Single Sign-On (SSO) (Deprecated)

GMS version 8.5.219.03 and later enables you to use Single Sign-on (SSO) and SSO Logout (SLO) with the GMS Service Management UI. This page describes the settings needed to configure GMS to use your existing SSO infrastructure.

Login

Initiates Security Assertion Markup Language (SAML) login procedure.

http://<gmshost>:<gmsportport>/genesys/admin/

All authenticated Genesys users defined in Configuration Manager can access the GMS Service Management UI. GMS requires a valid user defined in Configuration Manager in order to allow administration tasks. Genesys Config Server must be configured to use external authentication functionality; Config Server users must be defined to use external authentication, pointing to the authentication system (LDAP, and so on).

Logout

Close the browser or remove browser cookies.

Deployment

SSO deployment requires the following steps:

Start

1. Uncomment the SAML parameter in the launcher.xml file.
2. Create keystore.
3. Create server-settings.yaml file and configure the following settings:
   • adminUrl
   • caCertificate
   • jksPassword
   • encryptionKeyName
   • signingKeyName
   • identityProviderMetadata: idp-metadata.xml
4. Start GMS.
   • Generate GMS metadata.
   • Update Identity Provider (IdP) information with GMS metadata.

End

Launcher.xml

Uncomment the following parameter in launcher.xml:

  <parameter name="saml-settings" displayName="saml-settings" mandatory="false">
    <description><![CDATA[GMS Server SAML init]]></description>
    <valid-description><![CDATA[]]></valid-description>
    <effective-description/>
  	<format type="string" default="server-settings.yaml" />
    <validation></validation>   
  </parameter> 

Generating Security Keys

To generate a keystore, you can use the keytool utility that is included with Java SDK. To generate a JKS keystore, use the following command:

keytool -genkey -keystore keystore.jks -alias <encryptionKeyName>  -keypass <signingKeyName> -storepass <jksPassword> -dname <distinguished_name>

For example:

keytool -keystore /security/keystore.jks -alias genesys -keypass genesys -storepass genesys -dname "CN=gms.genesys.local, OU=R&D, O=Genesys, L=France, S=Finistere, C=FR"

server-settings.yaml

Security Keys

In order to enable SAML, you must specify the following mandatory properties in the general section into server-settings.yaml:

• adminUrl (mandatory) - The URL will be used as a unique entity ID in SP metadata.
• caCertificate (mandatory) - A path to a key storage in JKS format containing all necessary keys.
• jksPassword (mandatory) - A password for the key storage specified above.

SAML Settings Section

In order to enable SAML, you must specify the following mandatory properties in the samlSettings section into server-settings.yaml:

• encryptionKeyName
• signingKeyName
• identityProviderMetadata

Settings

Note: You can use the same key for signing and encryption.

Identity Provider

Example

adminUrl: http://<gmshost>:<gmsportport>/genesys/admin
caCertificate: c:/GMS//keystore.jks
jksPassword: password
samlSettings:
    encryptionKeyName: client
    signingKeyName: client
    identityProviderMetadata: idp-metadata.xml

Generating GMS Metadata

GMS metadata (SP metadata) are available at the following URL:

http://<gmshost>:<gmsportport>/genesys/saml/metadata

Use this file to update your IdP server.