MWS SSO using SAML with 3rd Party IDP

Hi Experts,

We have implemented SSO using SAML with a 3rd party IDP and it is working fine with the URL provided by the IDP team. The IDP URL looks like below:

https://authgw.**********.com/authgw/idpssoinit?metaAlias=/EUR/IDP_INT_**portal&spEntityID=https://dev01.eu.ad.:443

We are able to log into the portal if we hit the above URL, without being asked for any login credentials.

But we don't want to use the full IDP URL; instead we simply want to use the application frontend URL https://dev01.eu.ad.*:443.

If we use the application frontend URL, it asks for username & password (i.e., it lands on the MWS login page instead of logging directly into the application dashboard page). Do we have to make any configuration changes in MWS to make SSO work with the application frontend URL? Any inputs would really help.

Regards,
Pradeep.

Hi Sai,

please log in to MWS as SysAdmin or as a user who is a member of the “Admin Role” and check the SAML configuration.
There are 4 parts to be checked:

  • SAML Authentication
  • SAML IDP Configuration
  • SAML SP Registration
  • SAML SSO Configure SP

Eventually you need to add some hosts to the “Redirection Whitelist Administration”.

See the MWS Administrators Guide for further information regarding this.

Regards,
Holger

Hi Holger,

Thank you so much for quick response.

We configured the IDP-initiated SSO URL under SAML Authentication Administration.

Also, I checked Redirection Whitelist Administration and added the IDP server to the whitelist, but the application frontend URL is still not taking SSO.

I found one article in the Tech Community: first the SSO should be initiated at the SP, and then it redirects to the IDP as per the SAML Authentication Administration configuration, to make our frontend URL work with SSO.

We are on v10.1, and I don’t see an SP-initiated SSO option/configuration in MWS.

Please suggest how to proceed further.

Regards,
Pradeep.

Hi Sai,

by searching Empower for “sso saml idp” I found the following entries:
https://documentation.softwareag.com/webmethods/mywebmethods_server/mws10-4/10-4_MWSw/index.html#page/my-webmethods-server-webhelp%2Fco-configuring_single_sign-on.html%23
https://documentation.softwareag.com/webmethods/mywebmethods_server/mws10-4/10-4_MWSw/index.html#page/my-webmethods-server-webhelp/re-property_setting_for_single_sign-on_using_a_third-party_idp.html

Most likely I won't be able to help you further in this case, as we are not using SAML SSO with an IDP in our application, only SSO via HTTP header authentication.

Regards,
Holger

Hi Holger,

Thanks for your inputs.

After detailed analysis: 10.1 only supports IDP-initiated SSO. You need to write custom code to achieve SP-initiated SSO.

Whereas 10.5 supports both IDP-initiated SSO and SP-initiated SSO. But it doesn’t support RelayState with SP-initiated SSO.

RelayState: as a user, if you request a protected resource (a specific URL appended with URL query parameters) in MWS with SP-initiated SSO configured, after a successful login the user should be redirected to the same URL instead of being taken to the home page of the application.

So the SAG R&D team raised a feature request to achieve the RelayState part. Apart from that, SSO with SAML authentication is working fine.

Thank you for your help…!

Regards,
Pradeep.
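The two flows discussed in the thread (IDP-initiated versus SP-initiated SSO, and what RelayState has to do for the "return me to the URL I asked for" case) are easier to see in code than in prose. The following is an added illustration written for this page, not MWS code and not what Software AG shipped in 10.1 or 10.5: a minimal SP side of the SAML 2.0 HTTP-Redirect binding that builds an unsigned AuthnRequest, remembers the originally requested URL against the request ID, and on the assertion consumer endpoint decides where to send the browser. The SP/IdP endpoints, the allowed-host set and the in-memory pending store are all hypothetical; signature, audience and condition checks on the incoming assertion are assumed to have been done already and are not shown. Two details worth noticing: RelayState carries an opaque request ID rather than the URL itself (the spec caps RelayState at 80 bytes, and an opaque value cannot be tampered with into an open redirect), and any URL that does come from outside (the IdP-initiated case) goes through an allow-list check of the same kind a redirection whitelist performs.

```python
"""SP-initiated SAML SSO with RelayState, constructed example (not MWS code)."""
import base64
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical endpoints and allow-list; none of these come from the thread.
SP_ENTITY_ID = "https://sp.example.com"
ACS_URL = "https://sp.example.com/saml/acs"
HOME_URL = "https://sp.example.com/"
IDP_SSO_URL = "https://idp.example.com/idpssoinit"
ALLOWED_RETURN_HOSTS = {"sp.example.com"}

# Pending AuthnRequests: request ID -> originally requested URL.
# A real SP keeps this in a session store with an expiry; a dict suffices here.
_pending = {}


def build_authn_request(request_id, issue_instant):
    """Minimal unsigned AuthnRequest (a production SP would sign it)."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'AssertionConsumerServiceURL="{ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )


def deflate_b64(xml):
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64 (URL-encoded later)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def inflate_b64(value):
    return zlib.decompress(base64.b64decode(value), -15).decode()


def start_sp_initiated_sso(requested_url):
    """Called when an unauthenticated user hits a protected resource.

    Returns the IdP URL the browser is redirected to. The requested URL is kept
    server-side; RelayState carries only the opaque request ID.
    """
    request_id = "_" + uuid.uuid4().hex
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    _pending[request_id] = requested_url
    params = {
        "SAMLRequest": deflate_b64(build_authn_request(request_id, issue_instant)),
        "RelayState": request_id,
    }
    return IDP_SSO_URL + "?" + urlencode(params)


def parse_redirect(redirect_url):
    """Decode what the IdP would receive: the request ID and the RelayState."""
    qs = parse_qs(urlsplit(redirect_url).query)
    xml = inflate_b64(qs["SAMLRequest"][0])
    return {"request_id": ET.fromstring(xml).get("ID"),
            "relay_state": qs["RelayState"][0], "xml": xml}


def safe_return_url(url):
    """Allow-list check so an attacker-supplied RelayState cannot redirect off-site.

    Rejects non-https schemes, scheme-relative URLs (//evil) and foreign hosts,
    including userinfo tricks such as https://sp.example.com@evil.example.net/.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_RETURN_HOSTS:
        return HOME_URL
    return url


def handle_acs(in_response_to, relay_state):
    """Decide the post-login redirect, after the assertion itself has been verified.

    in_response_to is the Response's InResponseTo attribute (None for an
    IdP-initiated, unsolicited response); relay_state is the posted RelayState.
    """
    if in_response_to is None:
        # IdP-initiated: RelayState, if any, is an IdP-chosen URL; allow-list it.
        return safe_return_url(relay_state) if relay_state else HOME_URL
    target = _pending.pop(in_response_to, None)   # pop: one use per request ID
    if target is None or relay_state != in_response_to:
        return HOME_URL   # unknown, expired or replayed request: fall back to home
    return safe_return_url(target)
```

Read `handle_acs` against the thread: the IDP-initiated URL in the first post corresponds to the `in_response_to is None` branch, which can only ever land on a fixed or IdP-chosen page; the frontend-URL case Pradeep wanted is the second branch, which only works because the SP remembered the requested URL when it issued the AuthnRequest. Popping the pending entry also gives a cheap defence against replaying a captured response to reuse the same RelayState.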