Enabling SSL for SAML or OIDC authentication

To set up Validate tools to use a secure SSL or HTTPS connection, follow the instructions in Using a secure Validate Server connection.

Additionally, if you are using a self-signed certificate, you need to add your certificate to either the Validate JVM or your machine's trusted keystore.

Import certificate to Validate JVM or other trusted keystore

An example command for importing a certificate to your Validate JVM is shown below:

<install_dir>/_jvm/bin/keytool -import -alias <alias_name> -file <path_to_certificate>/server.crt -keystore <install_dir>/_jvm/lib/security/cacerts

Tips and best practices

Use the following tips if you encounter issues while setting up your secure server:

  • Once SSL is enabled, remember to update the redirect URLs on your IdP. Ensure that all redirect URLs that relate to the Validate Server are qualified with HTTPS.

  • (For OIDC only): The redirect URL in your auth.properties should also be set correctly with HTTPS. For example:

    spring.security.oauth2.client.registration.<realm>.redirect-uri=https://url:1234/kwauthgateway/login/oauth2/code/kwopenid

Troubleshooting

  • The server start command refuses to complete and you are unable to use kwservice stop to stop the server.

    Workaround: This may happen when the SSL server is incorrectly configured. Manually stop the server and restart it once it is properly configured.

  • You are getting a Validate error at the last step of authentication, and klocwork.log contains the following error: "No subject alternative DNS name matching <host> found."

    Workaround: Ensure that 'klocwork.host' specified in the 'pr/config/admin.conf' matches the CN in the Validate SSL certificate. The host is usually the FQDN of the Validate host.

  • You are getting an "Assertion [ASSERTION_ID] is missing a subject" error.

    Workaround: Ensure the SAML assertion's Subject element includes a NameID containing the user's unique identifier (configured on the IdP side).
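The check behind the "No subject alternative DNS name matching <host> found" item above, as an added Python example that is not part of the Validate documentation: it reads the names out of `keytool -printcert` output and `klocwork.host` out of admin.conf (both samples are constructed here) and applies the hostname rule a Java client uses, where the SAN DNS names decide when that extension is present and the CN is used only otherwise. Obtaining the certificate text with `keytool -printcert -file server.crt` is an assumption, not a step from the page.

```python
import re

# Constructed sample of `keytool -printcert -file server.crt` output (not real project data).
SAMPLE_PRINTCERT = """\
Owner: CN=validate.example.com, OU=Build, O=Example Corp
Issuer: CN=validate.example.com, OU=Build, O=Example Corp
Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: validate.example.com
  DNSName: *.build.example.com
]
"""

# Constructed sample of the relevant lines from pr/config/admin.conf.
SAMPLE_ADMIN_CONF = "klocwork.port=8080\nklocwork.host=validate.example.com\n"


def cert_names(printcert_output):
    """Return (cn, [san_dns_names]) parsed from keytool -printcert text."""
    cn_match = re.search(r"^Owner:.*?CN=([^,\n]+)", printcert_output, re.M)
    cn = cn_match.group(1).strip() if cn_match else None
    sans = re.findall(r"^\s*DNSName:\s*(\S+)", printcert_output, re.M)
    return cn, sans


def configured_host(admin_conf):
    """Return the klocwork.host value from admin.conf text, or None if absent."""
    m = re.search(r"^\s*klocwork\.host\s*=\s*(\S+)", admin_conf, re.M)
    return m.group(1).strip() if m else None


def dns_name_matches(pattern, host):
    """Case-insensitive match; a wildcard counts only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return False


def host_is_covered(printcert_output, admin_conf):
    """True if klocwork.host is covered by the certificate: SAN DNS names are
    authoritative when present, otherwise the CN is consulted."""
    host = configured_host(admin_conf)
    cn, sans = cert_names(printcert_output)
    if host is None:
        return False
    candidates = sans if sans else ([cn] if cn else [])
    return any(dns_name_matches(name, host) for name in candidates)
```

A short hostname such as `validate` fails against a certificate issued to the FQDN, which is the mismatch the log line reports.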