Step 0: Preparation
Understand the following before starting the SSO configuration tasks.
|Site administration privilege||You should have the ALM site administration privilege to access the SSO Configuration Tool.|
|IdP||IdP is available to register ALM as its SAML SP.|
You have already obtained a certificate (or a keystore file to store the certificate) that is used for ALM to sign SAML2 and OAuth tokens.
The keystore file will be uploaded to SSO Configuration Tool.
|HTTPS||HTTPS communication between IdP and ALM/ALM's reverse proxy is enabled and works normally.|
IdP SSL certificate
ALM server/ALM's reverse proxy SSL certificate
|Add the IdP SSL certificate and ALM server/ALM's reverse proxy SSL certificate to ALM's JVM trusted key store.|
|System time||If ALM is deployed in a cluster environment, make sure the system time on all ALM nodes and on users' IdP servers is synchronized as closely as possible. The systems on these servers can be configured to use a network time synchronization protocol such as the Network Time Protocol (NTP). If the time on any ALM node is different from the time on the IdP server, the authentication fails.|
|Node running in load balance||If ALM is deployed in a cluster environment, only one node is running in the load balance.|
Q： We get confused with the IdP certificate, SAML certificate, and HTTPS certificate etc. What certificates are required in ALM SSO configuration and what certificates are used when ALM communicates with IdPs?
|IdP SAML certificate||
ALM does not import the IdP SAML certificate. ALM only requires the IdP metadata in which the IdP certificates are contained.
|IdP SSL certificate||It should be imported into the JVM key store on which ALM runs.|
|ALM SAML certificate||It is used to encrypt and decrypt the SAML requests and responses between ALM and IdPs.|
|ALM/ALM's reverse proxy SSL certificate||It should be imported into the JVM key store on which ALM runs.|