{"id":15952,"date":"2018-09-19T23:48:56","date_gmt":"2018-09-19T23:48:56","guid":{"rendered":"https:\/\/ephesoft.com\/docs\/?p=15952"},"modified":"2021-08-27T07:49:07","modified_gmt":"2021-08-27T14:49:07","slug":"configuring-saml-sso","status":"publish","type":"docs","link":"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/single-sign-on-resources\/configuring-saml-sso\/","title":{"rendered":"Manually Configuring SAML 2.0 SSO for Ephesoft Transact 4.5.0.x and 2019.1"},"content":{"rendered":"<h2 id=\"Overview\"><a name=\"_Toc524956727\"><\/a>SSO Overview<\/h2>\n<p>Single sign-on (SSO) is a mechanism of access control that can be applied on multiple related, but independent software systems. With this mechanism, a user logs in once and gains access to multiple systems without being prompted to log in again for each individual application. Conversely, single sign-off is a property mechanism whereby a single action of signing out terminates access to multiple software systems.<\/p>\n<p>As different applications and resources support different authentication mechanisms, single sign-on internally translates to and stores different credentials, compared to what is used for initial authentication.<\/p>\n<h2 id=\"Benefits\"><a name=\"_Toc524956728\"><\/a>Benefits<\/h2>\n<p>SSO has several general benefits, to include the following:<\/p>\n<ul>\n<li>Reducing password fatigue from different user name and password combinations<\/li>\n<li>Reducing time spent re-entering passwords for the same identity<\/li>\n<li>Reduced logins for discreet systems\n<ul>\n<li>Corporate systems<\/li>\n<li>Shared intranet\/web applications<\/li>\n<li>Web logon aggregators<\/li>\n<\/ul>\n<\/li>\n<li>Reduced cost to reset a password<\/li>\n<li>Reduced time spent logging into multiple systems each time<\/li>\n<li>Reduces multiple authentication, unnecessary user clicks, forgotten passwords, multiple profiles<\/li>\n<li>Limited time and resources to develop IT solutions<\/li>\n<\/ul>\n<h2><a name=\"_Toc524956729\"><\/a>SSO Support Information for Ephesoft Transact<\/h2>\n<p>This document describes how to make manual SAML 2.0 SSO configurations during a new installation of Ephesoft Transact 4.5.0.x or 2019.1.<\/p>\n<p><strong>Note<\/strong>: Automated SSO configuration for Ephesoft Transact does not have scheduled availability.<\/p>\n<p>Ephesoft Transact has been tested with the following SSO-related components:<\/p>\n<ul>\n<li><strong>SAML 2.0 <\/strong>\u2014 An XML-based protocol that entails security tokens for authentication and authorization. Ephesoft Transact supports SAML 2.0, and has tested and certified the following identity providers that are compatible with Ephesoft Transact:\n<ul>\n<li>Active Directory Federation Services (ADFS)<\/li>\n<li>Okta<\/li>\n<li>PingFederate<\/li>\n<li>SSOCircle<\/li>\n<\/ul>\n<\/li>\n<li><strong>Transport Layer Security (TLS)<\/strong> \u2014 Ephesoft Transact 4.5.0.x and 2019.1 support TLS versions 1.0, 1.1 and 1.2.<\/li>\n<\/ul>\n<p>There are multiple additional identity providers in the market that support SAML 2.0. Ephesoft has not tested every available identity provider or security product.<\/p>\n<h2><a name=\"_Toc524956730\"><\/a>SSO Configuration Overview for Ephesoft Transact<\/h2>\n<p>This document describes how to make manual SAML 2.0 SSO configurations during a new installation of Ephesoft Transact 4.5.0.x or 2019.1.<\/p>\n<p style=\"padding-left: 30px\"><strong>Note: <\/strong>This document emphasizes tasks for operational deployment. At some time in the future, Ephesoft may provide a separate document that describes security and SSO concepts.<\/p>\n<p>This document contains the following sections and purposes:<\/p>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li><strong><a style=\"color: #2a6496\" href=\"#Prerequisites\">Prerequisites: <\/a><\/strong><strong>Required<\/strong>\u00a0\u2014 This section identifies the prerequisite conditions that must be in place in order to configure SSO for use with Ephesoft Transact.<\/li>\n<li><strong><a style=\"color: #2a6496\" href=\"#Obtaining_and_Installing_OpenSSL\">Obtaining and Installing OpenSSL: <\/a><\/strong><strong>Required<\/strong>\u00a0\u2014 This section describes the steps for downloading and installing OpenSSL. You must complete these steps prior to performing the additional SSO configurations in this document.<\/li>\n<li><strong><a style=\"color: #2a6496\" href=\"#Configuring_SSL_TLS\">Configuring SSL\/TLS: <\/a><\/strong><strong>Required<\/strong>\u00a0\u2014 This section describes the steps for configuring multiple components of the Secure Sockets Layer (SSL) protocol or the Transport Layer Security (TLS) protocol. One or more of these components may need to be configured, depending on your current requirements and status.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"padding-left: 40px\">Not all identity providers (IdP) will require SSL\/TLS configuration, but this section provides instructions for those IdPs that do require it.<\/p>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li><strong><a style=\"color: #2a6496\" href=\"#Configuring_SSLTLS_for_Ephesoft_Transact\">Configuring Ephesoft Transact for SSL\/TLS: <\/a><\/strong><strong>Required <\/strong>\u2014 This section describes how to configure Ephesoft Transact over SSL\/TLS.<\/li>\n<li><strong><a style=\"color: #2a6496\" href=\"#Configuring_Ephesoft_Transact_for_SAML_SSO\">Configuring Ephesoft Transact for SAML SSO: <\/a><\/strong><strong>Required<\/strong> \u2014 This section describes the steps for configuring SAML SSO within Ephesoft Transact.<\/li>\n<li><strong><a style=\"color: #2a6496\" href=\"#Configurations_for_Integrating_SAML-Enabled_Spring_Security_Framework\">Configurations for Integrating the SAML-Enabled Spring Security Framework: <\/a><\/strong><strong>Required<\/strong> \u2014 This section describes the steps for configuring the various components of the SAML-enabled Spring Security framework. There are several elements to configure in this phase of SSO setup.<\/li>\n<li><strong><a style=\"color: #2a6496\" href=\"#Exporting_the_Self-signed_Certificate_from_Keystore\">Exporting the Self-signed Certificate from Keystore: <\/a><\/strong><strong>As Needed <\/strong>\u2014 This short section describes how to export the self-signed certificates, if you need these for the additional configurations in this document.<\/li>\n<li><strong><a style=\"color: #2a6496\" href=\"#Troubleshooting_SAML_2.0_SSO_in_Ephesoft_Transact\">Troubleshooting SAML 2.0 SSO in Ephesoft Transact: <\/a><\/strong><strong>As Needed <\/strong>\u2014 This section provides a reference for monitoring and troubleshooting SSO configuration issues in Ephesoft Transact.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h1 id=\"Prerequisites\"><a name=\"_Toc524956731\"><\/a><a name=\"_Toc519774749\"><\/a>Prerequisites<\/h1>\n<h2><a name=\"_Toc524956732\"><\/a>Prerequisite Components<\/h2>\n<p>The following items are required to set up SAML 2.0 SSO authentication with Ephesoft Transact.<\/p>\n<ol>\n<li><strong>CA Certificate<\/strong> \u2014 If you have access to a trusted Certificate Authority (CA), you should complete the CA process to get a CA certificate, server certificate and server private key.<\/li>\n<\/ol>\n<ul>\n<li>If you do not have a trusted Certificate Authority (CA), you can create dummy CA certificates to test the setup in a lab or test environment.<\/li>\n<li>In an ideal scenario, you should have a trusted Certificate Authority (CA).<\/li>\n<\/ul>\n<ol start=\"2\">\n<li><strong>Identity Provider <\/strong>\u2014 You must have an installed identity provider (IdP) server that supports SAML 2.0.<br \/>\nEphesoft has tested and certified Ephesoft Transact with the following four identity providers:<\/li>\n<\/ol>\n<ul>\n<li>Active Directory Federation Services (ADFS)<\/li>\n<li>Okta<\/li>\n<li>PingFederate<\/li>\n<li>SSOCircle<\/li>\n<\/ul>\n<ol start=\"3\">\n<li><strong>Active Directory<\/strong> \u2014 This document does not provide step-by-step instructions for installing or configuring Active Directory.<br \/>\nIf you need to set up Active Directory in preparation for configuring SSO, refer to one or more of the following articles:<\/li>\n<\/ol>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li><a href=\"https:\/\/ephesoft.com\/docs\/configurations\/user-connectivity\/how-to-configure-active-directory\/\">How to Configure Active Directory<\/a><\/li>\n<li><a href=\"https:\/\/ephesoft.com\/docs\/kb0007802-active-directory-configurationsetup-sample-file-changes-for-proper-setup\/\">KB0007802 Active Directory Configuration\/Setup: Sample File Changes for Proper Setup<\/a><\/li>\n<li><a href=\"https:\/\/ephesoft.com\/docs\/configurations\/user-connectivity\/multiple-groups-active-directory\/\">Multiple Groups as Roles in Active Directory<\/a><\/li>\n<li><a href=\"https:\/\/ephesoft.com\/docs\/configurations\/user-connectivity\/how-to-administer-ephesoft-users-groups\/\">How to Administer Ephesoft Users &amp; Groups<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h1 id=\"Obtaining_and_Installing_OpenSSL\"><a name=\"_Toc524956733\"><\/a>Obtaining and Installing OpenSSL<\/h1>\n<p>OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. Use OpenSSL in the case that a trusted Certificate Authority (CA) certificate is not available.<\/p>\n<p>You can download OpenSSL on Windows from the <a href=\"https:\/\/slproweb.com\/products\/Win32OpenSSL.html\">Win32\/Win64 OpenSSL Open Installation Project<\/a><\/p>\n<p><strong>Note<\/strong>: You need to install PERL on the system before using OpenSSL. Refer to <a href=\"https:\/\/www.perl.org\/get.html\">the PERL website<\/a>.<\/p>\n<h1 id=\"Configuiring_SSL_TLS\"><a name=\"_Toc524956734\"><\/a><a name=\"_Toc519774751\"><\/a>Configuring SSL\/TLS<\/h1>\n<h2><a name=\"_Toc524956735\"><\/a>Introduction<\/h2>\n<p>This section provides detailed steps for setting up certificates for the Secure Sockets Layer (SSL) or Transport Layer Security (TLS).<\/p>\n<ul>\n<li>If you already have CA certificates, and the keystore is ready for SSL setup on the server, navigate to <a href=\"#Configuring_SSLTLS_for_Ephesoft_Transact\">Configuring SSL\/TLS for Ephesoft Transact<\/a>.<\/li>\n<li>If the server is already set up for certificates, keystore and SSL, navigate to the <a href=\"#Configuring_Ephesoft_Transact_for_SAML_SSO\">Configuring Ephesoft Transact for SAML 2.0 SSO<\/a>.<\/li>\n<\/ul>\n<h2><a name=\"_Toc524956736\"><\/a><a name=\"_Toc519774752\"><\/a>SSL\/TLS Setup: Server Certificates<\/h2>\n<p>To set up SSL\/TLS protocols, you need to use either certificate issued by CA or self-signed certificates, which can be used in the TEST environment as mentioned above.<\/p>\n<h3><a name=\"_Toc524956737\"><\/a><a name=\"_Toc519774753\"><\/a>Production Environment: CA Certificates<\/h3>\n<p>In a production environment, you must make use of certificates issued by a trusted CA.<\/p>\n<h3><a name=\"_Toc524956738\"><\/a><a name=\"_Toc519774754\"><\/a>Testing Environment: Self-Signed Certificates<\/h3>\n<p>For a lab or test environment, you can generate your own dummy self-signed certificates for testing the Ephesoft SSO integration. This can be done using OpenSSL, as described below. OpenSSL is an open-source general-purpose cryptography library, which is used for the implementation of SSL and TLS.<\/p>\n<p>Perform the following steps to create self-signed certificates using OpenSSL:<\/p>\n<p><strong>Note: <\/strong>In the case that <strong>cacert.pem<\/strong>, <strong>servercert.pem,<\/strong> and <strong>serverkey.pem<\/strong> files are already available, then you can directly proceed to Step 7 below.<\/p>\n<p style=\"padding-left: 30px\">1. Locate the OpenSSL <strong>CA.pl<\/strong> file, as this file is required to create the dummy CA certificate file.<\/p>\n<p style=\"padding-left: 30px\">2. Create a directory to store certificates:<\/p>\n<pre style=\"padding-left: 60px\"><strong>mkdir certificates<\/strong><\/pre>\n<p style=\"padding-left: 30px\">3. In <strong>Linux<\/strong>, execute the following command:<\/p>\n<pre style=\"padding-left: 60px\"><strong>\/usr\/lib\/ssl\/misc\/CA.pl -newca<\/strong><\/pre>\n<p style=\"padding-left: 60px\">OR,<\/p>\n<p style=\"padding-left: 60px\">In <strong>Windows<\/strong>, execute the above command replacing the path of <strong>CA.pl <\/strong>with the Windows path.<\/p>\n<p style=\"padding-left: 60px\">This creates\u00a0<strong>demoCA\/cacert.pem\u00a0<\/strong>(CA Certificate) and\u00a0<strong>demoCA\/private\/cakey.pem\u00a0<\/strong> (private key).<\/p>\n<p style=\"padding-left: 60px\"><strong>Note<\/strong>: The generated cacert.pem is located inside the demoCA folder.<\/p>\n<figure id=\"attachment_15958\" aria-describedby=\"caption-attachment-15958\" style=\"width: 644px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-a-Viewing-cacert.pem_.png\"><img decoding=\"async\" class=\"wp-image-15958 size-full\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-a-Viewing-cacert.pem_.png\" alt=\"\" width=\"644\" height=\"736\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-a-Viewing-cacert.pem_.png 644w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-a-Viewing-cacert.pem_-263x300.png 263w\" sizes=\"(max-width: 644px) 100vw, 644px\" \/><\/a><figcaption id=\"caption-attachment-15958\" class=\"wp-caption-text\"><em><span style=\"color: #808080\">Viewing the <strong>cacert.pem<\/strong>\u00a0file (CA Certificate)<\/span><\/em><\/figcaption><\/figure>\n<p style=\"padding-left: 30px\">4. Make a server certificate signing request (CSR) using the following command:<\/p>\n<pre style=\"padding-left: 60px\"><strong>openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem<\/strong><\/pre>\n<figure id=\"attachment_15959\" aria-describedby=\"caption-attachment-15959\" style=\"width: 643px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-b-using-openssl.png\"><img decoding=\"async\" class=\"wp-image-15959 size-full\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-b-using-openssl.png\" alt=\"\" width=\"643\" height=\"358\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-b-using-openssl.png 643w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-b-using-openssl-300x167.png 300w\" sizes=\"(max-width: 643px) 100vw, 643px\" \/><\/a><figcaption id=\"caption-attachment-15959\" class=\"wp-caption-text\"><em><span style=\"color: #808080\">Using the <strong>openssl reg<\/strong> Command<\/span><\/em><\/figcaption><\/figure>\n<p style=\"padding-left: 60px\"><strong>Note<\/strong>: Make sure to use the same name\/value in Common Name as that of the <strong>servername\/hostname<\/strong>.<br \/>\nOtherwise, when trying to access the server, the browser might warn the user that the name does not match the hostname.<br \/>\nAlso, make sure to access the server with the same hostname as mentioned here.<\/p>\n<p style=\"padding-left: 30px\">5. Create the server certificate \u2014 that is, sign the certificate CSR (certificate signing request) with CA using the following command:<\/p>\n<pre style=\"padding-left: 60px\"><strong>\/usr\/lib\/ssl\/misc\/CA.pl -sign<\/strong><\/pre>\n<p style=\"padding-left: 60px\"><strong>Note<\/strong>: Replace the path of the <strong>CA.pl<\/strong> file according to your operating system (Windows\/Linux).