cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
matt_reardon
Level 3

Code Insight with Azure SSO

Hi,

Has anyone managed to successfully implement SSO through Azure on Code Insight? I'd be hugely grateful if anyone can share some configuration examples!

Best Regards,

Matt

Labels (3)
0 Kudos
(6) Replies
tphamda
Revenera
Revenera

Hi @matt_reardon,

I do not have any examples to provide for an SSO setup through Azure, but I am aware that using a self-signed certificate on Azure can cause errors. If that does not apply to your situation, you can provide me with what errors you run into as well as your log files, and I can take a further look. 

If you're just looking for general SSO configuration steps, you can find them in our Install Guide:
https://docs.revenera.com/fnci2023r1/pdf/FNCIInstallGuide.pdf#page=105 

0 Kudos

Thanks @tphamda ,

I guess my first question would be around the keystore - we have an existing keystore which contains only a single alias for a LetsEncrypt certificate which allows https access to the platform - can we use this or would we need to create a new keystore.

I've already had a read of the manual but SSO through Azure is not mentioned, only SSO through LDAP.

Thank you!

Matt

0 Kudos

@matt_reardon, yes, you would use the same keystore and alias that was configured for Code Insight. 

0 Kudos
matt_reardon
Level 3

Thanks @tphamda!

I get the following error:

HTTP Status 500 – Internal Server Error


Type Exception Report

Message trusted certificate entries are not password-protected

Description The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception

java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected
	java.security.KeyStoreSpi.engineGetEntry(KeyStoreSpi.java:466)
	sun.security.provider.KeyStoreDelegator.engineGetEntry(KeyStoreDelegator.java:172)
	sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetEntry(JavaKeyStore.java:70)
	java.security.KeyStore.getEntry(KeyStore.java:1521)
	org.opensaml.xml.security.credential.KeyStoreCredentialResolver.resolveFromSource(KeyStoreCredentialResolver.java:132)
	org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver.resolve(AbstractCriteriaFilteringCredentialResolver.java:57)
	org.opensaml.xml.security.credential.AbstractCredentialResolver.resolveSingle(AbstractCredentialResolver.java:30)
	org.opensaml.xml.security.credential.AbstractCredentialResolver.resolveSingle(AbstractCredentialResolver.java:26)
	org.springframework.security.saml.key.JKSKeyManager.resolveSingle(JKSKeyManager.java:171)
	org.springframework.security.saml.key.JKSKeyManager.getCredential(JKSKeyManager.java:191)
	org.springframework.security.saml.metadata.MetadataGenerator.getServerKeyInfo(MetadataGenerator.java:205)
	org.springframework.security.saml.metadata.MetadataGenerator.buildSPSSODescriptor(MetadataGenerator.java:329)
	org.springframework.security.saml.metadata.MetadataGenerator.generateMetadata(MetadataGenerator.java:189)
	org.springframework.security.saml.metadata.MetadataGeneratorFilter.processMetadataInitialization(MetadataGeneratorFilter.java:127)
	org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
	org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
	org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
	org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
	com.palamida.appsec.web.filter.SecurityHeaderResponseFilter.doFilter(SecurityHeaderResponseFilter.java:29)

Note The full stack trace of the root cause is available in the server logs.

The core.sso.common.properties file looks like this:

## this file contains all sso placeholder values.
saml.keystore=file:/home/fnciuser/CodeInsight/tomcat/certs/fnci.jks
saml.keystore.password=<password>
saml.keystore.alias=azuresso
saml.keystore.alias.password=<password>

# for extendedMetadata configuration
saml.metadata.local=true
saml.metadata.alias=
saml.metadata.idpDiscoveryEnabled=false
saml.metadata.idpDiscoveryURL=
saml.metadata.idpDiscoveryResponseURL=
saml.metadata.ecpEnabled=false
saml.metadata.securityProfile=metaiop
saml.metadata.sslSecurityProfile=pkix
saml.metadata.sslHostnameVerification=default
saml.metadata.signingKey=<password>
saml.metadata.signingAlgorithm=null
saml.metadata.signMetadata=false
saml.metadata.encryptionKey=azuresso
saml.metadata.tlsKey=
#private Set<String> trustedKeys=
saml.metadata.requireLogoutRequestSigned=false
saml.metadata.requireLogoutResponseSigned=false
saml.metadata.requireArtifactResolveSigned=false
saml.metadata.supportUnsolicitedResponse=true

#for SP
saml.entity.id=<configured>
saml.base.url=<configured>

The jks file originally just contained the Let's Encrypt SSL certificate. I used the following command to import the Azure SSO certificate:

keytool -import -alias azuresso -file <cerfifcate filename> -keystore fnci.jks

When I list the contents of the keystore, I can see the new certificate.

Thank you!

Matt

0 Kudos

@matt_reardon, when you list the contents of the keystore, is the new certificate listed as a privateKeyEntry? If it's not (e.g. trustedCertEntry), that would indicate you have only imported a public key and require a private key. If this is the case, please contact the vendor on getting the private key.

0 Kudos

Hi @tphamda 

Thanks for the reply, and apologies for the delay in my response. I have got this wokring now, in that Code Insight now displays the Microsoft sign-on screen and go through the process to login. Once the MFA challenge has been successful, I get taken to the Code Insight main screen, so all good up to this point.

The problem I'm facing is when I sign out. The Logout button in Code Insight takes me to the Code Insight login screen, not the Microsoft login, so I am able to bypass SSO, thus bypassing MFA.

I have raised a ticket with support, 02785562.

Thank you!

Matt