An expert makes SSO in TRIRIGA easy for you

When configuring single sign-on (SSO) in TRIRIGA with SAML, WebSphere Liberty is the clear choice. All you need is access to TRIRIGA and the ability to modify files within the operating system. Make sure TRIRIGA is shut down before making changes.

Configure SAML

First, enable the SAML feature. Navigate to: {tririgaInstallDir}/wlp/bin. Then run the command installUtility install samlWeb-2.0, which installs the feature in WebSphere Liberty. If you get a message saying it’s already installed, that is perfectly ok!

Next, enable the feature for use by navigating to: {tririgaInstallDir}/wlp/usr/servers/tririgaServer. Open the web.xml file and add the following line within the feature manager:

<feature>samlWeb-2.0</feature>

Then add the following tag under the feature manager:

<samlWebSso20
    id="defaultSP"
    httpsRequired="false"
    nameIDFormat="unspecified"
    spCookieName="okta_SAML_idp"
    forceAuthn="true"
    authFilterRef="samlAuthFilter"
    idpMetadata="${server.config.dir}/resources/security/idpMetadata.xml">
</samlWebSso20>

The last step for configuring Liberty to use SAML is to provide your IDP xml data.  Rename your existing IDP xml file to idpMetadata.xml and place it in the following location:

{tririgaInstallDir}/wlp/usr/servers/tririgaServer/resources/security

Note that the ACS URL for WebSphere Liberty is https://{IP Or DNS name}:8443/ibm/saml20/defaultSP/acs. The ACS URL is the service provider endpoint to which the identity provider redirects with its authentication response.

You can also get the metadata for WebSphere Liberty at https://{IP Or DNS name}:8443/ibm/saml20/defaultSP/samlmetadata

At this point, you have enough information to configure your IDP.

Configure TRIRIGA

First, modify the TRIRIGAWEB.properties, changing the SSO= property from N (the default) to Y. Next modify the alternate resource directory and index files. Set these properties to your specific TRIRIGA install directory:

ALTERNATE_RESOURCE_DIRECTORY={tririgaInstallDir}/userfiles/alt

ALTERNATE_INDEX_HTML=index.html

Make a backup of the index.html file located in this directory, then add the following JavaScript to it:

<!--##### BEGIN SSO MODIFIED #####-->
// Send the browser to the IDP SSO login URL.
function redirectSSO() {
  window.location = 'https://dev-665558.oktapreview.com/app/nonedev665558_tririgatest_1/exkf5qdctkTUcmJyZ0h7/sso/saml';
}

// Return the value of the named query-string parameter, or false if it is absent.
function getParameter(paramName) {
  var searchString = window.location.search.substring(1), i, val,
      params = searchString.split('&');
  for (i = 0; i < params.length; i++) {
    val = params[i].split('=');
    if (val[0] == paramName) {
      return val[1];
    }
  }
  return false;
}

var urlString = window.location.href;

// Redirect only when the page was reached through the TRIRIGA URL and the
// sso parameter is neither 'samlsps' nor 'disabled'.
if (urlString.indexOf('https://73.155.159.82') >= 0) {
  if (getParameter('sso') != 'samlsps' && getParameter('sso') != 'disabled') {
    redirectSSO();
  }
}
<!--##### END SSO MODIFIED #####-->

This code snippet contains two URLs that you must replace. The first URL in the block (window.location = ) is the IDP SSO login URL. Replace this with your specific IDP SSO login URL. The second URL is what the end users will use to access TRIRIGA. Replace this with your specific information. This JavaScript causes a redirect to the SAML SSO URL when a user goes to the specific TRIRIGA URL.
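A stricter form of the redirect check above, as an added example that is not part of the original post: it compares the parsed origin exactly instead of searching the whole address for a substring, and reads the sso parameter with the URL API. APP_ORIGIN, IDP_SSO_URL and the function name ssoRedirectTarget are placeholders chosen for this example.

```javascript
// Added example, not code from the original post.
// APP_ORIGIN and IDP_SSO_URL are placeholders: set them to the URL your
// users use to reach TRIRIGA and to your IDP SSO login URL.
const APP_ORIGIN = 'https://tririga.example.com';
const IDP_SSO_URL = 'https://idp.example.com/app/tririga/sso/saml';

// sso parameter values that suppress the redirect (the same two values
// the snippet above checks for).
const SSO_BYPASS_VALUES = ['samlsps', 'disabled'];

// Returns the URL to redirect to, or null when the page should load normally.
function ssoRedirectTarget(href, appOrigin = APP_ORIGIN, idpUrl = IDP_SSO_URL) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return null; // unparsable address: leave the page alone
  }
  // Exact match on scheme + host + port. A substring search over the full
  // address would also match when the TRIRIGA URL merely appears inside a
  // query string or as the prefix of a longer host name.
  if (url.origin !== new URL(appOrigin).origin) {
    return null;
  }
  // searchParams handles decoding and repeated parameters; get() returns
  // the first value, or null when the parameter is absent.
  const sso = url.searchParams.get('sso');
  if (sso !== null && SSO_BYPASS_VALUES.includes(sso)) {
    return null;
  }
  return idpUrl;
}

// Browser entry point; skipped when the file is loaded outside a browser.
if (typeof window !== 'undefined') {
  const target = ssoRedirectTarget(window.location.href);
  if (target) {
    window.location = target;
  }
}
```
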

Save your changes and start TRIRIGA.  This should allow for SAML SSO to begin working.  If, for some reason, it does not, please review the IBM TRIRIGA requestTest.jsp page to make sure that you are getting credential information passed to the application.

Contact us or email me directly at chris@llama.io with any questions or if you’d like us to help set up your SSO.

Thank you for stopping by and reading!