<\/p>\n<figure id=\"attachment_15960\" aria-describedby=\"caption-attachment-15960\" style=\"width: 643px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-c-create-server-cert.png\"><img decoding=\"async\" class=\"wp-image-15960 size-full\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-c-create-server-cert.png\" alt=\"\" width=\"643\" height=\"462\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-c-create-server-cert.png 643w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-c-create-server-cert-300x216.png 300w\" sizes=\"(max-width: 643px) 100vw, 643px\" \/><\/a><figcaption id=\"caption-attachment-15960\" class=\"wp-caption-text\"><em><span style=\"color: #808080\">Creating the Server Certificate<\/span><\/em><\/figcaption><\/figure>\n<p style=\"padding-left: 30px\">The following files will be created after executing the previous steps.<\/p>\n<ul>\n<li><strong>cacert.pem <\/strong>(CA certificate) \u2014 created in Step 3<\/li>\n<li><strong>newreq.pem<\/strong> (Server key) \u2014 created in Step 4<\/li>\n<li><strong>newcert.pem <\/strong>(Server certificate or certificate signed by CA) \u2014 created in Step 5 above<\/li>\n<\/ul>\n<p style=\"padding-left: 30px\">6. For improved clarity, rename these files:<\/p>\n<ul>\n<li>Rename\u00a0<strong>newreq.pem <\/strong>to\u00a0<strong>serverkey.pem<\/strong><\/li>\n<li>Rename\u00a0<strong>newreq.pem\u00a0<\/strong>to\u00a0<strong>servercert.pem<\/strong><\/li>\n<\/ul>\n<p style=\"padding-left: 30px\">The following PEM files will be available after renaming the original files:<\/p>\n<ul>\n<li><strong>cacert.pem<\/strong><\/li>\n<li><strong>servercert.pem<\/strong><\/li>\n<li><strong>serverkey.pem<\/strong><\/li>\n<\/ul>\n<p style=\"padding-left: 30px\">7. Convert the\u00a0<strong>servercert.pem\u00a0<\/strong>file to PKC12 format (*.p12) using the following command:<\/p>\n<pre>openssl pkcs12 -export -in servercert.pem -inkey serverkey.pem -out servercert.p12 -name servercertificate<\/pre>\n<p><strong>Note<\/strong>: The converted file (<strong>servercert.p12<\/strong>) acts as a server certificate and is used to generate keystore. When prompted for the <strong>Export Password<\/strong>, enter a password and keep the password safe.<\/p>\n<figure id=\"attachment_15961\" aria-describedby=\"caption-attachment-15961\" style=\"width: 1016px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-d-convert-servercert-file.png\"><img decoding=\"async\" class=\"wp-image-15961 size-full\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-d-convert-servercert-file.png\" alt=\"\" width=\"1016\" height=\"130\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-d-convert-servercert-file.png 1016w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-d-convert-servercert-file-300x38.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-d-convert-servercert-file-768x98.png 768w\" sizes=\"(max-width: 1016px) 100vw, 1016px\" \/><\/a><figcaption id=\"caption-attachment-15961\" class=\"wp-caption-text\"><em>Converting the servercert.pem File to PKC12 Format<\/em><\/figcaption><\/figure>\n<p style=\"padding-left: 30px\">8. Create a java keystore file by converting the p12 file to Java Keytool format by using the following command:<\/p>\n<pre>keytool -importkeystore -destkeystore servercert.jks -srckeystore servercert.p12 -srcstoretype PKCS12 -alias servercertificate<\/pre>\n<p><strong>Note<\/strong>: When prompted for the destination keystore password, enter a password and keep it safe. It will be used as keystore password in the server.xml file. Also, when prompted for source keystore password, enter the export password for input servercert.p12 file created in the previous step (Step 7).<\/p>\n<figure id=\"attachment_15962\" aria-describedby=\"caption-attachment-15962\" style=\"width: 1024px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-e-keytool-command.png\"><img decoding=\"async\" class=\"wp-image-15962 size-large\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-e-keytool-command-1024x108.png\" alt=\"\" width=\"1024\" height=\"108\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-e-keytool-command-1024x108.png 1024w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-e-keytool-command-300x32.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-e-keytool-command-768x81.png 768w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-e-keytool-command.png 1474w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption id=\"caption-attachment-15962\" class=\"wp-caption-text\"><em>Keytool Command<\/em><\/figcaption><\/figure>\n<p style=\"padding-left: 30px\">9. Create a java truststore file by converting the pem file to Java Keytool format by using the following command:<\/p>\n<pre>keytool -import -keystore cacerts.jks -alias cacert -file cacert.pem<\/pre>\n<p><strong>Note<\/strong>: When prompted for <strong>keystore<\/strong> password, enter a password and keep the password safe. It will be used as <strong>truststore<\/strong> password in <strong>server.xml<\/strong>.<\/p>\n<figure id=\"attachment_15963\" aria-describedby=\"caption-attachment-15963\" style=\"width: 917px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-f-java-truststore.png\"><img decoding=\"async\" class=\"wp-image-15963 size-full\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-f-java-truststore.png\" alt=\"\" width=\"917\" height=\"738\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-f-java-truststore.png 917w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-f-java-truststore-300x241.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-f-java-truststore-768x618.png 768w\" sizes=\"(max-width: 917px) 100vw, 917px\" \/><\/a><figcaption id=\"caption-attachment-15963\" class=\"wp-caption-text\"><span style=\"color: #808080\"><em>Creating a Java Truststore file<\/em><\/span><\/figcaption><\/figure>\n<p>These files will be used while configuring SSL\/TLS on the Ephesoft Transact server.<\/p>\n<h1 id=\"Configuring_SSLTLS_for_Ephesoft_Transact\"><a name=\"_Toc519774757\"><\/a><a name=\"_Toc524956739\"><\/a>Configuring SSL\/TLS for Ephesoft Transact<\/h1>\n<h2><a name=\"_Toc524956740\"><\/a>Introduction<\/h2>\n<p>Use the steps in this section to configure SSL\/TLS on Ephesoft, after you have generated the certificates with the previous chapter.<\/p>\n<p>If you do not need to perform any of these SSL\/TLS setup tasks, please proceed to <a href=\"#Configuring_Ephesoft_Transact_for_SAML_SSO\">Configuring Ephesoft Transact for SAML SSO<\/a>.<\/p>\n<h2><a name=\"_Toc524956741\"><\/a>SSL\/TLS Setup: Configuring the Ephesoft Transact JavaAppServer (Tomcat)<\/h2>\n<p>As an example of SSL and TLS setup, this section describes how to use self-signed certificates from the previous chapter and to generate them for testing purposes. If you are using CA certificates in a production environment, provide the details shared by your Certifying Authority.<\/p>\n<p>To configure the Tomcat Connector using CA\/Self-Signed Keystore and Truststore certificates, perform the following steps:<\/p>\n<ol>\n<li>Make a backup copy of the existing XML file located in the <em>[Ephesoft_Directory]<\/em>\/JavaAppServer\/conf folder.<\/li>\n<li>Open the XML file in edit mode, and locate the existing HTTP\/HTTPS connector, as shown in the snapshot.<\/li>\n<\/ol>\n<figure id=\"attachment_15964\" aria-describedby=\"caption-attachment-15964\" style=\"width: 1024px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-2-a-existing-https-connector.png\"><img decoding=\"async\" class=\"size-large wp-image-15964\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-2-a-existing-https-connector-1024x251.png\" alt=\"\" width=\"1024\" height=\"251\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-2-a-existing-https-connector-1024x251.png 1024w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-2-a-existing-https-connector-300x73.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-2-a-existing-https-connector-768x188.png 768w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-2-a-existing-https-connector.png 1405w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption id=\"caption-attachment-15964\" class=\"wp-caption-text\"><em><span style=\"color: #808080\">Existing HTTP\/HTTPS Connector<\/span><\/em><\/figcaption><\/figure>\n<p style=\"padding-left: 30px\">3. Comment the existing connector (default port 8080) and create a new connector by manually adding the following properties in the <strong>server.xml<\/strong> file:<\/p>\n<table style=\"height: 368px\" width=\"598\">\n<tbody>\n<tr>\n<td style=\"padding-left: 10px\" width=\"195\">protocol:<\/td>\n<td width=\"332\"><strong>org.apache.coyote.http11.Http11NioProtocol<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 10px\" width=\"195\">port:<\/td>\n<td width=\"332\"><strong>8443 (change port number if required)<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 10px\" width=\"195\">maxThreads:<\/td>\n<td width=\"332\"><strong>2000<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 10px\" width=\"195\">clientAuth:<\/td>\n<td width=\"332\"><strong>false<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 10px\" width=\"195\">scheme:<\/td>\n<td width=\"332\"><strong>https<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 10px\" width=\"195\">keepAliveTimeout:<\/td>\n<td width=\"332\"><strong>-1<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 10px\" width=\"195\">connectionTimeout:<\/td>\n<td width=\"332\"><strong>900000<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 10px\" width=\"195\">secure:<\/td>\n<td width=\"332\"><strong>true<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 10px\" width=\"195\">SSLEnabled:<\/td>\n<td width=\"332\"><strong>true<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 10px\" width=\"195\">sslProtocol:<\/td>\n<td width=\"332\"><strong>TLS<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 10px\" width=\"195\">sessionTimeout:<\/td>\n<td width=\"332\"><strong>30<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 10px\" width=\"195\">truststoreFile:<\/td>\n<td width=\"332\"><strong>(truststore file generated previously)<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 10px\" width=\"195\">truststorePass:<\/td>\n<td width=\"332\"><strong>&lt;password for trustore&gt;<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 10px\" width=\"195\">keystoreFile:<\/td>\n<td width=\"332\"><strong>(keystore files generated previously)<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 10px\" width=\"195\">keystorePass:<\/td>\n<td width=\"332\"><strong>&lt;password for keystore&gt;<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 10px\" width=\"195\">maxKeepAliveRequests:<\/td>\n<td width=\"332\"><strong>200<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<pre style=\"padding-left: 30px\">&lt;Connector protocol=\"org.apache.coyote.http11.Http11NioProtocol\"\r\nport=\"8443\" maxThreads=\"2000\" clientAuth=\"false\" scheme=\"https\"\r\nkeepAliveTimeout=\"-1\" connectionTimeout=\"900000\" compression=\"on\"\r\nnoCompressionUserAgents=\"gozilla, traviata\"\r\ncompressableMimeType=\"text\/html,text\/xml,text\/css,text\/javascript,image\/jpg,image\/ico,image\/png,image\/jpeg,image\/tiff,image\/tif\"\r\nsecure=\"true\" SSLEnabled=\"true\" sslProtocol=\"TLS\" sessionTimeout=\"30\"\r\ntruststoreFile=\"enter trust store complete path\" truststorePass=\"enter truststore password\"\r\nkeystoreFile=\"enter key store complete path\" keystorePass=\"enter keystore password\"\r\nmaxKeepAliveRequests=\"200\" maxPostSize=\"4194304\" \/&gt;<\/pre>\n<p><strong>Note: <\/strong>Ensure that you replace the path of the certificates with the actual location of the certificates.<\/p>\n<figure id=\"attachment_15965\" aria-describedby=\"caption-attachment-15965\" style=\"width: 1024px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-2-b-cert-settings.png\"><img decoding=\"async\" class=\"size-large wp-image-15965\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-2-b-cert-settings-1024x151.png\" alt=\"\" width=\"1024\" height=\"151\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-2-b-cert-settings-1024x151.png 1024w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-2-b-cert-settings-300x44.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-2-b-cert-settings-768x113.png 768w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-2-b-cert-settings.png 1162w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption id=\"caption-attachment-15965\" class=\"wp-caption-text\"><em><span style=\"color: #808080\">Certificate Settings<\/span><\/em><\/figcaption><\/figure>\n<h2><a name=\"_Toc524956742\"><\/a><a name=\"_Toc519774756\"><\/a>SSL\/TLS Setup: Configuring Ephesoft Transact Files<\/h2>\n<p>The following files need to be configured in cases where you are setting up Ephesoft Transact files for SSL\/TLS:<\/p>\n<ul>\n<li>EPHESOFT_HOME\/Application\\WEB-INF\\classes\\META-INF\\dcma-batch\\<a href=\"#_dcma-batch.properties\">dcma-batch.properties<\/a><\/li>\n<li>EPHESOFT_HOME\/Application\\WEB-INF\\classes\\META-INF\\dcma-workflows\\<a href=\"#_dcma-workflows.properties\">dcma-workflows.properties<\/a><\/li>\n<li>EPHESOFT_HOME\/Application\/WEB-INF\/<a href=\"#_web.xml_1\">xml<\/a><\/li>\n<\/ul>\n<h3><a name=\"_Toc524956743\"><\/a>dcma-batch.properties<\/h3>\n<p>Modify the <strong>base_http_url<\/strong> to include the https protocol, correct port and hostname.<\/p>\n<figure id=\"attachment_15966\" aria-describedby=\"caption-attachment-15966\" style=\"width: 523px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-3-1-modifying-batch.base_.png\"><img decoding=\"async\" class=\"size-full wp-image-15966\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-3-1-modifying-batch.base_.png\" alt=\"\" width=\"523\" height=\"23\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-3-1-modifying-batch.base_.png 523w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-3-1-modifying-batch.base_-300x13.png 300w\" sizes=\"(max-width: 523px) 100vw, 523px\" \/><\/a><figcaption id=\"caption-attachment-15966\" class=\"wp-caption-text\"><span style=\"color: #808080\"><em>Modifying <strong>batch.base_http_url<\/strong><\/em><\/span><\/figcaption><\/figure>\n<h3><a name=\"_Toc524956744\"><\/a>dcma-workflows.properties<\/h3>\n<p>Modify the <strong>wb.hostURL<\/strong> to include the https protocol, correct port and correct host.<\/p>\n<figure id=\"attachment_15967\" aria-describedby=\"caption-attachment-15967\" style=\"width: 400px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-3-2-modifying-wb.hostURL.png\"><img decoding=\"async\" class=\"size-full wp-image-15967\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-3-2-modifying-wb.hostURL.png\" alt=\"\" width=\"400\" height=\"25\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-3-2-modifying-wb.hostURL.png 400w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-3-2-modifying-wb.hostURL-300x19.png 300w\" sizes=\"(max-width: 400px) 100vw, 400px\" \/><\/a><figcaption id=\"caption-attachment-15967\" class=\"wp-caption-text\"><span style=\"color: #808080\"><em>Modifying <strong>wb.hostURL<\/strong><\/em><\/span><\/figcaption><\/figure>\n<h3><a name=\"_Toc524956745\"><\/a>web.xml<\/h3>\n<ul>\n<li>Make a backup copy of the existing web.xml file.<\/li>\n<li>Modify the following &lt;context-param&gt; entries:<\/li>\n<\/ul>\n<table width=\"642\">\n<tbody>\n<tr>\n<td width=\"192\"><strong>Parameter Name<\/strong><\/td>\n<td width=\"450\"><strong>Updated Value<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"192\">\n<pre>port<\/pre>\n<\/td>\n<td width=\"450\">Enter the value matching the value in <strong>server.xml<\/strong>. Update this only if you have updated the port number.<\/p>\n<p><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-3-3-a-enter-port-value.