How to use SSOCircle as IDP for bluemix SSO service?

SSOCircle provides a ready-to-use Identity Provider as per their website. I wanted to mock SAML SSO and integrate it into the Liberty for Java sample application on bluemix.

What I have done so far:

Screenshot SSOCircle

Edit: Modified URL https://idp.ssocircle.com/sso/idpssoinit?metaAlias=/ssocircle&spEntityID=https://ssocruzgstest-8iotczj2sk-cabc.iam.ibmcloud.com/idaas/mtfim/sps/idaas/saml20 as Martin recommended.

bluemix

After integration, I pointed my browser to https://cruzgsjava1.mybluemix.net, then clicked Sign in with SAML Enterprise.

I was redirected to https://idp.ssocircle.com/sso/UI/Login?module=peopleMembership&goto=https%3A%2F%2Fidp.ssocircle.com%2Fsso%2Fidpssoinit%3FmetaAlias%3D%2Fssocircle%26spEntityID%3Dhttps%3A%2F%2Fssocruzgstest-8iotczj2sk-cabc.iam.ibmcloud.com%2Fidaas%2Fmtfim%2Fsps%2Fidaas%2Fsaml20 . I logged in and encountered the error

Mistake

+3




2 answers


Your url is not correct. I haven't seen clear documentation at ssocircle.com, but I did find some samples from which I could deduce the correct URL pattern (hopefully). This is what I am using for testing:

https://idp.ssocircle.com/sso/idpssoinit?metaAlias=/ssocircle&spEntityID=<your SP entity ID>

You can find out your SP entity ID by loading the service provider metadata in step 2 and checking the "entityID" attribute of the root "md:EntityDescriptor" element.

+3




The SSOCircle URL is correct. The error is happening on the bluemix site. According to the IBM Knowledge Center, FBTSML236E says the trace log will show that the operation failed.

Most likely, no validation of the assertion signature is performed. The SSOCircle signing certificate is not self-signed, but signed by its own CA. It could be that bluemix checks the entire certificate chain and needs a CA certificate for this reason. You can get it from the SSOCircle website after logging in; under "My Certificate Status" you will find a link to the CA certificate.



If that doesn't fix the problem, check with IBM how the SAML response is validated. The SSOCircle public IDP signs the SAML assertion by default. It is possible that bluemix has different requirements (for example, signing the SAML response).

0
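An added example, not part of the original answers and not SSOCircle or IBM code: a small inspection helper for the point above about what the IdP signs. It reports whether a captured `SAMLResponse` form value carries its signature on the Response or on the Assertion. The sample response, its issuer and the placeholder signature values are constructed, and the helper only inspects structure; it does not verify signatures or certificate chains.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: assertion-level signature only, placeholder values.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="r1" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Assertion ID="a1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def _signs_parent(elem):
    """True if elem has a child ds:Signature whose Reference points at elem's own ID."""
    sig = elem.find("ds:Signature", NS)
    if sig is None:
        return False
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    return ref is not None and ref.get("URI") == "#" + elem.get("ID", "")

def signature_report(saml_response_b64):
    """Summarise where signatures sit in a base64 POST-binding SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    certs = root.findall(".//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "issuer": root.findtext("saml:Issuer", default=None, namespaces=NS),
        "response_signed": _signs_parent(root),
        "assertions": len(assertions),
        "assertions_signed": sum(1 for a in assertions if _signs_parent(a)),
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
        "embedded_certs": len(certs),
    }
```

A report with `response_signed` false and `assertions_signed` equal to `assertions` matches the default described above; compare it with what the service provider is configured to require.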

