Home
Administrator Guides
Administrator Guide
Administrator Guide
SAML 2.0 based federated authentication
Unica Platform implements a SAML 2.0 based Identity Provider (IdP) that enables a single sign-on federation among Unica products or between Unica products and third party applications.
How to implement federated authentication
Perform the procedures in this section to implement SAML 2.0 based federated authentication with ExperienceOne products.
Obtaining keystores and importing them into the IdP server
To establish the trusted party assertion, individual keystores are required for each integrating application and the IdP server.

Administrator Guides
- Administrator Guide
  - Administrator Guide
    - Unica Platform features
      Unica Platform provides security, configuration, notification, and dashboard features for Unica products.
    - Licensing - overview
    - HCL Unica user account management
      You can manage the attributes of user accounts created using Unica Platform user interface, which we refer to as internal accounts. This is in contrast to external user accounts, which are imported from an external system such as an LDAP server or web access control system.
    - Security management
      Unica Platform supports roles and permissions to control user access to objects and features in Unica applications.
    - Configuration management
      When Unica is first installed, the Configuration page shows only the properties used to configure Unica Platform and some global configuration properties. When you install additional Unica applications, the properties used to configure these applications are registered with Unica Platform. These properties are then shown on the Configuration page, where you can set or modify their values.
    - Dashboard management
      Dashboards are configurable pages that contain information useful to groups of users who fill various roles within your company. The components that make up dashboards are called portlets. Dashboards can contain pre-defined portlets or portlets that you create.
    - The HCL Unica Scheduler
      The Unica Scheduler enables you to configure a process to run at intervals that you define.
    - SAML 2.0 based federated authentication
      Unica Platform implements a SAML 2.0 based Identity Provider (IdP) that enables a single sign-on federation among Unica products or between Unica products and third party applications.
      - How to implement federated authentication
        Perform the procedures in this section to implement SAML 2.0 based federated authentication with ExperienceOne products.
        Creating the data repository
        Create two database tables, TP_MASTER and TP_MAPPING, to hold user mappings. Any schema can be used to create the tables.
        Configuring the IdP data source in the web application server
        Tomcat, WebSphere®, and WebLogic are supported web application servers for the IdP server. After the IdP server is deployed on the web application server, configure a JNDI data source to connect the IdP server with the data repository.
        Setting up the classpaths for the IBM IdP client façade
        If you want to use the IBM® IdP client façade, you must add JAR files in the classpath of your IdP server and the SPs.
        Deploying the IdP server
        The IdP-Server.war file can be deployed along with the Unica Platform WAR file in the same server, or it can be deployed separately. There is no direct dependence between these two WAR files.
        Configuring the IdP server
        The IdP server stores its keystore in its configuration to assert the SAML token coming from SPs. The configurations are stored in the IdPServerConfig.properties file under the conf folder of the web application server where the IdP server is deployed.
        Obtaining keystores and importing them into the IdP server
        To establish the trusted party assertion, individual keystores are required for each integrating application and the IdP server.
        Setting configuration properties on the Configuration page
        Set configuration properties on the Settings > Configuration page to configure federated authentication in Unica.
        Onboarding Service Providers and users
        The IdP server administrator must make one-time entries in the TP_MASTER table to onboard SPs and users.
        Using the IdP client façade to generate tokens and pass them to Service Providers
        When a user is authenticated and wants to access the services of another SP, call the following code on the SP side.
      - Related concepts
        This section provides general information about the technologies used in the ExperienceOne implementation of SAML 2.0 based federated single sign-on.
    - SAML 2.0 single sign-on
      Unica Platform supports SAML 2.0 based single sign-on.
    - Single sign-on between HCL Unica and IBM Digital Analytics
      If your organization uses IBM Digital Analytics, you can enable single sign-on between Digital Analytics and Unica.
    - Integration between HCL Unica and Windows Active Directory
      Unica Platform can be configured to integrate with Windows™ Active Directory server or another LDAP (Lightweight Directory Access Protocol) server. By integrating Unica with a directory server, you can maintain users and groups in one centralized location. Integration provides a flexible model for extending the enterprise authorization policies into Unica applications. Integration reduces support costs and the time needed to deploy an application in production.
    - Integration between HCL Unica and LDAP servers
      Unica Platform can be configured to integrate with Windows™ Active Directory server or another LDAP (Lightweight Directory Access Protocol) server. By integrating Unica with a directory server, you can maintain users and groups in one centralized location. Integration provides a flexible model for extending the enterprise authorization policies into Unica applications. Integration reduces support costs and the time needed to deploy an application in production.
    - Integration with web access control platforms
      Organizations use web access control platforms to consolidate their security systems, which provide a portal that regulates user access to web sites. This section provides an overview of Unica integration with web access control platforms.
    - Alert and notification management
      Unica Platform provides support for system alerts and user notifications sent by Unica products.
    - Implementation of one-way SSL
      This section describes one-way SSL in Unica.
    - Security framework for HCL Unica APIs
      Unica Platform provides the security framework for the APIs implemented by Unica products.
    - Data filter creation and management
      Data filters make it possible to restrict the customer data that an Unica user can view and work with in Unica applications. You can think of the data you secure with a data filter as a data set defined by the fields in your customer tables that you specify.
    - Audit event tracking in HCL Unica
      You can configure which audit events are tracked and assign a severity level to each tracked event.
    - The Unica Platform system log
      You should check the system log first if the Unica Platform application malfunctions. The system log is independent of the security audit information, which is stored in the system tables. While the system log tracks some of the same information contained in the security audit reports, it also contains information useful in troubleshooting Unica Platform.
    - Unica Platform utilities
      This section provides an overview of the Unica Platform utilities, including some details that apply to all the utilities and which are not included in the individual utility descriptions.
    - Unica Platform SQL scripts
      This section describes the SQL scripts provided with Unica Platform to perform various tasks relating to the Unica Platform system tables.
    - HCL Unica configuration properties
      This section describes the configuration properties found on the Settings & Configuration page.
    - Customization of stylesheets and images in the HCL Unica user interface
      You can customize the appearance of the user interface where most Unica product pages appear. By editing a cascading style sheet and providing your own graphics, you can change many of the images, fonts, and colors in the user interface.
- Configuration Properties Guide
- System Tables