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-15968\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-3-3-a-enter-port-value.png\" alt=\"\" width=\"367\" height=\"79\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-3-3-a-enter-port-value.png 367w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-3-3-a-enter-port-value-300x65.png 300w\" sizes=\"(max-width: 367px) 100vw, 367px\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"192\">\n<pre>protocol<\/pre>\n<\/td>\n<td width=\"450\">Enter <strong>HTTPS<\/strong>.<\/p>\n<p><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-3-3-b-enter-protocol-value.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-15969\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-3-3-b-enter-protocol-value.png\" alt=\"\" width=\"358\" height=\"89\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-3-3-b-enter-protocol-value.png 358w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-3-3-b-enter-protocol-value-300x75.png 300w\" sizes=\"(max-width: 358px) 100vw, 358px\" \/><\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<ul>\n<li>The Logout URL needs to be of the following format:<\/li>\n<\/ul>\n<pre style=\"padding-left: 60px\"><strong>https:\/\/{hostname}:{port-number}\/dcma\/saml\/logout<\/strong><\/pre>\n<figure id=\"attachment_15970\" aria-describedby=\"caption-attachment-15970\" style=\"width: 659px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-3-3-c-Logout-URL.png\"><img decoding=\"async\" class=\"size-full wp-image-15970\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-3-3-c-Logout-URL.png\" alt=\"\" width=\"659\" height=\"91\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-3-3-c-Logout-URL.png 659w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/5-3-3-c-Logout-URL-300x41.png 300w\" sizes=\"(max-width: 659px) 100vw, 659px\" \/><\/a><figcaption id=\"caption-attachment-15970\" class=\"wp-caption-text\"><strong><em><span style=\"color: #808080\">Logout URL<\/span><\/em><\/strong><\/figcaption><\/figure>\n<h1 id=\"Configuring_Ephesoft_Transact_for_SAML_SSO\"><a name=\"_Toc524956746\"><\/a>Configuring Ephesoft Transact for SAML SSO<\/h1>\n<h2><a name=\"_Toc524956747\"><\/a>Introduction to SAML<\/h2>\n<p>Ephesoft uses Spring Security SAML. Refer to the following resource for more information:<\/p>\n<ul>\n<li><a href=\"https:\/\/projects.spring.io\/spring-security-saml\/\">https:\/\/projects.spring.io\/spring-security-saml\/<\/a><\/li>\n<\/ul>\n<p>This section provides an overview of the Security Assertion Markup Language (SAML), with additional information where it applies to Ephesoft Transact.<\/p>\n<ul>\n<li><strong>SAML Overview<\/strong> \u2014 Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.<\/li>\n<li><strong>Identity Provider Overview<\/strong> \u2014 \u201cAn identity provider offers user authentication as a service. Relying party applications, such as web applications, outsource the user authentication step to a trusted identity provider. Such a relying party application is said to be federated, that is, it consumes federated identity. An identity provider is \u201ca trusted provider that lets you use single sign-on (SSO) to access other websites.\u201d SSO enhances usability by reducing password fatigue. It also provides better security by decreasing the potential attack surface.\u201d<\/li>\n<\/ul>\n<p style=\"text-align: right\"><em>Source \u2014 <\/em><a href=\"https:\/\/en.wikipedia.org\/wiki\/Identity_provider\"><em>Wikipedia<\/em><\/a><em> (8\/28\/18)<\/em><\/p>\n<ul>\n<li><strong>Service Provider Overview<\/strong> \u2014 In SAML, a service provider \u201cis a system entity that receives and accepts authentication assertions in conjunction with a single sign-on (SSO) profile of the Security Assertion Markup Language (SAML).\u201d<\/li>\n<\/ul>\n<p style=\"text-align: right\">Source \u2014 <a href=\"https:\/\/en.wikipedia.org\/wiki\/Service_provider_(SAML)\"><em>Wikipedia<\/em><\/a><em> (8\/28\/18)<\/em><\/p>\n<h2><a name=\"_Toc524956748\"><\/a>SAML v2 Support in Ephesoft Transact<\/h2>\n<p>Ephesoft Transact supports Spring Security-based SAML SSO. The important components for configuring SSO are as follows:<\/p>\n<ul>\n<li><strong>applicationContext-security.xml<\/strong>: User can configure all Spring Security-related beans from this XML.<\/li>\n<li><strong>SAML IdP<\/strong>: A third-party IdP (Identity Provider) is required to configure the AuthenticationHandler. Metadata from Ephesoft is required to be registered with the IdP.<\/li>\n<li><strong>JKS Keystore<\/strong>: A Keystore needs to be set up for general authentication.<\/li>\n<li><strong>Logout URL<\/strong>: This parameter is required to redirect the user to a page when they click on the Ephesoft logout button.<\/li>\n<li><strong>Mode<\/strong>: This parameter can have two values; <strong>AUTHENTICATION_ONLY<\/strong> and <strong>AUTHENTICATION_AUTHORIZATION<\/strong>. Based on this parameter, Ephesoft Authorization is used.\n<ul>\n<li>If the <strong>AUTHENTICATION_ONLY<\/strong> parameter is used, then the provided username is used for authorization using configured connectivity.<\/li>\n<li>If <strong>AUTHENTICATION_AUTHORIZATION<\/strong> is used, Ephesoft looks for Roles and IsSuperAdmin attributes in the SAML Response. The attribute names that are passed through SAML response are configurable.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h1 id=\"Configurations_for_Integrating_SAML-Enabled_Spring_Security_Framework\"><a name=\"_Toc524956749\"><\/a><a name=\"_Toc519774758\"><\/a>Configurations for Integrating SAML-Enabled Spring Security Framework<\/h1>\n<h2><a name=\"_Toc524956750\"><\/a>Introduction<\/h2>\n<p>This section provides the details to configure Ephesoft Transact for SAML SSO. If Ephesoft Transact has already been configured, skip to the section, <a href=\"#_Configuration_in_ADFS\">Configuring the ADFS Server<\/a>.<\/p>\n<p>The following files need to be configured:<\/p>\n<ul>\n<li><strong>EPHESOFT_HOME\/Application\/<a href=\"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/single-sign-on-resources\/configuring-saml-sso\/#applicationcontext-xml\">applicationContext.xml<\/a><\/strong><\/li>\n<li><strong>EPHESOFT_HOME\/Application\/WEB-INF\/<a href=\"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/single-sign-on-resources\/configuring-saml-sso\/#web-xml-1\">web.xml<\/a><\/strong><\/li>\n<li><strong>EPHESOFT_HOME\/application\/WEB-INF\/classes\/security\/<a href=\"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/single-sign-on-resources\/configuring-saml-sso\/#samlkeystore-jks\">samlKeystore.jks<\/a><\/strong><\/li>\n<li><strong>EPHESOFT_HOME\/Application\/WEB-INF\/classes\/META-INF\/<a href=\"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/single-sign-on-resources\/configuring-saml-sso\/#applicationcontext-security-xml\">applicationContext-security.xml<\/a><\/strong><\/li>\n<\/ul>\n<h2><a name=\"_Toc524956751\"><\/a><a name=\"_Toc519774759\"><\/a>applicationContext.xml<\/h2>\n<ul>\n<li>Uncomment the <strong>applicationContext-security.xml<\/strong> resource in <strong>applicationContext.xml<\/strong> to use SAML SSO.<\/li>\n<\/ul>\n<figure id=\"attachment_15971\" aria-describedby=\"caption-attachment-15971\" style=\"width: 1024px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-2-uncomment-applicationContext-security.png\"><img decoding=\"async\" class=\"wp-image-15971 size-large\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-2-uncomment-applicationContext-security-1024x314.png\" alt=\"\" width=\"1024\" height=\"314\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-2-uncomment-applicationContext-security-1024x314.png 1024w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-2-uncomment-applicationContext-security-300x92.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-2-uncomment-applicationContext-security-768x236.png 768w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-2-uncomment-applicationContext-security.png 1221w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption id=\"caption-attachment-15971\" class=\"wp-caption-text\"><em><span style=\"color: #808080\">Uncommenting <strong>applicationContext-security.xml<\/strong><\/span><\/em><\/figcaption><\/figure>\n<h2><a name=\"_Toc524956752\"><\/a><a name=\"_Toc519774760\"><\/a>web.xml<\/h2>\n<ul>\n<li>Uncomment the <strong>springSecurityFilterChain<\/strong> and its filter mapping.<\/li>\n<li>Comment out the following elements in the web.xml file:\n<ul>\n<li><strong>SessionTimeoutFilter <\/strong>and its filter mapping<\/li>\n<li><strong>SessionTimeoutServlet <\/strong>and its filter mapping<\/li>\n<li>All security-constraints and <strong>login-config<\/strong> nodes<\/li>\n<li>The <strong>session-config<\/strong> node needs to be commented out in the <strong>xml<\/strong> file.<\/li>\n<\/ul>\n<\/li>\n<li>Configure the logout URL according to the server details.\n<ul>\n<li>The logout URL needs to follow this form:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"padding-left: 90px\"><strong>https:\/\/{hostname}:port\/dcma\/saml\/logout<\/strong><\/p>\n<ul>\n<li>The\u00a0<strong style=\"font-family: monospace, serif;font-size: 1em\">authenticationFilter<\/strong> and its mapping must be prior in sequence to the\u00a0<strong>authorizationFilter\u00a0<\/strong>in the filter chain.<\/li>\n<\/ul>\n<figure id=\"attachment_15972\" aria-describedby=\"caption-attachment-15972\" style=\"width: 711px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-3-a-application-filter.png\"><img decoding=\"async\" class=\"wp-image-15972 size-full\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-3-a-application-filter.png\" alt=\"\" width=\"711\" height=\"615\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-3-a-application-filter.png 711w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-3-a-application-filter-300x259.png 300w\" sizes=\"(max-width: 711px) 100vw, 711px\" \/><\/a><figcaption id=\"caption-attachment-15972\" class=\"wp-caption-text\"><em><span style=\"color: #808080\">Authentication Filter<\/span><\/em><\/figcaption><\/figure>\n<ul>\n<li>Select the appropriate value for <strong>authenticationType<\/strong> as per the following logic:\n<ul>\n<li><strong>1<\/strong>: If only the username will be passed along as attribute in the SAML message, and authorization will be determined by Ephesoft Transact.<\/li>\n<li><strong>2<\/strong>: If the username, group and isSuperAdmin values will be passed along as attributes in the SAML message.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<figure id=\"attachment_15973\" aria-describedby=\"caption-attachment-15973\" style=\"width: 1024px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-3-b-authentication-type.png\"><img decoding=\"async\" class=\"size-large wp-image-15973\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-3-b-authentication-type-1024x102.png\" alt=\"\" width=\"1024\" height=\"102\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-3-b-authentication-type-1024x102.png 1024w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-3-b-authentication-type-300x30.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-3-b-authentication-type-768x76.png 768w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-3-b-authentication-type.png 1135w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption id=\"caption-attachment-15973\" class=\"wp-caption-text\"><em>Authentication Type<\/em><\/figcaption><\/figure>\n<pre>If authenticationType=1 (i.e. Authentication Only), roles need to be defined as per the property defined in <strong>user-connectivity.properties<\/strong> (&lt;Ephesoft_Installation_directory&gt;\\Application\\WEB-INF\\classes\\META-INF\\dcma-user-connectivity\\user-connectivity.properties). The <strong>user.connection<\/strong> property defines where the roles will be mapped.<\/pre>\n<pre>If user.connection=0, roles for the user will be mapped in LDAP\r\nuser.connection=1, <span style=\"color: #008000\"><u>roles for the user will be mapped in AD<\/u><\/span>\r\nuser.connection=2, roles for the user will be mapped in <strong>tomcat-users.xml<\/strong>(&lt;Ephesoft_Installation_directory&gt;\\JavaAppServer\\conf\\tomcat-users.xml)<\/pre>\n<pre>If authenticationType=2 (i.e. Authentication and Authorization are done by IdP) and the group is not received from ADFS server, then, by default the system will use the group defined in <em>default_group<\/em> property of <strong>application.properties <\/strong>(&lt;Ephesoft_Installation_directory&gt;\\Application\\WEB-INF\\classes\\META-INF\\application.properties)<strong>.<\/strong><\/pre>\n<figure id=\"attachment_15974\" aria-describedby=\"caption-attachment-15974\" style=\"width: 830px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-3c-user-connection-properties.png\"><img decoding=\"async\" class=\"wp-image-15974 size-full\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-3c-user-connection-properties.png\" alt=\"\" width=\"830\" height=\"51\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-3c-user-connection-properties.png 830w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-3c-user-connection-properties-300x18.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-3c-user-connection-properties-768x47.png 768w\" sizes=\"(max-width: 830px) 100vw, 830px\" \/><\/a><figcaption id=\"caption-attachment-15974\" class=\"wp-caption-text\"><em><span style=\"color: #808080\">User Connection Properties<\/span><\/em><\/figcaption><\/figure>\n<p><strong>Note<\/strong>: <span style=\"color: #008000\"><u>Mapping roles for the user in AD<\/u><\/span> is a feature that is only available in Ephesoft Transact 4.5.0.2 and later releases.<br \/>\nThis AD role-mapping function is not supported in releases prior to Release 4.5.0.2.<\/p>\n<h3><a name=\"_Toc524956753\"><\/a>Multiple Group Support in web.xml<\/h3>\n<p>By default, when using SSO, Ephesoft Transact presumes that every user will be associated with a single group. To enable a single user with multiple groups for <strong>authentication Type = 2<\/strong>, certain configuration changes are required.<\/p>\n<p>Follow the steps in <a href=\"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/saml-sso-multiple-groups-support\/\">SAML SSO | Multiple Groups Support<\/a> to make such configurations for multiple groups.<\/p>\n<h2><a name=\"_Toc524956754\"><\/a><a name=\"_Toc519774761\"><\/a>samlKeystore.jks<\/h2>\n<p>A Java Keystore (JKS) is a repository of security certificates. SAML exchanges involve usage of cryptography for signing and encryption of data. This keystore will contain a <strong><em>certificate and private key<\/em><\/strong> that will be used to digitally sign the SAML messages and to encrypt their content.<\/p>\n<p>A default keystore with the name samlKeystore.jks is provided in the application. However, the user can also create a custom keystore.<\/p>\n<h3><a name=\"_Toc524956755\"><\/a>Create a private key<\/h3>\n<ol>\n<li>Open the command prompt at keytool path and run the following command for generating the private key for customKeystore.<\/li>\n<\/ol>\n<p style=\"padding-left: 60px\"><strong>C:\\Program Files\\Java\\jdk1.7.XXXX\\bin&gt;keytool.exe -genkeypair -alias \u201calias for private key\u201d -keypass \u201cpassword for key\u201d -keystore \u201cpath to keystore\u201d<\/strong><\/p>\n<ol start=\"2\">\n<li>Enter<strong> \u201cnalle123\u201d<\/strong>.<\/li>\n<li>Complete the following prompts as applied to your organization.<\/li>\n<\/ol>\n<p style=\"padding-left: 30px\">After confirming all the added information, the private key will be added to the keystore.