This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
matt_reardon
Level 3
‎Mar 29, 2023 10:17 AM

Code Insight with Azure SSO

Hi,

Has anyone managed to successfully implement SSO through Azure on Code Insight? I'd be hugely grateful if anyone can share some configuration examples!

Best Regards,

Matt

Labels (3)
0 Kudos

(6) Replies
tphamda
Level 6 Flexeran
Level 6 Flexeran
‎Mar 29, 2023 07:52 PM

Hi @matt_reardon,

I do not have any examples to provide for an SSO setup through Azure, but I am aware that using a self-signed certificate on Azure can cause errors. If that does not apply to your situation, you can provide me with what errors you run into as well as your log files, and I can take a further look. 

If you're just looking for general SSO configuration steps, you can find them in our Install Guide:
https://docs.revenera.com/fnci2023r1/pdf/FNCIInstallGuide.pdf#page=105 

0 Kudos
matt_reardon
Level 3
In response to tphamda
‎Mar 30, 2023 06:19 AM

Thanks @tphamda ,

I guess my first question would be around the keystore - we have an existing keystore which contains only a single alias for a LetsEncrypt certificate which allows https access to the platform - can we use this or would we need to create a new keystore.

I've already had a read of the manual but SSO through Azure is not mentioned, only SSO through LDAP.

Thank you!

Matt

0 Kudos
tphamda
Level 6 Flexeran
Level 6 Flexeran
In response to matt_reardon
‎Mar 30, 2023 06:11 PM

@matt_reardon, yes, you would use the same keystore and alias that was configured for Code Insight. 

0 Kudos
matt_reardon
Level 3
‎Mar 31, 2023 05:08 AM

Thanks @tphamda!

I get the following error:

HTTP Status 500 – Internal Server Error

Type Exception Report

Message trusted certificate entries are not password-protected

Description The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception

java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected
	java.security.KeyStoreSpi.engineGetEntry(KeyStoreSpi.java:466)
	sun.security.provider.KeyStoreDelegator.engineGetEntry(KeyStoreDelegator.java:172)
	sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetEntry(JavaKeyStore.java:70)
	java.security.KeyStore.getEntry(KeyStore.java:1521)
	org.opensaml.xml.security.credential.KeyStoreCredentialResolver.resolveFromSource(KeyStoreCredentialResolver.java:132)
	org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:57)
	org.opensaml.xml.security.credential.AbstractCredentialResolver.resolveSingle(AbstractCredentialResolver.java:30)
	org.opensaml.xml.security.credential.AbstractCredentialResolver.resolveSingle(AbstractCredentialResolver.java:26)
	org.springframework.security.saml.key.JKSKeyManager.resolveSingle(JKSKeyManager.java:171)
	org.springframework.security.saml.key.JKSKeyManager.getCredential(JKSKeyManager.java:191)
	org.springframework.security.saml.metadata.MetadataGenerator.getServerKeyInfo(MetadataGenerator.java:205)
	org.springframework.security.saml.metadata.MetadataGenerator.buildSPSSODescriptor(MetadataGenerator.java:329)
	org.springframework.security.saml.metadata.MetadataGenerator.generateMetadata(MetadataGenerator.java:189)
	org.springframework.security.saml.metadata.MetadataGeneratorFilter.processMetadataInitialization(MetadataGeneratorFilter.java:127)
	org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
	org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
	org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
	org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
	com.palamida.appsec.web.filter.SecurityHeaderResponseFilter.doFilter(SecurityHeaderResponseFilter.java:29)

Note The full stack trace of the root cause is available in the server logs.

The core.sso.common.properties file looks like this:

## this file contains all sso placeholder values.
saml.keystore=file:/home/fnciuser/CodeInsight/tomcat/certs/fnci.jks
saml.keystore.password=<password>
saml.keystore.alias=azuresso
saml.keystore.alias.password=<password>

# for extendedMetadata configuration
saml.metadata.local=true
saml.metadata.alias=
saml.metadata.idpDiscoveryEnabled=false
saml.metadata.idpDiscoveryURL=
saml.metadata.idpDiscoveryResponseURL=
saml.metadata.ecpEnabled=false
saml.metadata.securityProfile=metaiop
saml.metadata.sslSecurityProfile=pkix
saml.metadata.sslHostnameVerification=default
saml.metadata.signingKey=<password>
saml.metadata.signingAlgorithm=null
saml.metadata.signMetadata=false
saml.metadata.encryptionKey=azuresso
saml.metadata.tlsKey=
#private Set<String> trustedKeys=
saml.metadata.requireLogoutRequestSigned=false
saml.metadata.requireLogoutResponseSigned=false
saml.metadata.requireArtifactResolveSigned=false
saml.metadata.supportUnsolicitedResponse=true

#for SP
saml.entity.id=<configured>
saml.base.url=<configured>

The jks file originally just contained the Let's Encrypt SSL certificate. I used the following command to import the Azure SSO certificate:

keytool -import -alias azuresso -file <cerfifcate filename> -keystore fnci.jks

When I list the contents of the keystore, I can see the new certificate.

Thank you!

Matt

0 Kudos
tphamda
Level 6 Flexeran
Level 6 Flexeran
In response to matt_reardon
‎Mar 31, 2023 02:05 PM

@matt_reardon, when you list the contents of the keystore, is the new certificate listed as a privateKeyEntry? If it's not (e.g. trustedCertEntry), that would indicate you have only imported a public key and require a private key. If this is the case, please contact the vendor on getting the private key.

0 Kudos
matt_reardon
Level 3
In response to tphamda
‎Aug 23, 2023 09:16 AM

Hi @tphamda 

Thanks for the reply, and apologies for the delay in my response. I have got this wokring now, in that Code Insight now displays the Microsoft sign-on screen and go through the process to login. Once the MFA challenge has been successful, I get taken to the Code Insight main screen, so all good up to this point.

The problem I'm facing is when I sign out. The Logout button in Code Insight takes me to the Code Insight login screen, not the Microsoft login, so I am able to bypass SSO, thus bypassing MFA.

I have raised a ticket with support, 02785562.

Thank you!

Matt