Enabling SSO between a SAML identity provider and the Sametime Community Server

About this task

The Sametime® Community Server supports Security Assertion Markup Language (SAML) single sign-on. When this feature is enabled, the Community Server can validate SAML assertions that are generated by a SAML identity provider (idP). This allows a client to authenticate by password to the idP, receive a SAML assertion, and then use that assertion to log in to Sametime, without having to re-enter the password. The Community Server can validate either SAML or LTPA (Lightweight Third-Party Authentication) tokens, but it can only generate LTPA tokens.

Procedure

  1. Update the sametime.ini file:
     a. Remote to the Sametime Community Server.
     b. Open the sametime.ini file with a text editor.
     c. Under the [ST_BB_NAMES] section, add or modify the ST_AUTH_TOKEN setting to support SAML authentication, as shown in the following example:
        ST_AUTH_TOKEN=Fork:Saml,Notes
     d. Save and close the sametime.ini file.

Set up the certificate trust store for SAML signature validation

Sametime Community Server validates the signature in the SAML assertion. While the SAML identity provider (IdP) uses a private key for signing the assertion, the Sametime Community Server only needs the corresponding public key for validating the signature. Validation is achieved by adding the public certificate of the IdP to the list of signer certificates in the Sametime trust store.

The trust store can be either a P12 file (PKCS#12) or a JKS file (Java™ Key Store). You can use an existing certificate store file, or create a new one.

Once you have the trust store, specify the trust store file and password in the Sametime configuration. If you are securing other areas of Sametime, you can use the same key store and trust store at a global scope. If you plan to use the same trust store, review and complete the topic Implementing the Global TLS Scope.

To implement a dedicated trust store for SAML, use the STSAML_ prefix on the sametime.ini settings. These settings go in the [Config] section of sametime.ini.

STSAML_TRUST_STORE_FILE=Trust store file

STSAML_TRUST_STORE_TYPE=Trust store type

STSAML_TRUST_STORE_PASSWORD=Trust store password

STSAML_TRUST_STORE_PASSWORD_STASH_FILE=Trust store password stash file

Setting up the certificate trust store for decoding encrypted SAML assertions

SAML 2.0 supports encrypted assertions as an optional feature. This step is not needed if your IdP does not encrypt the assertions.

If the IdP encrypts the assertion, the Sametime Community Server needs to decrypt it in order to validate the assertion. This encryption is based on asymmetric cryptography, using two related keys: a private key and a public key. The IdP typically uses the public key for encryption, and the Sametime server uses the private key for decryption.

Configure the Sametime Community Server with the private key; the IdP must encrypt with the corresponding public key.

Setting up a key store is similar to setting up a trust store, as explained in Set up the certificate trust store for SAML signature validation above. The difference is that the trust store is used for signature validation and therefore does not require a private key, while the key store is used for decrypting encrypted elements and must contain a private key. Specify the private key by adding its certificate under Personal Certificates in the key store.

The key store can be a P12 file (PKCS#12) or JKS (Java™ Key Store). You can use an existing certificate store file, or create a new one.

If you plan to use a different key store for TLS and SAML, specify the key store using the following SAML-specific settings in the [Config] section of the sametime.ini file:

STSAML_KEY_STORE_FILE=Key store file

STSAML_KEY_STORE_TYPE=Key store type

STSAML_KEY_STORE_PASSWORD=Key store password

STSAML_KEY_STORE_PASSWORD_STASH_FILE=Key store password stash file

STSAML_KEY_LABEL=Certificate alias in key store

Save and close the sametime.ini file.
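The following script is an added example, not part of this page or of the Sametime product. It reads a sametime.ini and checks the three groups of settings described above before the server is restarted: the ST_AUTH_TOKEN value under [ST_BB_NAMES], the STSAML_TRUST_STORE_ settings for signature validation, and the STSAML_KEY_STORE_ / STSAML_KEY_LABEL settings for decrypting encrypted assertions. The embedded ini fragment is constructed (its paths, alias and password are made up), and the accepted store-type spellings (PKCS12, JKS) and file extensions it maps them to are assumptions, since the page only names "P12 (PKCS#12) or JKS" without showing the exact value strings.

```python
"""Offline sanity check of the SAML settings in a Sametime sametime.ini (example, not a Sametime tool)."""
import configparser
from pathlib import PureWindowsPath

# Constructed sametime.ini fragment mirroring the settings named on the page.
SAMPLE_INI = """\
[ST_BB_NAMES]
ST_AUTH_TOKEN=Fork:Saml,Notes

[Config]
STSAML_TRUST_STORE_FILE=C:\\Sametime\\saml-trust.p12
STSAML_TRUST_STORE_TYPE=PKCS12
STSAML_TRUST_STORE_PASSWORD_STASH_FILE=C:\\Sametime\\saml-trust.sth
STSAML_KEY_STORE_FILE=C:\\Sametime\\saml-keys.jks
STSAML_KEY_STORE_TYPE=JKS
STSAML_KEY_STORE_PASSWORD=changeit
STSAML_KEY_LABEL=sametime-saml-decrypt
"""

# Assumed spellings of the store-type values and the extensions they usually go with.
STORE_TYPE_BY_EXT = {".p12": "PKCS12", ".pfx": "PKCS12", ".jks": "JKS"}


def load_ini(text):
    """Parse ini text; '=' is the only delimiter so 'Fork:Saml,Notes' is kept intact."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def check_auth_token(cp):
    """ST_AUTH_TOKEN must follow the page's 'Fork:Saml,Notes' form and list Saml."""
    value = cp.get("ST_BB_NAMES", "ST_AUTH_TOKEN", fallback="").strip()
    if not value.lower().startswith("fork:"):
        return [("error", f"ST_AUTH_TOKEN={value!r}: expected the Fork:<types> form, e.g. Fork:Saml,Notes")]
    token_types = [t.strip().lower() for t in value.split(":", 1)[1].split(",")]
    if "saml" not in token_types:
        return [("error", f"ST_AUTH_TOKEN={value!r}: Saml is not listed, so SAML assertions are not accepted")]
    return []


def check_store(cp, prefix, label_key=None):
    """Check one STSAML_ store: file, type, a password source and (key store only) the key alias."""
    findings = []

    def get(name):
        return cp.get("Config", name, fallback="").strip()

    store_file, store_type = get(prefix + "_FILE"), get(prefix + "_TYPE")
    if not store_file:
        findings.append(("error", f"{prefix}_FILE is not set"))
    if not store_type:
        findings.append(("error", f"{prefix}_TYPE is not set"))
    # A type that does not match the file's format is a common reason the store fails to open.
    ext = PureWindowsPath(store_file).suffix.lower()
    expected = STORE_TYPE_BY_EXT.get(ext)
    if store_file and store_type and expected and store_type.upper() != expected:
        findings.append(("error", f"{prefix}_TYPE={store_type} does not match the {ext} extension (expected {expected})"))
    password, stash = get(prefix + "_PASSWORD"), get(prefix + "_PASSWORD_STASH_FILE")
    if not password and not stash:
        findings.append(("error", f"{prefix}_PASSWORD or {prefix}_PASSWORD_STASH_FILE must be set"))
    elif password:
        findings.append(("warning", f"{prefix}_PASSWORD is in clear text in sametime.ini; consider {prefix}_PASSWORD_STASH_FILE"))
    # Only the decryption key store needs an alias: the trust store holds the IdP's public certificate only.
    if label_key and not get(label_key):
        findings.append(("error", f"{label_key} (alias of the private key entry) is not set"))
    return findings


def check_config(cp):
    """Run all checks; returns a list of (severity, message) tuples."""
    return (check_auth_token(cp)
            + check_store(cp, "STSAML_TRUST_STORE")
            + check_store(cp, "STSAML_KEY_STORE", label_key="STSAML_KEY_LABEL"))


def errors(findings):
    return [msg for sev, msg in findings if sev == "error"]


if __name__ == "__main__":
    for severity, message in check_config(load_ini(SAMPLE_INI)):
        print(f"{severity.upper()}: {message}")
```

Run it against a real file by replacing SAMPLE_INI with the contents of the server's sametime.ini; an empty error list means every setting the page requires is present, and the warnings point at the clear-text password entries.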