<\/p>\n<ul>\n<li>Place this newly created customKeystore.jks file at the following location:<\/li>\n<\/ul>\n<p style=\"padding-left: 60px\"><strong>\u201cEPHESOFT_HOME\/application\/WEB-INF\/classes\/security\/\u201d<\/strong><\/p>\n<p style=\"padding-left: 30px\">4. Update the applicationContext-security.xml file as described below.<\/p>\n<p><strong>Note: <\/strong>Ephesoft recommends that you record separately the alias for the private key created and the corresponding password. These are required for an upcoming task.<\/p>\n<h2><a name=\"_Toc524956756\"><\/a><a name=\"_Toc519774762\"><\/a><a name=\"_Toc461198357\"><\/a>applicationContext-security.xml<\/h2>\n<ol>\n<li>In the bean \u201c<strong>epheSamlFilter\u201d<\/strong>, update the value of the constructor argument which you have added in IdP, as per the below logic. The third constructor argument must be true for superadmin access, otherwise this must be false. If this is from IdP, a claim name can be passed to indicate whether the user is superadmin or not. That claim name can be specified here.<\/li>\n<\/ol>\n<ul>\n<li>Index=0: Path of Username Attribute passed in SAML message.<\/li>\n<li>Index=1: Path of Group Attribute passed in SAML message.<\/li>\n<li>Index=2: Path of IsSuperAdmin Attribute passed in SAML message.<\/li>\n<\/ul>\n<p><strong>Note<\/strong>: If you are using <strong>authenticationType=2<\/strong>, the constructor <strong>arg 2<\/strong> should be <strong>false<\/strong>. Otherwise, it grants access to all users as super admin.<\/p>\n<pre>&lt;bean id=\"epheSamlFilter\" class=\"com.ephesoft.dcma.webapp.SamlFilter\"&gt;\r\n&lt;constructor-arg index=\"0\" value=\"http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/name\"\/&gt;\r\n&lt;constructor-arg index=\"1\" value=\"http:\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/claims\/role\"\/&gt;\r\n&lt;constructor-arg index=\"2\" value=\"true\"\/&gt;\r\n&lt;\/bean&gt;<\/pre>\n<ol start=\"2\">\n<li>In the beans \u201c<strong>successRedirectHandler\u201d<\/strong> and \u201c<strong>failureRedirectHandler\u201d<\/strong>, the user can set URLs for successful and failed authentications respectively. By default, it is configured as <strong><em>\/home.html. <\/em><\/strong><\/li>\n<li>In the bean \u201c<strong>keyManager\u201d<\/strong>, the constructor arguments need to be populated according to the following logic:<\/li>\n<\/ol>\n<ul>\n<li><strong><em>First constructor argument<\/em><\/strong>: the path of keystore needs to be added here (Default: classpath:security\/samlKeystore.jks). If you have created new keystore, specify that keystore.<\/li>\n<li><strong><em>Second constructor argument<\/em><\/strong>: the password of keystore needs to be added here (Default: nalle123).<\/li>\n<li><strong><em>Third constructor argument:<\/em><\/strong> the private key and corresponding password created in the previous section need to be added in the map constructor (Default: <strong>&lt;entry key=&#8221;apollo&#8221; value=&#8221;nalle123&#8243; \/&gt;<\/strong>).<\/li>\n<li><strong><em>Fourth constructor argument:<\/em><\/strong> the private key to be used needs to be provided here (Default: <strong>apollo<\/strong>).<\/li>\n<\/ul>\n<p><strong>Note<\/strong>: You can add more than one private key in the map constructor in the third argument. Just mention which key you need to use for the current scenario in the fourth argument.<\/p>\n<p><strong>Note<\/strong>: Java keystore Information and respective keystore passwords can be encrypted. The complete procedure is described in <a href=\"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/security-configuration\/how-to-encrypt-passwords-in-ephesoft-files\/\">How to Encrypt Passwords in Ephesoft Files.<\/a><\/p>\n<p>To use encryption, you also need to uncomment the following commented bean set in the <strong>applicationContext-security.xml<\/strong> file.<\/p>\n<figure id=\"attachment_15975\" aria-describedby=\"caption-attachment-15975\" style=\"width: 1024px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-5-a-certStorePassowrdDecryptor.png\"><img decoding=\"async\" class=\"size-large wp-image-15975\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-5-a-certStorePassowrdDecryptor-1024x576.png\" alt=\"\" width=\"1024\" height=\"576\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-5-a-certStorePassowrdDecryptor-1024x576.png 1024w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-5-a-certStorePassowrdDecryptor-300x169.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-5-a-certStorePassowrdDecryptor-768x432.png 768w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-5-a-certStorePassowrdDecryptor.png 1032w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption id=\"caption-attachment-15975\" class=\"wp-caption-text\"><em><span style=\"color: #808080\"><strong>certStorePasswordDecryptor<\/strong> Bean<\/span><\/em><\/figcaption><\/figure>\n<p>Here, in the beans \u201c<strong>certStorePasswordDecryptor\u201d<\/strong> and \u201c<strong>certPasswordDecryptor\u201d,<\/strong> replace the string <strong>\u201cEncryptedPassword\u201d<\/strong> with your encrypted password value, keeping the quotation marks (example: <strong>\u201cnROcbAKcSGR7CsxrlNVZSA==\u201d<\/strong>).<\/p>\n<p>Then, comment out the similar bean \u201c<strong>keyManager\u201d<\/strong> right below the above-mentioned lines:<\/p>\n<figure id=\"attachment_15976\" aria-describedby=\"caption-attachment-15976\" style=\"width: 1024px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-5-b-comment-out-keyManager.png\"><img decoding=\"async\" class=\"size-large wp-image-15976\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-5-b-comment-out-keyManager-1024x486.png\" alt=\"\" width=\"1024\" height=\"486\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-5-b-comment-out-keyManager-1024x486.png 1024w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-5-b-comment-out-keyManager-300x142.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-5-b-comment-out-keyManager-768x364.png 768w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-5-b-comment-out-keyManager.png 1033w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption id=\"caption-attachment-15976\" class=\"wp-caption-text\"><em><span style=\"color: #808080\">Commenting Out <strong>keyManager<\/strong><\/span><\/em><\/figcaption><\/figure>\n<ol start=\"4\">\n<li>Update the \u201c<strong>metadataGeneratorFilter\u201d<\/strong> bean as shown below. Perform these steps to configure the metaGeneratorFilter.<\/li>\n<\/ol>\n<p style=\"padding-left: 60px\">a. This task requires the <strong>entityId<\/strong>, which the customer must provide to Ephesoft. The customer security administrator typically provides the <strong>entityID<\/strong>.<\/p>\n<p style=\"padding-left: 10px\">An <strong>entityID<\/strong> is a globally unique name for a SAML entity. Specific requirements for the <strong>entityId<\/strong> differ according to the requirements of the specific identity provider.<\/p>\n<p style=\"padding-left: 10px\">Update the <strong>entityId<\/strong> with the value that pertains to the user&#8217;s metadata, which is to be uploaded at the identity provider (IdP).<\/p>\n<p style=\"padding-left: 10px\">Update the <strong>entityBaseURL<\/strong> with hostname and port number values. This will be the public DNS address, and contains <strong>https:\/\/ <\/strong>at the beginning and <strong>\/dcma<\/strong> at the end.<\/p>\n<pre>&lt;bean id=<strong>\"metadataGeneratorFilter\"<\/strong> class=<strong>\"org.springframework.security.saml.metadata.MetadataGeneratorFilter\"<\/strong>&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;constructor-arg&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;bean class=<strong>\"org.springframework.security.saml.metadata.MetadataGenerator\"<\/strong>&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;property name=<strong>\"entityId\"<\/strong> value=<strong>\"urn:super:ephesoft:ggn\"<\/strong> \/&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;property name=<strong>\"requestSigned\"<\/strong> value=<strong>\"true\"<\/strong> \/&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;property name=<strong>\"entityBaseURL\"<\/strong> value=<strong>\"<u>http:\/\/{hostname}:{portNumber}\/dcma<\/u>\"<\/strong> \/&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;property name=<strong>\"extendedMetadata\"<\/strong>&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;bean class=<strong>\"org.springframework.security.saml.metadata.ExtendedMetadata\"<\/strong>&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;property name=<strong>\"signMetadata\"<\/strong> value=<strong>\"true\"<\/strong> \/&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;property name=<strong>\"idpDiscoveryEnabled\"<\/strong> value=<strong>\"false\"<\/strong> \/&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;\/bean&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;\/property&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;\/bean&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;\/constructor-arg&gt;\r\n&lt;\/bean&gt;<\/pre>\n<p>Configure the \u201c<strong>metadata\u201d<\/strong> Metadata configuration can be done in one of the following ways:<\/p>\n<p style=\"text-align: left;padding-left: 60px\">a. Save IdP metadata in a file and place it in the following folder:<\/p>\n<p style=\"padding-left: 90px\"><strong>\u201cEPHESOFT_HOME\/application\/WEB-INF\/classes\/security\u201d<\/strong><\/p>\n<p style=\"padding-left: 60px\">b. Update the bean as shown below and specify the classpath as \u201c<em>\/security\/&lt;filename.xml&gt;<\/em>\u201d.<\/p>\n<p style=\"padding-left: 60px\">c. To disable signature verification, set the <strong>metadataTrustCheck<\/strong> property to <strong>false<\/strong>.<\/p>\n<pre style=\"padding-left: 10px\">&lt;bean id=<strong>\"metadata\"<\/strong> class=<strong>\"org.springframework.security.saml.metadata.CachingMetadataManager\"<\/strong>&gt;\r\n<strong>\u00a0<\/strong>&lt;constructor-arg&gt;\r\n<strong>\u00a0 <\/strong>&lt;bean class=<strong>\"org.springframework.security.saml.metadata.ExtendedMetadataDelegate\"<\/strong>&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;constructor-arg&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0<\/strong>&lt;bean class=<strong>\"org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider\"<\/strong>&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;constructor-arg&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0<\/strong>&lt;bean class=<strong>\"java.util.Timer\"<\/strong>\/&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;\/constructor-arg&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;constructor-arg&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0<\/strong>&lt;bean class=<strong>\"org.opensaml.util.resource.ClasspathResource\"<\/strong>&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;constructor-arg value=<strong>\"\/security\/FederationMetadata.xml\"<\/strong>\/&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0<\/strong>&lt;\/bean&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;\/constructor-arg&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;property name=<strong>\"parserPool\"<\/strong> ref=<strong>\"parserPool\"<\/strong>\/&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0<\/strong>&lt;\/bean&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;\/constructor-arg&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;constructor-arg&gt;\r\n&lt;bean class=<strong>\"org.springframework.security.saml.metadata.ExtendedMetadata\"<\/strong>&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;property name=<strong>\"requireLogoutResponseSigned\"<\/strong> value=<strong>\"true\"<\/strong>\/&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;\/bean&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;\/constructor-arg&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;property name=<strong>\"metadataTrustCheck\"<\/strong> value=<strong>\"false\"<\/strong>\/&gt;\r\n<strong>\u00a0 <\/strong>&lt;\/bean&gt;\r\n<strong>\u00a0<\/strong>&lt;\/constructor-arg&gt;\r\n&lt;\/bean&gt;<\/pre>\n<p style=\"padding-left: 30px\">d. Using the IdP metadata URL, modify the \u201c<strong>metadata\u201d<\/strong> bean and use <strong>ExtendedMetadataDelegate<\/strong> and <strong>HttpMetadataProvider<\/strong> as shown below. Also, define the <strong>metadataTrustCheck<\/strong> as <strong>false<\/strong> to skip signature validation. Update the metadata URL to the IdP metadata URL that is provided in the following code:<\/p>\n<p style=\"padding-left: 60px\"><strong>https:\/\/<\/strong>&lt;<em>ADFSServer<\/em>&gt;<strong>\/FederationMetadata\/2007-06\/FederationMetadata.xml<\/strong><\/p>\n<pre style=\"padding-left: 10px\">&lt;bean id=<strong>\"metadata\"<\/strong> class=<strong>\"org.springframework.security.saml.metadata.CachingMetadataManager\"<\/strong>&gt;\r\n<strong>\u00a0<\/strong>&lt;constructor-arg&gt;\r\n<strong>\u00a0 <\/strong>&lt;list&gt;\r\n<strong>\u00a0\u00a0 <\/strong>&lt;bean class=<strong>\"org.springframework.security.saml.metadata.ExtendedMetadataDelegate\"<\/strong>&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;constructor-arg&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0<\/strong>&lt;bean class=<strong>\"org.opensaml.saml2.metadata.provider.HTTPMetadataProvider\"<\/strong>&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 <\/strong>&lt;constructor-arg&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;value type=<strong>\"java.lang.String\"<\/strong>&gt;<strong>https:\/\/ADFSServer\/FederationMetadata\/2007-06\/FederationMetadata.xml<\/strong>&lt;\/value&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 <\/strong>&lt;\/constructor-arg&gt;\r\n<strong> \u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 <\/strong>&lt;constructor-arg&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;!-- Timeout for metadata loading in ms --&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;value type=<strong>\"int\"<\/strong>&gt;<strong>5000<\/strong>&lt;\/value&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 <\/strong>&lt;\/constructor-arg&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 <\/strong>&lt;property name=<strong>\"parserPool\"<\/strong> ref=<strong>\"parserPool\"<\/strong>\/&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0<\/strong>&lt;\/bean&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;\/constructor-arg&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;constructor-arg&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;bean class=<strong>\"org.springframework.security.saml.metadata.ExtendedMetadata\"<\/strong>&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;property name=<strong>\"requireLogoutResponseSigned\"<\/strong> value=<strong>\"true\"<\/strong>\/&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;\/bean&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/strong>&lt;\/constructor-arg&gt;\r\n<strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0 <\/strong>&lt;property name=<strong>\"metadataTrustCheck\"<\/strong> value=<strong>\"false\"<\/strong>\/&gt;\r\n<strong>\u00a0\u00a0 <\/strong>&lt;\/bean&gt;\r\n<strong>\u00a0 <\/strong>&lt;\/list&gt;\r\n<strong>\u00a0<\/strong>&lt;\/constructor-arg&gt;\r\n&lt;\/bean&gt;<\/pre>\n<ol start=\"6\">\n<li><strong>SHA-256 Support<\/strong>: By default, the application is configured to provide SAML configuration with SHA-1. To configure SHA-256, comment the bean for SHA-1 and uncomment SHA-256 bean.