Step 0: Preparation

Before starting the SSO configuration tasks, make sure the following are ready:

  • You have the ALM site administration privilege to access the SSO Configuration Tool.
  • IdP is available to register ALM as its SAML SP.
  • You have already obtained a certificate (or a keystore file to store the certificate) that is used for ALM to sign SAML2 and OAuth token.

    The keystore file will be uploaded to SSO Configuration Tool.

  • HTTPS communication between IdP and ALM/ALM's reverse proxy is enabled and works normally.

  • Add the IdP SSL certificate and ALM server/ALM's reverse proxy SSL certificate to ALM's JVM trusted key store.
  • If ALM is deployed in a cluster environment, make sure the system time on all ALM nodes and on users' IdP servers is synchronized as closely as possible. The systems on these servers can be configured to use a network time synchronization protocol such as the Network Time Protocol (NTP). If the time on any ALM node is different from the time on the IdP server, the authentication fails.

  • If ALM is deployed in a cluster environment, only one node is running in the load balance.

FAQ

Q: We get confused with the IdP certificate, SAML certificate, and HTTPS certificate etc. What certificates are required in ALM SSO configuration and what certificates are used when ALM communicates with IdPs?

A:

IdP SAML certificate

ALM does not import the IdP SAML certificate. ALM only requires the IdP metadata in which the IdP certificates are contained.

IdP SSL certificate It should be imported into the JVM key store on which ALM runs.
ALM SAML certificate It is used to encrypt and decrypt the SAML requests and responses between ALM and IdPs.
ALM/ALM's reverse proxy SSL certificate It should be imported into the JVM key store on which ALM runs.

Next steps: