Using Single Sign On (SSO)
- This feature might not be available to all customers.
- The activity-based SLO feature is not supported. Therefore, use the saml_landingpage property in the gax.properties file to configure the logout URL.
- Once SSO is enabled and after logging into GAX, the Change Password link may not work. You can manage the user passwords in the IdP-based user account directory.
You can set up Genesys Administrator Extension to use Single Sign On (SSO), so that users can use existing credentials (for example, a corporate login and password) to access GAX. When these users log out of GAX, they are simultaneously logged out of other SSO-supported applications.
GAX uses SAML2 to enable SSO.
By default, SSO is not enabled in GAX. To enable this feature, refer to the following procedure.
- On the host machine, open the GAX_HOME folder (the folder in which you installed GAX) and create a sub-folder called saml.
- Open the saml folder and create a sub-folder called sp.
- Access the metadata file from the IdP (identity provider). Open the gax.properties file in the GAX_HOME/conf folder and set the saml_idp_metadata option to one of the following:
- http://location—The web location of the IdP metadata file.
- filename—The path and file name of the IdP metadata file of the local machine.
- Download the Service Provider metadata file from GAX by opening a browser and navigating to the following location: http://host:port/gax/saml/metadata, where host:port is the IP name and port number for the GAX installation.
You must use the host name or IP address to access the metadata file. You cannot specify localhost
- Copy the downloaded metadata file, sp.xml, to the following folder on the host machine: GAX_HOME\saml\sp.
- Upload the sp.xml metadata file to the IdP server. The following is an example of a typical location on the IdP server: /home/ubuntu/idp/metadata/my_sp.xml.
- Log in to the IdP server and edit the conf/relying-party.xml file by adding the following metadata provider:
<metadata:MetadataProvider id="uniqueID" xsi:type="metadata:FilesystemMetadataProvider"
You must use a unique ID for metadata:MetadataProvider id
- Restart the IdP server.
- On the host machine, edit the gax.properties file in the GAX_HOME folder and specify options for the following properties:
- saml_entityid—Your unique ID for IdP. This is the same ID specified in relying-party.xml.
- saml_landingpage—The SSO landing page.
- saml_jksfilelocation—The location/path of the custom Java KeyStore (.jks) file. If this is not configured, the JKS file in the classpath is used.
- saml_jkspassword—The custom KeyStore password. It is required when the saml_jksfilelocation option is set for a custom JKS file.
- saml_signingkeyname—The custom key file name. It is required when the saml_jksfilelocation option is set for a custom JKS file.
- saml_signingkeypassword—The custom key file password. It is recommended to set the same password as saml_jkspassword and it is an optional parameter.
- Restart GAX.
If SSO is enabled, but the metadata of the Service Provider (GAX) or IdP is incorrect, GAX logs the error and directs the user to the non-SAML login page
This page was last modified on 31 July 2018, at 21:55.