<\/li>\n<\/ol>\n<figure id=\"attachment_15977\" aria-describedby=\"caption-attachment-15977\" style=\"width: 1024px\" class=\"wp-caption alignnone\"><a style=\"background-color: #ffffff;font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif\" href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-5-c-sha-settings.png\"><img decoding=\"async\" class=\"wp-image-15977 size-large\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-5-c-sha-settings-1024x174.png\" alt=\"\" width=\"1024\" height=\"174\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-5-c-sha-settings-1024x174.png 1024w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-5-c-sha-settings-300x51.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-5-c-sha-settings-768x131.png 768w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-5-c-sha-settings.png 1123w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption id=\"caption-attachment-15977\" class=\"wp-caption-text\"><em><span style=\"color: #808080\">SHA Settings<\/span><\/em><\/figcaption><\/figure>\n<h2>Testing at the SSOCircle<\/h2>\n<p>Perform the following steps to test Ephesoft at the SSOCircle (IdP).<\/p>\n<ol>\n<li>Create an account at the SSOCircle and log in.<\/li>\n<li>Add the service provider\u2019s metadata in the SSOCircle.<\/li>\n<\/ol>\n<p style=\"padding-left: 30px\">You can download Ephesoft metadata using the following path:<\/p>\n<p style=\"padding-left: 60px\"><strong>http:\/\/<\/strong>{<span style=\"color: #808080\"><em>ephesoft_ip<\/em><\/span>}:{<em><span style=\"color: #808080\">port<\/span><\/em>}<strong>\/dcma\/saml\/metadata\u00a0<\/strong><\/p>\n<ul>\n<li>The <strong>entityID<\/strong> should be the FQDN that is registered at the SSOCircle.<\/li>\n<li>The SSOCircle metadata is available from the following sample XML file: <a href=\"http:\/\/idp.ssocircle.com\/idp-meta.xml\">idp-meta.xml.<\/a><\/li>\n<\/ul>\n<h2><a name=\"_Toc524956758\"><\/a>Configuring Ephesoft Transact and ADFS<\/h2>\n<h3><a name=\"_Toc524956759\"><\/a>Configuring Ephesoft Transact for the ADFS Server<\/h3>\n<p>Before completing these steps, ensure that the following prerequisites are in place:<\/p>\n<ul>\n<li>Ensure that Ephesoft Transact has already been configured on HTTPS.<\/li>\n<li>Ensure that the Ephesoft Transact server is running prior to downloading metadata.<\/li>\n<li>In the case that a broken page is displayed while downloading Ephesoft metadata, this means that the Ephesoft server did not start correctly. Resolve any errors that caused a failure by using the following log file:<\/li>\n<li>&lt;<em>Ephesoft_HOME<\/em>&gt;<strong>\/Application\/logs\/dcma-all.log<\/strong><\/li>\n<\/ul>\n<p>Follow these steps to configure ADFS settings on Ephesoft Transact:<\/p>\n<h4><a name=\"_Toc524956760\"><\/a>Obtain the ADFS Metadata<\/h4>\n<ol>\n<li>Download the ADFS metadata from the default URL:<\/li>\n<\/ol>\n<p><strong>https:\/\/<\/strong>&lt;<em>ADFSServer<\/em>&gt;<strong>\/FederationMetadata\/2007-06\/FederationMetadata.xml\u00a0<\/strong><\/p>\n<p>No Ephesoft-related configuration is required for downloading the ADFS metadata.<\/p>\n<ol start=\"2\">\n<li>Copy the downloaded metadata at the following path:<\/li>\n<\/ol>\n<p><em>[Ephesoft_Directory]<\/em>\/Application\/WEB-INF\/classes\/security<\/p>\n<h4><a name=\"_Toc524956761\"><\/a>Import the ADFS Certificates to Ephesoft Transact<\/h4>\n<p>To export the certificate from ADFS, view the section <a href=\"#Exporting_the_Certificate_from_the_ADFS_Server\">Exporting the Certificate from the ADFS Server<\/a>.<\/p>\n<p>To import ADFS certificates, use the following command:<\/p>\n<pre>keytool.exe -importcert -alias adfssigning -keystore samlKeystore.jks -file adfsCertificate.cer<\/pre>\n<h3><a name=\"_Toc524956762\"><\/a>Configuring the ADFS Server for Ephesoft Transact<\/h3>\n<p>Follow these steps to set up the ADFS Server for operation with Ephesoft Transact.<\/p>\n<ol>\n<li>Download the Ephesoft Transact metadata from the following path:<\/li>\n<\/ol>\n<p style=\"padding-left: 60px\"><strong>https:\/\/<\/strong>&lt;<em><span style=\"color: #808080\">ephesoft_ip:port<\/span><\/em>&gt;<strong>\/dcma\/saml\/metadata<\/strong><\/p>\n<ol start=\"2\">\n<li>Add the <strong>Relying Party Trust <\/strong>with the following steps:<\/li>\n<\/ol>\n<p style=\"padding-left: 60px\">a. In ADFS, navigate to the following folder:<\/p>\n<p style=\"padding-left: 90px\"><strong>AD FS\\Trust Relationships<\/strong><\/p>\n<p style=\"padding-left: 60px\">b. Right-click the <strong>Relying Party Trusts <\/strong>folder under <strong>ADFS\\Trust Relationships<\/strong>. The following snapshot illustrates this navigation.<\/p>\n<figure id=\"attachment_15978\" aria-describedby=\"caption-attachment-15978\" style=\"width: 392px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-2-a-relying-party-trusts.png\"><img decoding=\"async\" class=\"wp-image-15978 \" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-2-a-relying-party-trusts.png\" alt=\"\" width=\"392\" height=\"294\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-2-a-relying-party-trusts.png 654w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-2-a-relying-party-trusts-300x225.png 300w\" sizes=\"(max-width: 392px) 100vw, 392px\" \/><\/a><figcaption id=\"caption-attachment-15978\" class=\"wp-caption-text\"><span style=\"color: #808080\"><em><strong>Relying Party Trusts<\/strong> Folder<\/em><\/span><\/figcaption><\/figure>\n<p style=\"padding-left: 60px\">c. From the popup menu, click <strong>Add Relying Party Trust\u2026<\/strong><\/p>\n<p style=\"padding-left: 90px\">The <strong>Add Relying Party Trust Wizard<\/strong> appears.<\/p>\n<figure id=\"attachment_15979\" aria-describedby=\"caption-attachment-15979\" style=\"width: 644px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-2-b-add-relying-party-trust-wizard.png\"><img decoding=\"async\" class=\" wp-image-15979\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-2-b-add-relying-party-trust-wizard-1024x829.png\" alt=\"\" width=\"644\" height=\"521\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-2-b-add-relying-party-trust-wizard-1024x829.png 1024w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-2-b-add-relying-party-trust-wizard-300x243.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-2-b-add-relying-party-trust-wizard-768x622.png 768w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-2-b-add-relying-party-trust-wizard.png 1100w\" sizes=\"(max-width: 644px) 100vw, 644px\" \/><\/a><figcaption id=\"caption-attachment-15979\" class=\"wp-caption-text\"><strong><span style=\"color: #808080\"><em>Add Relying Party Trust Wizard<\/em><\/span><\/strong><\/figcaption><\/figure>\n<ol start=\"4\">\n<li>Choose (select) the <strong>Import data about Relying Party from a file<\/strong> option and select the metadata XML file saved in step 1.<\/li>\n<li>Provide a display name and click <strong>Next<\/strong> by choosing the default setting.<\/li>\n<\/ol>\n<figure id=\"attachment_15981\" aria-describedby=\"caption-attachment-15981\" style=\"width: 667px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-2-d-enter-display-name.png\"><img decoding=\"async\" class=\" wp-image-15981\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-2-d-enter-display-name-1024x824.png\" alt=\"\" width=\"667\" height=\"537\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-2-d-enter-display-name-1024x824.png 1024w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-2-d-enter-display-name-300x242.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-2-d-enter-display-name-768x618.png 768w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-2-d-enter-display-name.png 1093w\" sizes=\"(max-width: 667px) 100vw, 667px\" \/><\/a><figcaption id=\"caption-attachment-15981\" class=\"wp-caption-text\"><em><span style=\"color: #808080\">Entering a Display name<\/span><\/em><\/figcaption><\/figure>\n<ol start=\"5\">\n<li>Click <strong>Finish<\/strong> to complete this part of the setup. The <strong>Edit Claim Rules <\/strong>dialog should open automatically. Alternatively, you can right click the added relying party name and select <strong>Edit Claim Rules\u2026.<\/strong><\/li>\n<li>Add the following claims.<\/li>\n<\/ol>\n<p style=\"padding-left: 60px\">a. <strong>NameId<\/strong>: Sends the <strong>Name ID<\/strong>.<\/p>\n<p style=\"padding-left: 90px\">i. Rule Name:<strong> NameId<\/strong><\/p>\n<p style=\"padding-left: 90px\">ii. Choose <strong>\u201cSAM-Account-Name\u201d<\/strong> as the <strong>LDAP Attribute<\/strong> and <strong>\u201cName ID\u201d<\/strong> as the Outgoing claim type.<\/p>\n<p style=\"padding-left: 60px\">b. <strong>FirstName<\/strong>: Sends name details.<\/p>\n<p style=\"padding-left: 90px\"><strong>i. Rule Name: FirstName<\/strong><\/p>\n<p style=\"padding-left: 90px\">ii. Choose <strong>\u201cSAM-Account-Name\u201d<\/strong> as the <strong>LDAP Attribute<\/strong> and <strong>\u201cName\u201d<\/strong> as Outgoing claim type.<\/p>\n<p style=\"padding-left: 60px\">c. <strong>Group<\/strong>: Sends group details.<\/p>\n<p style=\"padding-left: 90px\">Define this rule as per your configuration. For example, the user can be a member of multiple groups. The service provider expects a single group \u2014 namely \u2018<strong>Enterprise\u2019<\/strong>.<\/p>\n<p style=\"padding-left: 90px\">Sending all groups will be irrelevant to the service provider.<\/p>\n<p style=\"padding-left: 90px\">A filter can be defined for this scenario by the two following rules:<\/p>\n<p style=\"padding-left: 120px\">i. This rule retrieves all groups and adds them as an incoming claim for the next rule.<br \/>\nThe output of this claim will be used by the next rule for processing.<br \/>\nAdd Rule Name as \u2018Get all groups user belongs\u2019.<br \/>\nDefine the Custom Rule as follows:<\/p>\n<pre style=\"padding-left: 90px\">c:[Type == \"http:\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/claims\/windowsaccountname\", Issuer == \"AD AUTHORITY\"]\r\n\r\n=&gt; add(store = \"Active Directory\", types = (\"http:\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/claims\/role\"), query = \";tokenGroups;{0}\", param = c.Value);<\/pre>\n<p style=\"padding-left: 120px\">ii. Filtering Groups \u2014 Define a filter to restrict groups sent in claims.<\/p>\n<p style=\"padding-left: 150px\">\u2014 Select the <strong>Pass Through or Filter an Incoming Claim<\/strong><\/p>\n<p style=\"padding-left: 150px\">\u2014 Add the <strong>Rule Name<\/strong> as <strong>Filter Groups<\/strong>.<\/p>\n<p style=\"padding-left: 150px\">\u2014 In the field, <strong>Pass through all claims that start with specific value<\/strong>, specify <strong>Enterprise<\/strong>.<\/p>\n<p style=\"padding-left: 150px\">The group claim rules need to be configured only if authenticationType=2 is set in the web.xml file.<\/p>\n<p style=\"padding-left: 150px\">In the <strong>web.xml<\/strong> file, if the authenticationType is 1 (that is \u2014 SSO Authentication Only), then Authorization will be handled by Ephesoft Transact.<br \/>\nADFS just needs to send the username as a claim to Transact.<\/p>\n<p style=\"padding-left: 10px\"><strong>Note<\/strong>: The constructor argument value, which is cited in the topic <a href=\"#_applicationContext-security.xml\">applicationContext-security.xml<\/a>, can be found in ADFS. While editing claim rules, you can find the claim name by selecting the <strong>View Rule Language<\/strong> button. You can copy the claim name from the shown rule and paste directly from ADFS into the Ephesoft Transact <strong>epheSamlFilter <\/strong>to avoid mistakes.<\/p>\n<ol start=\"7\">\n<li>Open the <strong>Relying Party Trust<\/strong> by double-clicking it. In the <strong>Advanced<\/strong> tab, change <strong>Secure Hash Algorithm<\/strong> to <strong>SHA-1\/SHA-256<\/strong>, to be as configured in Ephesoft Transact.<\/li>\n<\/ol>\n<h3><a name=\"_Toc524956763\"><\/a>Exporting the Certificate from the ADFS Server<\/h3>\n<ol>\n<li>In ADFS, select the <strong>Certificate<\/strong> option under <strong>ADFS\/Service<\/strong>.<\/li>\n<li>Double click the certificate to export. Navigate to the <strong>Details<\/strong> tab, click <strong>Copy to File<\/strong> and save this as a <em>DER-encoded<\/em> certificate in your file system.<\/li>\n<\/ol>\n<p><strong>Note<\/strong>: The exported certificates can be saved to any accessible path on your file system. This exported certificate from ADFS needs to be imported in samlKeystore.<\/p>\n<figure id=\"attachment_15982\" aria-describedby=\"caption-attachment-15982\" style=\"width: 496px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-3-a-certificate-details-tab.png\"><img decoding=\"async\" class=\" wp-image-15982\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-3-a-certificate-details-tab.png\" alt=\"\" width=\"496\" height=\"589\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-3-a-certificate-details-tab.png 561w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-3-a-certificate-details-tab-253x300.png 253w\" sizes=\"(max-width: 496px) 100vw, 496px\" \/><\/a><figcaption id=\"caption-attachment-15982\" class=\"wp-caption-text\"><em><strong>Certificate &gt; Details<\/strong> Tab<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_15983\" aria-describedby=\"caption-attachment-15983\" style=\"width: 733px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-3-b-certificate-export-wizard.png\"><img decoding=\"async\" class=\" wp-image-15983\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-3-b-certificate-export-wizard-1024x807.png\" alt=\"\" width=\"733\" height=\"578\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-3-b-certificate-export-wizard-1024x807.png 1024w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-3-b-certificate-export-wizard-300x236.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-3-b-certificate-export-wizard-768x605.png 768w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-3-b-certificate-export-wizard.png 1104w\" sizes=\"(max-width: 733px) 100vw, 733px\" \/><\/a><figcaption id=\"caption-attachment-15983\" class=\"wp-caption-text\"><strong><em>Certificate Export Wizard<\/em><\/strong><\/figcaption><\/figure>\n<h3><a name=\"_Toc524956764\"><\/a>Successful Configuration<\/h3>\n<p>When accessing the Ephesoft Transact page, the user will be redirected to the ADFS login screen.<\/p>\n<figure id=\"attachment_15984\" aria-describedby=\"caption-attachment-15984\" style=\"width: 835px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-4-adfs-login.png\"><img decoding=\"async\" class=\"wp-image-15984 \" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-4-adfs-login-1024x557.png\" alt=\"\" width=\"835\" height=\"454\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-4-adfs-login-1024x557.png 1024w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-4-adfs-login-300x163.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-4-adfs-login-768x418.png 768w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-7-4-adfs-login.png 1193w\" sizes=\"(max-width: 835px) 100vw, 835px\" \/><\/a><figcaption id=\"caption-attachment-15984\" class=\"wp-caption-text\"><span style=\"color: #808080\"><em>ADFS Login Screen<\/em><\/span><\/figcaption><\/figure>\n<p>On successful authentication, the user will be redirected to the Ephesoft Transact page.<\/p>\n<h2><a name=\"_Toc520721920\"><\/a><a name=\"_Toc524956765\"><\/a>Configuring Okta with Ephesoft Transact<\/h2>\n<h3><a name=\"_Toc524956767\"><\/a>Creating the Okta Developer Account<\/h3>\n<p>Perform the following steps to configure Okta for inter-operation with Ephesoft Transact.<\/p>\n<ol>\n<li>Create a developer account at Okta if you have not already done so. You can sign up at <a href=\"https:\/\/www.okta.com\/developer\/signup\">Okta<\/a>.<\/li>\n<\/ol>\n<ol start=\"2\">\n<li>Launch Okta.<\/li>\n<li>Click the <strong>Admin<\/strong> tab and click <strong>Add Applications<\/strong>.<\/li>\n<\/ol>\n<figure id=\"attachment_15985\" aria-describedby=\"caption-attachment-15985\" style=\"width: 807px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-a-okta-admin-applications-screen.png\"><img decoding=\"async\" class=\"size-full wp-image-15985\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-a-okta-admin-applications-screen.png\" alt=\"\" width=\"807\" height=\"194\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-a-okta-admin-applications-screen.png 807w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-a-okta-admin-applications-screen-300x72.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-a-okta-admin-applications-screen-768x185.png 768w\" sizes=\"(max-width: 807px) 100vw, 807px\" \/><\/a><figcaption id=\"caption-attachment-15985\" class=\"wp-caption-text\"><em><strong>Admin Applications<\/strong> screen<\/em><\/figcaption><\/figure>\n<ol start=\"4\">\n<li>Click the <strong>Create New App <\/strong>button.<\/li>\n<\/ol>\n<figure id=\"attachment_15986\" aria-describedby=\"caption-attachment-15986\" style=\"width: 764px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-b-okta-add-applications.png\"><img decoding=\"async\" class=\"size-full wp-image-15986\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-b-okta-add-applications.png\" alt=\"\" width=\"764\" height=\"334\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-b-okta-add-applications.png 764w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-b-okta-add-applications-300x131.png 300w\" sizes=\"(max-width: 764px) 100vw, 764px\" \/><\/a><figcaption id=\"caption-attachment-15986\" class=\"wp-caption-text\"><strong><i>Create New App<\/i><\/strong><\/figcaption><\/figure>\n<ol start=\"5\">\n<li>Select <strong>SAML 2.0<\/strong> and then click <strong>Create<\/strong>.<\/li>\n<\/ol>\n<figure id=\"attachment_15987\" aria-describedby=\"caption-attachment-15987\" style=\"width: 973px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-c-okta-SAML-20.png\"><img decoding=\"async\" class=\"size-full wp-image-15987\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-c-okta-SAML-20.png\" alt=\"\" width=\"973\" height=\"362\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-c-okta-SAML-20.png 973w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-c-okta-SAML-20-300x112.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-c-okta-SAML-20-768x286.png 768w\" sizes=\"(max-width: 973px) 100vw, 973px\" \/><\/a><figcaption id=\"caption-attachment-15987\" class=\"wp-caption-text\"><em>Select <strong>SAML 2.0<\/strong> for the new app<\/em><\/figcaption><\/figure>\n<ol start=\"6\">\n<li>Configure the settings for the new <strong>SAML 2.0<\/strong><\/li>\n<\/ol>\n<p style=\"padding-left: 60px\">a. Enter <strong>General Settings <\/strong>and click <strong>Next<\/strong>.<\/p>\n<figure id=\"attachment_15988\" aria-describedby=\"caption-attachment-15988\" style=\"width: 864px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-d-okta-general-settings.png\"><img decoding=\"async\" class=\"size-full wp-image-15988\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-d-okta-general-settings.png\" alt=\"\" width=\"864\" height=\"379\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-d-okta-general-settings.png 864w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-d-okta-general-settings-300x132.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-d-okta-general-settings-768x337.png 768w\" sizes=\"(max-width: 864px) 100vw, 864px\" \/><\/a><figcaption id=\"caption-attachment-15988\" class=\"wp-caption-text\"><em><strong>General Settings<\/strong> screen<\/em><\/figcaption><\/figure>\n<ol start=\"7\">\n<li>Enter <strong>SAML Settings<\/strong> and define the following fields.<\/li>\n<\/ol>\n<figure id=\"attachment_15989\" aria-describedby=\"caption-attachment-15989\" style=\"width: 1024px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-e-okta-SAML-settings.png\"><img decoding=\"async\" class=\"size-large wp-image-15989\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-e-okta-SAML-settings-1024x588.png\" alt=\"\" width=\"1024\" height=\"588\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-e-okta-SAML-settings-1024x588.png 1024w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-e-okta-SAML-settings-300x172.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-e-okta-SAML-settings-768x441.png 768w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-e-okta-SAML-settings.png 1029w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption id=\"caption-attachment-15989\" class=\"wp-caption-text\"><em><strong>SAML Settings<\/strong> screen<\/em><\/figcaption><\/figure>\n<p style=\"padding-left: 90px\">a. <strong>Single sign on URL <\/strong>should be of the following form:<\/p>\n<p style=\"padding-left: 120px\"><strong>http:\/\/<\/strong>{<em>hostname<\/em>}:{<em>portNo<\/em>}<strong>\/dcma\/saml\/SSO<\/strong><\/p>\n<p style=\"padding-left: 90px\">b. <strong>Audience URI (SP Entity ID) <\/strong>should be any unique Entity ID. Please note down its value as it will be needed while configuring Ephesoft Transact.<\/p>\n<p style=\"padding-left: 90px\">c. In <strong>Attribute Statements, <\/strong>the<strong> username<\/strong> must be added. It is necessary for authorization in Ephesoft Transact. Note down the attribute name you have given in <strong>Name tag<\/strong> as it is necessary in a later task, while configuring Ephesoft Transact.<\/p>\n<p style=\"padding-left: 30px\">8. Click <strong>Show Advanced Settings<\/strong> and check (enable) <strong>Enable Single Logout<\/strong>. Define additional settings as follows:<\/p>\n<figure id=\"attachment_15990\" aria-describedby=\"caption-attachment-15990\" style=\"width: 809px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-f-okta-advanced-settings.png\"><img decoding=\"async\" class=\"size-full wp-image-15990\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-f-okta-advanced-settings.png\" alt=\"\" width=\"809\" height=\"741\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-f-okta-advanced-settings.png 809w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-f-okta-advanced-settings-300x275.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-f-okta-advanced-settings-768x703.png 768w\" sizes=\"(max-width: 809px) 100vw, 809px\" \/><\/a><figcaption id=\"caption-attachment-15990\" class=\"wp-caption-text\"><em><strong>Advanced Settings<\/strong> in SAML 2.0 setup<\/em><\/figcaption><\/figure>\n<p style=\"padding-left: 90px\">a. <strong>Single Logout URL <\/strong>\u2014 must be in the following form:<\/p>\n<p style=\"padding-left: 120px\">http:\/\/&lt;hostname&gt;:&lt;port&gt;\/dcma\/saml\/SingleLogout<\/p>\n<p style=\"padding-left: 90px\">b. <strong>SP Issuer <\/strong>\u2014 the issuer for the service provider and must be in the following form:<\/p>\n<p style=\"padding-left: 120px\">http:\/\/&lt;hostname&gt;:&lt;port&gt;\/dcma\/saml\/metadata<\/p>\n<p style=\"padding-left: 90px\">c. <strong>Signature Certificate <\/strong>\u2014 use the following steps to upload the public key certification exported from the samlKeystore.jks file:<\/p>\n<p style=\"padding-left: 120px\">i. Click <strong>Next<\/strong>.<\/p>\n<p style=\"padding-left: 120px\">ii. In <strong>Step 3 Feedback<\/strong>, check (enable) the setting for: <strong>I&#8217;m an Okta customer adding an internal app.<\/strong><\/p>\n<p style=\"padding-left: 120px\">iii. Click <strong>Finish<\/strong>.<\/p>\n<figure id=\"attachment_15991\" aria-describedby=\"caption-attachment-15991\" style=\"width: 895px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-g-okta-select-reason.png\"><img decoding=\"async\" class=\"size-full wp-image-15991\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-g-okta-select-reason.png\" alt=\"\" width=\"895\" height=\"580\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-g-okta-select-reason.png 895w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-g-okta-select-reason-300x194.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-g-okta-select-reason-768x498.png 768w\" sizes=\"(max-width: 895px) 100vw, 895px\" \/><\/a><figcaption id=\"caption-attachment-15991\" class=\"wp-caption-text\"><em>Select a reason for this SAML 2.0 app<\/em><\/figcaption><\/figure>\n<ol start=\"9\">\n<li>Once the configuration is completed successfully, the following screen appears with <strong>Sign On <\/strong>settings:<\/li>\n<\/ol>\n<figure id=\"attachment_15992\" aria-describedby=\"caption-attachment-15992\" style=\"width: 828px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-h-okta-sign-on.png\"><img decoding=\"async\" class=\"size-full wp-image-15992\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-h-okta-sign-on.png\" alt=\"\" width=\"828\" height=\"465\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-h-okta-sign-on.png 828w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-h-okta-sign-on-300x168.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-h-okta-sign-on-768x431.png 768w\" sizes=\"(max-width: 828px) 100vw, 828px\" \/><\/a><figcaption id=\"caption-attachment-15992\" class=\"wp-caption-text\"><em>Sign On settings for the SAML 2.0 App<\/em><\/figcaption><\/figure>\n<ol start=\"10\">\n<li>Copy the URL. This is required later when configuring Ephesoft Transact.<\/li>\n<\/ol>\n<p style=\"padding-left: 60px\">Because Okta metadata is hosted at https, the public key needs to be imported in JRE cacerts. Perform the following steps to import the public key into cacerts:<\/p>\n<p style=\"padding-left: 90px\">a. Navigate to the https URL of the Okta app.<\/p>\n<p style=\"padding-left: 90px\">b. Press <strong>Ctrl+Shift+I<\/strong> (the letter <strong>I<\/strong> as in India) and navigate to the <strong>Security<\/strong><\/p>\n<figure id=\"attachment_15993\" aria-describedby=\"caption-attachment-15993\" style=\"width: 890px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-i-okta-security-tab.png\"><img decoding=\"async\" class=\"size-full wp-image-15993\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-i-okta-security-tab.png\" alt=\"\" width=\"890\" height=\"507\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-i-okta-security-tab.png 890w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-i-okta-security-tab-300x171.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-i-okta-security-tab-768x438.png 768w\" sizes=\"(max-width: 890px) 100vw, 890px\" \/><\/a><figcaption id=\"caption-attachment-15993\" class=\"wp-caption-text\"><em><strong>Security<\/strong> tab<\/em><\/figcaption><\/figure>\n<p style=\"padding-left: 90px\">c. Click <strong>View Certificate<\/strong>. Browse to the <strong>Details<\/strong> Click <strong>Copy to File<\/strong>.<\/p>\n<p>Save this as a DER-encoded certificate in your file system.<\/p>\n<figure id=\"attachment_15994\" aria-describedby=\"caption-attachment-15994\" style=\"width: 484px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-j-okta-certificate-details.png\"><img decoding=\"async\" class=\"size-full wp-image-15994\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-j-okta-certificate-details.png\" alt=\"\" width=\"484\" height=\"517\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-j-okta-certificate-details.png 484w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-j-okta-certificate-details-281x300.png 281w\" sizes=\"(max-width: 484px) 100vw, 484px\" \/><\/a><figcaption id=\"caption-attachment-15994\" class=\"wp-caption-text\"><em><strong>Certificate &gt; Details<\/strong> screen<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_15995\" aria-describedby=\"caption-attachment-15995\" style=\"width: 667px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-k-okta-certificate-export-wizard.png\"><img decoding=\"async\" class=\"size-full wp-image-15995\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-k-okta-certificate-export-wizard.png\" alt=\"\" width=\"667\" height=\"522\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-k-okta-certificate-export-wizard.png 667w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-k-okta-certificate-export-wizard-300x235.png 300w\" sizes=\"(max-width: 667px) 100vw, 667px\" \/><\/a><figcaption id=\"caption-attachment-15995\" class=\"wp-caption-text\"><strong><em>Certificate Export Wizard<\/em><\/strong><\/figcaption><\/figure>\n<figure id=\"attachment_15996\" aria-describedby=\"caption-attachment-15996\" style=\"width: 671px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-l-okta-file-to-export.png\"><img decoding=\"async\" class=\"size-full wp-image-15996\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-l-okta-file-to-export.png\" alt=\"\" width=\"671\" height=\"530\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-l-okta-file-to-export.png 671w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-2-l-okta-file-to-export-300x237.png 300w\" sizes=\"(max-width: 671px) 100vw, 671px\" \/><\/a><figcaption id=\"caption-attachment-15996\" class=\"wp-caption-text\"><em>Selecting the file save location<\/em><\/figcaption><\/figure>\n<p style=\"padding-left: 90px\">d. Import this certificate in cacerts.<\/p>\n<p style=\"padding-left: 120px\">i. Navigate to <strong>{InstallDir}\\Dependencies\\jdk\\bin<\/strong> and open the command prompt here.<\/p>\n<p style=\"padding-left: 120px\">ii. Run the following command to import the Okta certificate in cacerts.<\/p>\n<pre style=\"padding-left: 150px\">{<em>InstallDir<\/em>}\\<strong>Dependencies\\jdk\\bin&gt;keytool.exe -import -file \"path to downloaded okta certificate\"<\/strong> -keystore {<em>InstallDir<\/em>}\r\n\\\\Dependencies\\jdk\r\n\\jre\\lib\\security\\cacerts<\/pre>\n<h3><a name=\"_Toc524956768\"><\/a>Assigning People in the Okta Account to Ephesoft Transact<\/h3>\n<p>Perform the following steps to assign people to Ephesoft Transact, which will give them permission to use the application.<\/p>\n<ol>\n<li>Click the <strong>People<\/strong> tab and click <strong>Assign to People<\/strong>.<\/li>\n<\/ol>\n<figure id=\"attachment_15997\" aria-describedby=\"caption-attachment-15997\" style=\"width: 928px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-3-a-okta-admin-people.png\"><img decoding=\"async\" class=\"size-full wp-image-15997\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-3-a-okta-admin-people.png\" alt=\"\" width=\"928\" height=\"322\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-3-a-okta-admin-people.png 928w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-3-a-okta-admin-people-300x104.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-3-a-okta-admin-people-768x266.png 768w\" sizes=\"(max-width: 928px) 100vw, 928px\" \/><\/a><figcaption id=\"caption-attachment-15997\" class=\"wp-caption-text\"><em><span style=\"color: #808080\"><strong>Admin People<\/strong> tab in SAML 2.0 setup<\/span><\/em><\/figcaption><\/figure>\n<p style=\"padding-left: 60px\">The screen displays the people who are currently in your directory.