Obtaining keystores and importing them into the IdP server

To establish the trusted party assertion, individual keystores are required for each integrating application and the IdP server.

About this task

Obtain keystores for the IdP server and for all SPs you want to include in the federation. You can generate the keystores using the Java™ keytool utility, or you can obtain them from a certificate authority.

If you generate keystores using the keytool utility, here is a typical workflow for this task, with example commands. In the examples, the Java™ 6 keytool path is C:\Program Files (x86)\Java\jre7\bin\keytool.

The IdP administrator generates a keystore for the IdP server and exports the certificate.


# Generate IdP JKS from keytool
c:\temp> "keytool_path\keytool" -genkey -keyalg RSA -alias idp 
-keystore idp.jks -storepass idp001 -validity 360 -keysize 2048
# Export IdP certificate from JKS
c:\temp> "keytool_path\keytool" -export -alias idp -file idp.cer 
-keystore idp.jks

An SP administrator generates a keystore and exports it.


# Generate Service Provider JKS from keytool
c:\temp> "keytool_path\keytool" -genkey -keyalg RSA -alias SP_1 
-keystore SP_1.jks -storepass SP001 -validity 360 -keysize 2048
# Export Service Provider certificate from JKS
c:\temp> "keytool_path\keytool" -export -alias SP_1 -file SP_1.cer 
-keystore SP_1.jks

The SP administrator then sends the certificate to the IdP administrator.

The IdP administrator imports the SP certificate into the IdP server.


# Import Service Provider certificate into IdP JKS
c:\temp> "keytool_path\keytool" -import -alias SP_1 
-trustcacerts -file SP_1.cer -keystore idp.jks

Have feedback?
Google Analytics is used to store comments and ratings. To provide a comment or rating for a topic, click Accept All Cookies or Allow All in Cookie Preferences in the footer of this page.