Introduction
Security Assertion Markup Language (SAML) is an XML based open data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.
Apigee Edge enables you to authenticate and authorize apps that are capable of presenting SAML tokens. A SAML token is a digitally signed fragment of XML that presents a set of "assertions". Apigee can function as a service provider (SP) or an Identity Provider (IDP) and provides policies for SAML Assertion generation and validation.
In this article we will build a sample application where Apigee functions as an Identity Provider (IDP) and Salesforce as a service provider (SP). The high level flows are as shown below.
The installation and configuration steps required to run this example are listed below.
Certificates
One of the first things you will have to do is generate the certificates that will be used for digital signatures. You can use openssl to create a self-signed certificate and its private key as shown below.
$ mkdir certs
$ cd certs
$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 730
This will create the files key.pem and cert.pem.
Then create a descriptor.properties file:
$ mkdir META-INF
then add the following to the file META-INF/descriptor.properties (these are the property names Apigee expects; they name the certificate and key files inside the jar):
certFile=cert.pem
keyFile=key.pem
Then generate a jar containing your keypair and certificates
jar -cf idpKeystore.jar cert.pem key.pem
Add descriptor.properties to your jar
$ jar -uf idpKeystore.jar META-INF/descriptor.properties
Now create a keystore for your environment.
$ curl -H "Content-Type: text/xml" \
  https://api.enterprise.apigee.com/v1/o/{org_name}/environments/{env_name}/keystores \
  -d '<KeyStore name="idpKeystore"/>' -u myname:mypass
Now upload the jar file to the keystore
$ curl -X POST -H "Content-Type: multipart/form-data" \
  -F file="@idpKeystore.jar" \
  "https://api.enterprise.apigee.com/v1/o/{org_name}/environments/{env_name}/keystores/idpKeystore/keys?alias={key_alias}&password={key_pass}" \
  -u myname:mypass
Next we will do the necessary configuration in Salesforce.
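The jar built above is just a zip archive with META-INF/descriptor.properties at a fixed path. The following added example (mine, not part of the original article or the apigee-saml-idp project) builds that archive with Python's zipfile in place of the jar tool and inspects it before upload: it confirms the descriptor's certFile/keyFile entries point at files that exist in the jar, and reports whether the private key is passphrase-protected, in which case the password parameter of the upload call must match that passphrase. The PEM bodies are constructed placeholders standing in for the real cert.pem and key.pem.

```python
"""Build and sanity-check an Apigee keystore JAR before uploading it."""
import io
import zipfile

DESCRIPTOR = "META-INF/descriptor.properties"

# Constructed placeholders; in practice read cert.pem and key.pem from disk.
CERT_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
# openssl req -newkey without -nodes writes a passphrase-protected key like this.
KEY_PEM = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...placeholder...\n"
           b"-----END ENCRYPTED PRIVATE KEY-----\n")


def build_keystore_jar(cert_pem, key_pem, cert_name="cert.pem", key_name="key.pem"):
    """Return the JAR as bytes: cert and key at the root, descriptor naming them."""
    descriptor = f"certFile={cert_name}\nkeyFile={key_name}\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr(DESCRIPTOR, descriptor)
        jar.writestr(cert_name, cert_pem)
        jar.writestr(key_name, key_pem)
    return buf.getvalue()


def inspect_keystore_jar(jar_bytes):
    """Validate descriptor and referenced files; flag an encrypted private key."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        if DESCRIPTOR not in names:
            raise ValueError(f"missing {DESCRIPTOR}")
        props = {}
        for line in jar.read(DESCRIPTOR).decode().splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
        for prop in ("certFile", "keyFile"):
            if prop not in props:
                raise ValueError(f"descriptor lacks {prop}")
            if props[prop] not in names:
                raise ValueError(f"{props[prop]} (from {prop}) is not in the jar")
        cert = jar.read(props["certFile"])
        key = jar.read(props["keyFile"])
    return {
        "certFile": props["certFile"],
        "keyFile": props["keyFile"],
        "cert_is_pem": cert.startswith(b"-----BEGIN CERTIFICATE-----"),
        # PKCS#8 encrypted form, or legacy PEM with a Proc-Type encryption header
        "key_encrypted": (b"ENCRYPTED PRIVATE KEY" in key
                          or b"Proc-Type: 4,ENCRYPTED" in key),
    }
```

If key_encrypted is True, pass the key's passphrase as {key_pass} in the upload call; if you generated the key with -nodes it is False and no password is needed.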
Salesforce (Service Provider) Setup
3. Check the SAML Enabled checkbox shown on the screen, add the SAML Single Sign-On settings as shown below, and hit save.
4. Register your subdomain in Salesforce.
5. Enable login with your SAML configuration
6. Logout and access Salesforce using your registered domain. You will see the SAML login option on the page.
Apigee (IDP) Setup
7. Download the proxy source code from https://github.com/shahbagdadi/apigee-saml-idp
8. Change setConfig.js to hold the configuration for your environment.
9. cd to the apigee-saml-idp folder and deploy the proxy using
python tools/deploy.py -n apigee-saml-idp -u userid:password -o org -e env -d . -p /
10. Open your Salesforce domain and click the “ApigeeSAML” button to authenticate and login using Apigee as an IDP
Awesome! I'm trying these steps now.
Thanks for the tutorial. What values are required to be entered in Salesforce on the SSO Settings page for Issuer and Entity Id?
Entity Id : https://saml.salesforce.com
Issuer will be your endpoint on Apigee, i.e. http://org-env.apigee.net
@shah The images are all missing. Is there any way to add them back?
Stephen
I am going to refer to @Birute Awasthi. Can something be done to get back the missing images?
Thanks.
--Pradeep
Screenshots, proxy code and other information are available at:
I tried this command { $ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 730 } in the openssl tool. It created two files, cert.pem and key.pem, in the openssl bin folder. Finally I uploaded the jar file on the Apigee website { upload a jar file to a keystore link }. I got this response:
HTTP/1.1 400 Bad Request
{ "code": "messaging.config.beans.KeyParseFailure", "message": "Failed to parse the Key file : keystore", "contexts": [], "cause": { "message": "Invalid rsa key, reason - bad decrypt", "contexts": [] } }
Can anyone point out what the problem is?
Thanks in advance.