The following systems must be set up:
The following certificates must be created. See Create certificates for more information:
For secure communication between Hybrid Access Gateway and PRIME, each server must provide its own server certificate.
To use SAML authentication, Hybrid Access Gateway needs an SSL server certificate. For demo use cases a self-signed certificate together with its private key is sufficient; note that browsers and PRIME then have to trust that certificate explicitly, since no CA vouches for it. Skip these steps if a CA-issued server certificate already exists.
Since SAML messages are exchanged in both directions, PRIME also needs its own server certificate. Skip these steps if a CA-issued server certificate already exists.
Hybrid Access Gateway requires a key pair and a certificate for the SAML communication.
Nexus PRIME needs its own private key. The private key of PRIME, together with its certificate, must be imported into the Java keystore /prime_explorer/WEB-INF/classes/samlKeystore.jks.
To create a SAML certificate for PRIME:
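The steps below, as an added example that is not part of this documentation, create a self-signed key pair and certificate for PRIME and pack them into a keystore in the form samlKeystore.jks expects, then check that the private key really belongs to the certificate and that the keystore holds the entry under the expected alias. The host name prime.example.test, the alias prime-saml and the store password changeit are assumptions for the demo; the script writes into a scratch directory rather than /prime_explorer/WEB-INF/classes, so copy the resulting samlKeystore.jks into place afterwards. The JKS conversion only runs when keytool (JDK) is on the PATH; the PKCS#12 file is produced in any case.

```shell
#!/bin/sh
# Added example (not Nexus documentation): self-signed SAML key pair for PRIME,
# packed into a keystore. Host, alias, password and directory are assumptions.
set -eu

PRIME_HOST="${PRIME_HOST:-prime.example.test}"   # assumption
KEY_ALIAS="${KEY_ALIAS:-prime-saml}"              # assumption
STORE_PASS="${STORE_PASS:-changeit}"              # demo only; use a real secret in production
WORK_DIR="${WORK_DIR:-$(mktemp -d)}"              # stand-in for /prime_explorer/WEB-INF/classes

# 1. Key pair plus self-signed certificate (demo only; production uses a PKI-issued certificate).
create_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
        -keyout "$WORK_DIR/prime-saml.key" -out "$WORK_DIR/prime-saml.crt" \
        -subj "/CN=$PRIME_HOST" 2>/dev/null
}

# 2. Bundle key and certificate into PKCS#12 (what keytool imports), then convert to
#    JKS when keytool is available. Older JDKs may not read the PBES2 algorithms that
#    OpenSSL 3 uses by default; use a current JDK or add -legacy to the export.
build_keystore() {
    openssl pkcs12 -export -name "$KEY_ALIAS" \
        -inkey "$WORK_DIR/prime-saml.key" -in "$WORK_DIR/prime-saml.crt" \
        -out "$WORK_DIR/samlKeystore.p12" -passout "pass:$STORE_PASS"
    if command -v keytool >/dev/null 2>&1; then
        keytool -importkeystore -noprompt \
            -srckeystore "$WORK_DIR/samlKeystore.p12" -srcstoretype PKCS12 -srcstorepass "$STORE_PASS" \
            -destkeystore "$WORK_DIR/samlKeystore.jks" -deststoretype JKS -deststorepass "$STORE_PASS"
    fi
}

# 3a. The public key derived from the private key must equal the one in the certificate,
#     otherwise signatures made with the key will not verify against the published cert.
key_matches_cert() {
    key_spki=$(openssl pkey -in "$WORK_DIR/prime-saml.key" -pubout 2>/dev/null | openssl sha256)
    crt_spki=$(openssl x509 -in "$WORK_DIR/prime-saml.crt" -pubkey -noout | openssl sha256)
    [ "$key_spki" = "$crt_spki" ]
}

# 3b. The keystore must contain the entry under the alias PRIME will be configured with.
keystore_has_alias() {
    openssl pkcs12 -in "$WORK_DIR/samlKeystore.p12" -passin "pass:$STORE_PASS" -nokeys 2>/dev/null \
        | grep -q "friendlyName: $KEY_ALIAS"
}

create_selfsigned
build_keystore
key_matches_cert && keystore_has_alias && echo "keystore ready in $WORK_DIR"
```

If keytool is available you can list the result with keytool -list -keystore samlKeystore.jks -storepass changeit; the alias shown there is the one the SAML configuration must reference.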
Set up authentication profile
Create meta-data files
Since Nexus PRIME acts as service provider, you need to create the corresponding meta-data files for it. Templates are provided in the folder saml_config on the application's classpath (\prime_explorer\WEB-INF\classes\saml_config\). Once the meta-data files for PRIME Explorer and PRIME Self-Service have been created, they must be shared with the identity provider, in this case Nexus Hybrid Access Gateway.
The meta-data template contains the following values that need to be adapted:
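As an added example that is not taken from the template or from this documentation, the script below generates service-provider meta-data for PRIME Explorer from the SAML certificate, so that the identity provider receives exactly the public key that samlKeystore.jks holds. The entity ID, the assertion consumer URL and the host name are assumptions; the certificate is a constructed demo certificate, and the comment shows how to export the real one from the keystore instead. The meta-data for PRIME Self-Service is built the same way with its own entity ID and URL. A final check decodes the embedded certificate and compares its fingerprint with the file, which catches a stale or wrongly pasted certificate before the meta-data is handed over.

```shell
#!/bin/sh
# Added example (not Nexus documentation): SP meta-data for PRIME with the SAML
# certificate embedded. Entity ID, ACS URL and host name are assumptions.
set -eu

PRIME_HOST="${PRIME_HOST:-prime.example.test}"                      # assumption
ENTITY_ID="${ENTITY_ID:-https://$PRIME_HOST/prime_explorer}"        # assumption
ACS_URL="${ACS_URL:-https://$PRIME_HOST/prime_explorer/saml/SSO}"   # assumption
WORK_DIR="${WORK_DIR:-$(mktemp -d)}"
CERT="$WORK_DIR/prime-saml.crt"
META="$WORK_DIR/prime_explorer-sp-metadata.xml"

# Constructed demo certificate. With a real keystore, export the certificate instead:
#   keytool -exportcert -rfc -alias <alias> -keystore samlKeystore.jks -file prime-saml.crt
make_demo_cert() {
    [ -s "$CERT" ] || openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
        -keyout "$WORK_DIR/prime-saml.key" -out "$CERT" -subj "/CN=$PRIME_HOST" 2>/dev/null
}

# ds:X509Certificate carries the DER certificate base64-encoded, without PEM armour.
cert_b64() {
    openssl x509 -in "$CERT" -outform DER | openssl base64 -A
}

# The same certificate is published for signing (IdP verifies PRIME's requests with it)
# and for encryption (IdP encrypts assertions to it); PRIME decrypts with the keystore key.
write_metadata() {
    b64=$(cert_b64)
    cat > "$META" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="$ENTITY_ID">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>$b64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>$b64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="$ACS_URL" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
}

# Round-trip check: the certificate inside the meta-data must have the same SHA-256
# fingerprint as the certificate file that matches the keystore.
metadata_matches_cert() {
    meta_fp=$(sed -n 's|.*<ds:X509Certificate>\(.*\)</ds:X509Certificate>.*|\1|p' "$META" | head -n1 \
              | openssl base64 -d -A | openssl x509 -inform DER -noout -fingerprint -sha256)
    file_fp=$(openssl x509 -in "$CERT" -noout -fingerprint -sha256)
    [ "$meta_fp" = "$file_fp" ]
}

make_demo_cert
write_metadata
metadata_matches_cert && echo "meta-data written to $META"
```

Set ENTITY_ID and ACS_URL in the environment to the values your installation uses; the values the PRIME template asks for are the ones to carry over.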
Upload meta-data files to Authentication profile
After the meta-data files have been created, they must be uploaded to the Authentication Profile in PRIME Designer.
Configure meta-data files
The uploaded meta-data files must be configured with File Properties.
Configure communication between PRIME Explorer and PRIME Self-Service
Upload keystore file
To have a secure communication between Hybrid Access Gateway and PRIME, server certificates must be provided by each server.
Each party's private key is used to sign the SAML messages it sends and to decrypt messages that the other party encrypted for it; the other party signs and encrypts using the certificate (public key) exchanged through the meta-data, and verifies signatures with the sender's certificate in the same way. Both parties therefore need their own key pair, which can be self-signed (for testing) or issued by a public key infrastructure (for production systems). A self-signed certificate carries no third-party trust, so the meta-data that publishes it must be exchanged over a trusted channel and its fingerprint checked on the receiving side.
To enable Hybrid Access Gateway to use the SAML certificate for signing:
If you want to create a DNS name for the Hybrid Access Gateway access point, do the following:
To add the service provider:
After the service provider has been configured successfully in Hybrid Access Gateway, download the SAML metadata: