Configure WFC-ACS

You configure the WFC-ACS service by creating a configuration for OAuth communication with the Workforce Connect applications and a configuration for SAML connectivity to the identity provider.

Create a Realm

The configuration requires creating a realm that contains both the OAuth configuration and the SAML configuration. The OAuth configuration is used by the Workforce Connect applications, and the SAML configuration is used to connect to the SAML server.
Configure the realm with two endpoints:
  • OpenID endpoint (OAuth): from the ACS service perspective this is called the Client.
  • SAML 2.0 IdP endpoint: from the ACS service perspective this is called the Identity Provider.

Create the OAuth Client

The OAuth client communicates with the PTT Pro server and the Profile Manager using the OAuth protocol.
  1. Configure the Client ID, Protocol (OAuth), Access Type (Confidential), and Redirect URI. Register only the exact redirect URI the PTT Pro server and Profile Manager use; a confidential client must present its client secret to obtain tokens.
  2. Configure the credentials. Select a client authentication of Client ID and secret (the secret is generated automatically). These correspond to the PTT Pro JSON parameters oClientId and oAuthClientSecret. Treat the secret as a credential: store it only in the PTT Pro configuration and regenerate it if it is exposed.
  3. Map the username parameter to unique_username, which is the user identifier the WFC system uses.

Create the Identity Provider

The identity provider communicates with the SAML server using the SAML protocol.
  1. Obtain the SAML descriptor (metadata) file from the SAML server. It carries the Single Sign-On Service URL and the IdP signing certificate used in the following steps.
  2. Configure the Single Sign-On Service URL.
  3. Configure the security settings: enable Signature Validation, set the Signature Algorithm to RSA256 (RSA with SHA-256), and set the Validating X.509 Certificate to the IdP signing certificate from the descriptor. With signature validation enabled, ACS rejects SAML responses that are not signed with the key matching that certificate.
  4. Map the User ID entity from the IdP (SAML protocol) to the client (OAuth protocol).
  5. Create a default authentication to automatically launch the IdP authentication.
  6. Export certificates to the IdP and to the PTT Pro server.
    • Export the ACS SAML certificate to the SAML server so that the SAML server can verify requests signed by ACS.
      • Copy the certificate into a .pem file on the SAML server.
      • Import the .pem file into the SAML server.
    • Export the ACS Realm certificate to the PTT Pro server and copy the certificate into the PTT Pro OAuth configuration.
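The identity provider steps above (obtain the descriptor file, configure the Single Sign-On Service URL, set the validating certificate) and the export step (copy a certificate into a .pem file) all turn on reading fields out of SAML metadata and moving an X.509 certificate between systems in the right format. The script below is an added example, not Zebra's or the ACS product's own code: it parses a SAML 2.0 IdP descriptor, returns the SSO locations per binding and only the signing certificate (an encryption-only key would not validate signatures), writes the certificate in PEM form, and prints a SHA-256 fingerprint you can compare against the certificate pasted into the other side. The embedded metadata, entity ID, URLs and certificate bytes are constructed placeholders, not a real IdP or a real certificate.

```python
"""Extract SSO URL and signing certificate from SAML 2.0 IdP metadata.

Added example, not product code. The metadata and the certificate bytes
below are constructed placeholders (the "DER" is not a real X.509 cert).
"""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholders standing in for DER certificate bytes.
PLACEHOLDER_DER = b"placeholder-signing-certificate-der-bytes-not-real"
ENCRYPTION_ONLY_DER = b"placeholder-encryption-key-not-used-for-validation"


def _wrap_b64(der: bytes) -> str:
    # Real descriptors usually wrap the base64 over several lines.
    return "\n        ".join(textwrap.wrap(base64.b64encode(der).decode(), 40))


# Constructed sample descriptor (hypothetical entity ID and URLs).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_wrap_b64(PLACEHOLDER_DER)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_wrap_b64(ENCRYPTION_ONLY_DER)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://idp.example.test/saml/sso/redirect"/>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://idp.example.test/saml/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entity ID, SSO locations keyed by binding, and signing certs (DER)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {svc.get("Binding"): svc.get("Location")
           for svc in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # No 'use' attribute means the key serves both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())  # strip wrapping whitespace
            certs.append(base64.b64decode(b64, validate=True))
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM certificate block (64-column base64 lines)."""
    lines = textwrap.wrap(base64.b64encode(der).decode("ascii"), 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, for comparing copies of a cert."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:", info["entity_id"])
    print("Single Sign-On Service URL (redirect):", info["sso"].get(HTTP_REDIRECT))
    for der in info["signing_certs"]:
        print("signing cert SHA-256:", fingerprint(der))
        print(der_to_pem(der), end="")
```

Run it against a real descriptor by replacing SAMPLE_METADATA with the file contents; the PEM block it prints is what the export step asks you to place in the .pem file, and the fingerprint is a quick check that the certificate configured as the validating certificate matches the one the SAML server actually publishes.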