How to Configure SAML SSO Login for Zena

Zena implements a SAML service provider stack and supports Service Provider (SP) initiated SAML SSO.

To configure SAML SSO for Zena with a SAML Identity Provider (IDP):

  1. Add Zena as an application in your SAML Identity Provider (Microsoft Active Directory, Okta, Auth0, OneLogin, etc.).
  2. Configure Zena as a SAML Service Provider/Relying Party in the SAML Identity Provider. Enter https://<Your_ClientMgr_Hostname/IP>:7980/oc_main/zenaweb/saml2_response_handler in the Assertion Consumer URL/SAML Reply URL field.
  3. Add username/givenname and e-mail as mandatory attributes in SAML assertions.
  4. Once the above steps are completed, the IDP is ready to accept SAML authentication requests from Zena and send SAML Assertions back. Zena is now registered as a SAML relying party in the IDP, i.e. one of the SAML Service Providers that depends on the IDP for authentication. Next, Zena must be configured with the IDP's details to complete the SAML SSO configuration.

    Configure Zena with SAML Identity Provider(IDP) details:

  1. Ensure that the username and e-mail of each user in Zena match their username and e-mail in the SAML Identity Provider. Users from the SAML IDP are mapped to Zena users using these two attributes of the SAML Assertion; the single sign-on request fails if either the username or the e-mail differs between Zena and the SAML IDP.
  2. Open the ASG-Zena\clientmgr\config\servers.xml file.
  3. Add the following options to the plugin section for which SAML SSO should be configured:

    SSO_ENABLED="YES"

    SSO_LOGIN_URL="https://<LOGIN URL from the application registration page in the IDP>"

    SSO_ACS_URL="https://<ClientManager_HostName/IP>:7980/oc_main/zenaweb/saml2_response_handler" - the URL the IDP sends the SAML Assertion response back to (via browser redirect); it is the same URL entered as the Assertion Consumer/Reply URL in the IDP

    SSO_IDP_PUBLICKEY_CERT="<SSL/TLS certificate downloaded from the application registration page in the IDP>" - used to verify the signature of the SAML Assertion response from the IDP to Zena

    SSO_KEYSTORE="<path to local Java Keystore file>" - used to sign SAML requests from Zena to the IDP

    SSO_KEYSTORE_PASSWD="<keystore password for the above Java Keystore>"

    SSO_KEY_PASSWD="<key password for the above Java Keystore>" - optional

    SSO_KEYSTORE_ALIAS="<alias of the certificate in the Java Keystore>" - optional

  4. Restart the Client Manager using the ZenaStat command-line utility.
  5. Log in to the Web Client from a browser – https://<ClientManager_Hostname/IP>:7980/zena/index.html
  6. Click "SIGN IN". A pop-up should appear redirecting you to sign in with the SAML Identity Provider.
  7. Sign in to the SAML Identity Provider. The pop-up window should disappear and your original browser tab signs you into the Zena Web Client as the user you signed in with at the SAML Identity Provider.
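The following is an added pre-flight check for two of the steps above, the username/e-mail mapping in step 1 and the SSO_* options in step 3; it is example code, not part of Zena. It assumes an exact string comparison of username and e-mail (the page does not state Zena's comparison rule), takes the options as a plain dictionary because the element layout of servers.xml is not documented here, and every value in it (URLs, PEM body, keystore path, user table, assertion) is a constructed placeholder.

```python
"""Pre-flight checks for Zena SAML SSO: validate the SSO_* options and
reproduce the username/e-mail mapping of an assertion to a Zena user.
Added example, not Zena's own code; all sample data below is constructed."""
import base64
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
from urllib.parse import urlparse

ACS_PATH = "/oc_main/zenaweb/saml2_response_handler"   # path given on this page
ACS_PORT = 7980                                         # port given on this page
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_cert_ok(pem: str) -> bool:
    """True if the value is a PEM CERTIFICATE block whose body is base64 DER
    (an X.509 certificate in DER always starts with the SEQUENCE tag 0x30)."""
    m = PEM_RE.search(pem)
    if not m:
        return False
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:
        return False
    return der[:1] == b"\x30"


def check_sso_options(opts: Dict[str, str], idp_reply_url: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the options are consistent
    with what this page requires (https URLs, ACS path/port, PEM cert, keystore password)."""
    problems = []
    if opts.get("SSO_ENABLED") != "YES":
        problems.append("SSO_ENABLED must be YES")
    for key in ("SSO_LOGIN_URL", "SSO_ACS_URL"):
        p = urlparse(opts.get(key, ""))
        if p.scheme != "https" or not p.netloc:
            problems.append(f"{key} must be an https:// URL")
    acs = urlparse(opts.get("SSO_ACS_URL", ""))
    if acs.path != ACS_PATH or not acs.netloc.endswith(f":{ACS_PORT}"):
        problems.append(f"SSO_ACS_URL must end in :{ACS_PORT}{ACS_PATH}")
    # The ACS URL must be byte-for-byte the Reply URL registered in the IDP.
    if idp_reply_url is not None and idp_reply_url != opts.get("SSO_ACS_URL"):
        problems.append("SSO_ACS_URL differs from the Reply URL registered in the IDP")
    if not pem_cert_ok(opts.get("SSO_IDP_PUBLICKEY_CERT", "")):
        problems.append("SSO_IDP_PUBLICKEY_CERT is not a PEM certificate")
    if opts.get("SSO_KEYSTORE") and not opts.get("SSO_KEYSTORE_PASSWD"):
        problems.append("SSO_KEYSTORE_PASSWD is required when SSO_KEYSTORE is set")
    return problems


def assertion_attributes(assertion_xml: str) -> Dict[str, str]:
    """Collect Name -> value pairs from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        if attr.get("Name") and value is not None and value.text:
            attrs[attr.get("Name")] = value.text.strip()
    return attrs


def map_to_zena_user(attrs: Dict[str, str], users: Dict[str, str]) -> Optional[str]:
    """Return the Zena username only when both username and e-mail match exactly
    (assumed rule); None reproduces the sign-in failure described in step 1."""
    if "username" not in attrs or "email" not in attrs:
        return None                       # mandatory attribute missing from the assertion
    if users.get(attrs["username"]) != attrs["email"]:
        return None                       # username unknown or e-mail differs
    return attrs["username"]


# ---- constructed sample data (placeholders, not real deployment values) ----
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(b"\x30\x03\x02\x01\x00").decode()   # minimal DER SEQUENCE
            + "\n-----END CERTIFICATE-----")
SAMPLE_OPTIONS = {
    "SSO_ENABLED": "YES",
    "SSO_LOGIN_URL": "https://idp.example.com/app/zena/sso/saml",
    "SSO_ACS_URL": f"https://clientmgr.example.com:{ACS_PORT}{ACS_PATH}",
    "SSO_IDP_PUBLICKEY_CERT": FAKE_PEM,
    "SSO_KEYSTORE": "C:/ASG-Zena/clientmgr/config/zena-sp.jks",   # hypothetical path
    "SSO_KEYSTORE_PASSWD": "changeit",
}
ZENA_USERS = {"jdoe": "jane.doe@example.com", "asmith": "alan.smith@example.com"}
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Run `check_sso_options(SAMPLE_OPTIONS, idp_reply_url=<Reply URL copied from the IDP>)` before restarting the Client Manager: an empty list means the options are internally consistent. `map_to_zena_user(assertion_attributes(xml), users)` shows why a user whose e-mail in the IDP differs from the one in Zena gets no match even though the username exists. Neither function verifies the assertion signature; that is what Zena does with SSO_IDP_PUBLICKEY_CERT at sign-in time.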