<\/p>\n<figure id=\"attachment_15998\" aria-describedby=\"caption-attachment-15998\" style=\"width: 897px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-3-b-okta-view-current-people.png\"><img decoding=\"async\" class=\"size-full wp-image-15998\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-3-b-okta-view-current-people.png\" alt=\"\" width=\"897\" height=\"520\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-3-b-okta-view-current-people.png 897w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-3-b-okta-view-current-people-300x174.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-3-b-okta-view-current-people-768x445.png 768w\" sizes=\"(max-width: 897px) 100vw, 897px\" \/><\/a><figcaption id=\"caption-attachment-15998\" class=\"wp-caption-text\"><span style=\"color: #808080\"><em>Viewing current people for the SAML 2.0 app<\/em><\/span><\/figcaption><\/figure>\n<ol start=\"2\">\n<li>Click <strong>Assign<\/strong> for the user you want to assign. Enter the <strong>username<\/strong> to set the login requirement. This user is now assigned to Ephesoft Transact.<\/li>\n<\/ol>\n<figure id=\"attachment_15999\" aria-describedby=\"caption-attachment-15999\" style=\"width: 688px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-3-c-okta-viewing-usernames.png\"><img decoding=\"async\" class=\"size-full wp-image-15999\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-3-c-okta-viewing-usernames.png\" alt=\"\" width=\"688\" height=\"426\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-3-c-okta-viewing-usernames.png 688w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-3-c-okta-viewing-usernames-300x186.png 300w\" sizes=\"(max-width: 688px) 100vw, 688px\" \/><\/a><figcaption id=\"caption-attachment-15999\" class=\"wp-caption-text\"><span style=\"color: #808080\"><em>Viewing usernames for the app<\/em><\/span><\/figcaption><\/figure>\n<ol start=\"3\">\n<li>Click <strong>Done<\/strong> to close this screen, or repeat these steps to assign additional people.<\/li>\n<\/ol>\n<h3><a name=\"_Toc524956769\"><\/a>Adding People to the Okta Account<\/h3>\n<p>Perform the following steps to add additional people to your Okta account.<\/p>\n<ol>\n<li>Click <strong>Directory<\/strong> and then select <strong>People<\/strong>.<\/li>\n<\/ol>\n<figure id=\"attachment_16000\" aria-describedby=\"caption-attachment-16000\" style=\"width: 1024px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-4-a-okta-directory-people.png\"><img decoding=\"async\" class=\"size-large wp-image-16000\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-4-a-okta-directory-people-1024x243.png\" alt=\"\" width=\"1024\" height=\"243\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-4-a-okta-directory-people-1024x243.png 1024w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-4-a-okta-directory-people-300x71.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-4-a-okta-directory-people-768x182.png 768w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-4-a-okta-directory-people.png 1029w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption id=\"caption-attachment-16000\" class=\"wp-caption-text\"><em><span style=\"color: #808080\"><strong>Directory &gt; People<\/strong> navigation<\/span><\/em><\/figcaption><\/figure>\n<ol start=\"2\">\n<li>Click <strong>Add Person<\/strong> and then enter details.<\/li>\n<\/ol>\n<figure id=\"attachment_16001\" aria-describedby=\"caption-attachment-16001\" style=\"width: 1024px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-4-b-okta-add-person.png\"><img decoding=\"async\" class=\"size-large wp-image-16001\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-4-b-okta-add-person-1024x197.png\" alt=\"\" width=\"1024\" height=\"197\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-4-b-okta-add-person-1024x197.png 1024w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-4-b-okta-add-person-300x58.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-4-b-okta-add-person-768x148.png 768w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-4-b-okta-add-person.png 1030w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption id=\"caption-attachment-16001\" class=\"wp-caption-text\"><span style=\"color: #808080\"><em><strong>Add Person<\/strong> to provide details as prompted<\/em><\/span><\/figcaption><\/figure>\n<h3><a name=\"_Toc524956770\"><\/a>Configuring Ephesoft Transact to Operate with Okta<\/h3>\n<p>To configure Ephesoft Transact for operation with Okta, edit or set up the <strong>applicationContext.xml <\/strong>and <strong>web.xml <\/strong>files, as would be required if setting them up for other identity providers (IdPs).<\/p>\n<ol>\n<li>In the <strong>tomcat-users.xml <\/strong>file, add the <strong>username<\/strong>, <strong>password,<\/strong> and <strong>role<\/strong> for the user.<\/li>\n<\/ol>\n<ul>\n<li>This is a required setting for authentication and authorization in Ephesoft Transact.<\/li>\n<li>The <strong>username<\/strong> should be the first name of the Okta user.<\/li>\n<\/ul>\n<ol start=\"2\">\n<li>In the <strong>applicationContext-security.xml<\/strong> file, make the following changes:<\/li>\n<\/ol>\n<ul>\n<li>In the <strong>epheSamlFilter<\/strong> bean, add the name of the attribute that you added in Okta.<\/li>\n<\/ul>\n<figure id=\"attachment_16002\" aria-describedby=\"caption-attachment-16002\" style=\"width: 1024px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-a-okta-epheSamlFilter-bean.png\"><img decoding=\"async\" class=\"size-large wp-image-16002\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-a-okta-epheSamlFilter-bean-1024x219.png\" alt=\"\" width=\"1024\" height=\"219\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-a-okta-epheSamlFilter-bean-1024x219.png 1024w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-a-okta-epheSamlFilter-bean-300x64.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-a-okta-epheSamlFilter-bean-768x164.png 768w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-a-okta-epheSamlFilter-bean.png 1073w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption id=\"caption-attachment-16002\" class=\"wp-caption-text\"><em><span style=\"color: #808080\"><strong>epheSamlFilter<\/strong> bean<\/span><\/em><\/figcaption><\/figure>\n<ul>\n<li>In the <strong>metadataGeneratorFilter<\/strong> bean, enter <strong>entityID<\/strong> as configured in Okta.<\/li>\n<\/ul>\n<figure id=\"attachment_16003\" aria-describedby=\"caption-attachment-16003\" style=\"width: 1024px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-b-okta-metadataGenerator-Filter-bean.png\"><img decoding=\"async\" class=\"size-large wp-image-16003\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-b-okta-metadataGenerator-Filter-bean-1024x358.png\" alt=\"\" width=\"1024\" height=\"358\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-b-okta-metadataGenerator-Filter-bean-1024x358.png 1024w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-b-okta-metadataGenerator-Filter-bean-300x105.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-b-okta-metadataGenerator-Filter-bean-768x269.png 768w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-b-okta-metadataGenerator-Filter-bean.png 1074w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption id=\"caption-attachment-16003\" class=\"wp-caption-text\"><em><span style=\"color: #808080\"><strong>metadataGeneratorFilter<\/strong> bean<\/span><\/em><\/figcaption><\/figure>\n<ul>\n<li>In the <strong>metadata<\/strong> bean, add the URL of the Okta metadata which was copied to an Ephesoft folder location while adding Ephesoft Transact in Okta (a previous procedure).<\/li>\n<\/ul>\n<figure id=\"attachment_16004\" aria-describedby=\"caption-attachment-16004\" style=\"width: 1024px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-c-okta-metadata-bean.png\"><img decoding=\"async\" class=\"size-large wp-image-16004\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-c-okta-metadata-bean-1024x364.png\" alt=\"\" width=\"1024\" height=\"364\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-c-okta-metadata-bean-1024x364.png 1024w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-c-okta-metadata-bean-300x107.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-c-okta-metadata-bean-768x273.png 768w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-c-okta-metadata-bean.png 1032w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption id=\"caption-attachment-16004\" class=\"wp-caption-text\"><span style=\"color: #808080\"><em><strong>metadata<\/strong> bean<\/em><\/span><\/figcaption><\/figure>\n<ul>\n<li>By default, the application is configured to provide SAML configuration with <strong>SHA-1<\/strong>.<\/li>\n<li>For additional information about configuring SHA, refer to the earlier topic:\n<ul>\n<li><a href=\"#applicationContext-security.xml\">applicationContext-security.xml<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<figure id=\"attachment_16005\" aria-describedby=\"caption-attachment-16005\" style=\"width: 1024px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-d-okta-certStorePasswordDecryptor-bean.png\"><img decoding=\"async\" class=\"size-large wp-image-16005\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-d-okta-certStorePasswordDecryptor-bean-1024x576.png\" alt=\"\" width=\"1024\" height=\"576\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-d-okta-certStorePasswordDecryptor-bean-1024x576.png 1024w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-d-okta-certStorePasswordDecryptor-bean-300x169.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-d-okta-certStorePasswordDecryptor-bean-768x432.png 768w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-d-okta-certStorePasswordDecryptor-bean.png 1032w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption id=\"caption-attachment-16005\" class=\"wp-caption-text\"><span style=\"color: #808080\"><em><strong>certStorePasswordDecryptor<\/strong> bean<\/em><\/span><\/figcaption><\/figure>\n<ul>\n<li>Here, in the beans \u201c<strong>certStorePasswordDecryptor\u201d<\/strong> and \u201c<strong>certPasswordDecryptor\u201d,<\/strong> replace the string \u201c<strong>EncryptedPassword\u201d<\/strong> with your encrypted password value, keeping the quotation marks (example: \u201cnROcbAKcSGR7CsxrlNVZSA==\u201d).<\/li>\n<\/ul>\n<p>Also, comment out the similar <strong>keyManager<\/strong> bean, which is immediately below the above-mentioned lines:<\/p>\n<figure id=\"attachment_16006\" aria-describedby=\"caption-attachment-16006\" style=\"width: 1024px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-e-okta-keyManager-bean.png\"><img decoding=\"async\" class=\"size-large wp-image-16006\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-e-okta-keyManager-bean-1024x486.png\" alt=\"\" width=\"1024\" height=\"486\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-e-okta-keyManager-bean-1024x486.png 1024w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-e-okta-keyManager-bean-300x142.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-e-okta-keyManager-bean-768x364.png 768w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-e-okta-keyManager-bean.png 1033w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption id=\"caption-attachment-16006\" class=\"wp-caption-text\"><em><span style=\"color: #808080\"><strong>keyManager<\/strong> bean<\/span><\/em><\/figcaption><\/figure>\n<ol start=\"3\">\n<li>Save all above changes in the <strong>applicationContext-security.xml <\/strong><\/li>\n<li>Start the Ephesoft Transact server.<\/li>\n<\/ol>\n<p style=\"padding-left: 60px\">On hitting any of the Ephesoft Transact URLs, the user will be redirected to the Okta Sign In page.<\/p>\n<figure id=\"attachment_15957\" aria-describedby=\"caption-attachment-15957\" style=\"width: 958px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-f-okta-sign-in-screen.png\"><img decoding=\"async\" class=\"size-full wp-image-15957\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-f-okta-sign-in-screen.png\" alt=\"\" width=\"958\" height=\"435\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-f-okta-sign-in-screen.png 958w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-f-okta-sign-in-screen-300x136.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/7-8-5-f-okta-sign-in-screen-768x349.png 768w\" sizes=\"(max-width: 958px) 100vw, 958px\" \/><\/a><figcaption id=\"caption-attachment-15957\" class=\"wp-caption-text\"><span style=\"color: #808080\"><em>Okta <strong>Sign In<\/strong> screen<\/em><\/span><\/figcaption><\/figure>\n<ol start=\"5\">\n<li>With successful Okta authentication, the user will be redirected to the Ephesoft Transact login page.<\/li>\n<\/ol>\n<h1 id=\"Exporting_the_Self-signed_Certificate_from_Keystore\"><a name=\"_Toc524956771\"><\/a>Exporting the Self-signed Certificate from Keystore<\/h1>\n<ul>\n<li>Open the Key Tool in the command prompt. (Key tool is available in the JDK.)<\/li>\n<li>Execute the following command:<\/li>\n<\/ul>\n<pre><strong>keytool -export -alias<\/strong> &lt;<em>name of the entry to process<\/em>&gt; <strong>-storepass <\/strong>&lt;<em>password of keystore<\/em>&gt; <strong>-file<\/strong> &lt;<em>ephesoft.cer<\/em>&gt; <strong>-keystore<\/strong> &lt;<em>path to keystore file<\/em>&gt;<\/pre>\n<h1 id=\"Troubleshooting_SAML_2.0_SSO_in_Ephesoft_Transact\"><a name=\"_Toc524956772\"><\/a>Troubleshooting SAML 2.0 SSO in Ephesoft Transact<\/h1>\n<h2><a name=\"_Toc524956774\"><\/a>General Troubleshooting Tasks<\/h2>\n<p>General troubleshooting may entail one or more of the following configuration issues or activities:<\/p>\n<table style=\"height: 1662px\" width=\"732\">\n<tbody>\n<tr>\n<td width=\"162\"><strong>Error:<\/strong><\/td>\n<td width=\"474\"><strong>Description and Resolution<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"162\"><strong>1. Server Startup issues<\/strong><\/td>\n<td width=\"474\">\n<hr \/>\n<p><strong>Issue<\/strong> \u2014 This issue that may occur on server startup. Errors are observed with the PKIX path building having failed:<\/p>\n<p style=\"padding-left: 30px\">sun.security.provider.certpath.<br \/>\nSunCertPathBuilderException:<br \/>\nunable to find valid certification path to requested target<\/p>\n<p><strong>Resolution <\/strong>\u2014 This issue originates with the misconfiguration of certificates.<\/p>\n<ul>\n<li>Your https endpoint certificates presented by the IdP could not be verified.<\/li>\n<li>Please validate if the IdP certificates have been imported properly in cacerts.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"162\"><strong>2. IdP Login Page not displaying<\/strong><\/td>\n<td width=\"474\">\n<hr \/>\n<p><strong>Issue<\/strong> \u2014 With this issue, the user is not redirected to the IdP login page upon opening any screen.<\/p>\n<p><strong>Resolution <\/strong>\u2014 In the<strong> web.xml<\/strong> file, determine if the springSecurityFilterChain is not commented. Also, verify that the filter and its mapping precede the authenticationFilter.<\/td>\n<\/tr>\n<tr>\n<td width=\"162\"><strong>3. Access Denied screen is shown despite successful authentication<\/strong><\/td>\n<td width=\"474\">\n<hr \/>\n<p><strong>Issue<\/strong> \u2014 With this issue, the user is getting successfully authenticated with IdP. Although the user has privilege to access the screen, the <strong>Access Denied<\/strong> page is shown in error.<\/p>\n<p><strong>Resolution <\/strong>\u2014 In the <strong>web.xml <\/strong>file, verify if the authenticationFilter and its mapping is defined prior to the authorizationFilter.