Configuring SAML Single Sign-on

The integration is demonstrated using ForgeRock version 7.2.0.

Configure Identity Provider in ForgeRock

Access ForgeRock console.
On Realms page, select Top Level Realm located in the upper left corner.
Go to Applications in the sidebar, expand Federation, choose Circles of Trust, and press Add Circle of Trust.

Input the name, 'my_circle_of_trust' for instance, then select Create and Save Changes.

Select Entity Providers from Federation in the side bar, select Add Entity Provider, and pick Hosted.

Input 'mdcore' for Entity ID, 'mdcoreidp' for Identity Provider Meta Alias, 'mdcoresp' for Service Provider Meta Alias, and 'my_circle_of_trust' for Circles of Trust, then click Create.

The value of Entity ID, 'mdcore' in this case, will later be used to configure Custom entity ID in MetaDefender Core.

Create SAML directory in MetaDefender Core

Access MetaDefender Core console.
On the dashboard, select User Management from the sidebar.
On User Management page, choose Directories tab and then click on Add Directory in the upper right corner.
On Add Directory page, select SAML for directory type.
Input the name of the new folder, such as 'FORGEROCK_SAML'.
In Service Provider area, toggle Use Custom Entity ID option and type 'mdcore' in Custom entity ID box.
Fill in Host or IP with the address of the machine where MetaDefender Core is located, using 'http://localhost:8008' as an example.
Click the copy button beside Login URL.

The copied login URL will be used subsequently in Location setting of ForgeRock.

The setup in MetaDefender Core is incomplete, please refrain from clicking outside of Add Directory screen.

Configure Service Provider in ForgeRock

In the ForgeRock console, switch to SP for the entity provider 'mdcore'.

Click on Services tab.

Go to Assertion Consumer Service area, choose HTTP-POST binding entry, and tap the edit icon located in the top right.

Input login URL from MetaDefender Core into Location, toggle isDefault switch in the upper left, and press Update.

Remove HTTP-Artifact and PAOS bindings, then press Save Changes.

Select Assertion Processing tab, navigate to Attribute Map, enter 'given_name' and 'givenName' as Key and Value, accordingly.

Press Add and Save Changes.

Complete configuration in MetaDefender Core

Go back to MetaDfender Core, in Add Directory page, navigate to Identity Provider section and click on Fetch URL.
Enter the SAML Metadata URL from ForgeRock into the field beneath Fetch URL, click OK and wait a moment for MetaDefender Core to assign ForgeRock as its IDP.

The structure of the metadata URL is as outlined below:

http://<forgerock_server>:<port>/openam/saml2/jsp/exportmetadata.jsp?entityid=<entity_id>

In which, forgerock_server and port correspond to the host and port of the machine hosting ForgeRock server; entity_id refers to the value of Entity ID configured in ForgeRock. In this guide, ForgeRock is located at 'myforgerock.com:8080' and the Entity ID is 'mdcore'; thus, the metadata URL becomes

http://myforgerock.com:8080/openam/saml2/jsp/exportmetadata.jsp?entityid=mdcore

Populate User identified by field with '${given_name}', as set up in ForgeRock during the earlier step.
Choose the appropriate role for the user in User Role and click Add to finish the process.

On User Management screen, switch on the new directory, 'FORGEROCK_SAML' in this case.

A confirmation dialog box will pop up to verify the action. Upon clicking Enable, all sessions will be terminated instantly, and ForgeRock will be utilized for user authentication.

Test the integration

On the home screen of MetaDefender Core, click Login; the user is redirected to ForgeRock Sign-in page.

Sign in with your ForgeRock account.
If all proceeds smoothly, MetaDefender Core dashboard will appear with the user's identity in the upper right corner.

Otherwise, visit backup login page at <mdcore-host>#/public/backuplogin for trouble shooting.

Last updated on

Was this page helpful?