SAML CONFIGURATION (Single Sign-On - SSO)

Single sign-on is an authentication scheme that allows a user to log in with a single ID and password to any of several related software systems. True single sign-on lets the user log in once and access services without re-entering authentication factors. This page describes how to enable the Single Sign-On (SSO) feature on the SAP Hybris side so that a user who is already authenticated at the identity provider reaches the storefront without entering a username and password again. Hybris OOTB doesn’t support any particular SSO provider; it ships a module named samlsinglesignon which can be used for integration with any SAML-compatible SSO service.

The samlsinglesignon extension uses Spring Security and the SAML 2.0 protocol to authenticate and authorize data across different security domains. Security Assertion Markup Language (SAML) 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, that is, an identity provider, and a SAML consumer, that is, a service provider. SAML 2.0 enables web-based authentication and authorization scenarios including cross-domain Single Sign-On.

Configuration

You only need to change the most important configuration options and can leave the rest at their defaults. Configuration covers three areas:

  • Metadata: SAML metadata is an XML document containing the information necessary for interaction with SAML-enabled identity or service providers: the URLs of endpoints, the supported bindings, identifiers and public keys.

  • Certificates: you need to generate a signed certificate (key pair) that will be used for signing and securing communication between your service provider and the IDP.

  • Identity provider (IDP): IDP discovery helps your service provider determine which identity provider should be used to authenticate the current user.

Procedure to setup SSO

The samlsinglesignon extension allows you to connect SAP Commerce with external identity provider (IDP) systems. To set it up, add the samlsinglesignon extension to localextensions.xml and restart the hybris server:

<extensions>
    <path dir='${HYBRIS_BIN_DIR}' autoload='false' />
    <extension name='samlsinglesignon' />
</extensions>


Generating keys and importing to java keystore

It is proposed that the keystore be stored in the hybris/config/security folder. The keystore file name must be samlKeystore.jks. You can generate samlKeystore.jks with an RSA key pair using the Java keytool command below. The alias hybris and the store password Training are the values referenced later in local.properties; use a strong password of your own in place of Training.

keytool -genkey -keyalg RSA -alias hybris -keystore samlKeystore.jks -storepass Training -validity 360000 -keysize 2048

Import the public key of the IDP into the keystore. The public key is usually provided as a .crt or .cer file. If you don’t have the signing certificate, take it from the IDP’s metadata.xml: copy the Base64 content between the X509Certificate tags (of the KeyDescriptor marked use="signing", not the encryption one), paste it into a file named ADFS_Public_key.cer, and wrap it in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines so that keytool recognizes it.

You can import certificates into your keystore by invoking the following command:

keytool -importcert -alias adfs -file ADFS_Public_key.cer -keystore samlKeystore.jks

Check the import with the following command:

keytool -list -v -keystore samlKeystore.jks
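The same key generation, certificate extraction and import as a script, added here as an example and not taken from the page or the samlsinglesignon extension. The metadata path, the -dname value and the password Training are placeholders, and the sample IdP metadata is constructed for the demonstration.

```shell
# Added example, not from the original page: take the IdP signing
# certificate out of metadata.xml, wrap it as PEM and build
# samlKeystore.jks. Paths, -dname and password are placeholders.

# Print the X509Certificate of the KeyDescriptor with use="signing"
# (or the first certificate in the file) as PEM: keytool -importcert
# rejects bare base64, it needs BEGIN/END lines, wrapped at 64 columns.
extract_idp_cert() {
    content=$(tr -d '\n\r' < "$1")
    case "$content" in
        *'use="signing"'*) rest=${content#*'use="signing"'} ;;
        *X509Certificate*) rest=$content ;;
        *) echo "no X509Certificate element in $1" >&2; return 1 ;;
    esac
    rest=${rest#*X509Certificate}      # skip to the opening tag ...
    rest=${rest#*>}                    # ... and past its closing '>'
    body=$(printf '%s' "${rest%%<*}" | tr -d ' \t' | fold -w 64)
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$body" \
        '-----END CERTIFICATE-----'
}

# Generate the SP key pair, import the IdP certificate and list the
# result (needs a JDK). keypass equals storepass because the page's
# local.properties uses one value for both.
build_keystore() {
    metadata="$1"; keystore="$2"; storepass="$3"
    extract_idp_cert "$metadata" > ADFS_Public_key.cer || return 1
    keytool -genkeypair -keyalg RSA -keysize 2048 -alias hybris -validity 360000 \
        -dname "CN=hybris-sp" -keystore "$keystore" \
        -storepass "$storepass" -keypass "$storepass" &&
    keytool -importcert -noprompt -alias adfs -file ADFS_Public_key.cer \
        -keystore "$keystore" -storepass "$storepass" &&
    keytool -list -v -keystore "$keystore" -storepass "$storepass"
}

# Constructed sample IdP metadata (dummy base64); the encryption key is
# listed first so the use="signing" selection is exercised.
SAMPLE_METADATA='<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<IDPSSODescriptor>
<KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data><ds:X509Certificate>RU5DUllQVElPTktFWQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
<KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data><ds:X509Certificate>
  U0lHTklOR0tFWQ==
</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
</IDPSSODescriptor></EntityDescriptor>'

# Write the sample to a file so extract_idp_cert can be run against it.
write_sample() { printf '%s\n' "$SAMPLE_METADATA" > "$1"; }
```

Run `write_sample idp.xml; extract_idp_cert idp.xml` to see the PEM that would be imported, or `build_keystore metadata.xml samlKeystore.jks Training` against a real IdP metadata file.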

Add configuration in local.properties

Add the properties below to the local.properties file under the config folder. If you need more, see the project.properties file in the samlsinglesignon extension. The URLs shown use localhost:9002; in a real deployment use the external host name of your server.

sso.entity.id=https://localhost:9002/samlsinglesignon/saml/hmc/hybris
sso.redirect.url=https://localhost:9002/
sso.cookie.name=samlPassThroughToken

#Keystore properties
sso.keystore.location=${HYBRIS_CONFIG_DIR}/security/samlKeystore.jks
sso.keystore.password=Training
sso.keystore.privatekey.alias=hybris
sso.keystore.privatekey.password=Training
sso.keystore.default.certificate.alias=hybris

#Metadata
sso.metadata.location=${HYBRIS_CONFIG_DIR}/security/metadata.xml

#Optional: names of the IDP attributes carrying the user's first and last name
#sso.firstname.attribute.key=first_name
#sso.lastname.attribute.key=last_name


Export Service Provider Metadata

Now run an ant build and restart the server. You should see a log entry in the hybris console reporting that the metadata was loaded successfully. To obtain the metadata for the service provider, request the following URL and download the XML file:

URL: https://localhost:9002/samlsinglesignon/saml/metadata

Download the metadata using the external URL of your server, since the XML file generated contains all the information about your service provider (Hybris) that the identity provider needs, including its endpoint URLs.

Active Directory Federation Services (ADFS)

Active Directory Federation Services is a feature and web service of the Windows Server operating system that allows identity information to be shared outside a company's network. It authenticates users with their usernames and passwords.

Download the service provider metadata.xml and provide it to ADFS or to your identity provider (such as neatwear or fiori). Once the service provider metadata has been uploaded, signing in to ADFS automatically passes the login session on to hybris commerce.

Group Level Authorization

The samlsinglesignon extension allows you to map a usergroup from the IDP to SAP Commerce by defining the group mapping in the project.properties file or in the database.

project.properties: you can use the following properties to configure the mapping (replace <sso usergroup> with the group name sent by the IDP):

sso.mapping.<sso usergroup>.usertype=Employee
sso.mapping.<sso usergroup>.groups=employeegroup

Database: there is an additional type called SamlUserGroup in which you can store the same information:

  • SamlUserGroup.samlUserGroup

  • SamlUserGroup.userType

  • SamlUserGroup.userGroups