<\/td>\n<\/tr>\n<tr>\n<td width=\"162\"><strong>4. User is redirected to a broken page<\/strong><\/td>\n<td width=\"474\">\n<hr \/>\n<p><strong>Issue<\/strong> \u2014 With this issue, the user gets successfully authenticated on the IdP, but is redirected to a broken page.<\/p>\n<p><strong>Resolution<\/strong> \u2014 The broken page is displayed in cases where there are some missing configurations.<\/p>\n<ul>\n<li>Verify that the entityBaseURL property is specified in the metadataGeneratorFilter.<\/li>\n<li>If ADFS is configured, verify that the NameID claim is being passed in SAML message. This is mandatory to be passed for ADFS.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"162\"><strong>5. No redirection to the SSO Login screen upon login to Transact, with Access Denied message<\/strong><\/td>\n<td width=\"474\">\n<hr \/>\n<p><strong>Issue<\/strong> \u2014 With this issue, and after configuring SSO, the Ephesoft Transact page is not redirected to the SSO login page. An <strong>Access Denied<\/strong> error is displayed.<\/p>\n<p><strong>Resolution<\/strong> \u2014\u00a0Follow these steps as a possible resolution to this issue:<\/p>\n<p>1. Verify that the <strong>applicationContext-security.xml<\/strong> resource is uncommented in the applicationContext.xml file (&lt;Ephesoft Installation Directory&gt;\\Application). The following snapshot illustrates this configuration:<\/p>\n<figure id=\"attachment_16794\" aria-describedby=\"caption-attachment-16794\" style=\"width: 856px\" class=\"wp-caption alignleft\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/9-2-Issue5-01.png\"><img decoding=\"async\" class=\"size-full wp-image-16794\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/9-2-Issue5-01.png\" alt=\"\" width=\"856\" height=\"53\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/9-2-Issue5-01.png 856w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/9-2-Issue5-01-300x19.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/9-2-Issue5-01-768x48.png 768w\" sizes=\"(max-width: 856px) 100vw, 856px\" \/><\/a><figcaption id=\"caption-attachment-16794\" class=\"wp-caption-text\"><span style=\"color: #999999\"><em>Uncommenting applicationContext-security.xml in applicationContext.xml file<\/em><\/span><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>2. Verify that the springSecurityFilterChain filter is uncommented in the <strong>web.xml<\/strong> file located at <em>[Ephesoft_Directory]<\/em>\\Application\\WEB-INF.<\/p>\n<p style=\"padding-left: 30px\">The following snapshot illustrates this configuration:<\/p>\n<figure id=\"attachment_16795\" aria-describedby=\"caption-attachment-16795\" style=\"width: 1003px\" class=\"wp-caption alignleft\"><a href=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/9-2-Issue5-02.png\"><img decoding=\"async\" class=\"size-full wp-image-16795\" src=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/9-2-Issue5-02.png\" alt=\"\" width=\"1003\" height=\"198\" srcset=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/9-2-Issue5-02.png 1003w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/9-2-Issue5-02-300x59.png 300w, https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/9-2-Issue5-02-768x152.png 768w\" sizes=\"(max-width: 1003px) 100vw, 1003px\" \/><\/a><figcaption id=\"caption-attachment-16795\" class=\"wp-caption-text\"><em><span style=\"color: #999999\">springSecurityFilterChain filter in web.xml file<\/span><\/em><\/figcaption><\/figure>\n<p><strong>Note<\/strong>: \u00a0\u00a0The springSecurityFilterChain filter is responsible for redirection to the SSO login page.<\/p>\n<p>3. Ensure that the springSecurityFilterChain filter is the first filter in the web.xml file. If it is placed at the end, move it to be the first filter.<\/td>\n<\/tr>\n<tr>\n<td width=\"162\"><strong>6. Broken page does not correspond to the sent message <\/strong><\/td>\n<td width=\"474\">\n<hr \/>\n<p><strong>Issue<\/strong> \u2014 In this issue, the broken page in the <strong>InResponseToField<\/strong> of the response does not correspond to the sent message.<\/p>\n<p><strong>Resolution<\/strong> \u2014 Verify that the same URL is used for sending the request and receiving the response. Typically, this issue arises when the authentication request is initialized from a localhost address or http scheme, while the response is received at a public hostname or https scheme.<\/td>\n<\/tr>\n<tr>\n<td width=\"162\"><strong>7. Broken page appears after idle period<\/strong><\/td>\n<td width=\"474\">\n<hr \/>\n<p><strong>Issue<\/strong> \u2014 In this issue, an application redirect to a broken page is shown after the system is idle for a period of time.<\/p>\n<p><strong>Resolution<\/strong> \u2014 Verify the following settings to resolve this behavior:<\/p>\n<ol>\n<li>Comment the <strong>session-timeout<\/strong> node defined in the <strong>web.xml <\/strong>file.<\/li>\n<li>In the applicationContext-security.xml file, add a property maxAuthenticationAge to the bean class WebSSOProfileConsumerImpl:<\/li>\n<\/ol>\n<ul>\n<li>The <strong>maxAuthentication age<\/strong>(in seconds) determines the maximum session time set for the IdP.<\/li>\n<li>The default value is 7200 seconds.<\/li>\n<li>This value should match the value that was set at the IdP.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"162\"><strong>8. SuperAdmin privileges are granted to non-SuperAdmin users<\/strong><\/td>\n<td width=\"474\">\n<hr \/>\n<p><strong>Issue<\/strong> \u2014 In this issue, users that do not have the superadmin role may be granted superadmin privileges.<\/p>\n<p><strong>Resolution<\/strong> \u2014 Verify the index=2 setting in the <strong>epheSamlFilter<\/strong> bean in the <strong>applicationContext-security.xml<\/strong> file Determine if this value is <strong>true<\/strong>.<\/p>\n<ul>\n<li>If set to <strong>true<\/strong>, it grants all users with superadmin privileges.<\/li>\n<li>To resolve this issue, modify the value to either <strong>false<\/strong> or an empty string.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"162\"><strong>9. General Log Monitoring<\/strong><\/td>\n<td width=\"474\">\n<hr \/>\n<p>If there are any issues encountered during configuration or authentication, please check the logs in the following location:<\/p>\n<ul>\n<li><strong>&lt;Ephesoft-Installation-Directory&gt;\/Application\/logs\/dcma-all.log<\/strong><\/li>\n<\/ul>\n<p>Follow the instructions defined inside the logs. If the problem persists, share the following information with Ephesoft Support:<\/p>\n<ul>\n<li>INFO level logs<\/li>\n<li>SAZ file \u2014 Collect the Fiddler trace while accessing your application and authenticating to Azure AD and share this SAZ file.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2><a name=\"_Toc520462183\"><\/a><a name=\"_Toc520455871\"><\/a><a name=\"_Toc524956775\"><\/a>Logging for SAML Requests<\/h2>\n<p>To obtain more logging information about SAML requests, add the following lines to the <strong>log4j.xml <\/strong>file placed under directory &lt;<em>Ephesoft_HOME<\/em>&gt;<strong>\/Application\/log4j.xml<\/strong>. Adding the following lines will provide INFO-level logs for SAML requests and responses in the <strong>dcma-all.log<\/strong>.<\/p>\n<pre style=\"padding-left: 30px\">&lt;Logger name=\"org.opensaml\"\r\nlevel=\"INFO\" additivity=\"false\"&gt;\r\n&lt;AppenderRef ref=\"CORE\"\/&gt;\r\n&lt;\/Logger&gt;\r\n&lt;Logger name=\"org.springframework.security.saml\"\r\nlevel=\"INFO\" additivity=\"false\"&gt;\r\n&lt;AppenderRef ref=\"CORE\"\/&gt;\r\n&lt;\/Logger&gt;<\/pre>\n<h2><a name=\"_Toc524956776\"><\/a>Getting the Fiddler Trace<\/h2>\n<p>To use Fiddler, which is a free web debugging proxy from Telerik, navigate to the following page for download and installation: <a href=\"https:\/\/www.telerik.com\/download\/fiddler\">Download Fiddler Classic.<\/a><\/p>\n<p><strong>Note:<\/strong>\u00a0Account registration is required.<\/p>\n<p>After you have installed Fiddler, perform the following steps to start the capture:<\/p>\n<ol>\n<li>Go to <a href=\"http:\/\/fiddler2.com\/home\">http:\/\/fiddler2.com\/home<\/a> (.NET2 or .NET4 is fine).<\/li>\n<li>Once installed, go to <strong>Tools<\/strong> &gt; <strong>Fiddler Options<\/strong> &gt; <strong>Https<\/strong><\/li>\n<li>Check Decrypt HTTPS traffic, and click <strong>Yes<\/strong> for the popup screens, as prompted.<\/li>\n<\/ol>\n<p>You will receive a few pop-up screens that are required in order to install the Fiddler root certificate. The Fiddler root certificate allows Fiddler to function as an intermediate agent in the HTTPS session.<\/p>\n<ol start=\"4\">\n<li>Click <strong>Yes <\/strong>to continue.<\/li>\n<li>Click <strong>Clear Cache<\/strong> on the <strong>Fiddler<\/strong><\/li>\n<li>Click <strong>Edit &gt; Remove All Sessions<\/strong>.<\/li>\n<li>Open your favorite browser. Verify it is capturing data in Fiddler.<\/li>\n<li>Reproduce the issue in the browser.<\/li>\n<li>Stop the Fiddler trace once it is done.<\/li>\n<li>Save the Fiddler trace as an SAZ file.<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n","protected":false},"featured_media":0,"parent":47681,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","doc_tag":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v19.0 (Yoast SEO v22.1) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Manually Configuring SAML 2.0 SSO for Ephesoft Transact 4.5.0.x and 2019.1 | Ephesoft Docs<\/title>\n<meta name=\"robots\" content=\"noindex, follow\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Manually Configuring SAML 2.0 SSO for Ephesoft Transact 4.5.0.x and 2019.1\" \/>\n<meta property=\"og:description\" content=\"SSO Overview Single sign-on (SSO) is a mechanism of access control that can be applied on multiple related, but independent [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/single-sign-on-resources\/configuring-saml-sso\/\" \/>\n<meta property=\"og:site_name\" content=\"Ephesoft Docs\" \/>\n<meta property=\"article:modified_time\" content=\"2021-08-27T14:49:07+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-a-Viewing-cacert.pem_.png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"40 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/single-sign-on-resources\/configuring-saml-sso\/\",\"url\":\"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/single-sign-on-resources\/configuring-saml-sso\/\",\"name\":\"Manually Configuring SAML 2.0 SSO for Ephesoft Transact 4.5.0.x and 2019.1 | Ephesoft Docs\",\"isPartOf\":{\"@id\":\"https:\/\/ephesoft.com\/docs\/#website\"},\"datePublished\":\"2018-09-19T23:48:56+00:00\",\"dateModified\":\"2021-08-27T14:49:07+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/single-sign-on-resources\/configuring-saml-sso\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/single-sign-on-resources\/configuring-saml-sso\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/single-sign-on-resources\/configuring-saml-sso\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/ephesoft.com\/docs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Transact\",\"item\":\"https:\/\/ephesoft.com\/docs\/products\/transact\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"System Configuration\",\"item\":\"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"User Connectivity\",\"item\":\"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/\"},{\"@type\":\"ListItem\",\"position\":5,\"name\":\"Single Sign-On Resources\",\"item\":\"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/single-sign-on-resources\/\"},{\"@type\":\"ListItem\",\"position\":6,\"name\":\"Manually Configuring SAML 2.0 SSO for Ephesoft Transact 4.5.0.x and 2019.1\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/ephesoft.com\/docs\/#website\",\"url\":\"https:\/\/ephesoft.com\/docs\/\",\"name\":\"Ephesoft Docs\",\"description\":\"Intelligent Document Processing Made Easy\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/ephesoft.com\/docs\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Manually Configuring SAML 2.0 SSO for Ephesoft Transact 4.5.0.x and 2019.1 | Ephesoft Docs","robots":{"index":"noindex","follow":"follow"},"og_locale":"en_US","og_type":"article","og_title":"Manually Configuring SAML 2.0 SSO for Ephesoft Transact 4.5.0.x and 2019.1","og_description":"SSO Overview Single sign-on (SSO) is a mechanism of access control that can be applied on multiple related, but independent [&hellip;]","og_url":"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/single-sign-on-resources\/configuring-saml-sso\/","og_site_name":"Ephesoft Docs","article_modified_time":"2021-08-27T14:49:07+00:00","og_image":[{"url":"https:\/\/ephesoft.com\/docs\/wp-content\/uploads\/2018\/09\/4-2-2-a-Viewing-cacert.pem_.png"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"40 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/single-sign-on-resources\/configuring-saml-sso\/","url":"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/single-sign-on-resources\/configuring-saml-sso\/","name":"Manually Configuring SAML 2.0 SSO for Ephesoft Transact 4.5.0.x and 2019.1 | Ephesoft Docs","isPartOf":{"@id":"https:\/\/ephesoft.com\/docs\/#website"},"datePublished":"2018-09-19T23:48:56+00:00","dateModified":"2021-08-27T14:49:07+00:00","breadcrumb":{"@id":"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/single-sign-on-resources\/configuring-saml-sso\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/single-sign-on-resources\/configuring-saml-sso\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/single-sign-on-resources\/configuring-saml-sso\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/ephesoft.com\/docs\/"},{"@type":"ListItem","position":2,"name":"Transact","item":"https:\/\/ephesoft.com\/docs\/products\/transact\/"},{"@type":"ListItem","position":3,"name":"System Configuration","item":"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/"},{"@type":"ListItem","position":4,"name":"User Connectivity","item":"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/"},{"@type":"ListItem","position":5,"name":"Single Sign-On Resources","item":"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/single-sign-on-resources\/"},{"@type":"ListItem","position":6,"name":"Manually Configuring SAML 2.0 SSO for Ephesoft Transact 4.5.0.x and 2019.1"}]},{"@type":"WebSite","@id":"https:\/\/ephesoft.com\/docs\/#website","url":"https:\/\/ephesoft.com\/docs\/","name":"Ephesoft Docs","description":"Intelligent Document Processing Made Easy","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/ephesoft.com\/docs\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}},"comment_count":0,"_links":{"self":[{"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/docs\/15952"}],"collection":[{"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/types\/docs"}],"replies":[{"embeddable":true,"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/comments?post=15952"}],"version-history":[{"count":0,"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/docs\/15952\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/docs\/47681"}],"next":[{"title":"SAML SSO | Multiple Groups Support","link":"https:\/\/ephesoft.com\/docs\/products\/transact\/configurations\/user-connectivity\/single-sign-on-resources\/saml-sso-multiple-groups-support\/","href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/docs\/15055"}],"wp:attachment":[{"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/media?parent=15952"}],"wp:term":[{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/ephesoft.com\/docs\/wp-json\/wp\/v2\/doc_tag?post=15952"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}