Hi Experts,
We have implemented SSO using SAML with a 3rd party IDP and it is working fine with the URL provided by the IDP team. The IDP URL looks like below:
https://authgw.**********.com/authgw/idpssoinit?metaAlias=/EUR/IDP_INT_**portal&spEntityID=https://dev01.eu.ad.:443
We are able to log in to the portal if we hit the above URL, without being asked for any login credentials.
But we don't want to use the full IDP URL; instead we simply want to use the application frontend URL https://dev01.eu.ad.*:443.
If we use the application frontend URL, it asks for username & password (i.e., landing on the MWS login page instead of directly logging into the application dashboard page). Do we have to make any configuration changes in MWS to make the SSO work with the application frontend URL? Any inputs would really help.
Regards,
Pradeep.
Hi Sai,
please log in to MWS with SysAdmin or a user who is a member of the “Admin Role” and check the SAML configuration.
There are 4 parts to be checked:
- SAML Authentication
- SAML IDP Configuration
- SAML SP Registration
- SAML SSO Configure SP
Eventually you need to add some hosts into the “Redirection Whitelist Administration”.
See the MWS Administrators Guide for further information regarding this.
Regards,
Holger
Hi Holger,
Thank you so much for the quick response.
We configured the IDP initiated SSO URL under the SAML Authentication Administration.
Also, I checked Redirection Whitelist Administration and added the IDP server to the whitelist, but the application frontend URL is still not using SSO.
I found an article in the tech community: first the SSO should be initiated at the SP, and then it redirects to the IDP as per the SAML Authentication Administration configuration, to make our frontend URL work with SSO.
We are on v10.1, and I don’t see an SP initiated SSO option/configuration in MWS.
Please suggest how to proceed further.
Regards,
Pradeep.
Hi Holger,
Thanks for your inputs.
After the detailed analysis, 10.1 only supports IDP initiated SSO. You need to write custom code to achieve the SP initiated SSO.
Whereas 10.5 supports both IDP initiated SSO and SP initiated SSO, but it doesn’t support RelayState with SP initiated SSO.
RelayState: As a user, if you request a protected resource (a specific URL appended with URL query parameters) in MWS with SP initiated SSO configured, after a successful login you should be redirected to the same URL instead of being taken to the home page of the application.
So, the SAG R&D team raised a feature request to achieve the RelayState part. Apart from that, SSO with SAML authentication is working fine.
Thank you for your help…!
Regards,
Pradeep.
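
The SP initiated flow and the RelayState behaviour described in the last post, as an added generic SAML 2.0 sketch (not MWS code and not from any poster in this thread). All host names, URLs and the in-memory store are assumptions; the SP keeps the requested URL server-side, sends only an opaque token as RelayState, and checks the target against a redirect allow-list before returning the user to it.

```python
import base64, secrets, uuid, zlib
from datetime import datetime, timezone
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed values for illustration only; not taken from the thread or from MWS.
IDP_SSO_URL = "https://idp.example.com/sso/redirect"
SP_ENTITY_ID = "https://portal.example.com:443"
ACS_URL = "https://portal.example.com/saml/acs"
REDIRECT_WHITELIST = {"portal.example.com"}
HOME = "https://portal.example.com/"

_pending = {}  # RelayState token -> originally requested URL (a session store in practice)

def start_sp_initiated_sso(requested_url):
    """Build the HTTP-Redirect binding URL that sends the browser to the IdP."""
    authn_request = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" '
        f'IssueInstant="{datetime.now(timezone.utc):%Y-%m-%dT%H:%M:%SZ}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
    )
    # Redirect binding: raw DEFLATE (no zlib header), then base64, then URL-encode.
    deflater = zlib.compressobj(wbits=-15)
    deflated = deflater.compress(authn_request.encode()) + deflater.flush()
    # RelayState must not exceed 80 bytes, so send an opaque token, not the URL.
    token = secrets.token_urlsafe(24)
    _pending[token] = requested_url
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": token})
    return f"{IDP_SSO_URL}?{query}"

def decode_saml_request(redirect_url):
    """Reverse the redirect-binding encoding (what the IdP does on receipt)."""
    params = parse_qs(urlsplit(redirect_url).query)
    return zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), wbits=-15).decode()

def landing_url_after_login(relay_state):
    """Called at the ACS once the SAML response itself has been validated."""
    target = _pending.pop(relay_state, None)  # single use; unknown tokens go home
    if target is None:
        return HOME
    parts = urlsplit(target)
    if parts.scheme != "https" or parts.hostname not in REDIRECT_WHITELIST:
        return HOME  # never redirect to a host outside the allow-list
    return target
```
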