Enable SSO

Enable SSO On Site Authentication Using Active Directory

Procedure

  1. Run the LDAP Synchronization Process Manually or Schedule a LDAP Synchronization Process .
  2. Log out of GE Digital APM.
  3. Log in to GE Digital APM with the Windows user name and password.
    You are logged in.

Results

  • SSO On-Site Authentication is enabled.

Enable SSO Off-Site Authentication Using GE Digital APM Server Setup

About this task

Note: The settings shown below may vary depending on your system.

Procedure

  1. In the module navigation menu, select Admin > Operations Manager > Host Names.
    The Host Names page appears.

  2. In the left pane, select .
    The workspace for a new host name appears, displaying default values.

  3. In the Name box, replace the default text with the GE Digital APM Server's fully qualified hostname.
  4. In the IDP URL box, replace the default text with the SAML Issuer ID that is specified on the IDP.
  5. Select the SSO Enabled check box.
  6. Select .
    The host name is saved.
  7. Log out of GE Digital APM.
  8. On the GE Digital APM Server, in the GE Digital APM program files, navigate to the folder ..\ApplicationServer\api.
    Note: If you installed the software in the default location, the folder location will be C:\Program Files\Meridium\ApplicationServer\api.
  9. Via an application that you can use to modify XML script (e.g., Notepad), open the file saml.config and uncomment the following section:
    
                        <PartnerIdentityProvider Name="urn:componentspace:MvcExampleIdentityProvider"
                        SignAuthnRequest="false"
                        WantSAMLResponseSigned="true"
                        WantAssertionSigned="true"
                        WantAssertionEncrypted="false"
                        SingleSignOnServiceUrl="http://foundationvm/SSOIDP/SAML/SSOService"
                        SingleLogoutServiceUrl="http://foundationvm/SSOIDP/SAML/SLOService"
                        CertificateFile="idp.cer"/>
                    
    Note: The settings in saml.config must be configured to match the environment to which you are connecting. For example, the URL listed in SingleSignOnServiceUrl should point to the URL where you want to authorize the users.
  10. In the uncommented section, replace the text urn:componentspace:MvcExampleIdentityProvider with the SAML Issuer ID that is specified on the IDP.
  11. In the uncommented section, modify the assertion and response signing settings to match the signing settings that are specified on the IDP, and then save and close the file.
  12. In your system's IDP, specify urn:componentspace:Meridium as the Audience Restriction.
    Note: If the IDP is doing assertion and/or response signing, then the IDP signature algorithm must be SHA1.
  13. Place the idp.cer file in the following location C:\Program Files\Meridium\ApplicationServer\api.
    Note: The idp.cer file should be obtained from the team responsible for setting up the SAML Identity Provider (IDP).
  14. Reset IIS.
    IIS is reset.
  15. Access GE Digital APM via a web browser.
    The user is logged in, and SSO off-site authentication is enabled.