Configuring App Builder as an identity provider¶

App Builder can serve as both a SAML Service Provider (SP) and as a SAML Identity Provider (IdP). This allows one instance of Viny (the IdP) to authenticate users on behalf of another instance (the SP).

There are four main tasks involved:

Generate a signing certificate.
Create a SAML IdP security provider.
Create a SAML SP security provider.
Test

These instructions make the following assumptions:

You have at least two instances of App Builder.
You have administrator access to each App Builder instance.

The instructions below will refer to the following properties:

	Example	Notes
App Builder IdP URL	https://idp.example.com/App Builder/	The application-root URL of the App Builder instance serving as the IdP. Includes the trailing slash.
App Builder SP URL	https://sp.example.com/App Builder/	The application-root URL of the App Builder instance serving as the SP. Includes the trailing slash.
IdP Security Provider Name	App BuilderIdP	Each App Builder security provider is given a logical name. This name is used in the Request Redirect Endpoint (see below).
SP Security Provider Name	App BuilderSP	Each App Builder security provider is given a logical name. This name is used in the Assertion Consumer Service (ACS) URL (see below).This is the name that users will see on the login form.
Request Redirect Endpoint	https://idp.example.com/App Builder/signin-App BuilderIdP	App Builder automatically provisions a Request Redirect Endpoint for SAML IdP security providers. Note that the IdP Security Provider Name (from above) appears in the Request Redirect Endpoint.
Assertion Consumer Service URL	https://sp.example.com/App Builder/signin-App BuilderSP	App Builder automatically provisions an Assertion Consumer Service (ACS) endpoint for SAML SP security providers. Note that the SP Security Provider Name appears in the ACS endpoint.

Generate a signing certificate¶

In SAML Single Sign-On (SSO), trust is established via signing certificates. The process for acquiring a certificate is outside the scope of this document. However, for illustrative purposes, the following commands demonstrate how to generate a compatible certificate using the OpenSSL command-line utility.

The following command generates a PEM-encoded private key (key.pem) and self-signed certificate (cert.pem):

$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -nodes -days 1095 -subj "/CN=idp.example.com/O=App BuilderIdP"

You will need the contents of the cert.pem file to configure the App Builder SP security provider.

The following command generates a PKCS#12 archive (cert.pfx) containing both the private key and certificate:

$ openssl pkcs12 -export -in cert.pem -inkey key.pem -out cert.pfx

You will be prompted to provide a password. You will need the password to configure the App Builder IdP security provider.

Finally, the following command base64-encodes the PKCS#12 archive:

$ openssl base64 -in cert.pfx -out cert.txt -A

You will need the contents of the cert.txt file to configure the App Builder IdP security provider.

Create a SAML IdP security provider¶

To create a SAML IdP security provider, start by signing into the instance of App Builder which will serve as the IdP.

Navigate to the IDE
Click the Security Providers button
In the User Authentication panel, click the + User Authentication button
Provide the following:
- Name: IdP Security Provider Name, e.g. App BuilderIdP
- Type: SAML Identity Provider
Click the Save button
In the Properties panel, click the + Property button to add each of the following properties:
- AssertionConsumerService: Assertion Consumer Service URL, e.g. https://sp.example.com/App Builder/signin-App BuilderSP.
- Audience: App Builder SP URL, e.g. https://sp.example.com/App Builder/.
- Issuer: App Builder IdP URL, e.g. https://idp.example.com/App Builder/.
- Recipient: Assertion Consumer Service URL, e.g. https://sp.example.com/App Builder/signin-App BuilderSP.
- SigningCertificate: base64-encoded, PKCS#12 archive (see Generate a Signing Certificate).
- SigningCertificatePassword: Signing certificate password (see Generate a Signing Certificate).
In the Claims panel, click the + Claim button to map each of the following properties:
- Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- Group: http://schemas.xmlsoap.org/claims/Group
In the Provider panel, click the Edit button
Check the Enabled option
Click the Save button

The steps above include a group claim. The group claim is used to pass group membership to the SP. However, groups are not passed by default. To pass a group, you must add it to the IdP security provider. For example:

Navigate to the IDE
Click the User Management button
Click the Identities button
Select the IdP security provider, e.g. App BuilderIdP
In the Provider Groups panel, click the + Group button
Provide a Name, e.g. Administrators
Select the Group, e.g. Administrators
Click the Save button

Create a SAML SP security provider¶

To create a SAML SP security provider, start by signing into the instance of App Builder which will serve as the SP.

Navigate to the IDE
Click the Security Providers button
In the User Authentication panel, click the + User Authentication button
Provide the following:
- Name: SP Security Provider Name, e.g. App BuilderSP.
- Type: SAML
- User Provisioning: Check to enable user provisioning.
- Show On Login Form: Check to show the authentication provider on the login form.
Click the Save button
In the Properties panel, click the + Property button to add each of the following properties:
- Audience: App Builder SP URL, e.g. https://sp.example.com/App Builder/.
- Issuer: App Builder IdP URL, e.g. https://idp.example.com/App Builder/.
- Recipient: Assertion Consumer Service URL, e.g. https://sp.example.com/App Builder/signin-App BuilderSP.
- RequestRedirectEndpoint: Request Redirect Endpoint, e.g. https://idp.example.com/App Builder/signin-App BuilderIdP.
- SigningCertificate: PEM-encoded certificate (see Generate a Signing Certificate).
In the Claims panel, click the + Claim button to map each of the following properties:
- Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- Group: http://schemas.xmlsoap.org/claims/Group
In the Provider panel, click the Edit button
Check the Enabled option
Click the Save button

The steps above include a group claim. The group claim is used to map claims to security provider groups. However, security provider groups are not mapped to App Builder security groups by default. To map a security provider group to an App Builder security group:

Navigate to the IDE
Click the User Management button
Click the Identities button
Select the SP security provider, e.g. App BuilderSP
In the Provider Groups panel, click the + Group button
Provide a Name, e.g. Administrators
Select the Group, e.g. Administrators
Click the Save button

Test¶

To test, start by launching a browser in Incognito/Private mode.

Navigate to the App Builder SP URL, e.g. https://sp.example.com/App Builder/.
On the login form, click the option to sign in with the App Builder SP, e.g. App BuilderSP. You will be redirected to the App Builder IdP login form.
Sign into the App Builder IdP instance. You will be redirected back to the App Builder SP.

If the test was successful, you will be signed into the App Builder SP instance.

Troubleshooting¶

If the "Sign in with..." option is missing from the login form, the App Builder SP security provider is either not enabled or the Show On Login Form option was not checked.

If you receive a 404 Not Found error after clicking "Sign in with..." button on the login form, this may indicate that the App Builder IdP Security Provider is not enabled, is misnamed or is improperly configured. To prevent service disruption, App Builder will disable the security provider at runtime if it detects a misconfiguration.