Installing And Setting Up OpenSSO To Use As Your SAML 2.0 IDP With ServiceNow

jason_petty · ‎04-05-2013

I work a lot with customers setting up their SAML SSO solution. There have been a number of IDPs that the customers I have worked with use and I hardly ever get to see that side of the configuration. I wanted to understand what they had to do in order to set up their IDP to work with ServiceNow. I have documented the steps that I took to install and configure OpenAM (Formerly known as OpenSSO) to work with ServiceNow as my SAML 2.0 IDP. These instructions assume you are setting up your own virtual machine locally.

Setup Your Virtual Machine's Host file

Bring up a Linux VM in your favorite hypervisor
Set your host name in your network settings to something you can use in your hosts file like openamtest
Modify your /etc/hosts file to have an entry like this:
1. 192.168.1.106 openamtest.org openamtest

Install Open DJ

Download OpenDJ-2.4.6 from Here (Get the ZIP file)
Unzip the file
Run "./setup --cli"
1. Put in an LDAP syntax for the root user for your LDAP Directory (cn=Directory Manager)
2. 1. What would you like to use as the initial root user DN for the Directory Server? [cn=Directory Manager]:
3. Set to port to something like 1389
4. 1. On which port would you like the Directory Server to accept connections from LDAP clients? [1389]:
5. Set the Administration Connector port to 4444
6. 1. On which port would you like the Administration Connector to accept connections? [4444]:
7. Create the base DNs of the server
8. 1. Do you want to create base DNs in the server? (yes / no) [yes]:
9. Provide the base DN:
10. 1. Provide the base DN for the directory data: [dc=example,dc=com]:
11. Only Create Base Entry:
12. 1. Options for populating the database:
    
    1) Only create the base entry
    2) Leave the database empty
    3) Import data from an LDIF file
    4) Load automatically-generated sample data
    
    Enter choice [1]: 1
13. Don't enable SSL:
14. 1. Do you want to enable SSL? (yes / no) [no]:
15. Don't enable Start TLS:
16. 1. Do you want to enable Start TLS? (yes / no) [no]:
17. Chose Yes to start server when configuration is complete:
18. 1. Do you want to start the server when the configuration is completed? (yes / no) [yes]:
19. When you see the setup summary, choose "Set up server with parameters above":
20. 1. Setup Summary
    =============
    LDAP Listener Port: 1389
    Administration Connector Port: 4444
    LDAP Secure Access: disabled
    Root User DN: cn=Directory Manager
    Directory Data: Create New Base DN dc=example,dc=com.
    Base DN Data: Only Create Base Entry (dc=example,dc=com)
    
    Start Server when the configuration is completed
    
    What would you like to do?
    
    1) Set up the server with the parameters above
    2) Provide the setup parameters again
    3) Print equivalent non-interactive command-line
    4) Cancel and exit
    
    Enter choice [1]:
21. After it is done, you will see this:
22. 1. Configuring Directory Server ..... Done.
    Creating Base Entry dc=example,dc=com ..... Done.
    Starting Directory Server ........ Done.
    
    To see basic server configuration status and configuration you can launch /opt/OpenDJ-2.4.6/bin/status
Install Tomcat
1. Download Tomcat 7 from Here (Get the Zip File)
2. Unzip the file
3. CD to the apache/bin directory
4. Do a chmod 755 * in that folder
5. Modify the catalina.sh file and put in this line somewhere
6. 1. JAVA_OPTS="-Xmx1024m -XX:MaxPermSize=256m"
7. Run "./startup.sh"
Install OpenAM (Formerly known as OpenSSO)
1. Download OpenAM 10.0.1 from Here (Get the Zip File)
2. Unzip the file
3. Copy the opensso/deployable-war/opensso.war to the apache/webapps directory
4. 1. It will automatically deploy the war file and extract it to a folder in the webapps directory
5. Go to http://ipaddressOfVm:8080/opensso/config/options.htm
6. Click on Create New Configuration
7. Type in a password on the first screen twice that you want to set
9. On the next screen, make sure your ip address is in the first field like this:
10. 1. http://192.168.1.102:8080
  2. Cookie Domain should be 192.168.1.102
  3. Leave the rest default
11. On the next screen, leave everything default and click next
13. On the next screen, Choose OpenDJ as the type
14. 1. Hostname is localhost
  2. Set the right port 1389
  3. Set the Context to dc=example,dc=com like you did when setting up OpenDJ
  4. Type in a password
  5. Click next
15. Leave the next option set to no and click next
17. Type in a password twice - it has to be different than the one you set in step 6 then click Next
19. Click the Create Configuration button and let it run the configuration
21. When the configuration finishes, click "proceed to login" or just login at this address: http://ipaddressOfVm:8080/opensso/
22. 1. username: amAdmin
  2. password: your password you set up in step 6 above
23. Create Users in your IDP
24. 1. Click on Access Control tab
  3. Click on the link "(Top Level Realm)" in the list of realms
  5. Click on Subjects tab
  7. Click on the New button
  9. Put in the id, First Name, Last Name, Password twice and then click OK
  11. Now open the details of that user you just created and put in an email that will match a user in ServiceNow
  13. Save
  14. Click "Back to Subjects" button
  15. Click "Back to Access Control" button
25. Increase the buffer length so signing won't fail
26. 1. Click on Configuration tab
  3. Click on Global sub-tab
  4. Click on SAMLv2 Service Configuration property
  6. Add a 0 to the end of the Buffer Length value (last value)
  8. Save
  9. Click "Back to Service Configuration" button
27. Create your IDP
28. 1. Click on Common Tasks Tab
  2. Click on "Create Hosted Identity Provider"
  4. Set the Signing key to "test"
  5. Type in the "Circle of Trust" field a name you want to name your IDP like "OpenSSOIdP"
  7. Click Configure
  8. Click Finish
29. Get settings from OpenAM and set all your settings in your ServiceNow instance
30. 1. Click on Federation tab
  2. In the "Entity Providers" section, click on the hyperlink of your IDP's ip address
  4. Click on the Services tab
  5. Copy the appropriate values from here to your ServiceNow instance
  7. Set the values in your ServiceNow instance
  9. Click the "Back" button
  10. Put the certificate in ServiceNow (This is the certificate for OpenSSO)
  11. ```
  -----BEGIN CERTIFICATE-----
  MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
  bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
  ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
  CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
  BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
  AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
  RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
  Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
  QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
  cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
  /FfwWigmrW0Y0Q==
  -----END CERTIFICATE-----
```
31. Create your SP
32. 1. Click on the Metadata module in ServiceNow
  2. Copy it and save it to a file for later
  3. Click on the Common Tasks tab
  4. Click on "Register Remote Service Provider"
  6. Click on the File radio button
  7. Click "Upload..." button"
  9. Browse to the file from step 2
  10. Click "Upload File" button
  12. Click "Configure" button
  13. Click "OK" button when it pops up the successfully configured SP dialog
Try to Login to ServiceNow