Code Insight with Azure SSO
Hi,
Has anyone managed to successfully implement SSO through Azure on Code Insight? I'd be hugely grateful if anyone can share some configuration examples!
Best Regards,
Matt
Hi @matt_reardon,
I do not have any examples to provide for an SSO setup through Azure, but I am aware that using a self-signed certificate on Azure can cause errors. If that does not apply to your situation, you can provide me with what errors you run into as well as your log files, and I can take a further look.
If you're just looking for general SSO configuration steps, you can find them in our Install Guide:
https://docs.revenera.com/fnci2023r1/pdf/FNCIInstallGuide.pdf#page=105
Thanks @tphamda ,
I guess my first question would be around the keystore - we have an existing keystore which contains only a single alias for a Let's Encrypt certificate which allows HTTPS access to the platform - can we use this, or would we need to create a new keystore?
I've already had a read of the manual but SSO through Azure is not mentioned, only SSO through LDAP.
Thank you!
Matt
@matt_reardon, yes, you would use the same keystore and alias that was configured for Code Insight.
Thanks @tphamda!
I get the following error:
HTTP Status 500 – Internal Server Error
Type Exception Report
Message trusted certificate entries are not password-protected
Description The server encountered an unexpected condition that prevented it from fulfilling the request.
Exception
java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected
java.security.KeyStoreSpi.engineGetEntry(KeyStoreSpi.java:466)
sun.security.provider.KeyStoreDelegator.engineGetEntry(KeyStoreDelegator.java:172)
sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetEntry(JavaKeyStore.java:70)
java.security.KeyStore.getEntry(KeyStore.java:1521)
org.opensaml.xml.security.credential.KeyStoreCredentialResolver.resolveFromSource(KeyStoreCredentialResolver.java:132)
org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:57)
org.opensaml.xml.security.credential.AbstractCredentialResolver.resolveSingle(AbstractCredentialResolver.java:30)
org.opensaml.xml.security.credential.AbstractCredentialResolver.resolveSingle(AbstractCredentialResolver.java:26)
org.springframework.security.saml.key.JKSKeyManager.resolveSingle(JKSKeyManager.java:171)
org.springframework.security.saml.key.JKSKeyManager.getCredential(JKSKeyManager.java:191)
org.springframework.security.saml.metadata.MetadataGenerator.getServerKeyInfo(MetadataGenerator.java:205)
org.springframework.security.saml.metadata.MetadataGenerator.buildSPSSODescriptor(MetadataGenerator.java:329)
org.springframework.security.saml.metadata.MetadataGenerator.generateMetadata(MetadataGenerator.java:189)
org.springframework.security.saml.metadata.MetadataGeneratorFilter.processMetadataInitialization(MetadataGeneratorFilter.java:127)
org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
com.palamida.appsec.web.filter.SecurityHeaderResponseFilter.doFilter(SecurityHeaderResponseFilter.java:29)
Note The full stack trace of the root cause is available in the server logs.
The core.sso.common.properties file looks like this:
## this file contains all sso placeholder values.
saml.keystore=file:/home/fnciuser/CodeInsight/tomcat/certs/fnci.jks
saml.keystore.password=<password>
saml.keystore.alias=azuresso
saml.keystore.alias.password=<password>
# for extendedMetadata configuration
saml.metadata.local=true
saml.metadata.alias=
saml.metadata.idpDiscoveryEnabled=false
saml.metadata.idpDiscoveryURL=
saml.metadata.idpDiscoveryResponseURL=
saml.metadata.ecpEnabled=false
saml.metadata.securityProfile=metaiop
saml.metadata.sslSecurityProfile=pkix
saml.metadata.sslHostnameVerification=default
saml.metadata.signingKey=<password>
saml.metadata.signingAlgorithm=null
saml.metadata.signMetadata=false
saml.metadata.encryptionKey=azuresso
saml.metadata.tlsKey=
#private Set<String> trustedKeys=
saml.metadata.requireLogoutRequestSigned=false
saml.metadata.requireLogoutResponseSigned=false
saml.metadata.requireArtifactResolveSigned=false
saml.metadata.supportUnsolicitedResponse=true
#for SP
saml.entity.id=<configured>
saml.base.url=<configured>
The jks file originally just contained the Let's Encrypt SSL certificate. I used the following command to import the Azure SSO certificate:
keytool -import -alias azuresso -file <certificate filename> -keystore fnci.jks
When I list the contents of the keystore, I can see the new certificate.
Thank you!
Matt
@matt_reardon, when you list the contents of the keystore, is the new certificate listed as a privateKeyEntry? If it's not (e.g. trustedCertEntry), that would indicate you have only imported a public key and require a private key. If this is the case, please contact the vendor on getting the private key.
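A preflight check for the failing step described above, added here as an example and not code from Code Insight or from this thread: it loads the keystore the same way the SAML layer does and reports whether the alias from saml.keystore.alias holds a private key or only a certificate. It assumes the keystore path, store password, alias and key password are passed as command-line arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableEntryException;

/**
 * Hypothetical helper, not part of Code Insight. Spring SAML's JKSKeyManager resolves the
 * SP credential with KeyStore.getEntry(alias, PasswordProtection); that call throws
 * "trusted certificate entries are not password-protected" when the alias is a
 * trustedCertEntry, which is what a plain "keytool -import -file <cert>" creates.
 */
public final class SamlKeystorePreflight {

    enum Verdict { PRIVATE_KEY_OK, CERTIFICATE_ONLY, NOT_A_PRIVATE_KEY, MISSING_ALIAS, BAD_KEY_PASSWORD }

    static Verdict check(KeyStore ks, String alias, char[] keyPassword) throws KeyStoreException {
        if (!ks.containsAlias(alias)) {
            return Verdict.MISSING_ALIAS;
        }
        // Test for a certificate-only entry before calling getEntry with a password,
        // because that combination is exactly what raises the UnsupportedOperationException.
        if (ks.isCertificateEntry(alias)) {
            return Verdict.CERTIFICATE_ONLY;
        }
        try {
            KeyStore.Entry entry = ks.getEntry(alias, new KeyStore.PasswordProtection(keyPassword));
            return entry instanceof KeyStore.PrivateKeyEntry ? Verdict.PRIVATE_KEY_OK : Verdict.NOT_A_PRIVATE_KEY;
        } catch (UnrecoverableEntryException e) {
            return Verdict.BAD_KEY_PASSWORD; // saml.keystore.alias.password does not match the key
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: SamlKeystorePreflight <keystore.jks> <storepass> <alias> <keypass>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS"); // DualFormatJKS also reads PKCS12 files
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Verdict v = check(ks, args[2], args[3].toCharArray());
        System.out.println(args[2] + ": " + v);
        System.exit(v == Verdict.PRIVATE_KEY_OK ? 0 : 1);
    }
}
```

CERTIFICATE_ONLY confirms the situation described in the reply above: the alias carries only a public certificate and the SP needs a PrivateKeyEntry under that alias before the SAML metadata can be generated.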
Hi @tphamda
Thanks for the reply, and apologies for the delay in my response. I have got this working now, in that Code Insight now displays the Microsoft sign-on screen and I go through the process to log in. Once the MFA challenge has been successful, I get taken to the Code Insight main screen, so all good up to this point.
The problem I'm facing is when I sign out. The Logout button in Code Insight takes me to the Code Insight login screen, not the Microsoft login, so I am able to bypass SSO, thus bypassing MFA.
I have raised a ticket with support, 02785562.
Thank you!
Matt