAML Authentication (fusion_place Side) (fusion_place >= 14.0)

This manual is in pilot operation.

To enable SAML authentication in fusion_place, add entries to the configuration file of the Tomcat instance that runs the fusion_place server. Check and consider the following items before configuring.

Use of SSL Communication

When using SAML authentication, it is recommended to use SSL communication, so that the SAML messages exchanged with an external Identity Provider (IdP), which carry the authentication result, are not transmitted in cleartext. For SSL configuration, refer to Configuring SSL Usage.

In particular, some IdPs require SSL communication for SAML authentication.

The following IdP requires SSL communication:

  • Microsoft Entra ID

Configuration Method

Modify Tomcat’s configuration file server.xml to support SAML authentication. For the location of server.xml, refer to Location for Recording Installation Information.

The content of server.xml is in XML format. By adding several Environment elements (JNDI environment properties) under the single Context element, you can enable SAML authentication. Below is an example configuration.

Example Configuration 1: Setting Only Required Items

<Context docBase="/usr/local/tomcat/webapps/fusionplace" path="/fusionplace">

  <!-- Configuration items for SAML authentication start here -->
  <Environment name="fusionplace/use_saml" type="java.lang.Boolean" value="true" />
  <Environment name="fusionplace/saml2/idp/entityid" value="https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/" type="java.lang.String"/>
  <Environment name="fusionplace/saml2/idp/single_sign_on_service/url" value="https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/saml2" type="java.lang.String"/>
  <Environment name="fusionplace/saml2/idp/x509cert" value="-----BEGIN CERTIFICATE-----xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-----END CERTIFICATE-----" type="java.lang.String"/>
  <Environment name="fusionplace/saml2/sp/contact/company" value="(Company name (English))" type="java.lang.String"/>
  <Environment name="fusionplace/saml2/sp/contact/email_address" value="(Company e-mail address)" type="java.lang.String"/>
  <Environment name="fusionplace/saml2/sp/contact/telephone_number" value="(Company phone number)" type="java.lang.String"/>
  <Environment name="fusionplace/saml2/security/authnrequest_signed" type="java.lang.Boolean" value="false" />
  <Environment name="fusionplace/saml2/security/logoutrequest_signed" type="java.lang.Boolean" value="false" />
  <Environment name="fusionplace/saml2/security/logoutresponse_signed" type="java.lang.Boolean" value="false" />
  <!-- Configuration items for SAML authentication end here -->
</Context>

Example Configuration 1: Description of Items

The configuration items for SAML authentication (i.e., Environment elements specified in server.xml) are as follows. For each item: name (JNDI environment property name), type (JNDI environment property type), meaning of the value to set, value (permissible values) and example value.

fusionplace/use_saml
  type:    java.lang.Boolean
  meaning: Enable or disable SAML authentication
  value:   true, false (Default: false)
  example: true

fusionplace/saml2/idp/entityid
  type:    java.lang.String
  meaning: Entity identifier of IdP
  value:   Refer to IdP documentation
  example: https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/

fusionplace/saml2/idp/single_sign_on_service/url
  type:    java.lang.String
  meaning: Login URL
  value:   Refer to IdP documentation
  example: https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/saml2

fusionplace/saml2/idp/x509cert
  type:    java.lang.String
  meaning: SAML certificate
  value:   Set the SAML certificate as a single line (including header and footer)
  example: -----BEGIN CERTIFICATE-----xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-----END CERTIFICATE-----

fusionplace/saml2/sp/contact/company
  type:    java.lang.String
  meaning: Company name (English)
  value:   Company name (English)
  example: fusions corporation

fusionplace/saml2/sp/contact/email_address
  type:    java.lang.String
  meaning: Company e-mail address
  value:   Company e-mail address (fusion_place contact person)
  example: xxxxxxxxx@fusions.co.jp

fusionplace/saml2/sp/contact/telephone_number
  type:    java.lang.String
  meaning: Company phone number (fusion_place contact person)
  value:   Company phone number (fusion_place contact person)
  example: 080-xxxx-xxxx

fusionplace/saml2/security/authnrequest_signed
  type:    java.lang.Boolean
  meaning: Whether AuthnRequest is signed
  value:   true, false (Default: true)
  example: false

fusionplace/saml2/security/logoutrequest_signed
  type:    java.lang.Boolean
  meaning: Whether LogoutRequest is signed
  value:   true, false (Default: true)
  example: false

fusionplace/saml2/security/logoutresponse_signed
  type:    java.lang.Boolean
  meaning: Whether LogoutResponse is signed
  value:   true, false (Default: true)
  example: false
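The rules in the table above (required items, Boolean values, the https recommendation and the single-line certificate) can be checked mechanically before Tomcat is restarted. The script below is an added example, not fusion_place tooling: it parses the Context element of a server.xml and reports deviations. The defaults it applies to absent Boolean items come from the "Default" column; that signing requires fusionplace/saml2/sp/x509cert and fusionplace/saml2/sp/privatekey is an assumption drawn from Example Configuration 3, and the sample server.xml embedded in it is constructed.

```python
"""Check the fusionplace/saml2 Environment elements of a Tomcat server.xml
against the rules in the configuration tables (added example, not fusion_place
tooling). Defaults for absent Boolean items come from the "Default" column; that
signing needs saml2/sp/x509cert and saml2/sp/privatekey is an assumption drawn
from Example Configuration 3."""
import xml.etree.ElementTree as ET

PREFIX = "fusionplace/"

# Items of Example Configuration 1 that must be present.
REQUIRED = [
    "use_saml",
    "saml2/idp/entityid",
    "saml2/idp/single_sign_on_service/url",
    "saml2/idp/x509cert",
    "saml2/sp/contact/company",
    "saml2/sp/contact/email_address",
    "saml2/sp/contact/telephone_number",
]

# Boolean items and the value that applies when the element is absent.
BOOLEAN_DEFAULTS = {
    "use_saml": False,
    "saml2/security/authnrequest_signed": True,
    "saml2/security/logoutrequest_signed": True,
    "saml2/security/logoutresponse_signed": True,
    "saml2/security/want_assertions_encrypted": False,
}

IDP_URLS = ["saml2/idp/single_sign_on_service/url", "saml2/idp/single_logout_service/url"]
SIGNING_FLAGS = [k for k in BOOLEAN_DEFAULTS if k.endswith("_signed")]


def load_settings(server_xml: str) -> dict:
    """Map short name -> (type, value) for every fusionplace/* Environment element."""
    settings = {}
    for env in ET.fromstring(server_xml).iter("Environment"):
        name = env.get("name", "")
        if name.startswith(PREFIX):
            settings[name[len(PREFIX):]] = (env.get("type", ""), env.get("value", ""))
    return settings


def effective_bool(settings: dict, key: str) -> bool:
    """Value of a Boolean item, or its documented default when not configured."""
    if key in settings:
        return settings[key][1].strip().lower() == "true"
    return BOOLEAN_DEFAULTS[key]


def check_saml_config(server_xml: str) -> list:
    """Return problem descriptions; an empty list means no findings."""
    s = load_settings(server_xml)
    problems = [f"missing required item {PREFIX}{k}" for k in REQUIRED if k not in s]

    for key, (typ, value) in s.items():
        if key in BOOLEAN_DEFAULTS:
            if typ != "java.lang.Boolean":
                problems.append(f"{PREFIX}{key}: type should be java.lang.Boolean, got {typ!r}")
            if value.strip().lower() not in ("true", "false"):
                problems.append(f"{PREFIX}{key}: value must be true or false, got {value!r}")
        elif typ != "java.lang.String":
            problems.append(f"{PREFIX}{key}: type should be java.lang.String, got {typ!r}")

    for key in IDP_URLS:  # the page recommends SSL towards the IdP
        if key in s and not s[key][1].startswith("https://"):
            problems.append(f"{PREFIX}{key}: IdP endpoint should use https")

    cert = s.get("saml2/idp/x509cert", ("", ""))[1]
    if cert and ("\n" in cert or not cert.startswith("-----BEGIN CERTIFICATE-----")
                 or not cert.endswith("-----END CERTIFICATE-----")):
        problems.append(f"{PREFIX}saml2/idp/x509cert: must be one line including PEM header and footer")

    # Signing flags default to true, so leaving them out enables signing, which
    # needs an SP certificate and private key (assumption, see lead-in).
    signing = [k for k in SIGNING_FLAGS if effective_bool(s, k)]
    if signing and not ("saml2/sp/x509cert" in s and "saml2/sp/privatekey" in s):
        problems.append("signing is on (set or by default) for " + ", ".join(signing)
                        + " but saml2/sp/x509cert and/or saml2/sp/privatekey is missing")
    return problems


# Constructed sample: Example Configuration 1 with the telephone number and the
# three signing flags left out, and a plain-http IdP login URL.
SAMPLE_SERVER_XML = """<Context docBase="/usr/local/tomcat/webapps/fusionplace" path="/fusionplace">
  <Environment name="fusionplace/use_saml" type="java.lang.Boolean" value="true" />
  <Environment name="fusionplace/saml2/idp/entityid" value="https://sts.windows.net/00000000-0000-0000-0000-000000000000/" type="java.lang.String"/>
  <Environment name="fusionplace/saml2/idp/single_sign_on_service/url" value="http://login.example.test/saml2" type="java.lang.String"/>
  <Environment name="fusionplace/saml2/idp/x509cert" value="-----BEGIN CERTIFICATE-----MIIC...placeholder...-----END CERTIFICATE-----" type="java.lang.String"/>
  <Environment name="fusionplace/saml2/sp/contact/company" value="Example Corp" type="java.lang.String"/>
  <Environment name="fusionplace/saml2/sp/contact/email_address" value="admin@example.test" type="java.lang.String"/>
</Context>"""

if __name__ == "__main__":
    for problem in check_saml_config(SAMPLE_SERVER_XML):
        print("-", problem)
```

Run against the constructed sample it reports three findings: the missing telephone number, the http login URL, and signing left enabled by default without an SP key. The last one is the point worth noticing: Example Configuration 1 sets the three signing flags to false explicitly precisely because no SP certificate and key are configured there.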

Example Configuration 2: When Using Single Logout (Optional)

<Context docBase="/usr/local/tomcat/webapps/fusionplace" path="/fusionplace">
  ...
  <!-- Add the following line to Example Configuration 1. -->
  <Environment name="fusionplace/saml2/idp/single_logout_service/url" value="https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/saml2" type="java.lang.String"/>
</Context>

Example Configuration 2: Description of Items

The configuration item added for single logout (an Environment element specified in server.xml) is as follows, with the same columns as the table for Example Configuration 1:

fusionplace/saml2/idp/single_logout_service/url
  type:    java.lang.String
  meaning: Logout URL
  value:   Refer to IdP documentation
  example: https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/saml2

Example Configuration 3: When Signing Data Sent from fusion_place (SP) to IdP

If SSL is configured for fusion_place, the following settings (message-level signing of the requests fusion_place sends to the IdP) are rarely necessary.

<Context docBase="/usr/local/tomcat/webapps/fusionplace" path="/fusionplace">
  ...
  <!-- Remove the following lines from Example Configuration 1. -->
  <!-- <Environment name="fusionplace/saml2/security/authnrequest_signed" type="java.lang.Boolean" value="false" /> -->
  <!-- <Environment name="fusionplace/saml2/security/logoutrequest_signed" type="java.lang.Boolean" value="false" /> -->
  <!-- <Environment name="fusionplace/saml2/security/logoutresponse_signed" type="java.lang.Boolean" value="false" /> -->
  <!-- Add the following lines to Example Configuration 1. -->
  <Environment name="fusionplace/saml2/sp/x509cert" value="-----BEGIN CERTIFICATE-----xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-----END CERTIFICATE-----" type="java.lang.String"/>
  <Environment name="fusionplace/saml2/sp/privatekey" value="-----BEGIN PRIVATE KEY-----xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-----END PRIVATE KEY-----" type="java.lang.String"/>
</Context>

Example Configuration 3: Description of Items

The configuration items added for SP signing (Environment elements specified in server.xml) are as follows, with the same columns as the table for Example Configuration 1:

fusionplace/saml2/sp/x509cert
  type:    java.lang.String
  meaning: X.509 certificate (including header and footer)
  value:   Refer to IdP documentation
  example: -----BEGIN CERTIFICATE-----xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-----END CERTIFICATE-----

fusionplace/saml2/sp/privatekey
  type:    java.lang.String
  meaning: Private key corresponding to X.509 certificate (including header and footer)
  value:   Refer to IdP documentation
  example: -----BEGIN PRIVATE KEY-----xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-----END PRIVATE KEY-----
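Both the IdP certificate of Example Configuration 1 and the SP certificate and private key above must be entered as a single line including the PEM header and footer. The helper below is an added example, not fusion_place's code: it collapses a PEM file into that single-line form, verifies that the header and footer labels match and the body is valid base64, refuses a certificate where a private key is expected, and serialises the Environment element with correctly escaped attributes. The concatenation without separators follows the example values on this page; the set of accepted private-key labels is an assumption (the page does not say which PEM formats fusion_place accepts), and the PEM blocks embedded below are constructed placeholders, not real key material.

```python
"""Turn PEM files into the single-line values fusion_place's saml2 settings
expect and emit the matching Environment elements for server.xml.

Added example, not part of fusion_place. The single-line form (header, base64
body and footer concatenated without separators) follows the page's example
values; the accepted private-key labels are an assumption."""
import base64
import binascii
import xml.etree.ElementTree as ET

CERT_LABEL = "CERTIFICATE"
KEY_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY")  # assumed


def pem_to_single_line(pem_text: str, expected_labels) -> str:
    """Collapse one PEM block to a single line, checking its label and base64 body."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    if (len(lines) < 3 or not lines[0].startswith("-----BEGIN ")
            or not lines[0].endswith("-----") or not lines[-1].startswith("-----END ")):
        raise ValueError("not a PEM block (missing BEGIN/END lines)")
    label = lines[0][len("-----BEGIN "):-len("-----")]
    if lines[-1] != f"-----END {label}-----":
        raise ValueError("PEM header and footer labels differ")
    if label not in expected_labels:
        raise ValueError(f"expected one of {expected_labels}, got {label!r}")
    body = "".join(lines[1:-1])
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("PEM body is not valid base64") from exc
    return f"-----BEGIN {label}-----{body}-----END {label}-----"


def environment_element(name: str, value: str, java_type: str = "java.lang.String") -> str:
    """Serialise one <Environment .../> element; ElementTree escapes the attributes."""
    el = ET.Element("Environment", name=name, value=value, type=java_type)
    return ET.tostring(el, encoding="unicode")


def idp_cert_element(cert_pem: str) -> str:
    """Element for fusionplace/saml2/idp/x509cert (Example Configuration 1)."""
    return environment_element("fusionplace/saml2/idp/x509cert",
                               pem_to_single_line(cert_pem, (CERT_LABEL,)))


def sp_signing_elements(cert_pem: str, key_pem: str) -> list:
    """Elements for fusionplace/saml2/sp/x509cert and sp/privatekey (Example Configuration 3)."""
    return [
        environment_element("fusionplace/saml2/sp/x509cert",
                            pem_to_single_line(cert_pem, (CERT_LABEL,))),
        environment_element("fusionplace/saml2/sp/privatekey",
                            pem_to_single_line(key_pem, KEY_LABELS)),
    ]


# Constructed placeholder PEMs: the bodies are valid base64 but not real key material.
SAMPLE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBsjCCAVygAwIBAgIJAKcwMDAwMDAwMA0GCSqGSIb3DQEBCwUA
MBIxEDAOBgNVBAMMB2V4YW1wbGU=
-----END CERTIFICATE-----
"""
SAMPLE_KEY_PEM = """-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQ==
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    print(idp_cert_element(SAMPLE_CERT_PEM))
    for element in sp_signing_elements(SAMPLE_CERT_PEM, SAMPLE_KEY_PEM):
        print(element)
```

Passing the certificate PEM where the private key is expected raises a ValueError rather than silently producing a sp/privatekey entry with a CERTIFICATE header, which is the mix-up most likely when the two files are copied by hand.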

Example Configuration 4: When Encrypting Data (Assertion) Exchanged Between fusion_place (SP) and IdP

If SSL is configured for fusion_place, the following settings (message-level signing and assertion encryption on top of the SSL transport) are rarely necessary.

<Context docBase="/usr/local/tomcat/webapps/fusionplace" path="/fusionplace">
  ...
  <!-- Remove and add lines as in Example Configuration 3: -->
  <!-- <Environment name="fusionplace/saml2/security/authnrequest_signed" type="java.lang.Boolean" value="false" /> -->
  <!-- <Environment name="fusionplace/saml2/security/logoutrequest_signed" type="java.lang.Boolean" value="false" /> -->
  <!-- <Environment name="fusionplace/saml2/security/logoutresponse_signed" type="java.lang.Boolean" value="false" /> -->
  <Environment name="fusionplace/saml2/sp/x509cert" value="-----BEGIN CERTIFICATE-----xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-----END CERTIFICATE-----" type="java.lang.String"/>
  <Environment name="fusionplace/saml2/sp/privatekey" value="-----BEGIN PRIVATE KEY-----xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-----END PRIVATE KEY-----" type="java.lang.String"/>
  <!-- Then add the following line -->
  <Environment name="fusionplace/saml2/security/want_assertions_encrypted" type="java.lang.Boolean" value="true" />
</Context>

Example Configuration 4: Description of Items

The configuration item added for assertion encryption (an Environment element specified in server.xml) is as follows, with the same columns as the table for Example Configuration 1:

fusionplace/saml2/security/want_assertions_encrypted
  type:    java.lang.Boolean
  meaning: Encrypt data (Assertion) exchanged between fusion_place (SP) and IdP
  value:   true, false (Default: false)
  example: true