wiki:Cherwell
Last modified on 12/02/14 13:40:48

IAM / Projects / Shibboleth / Service Integrations / Cherwell IT Service Management

Cherwell is to replace HPSC for support tickets, change management, etc.

Audio conference 5 August 2014 with Sean Armstrong and Kevin Jacobson: Cherwell supports SAML authentication. Cherwell can provision internal accounts 'on the fly' from attributes in the SAML assertion.

https://cherwellsupport.com/webhelp/CSM_Webhelp_4.3_EN/index.htm#5379.htm describes integration for institution-based authentication using SAML, with explicit reference to Shibboleth.

Kevin Jacobson is the primary vendor contact.

Attribute release policy for Cherwell in $IDP_HOME/conf/attribute-filter.xml:

<AttributeFilterPolicy id="releaseToCherwellServiceManager">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://ualaska.cherwellondemand.com" />
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="uaUsername">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="bannerID">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="displayname">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="onemail">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

An additional encoder in $IDP_HOME/conf/attribute-resolver.xml encodes the UA Username as a NameID in the format needed by Cherwell:

    <!-- Add an encoder that makes the uaUsername a NameID in format requested by Cherwell - note EDIR dependence here -->
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos" />
</resolver:AttributeDefinition>

Initially the NameID was being encrypted in the SAML subject, and Cherwell was unable to decrypt that NameID. Cherwell returned this message in response to the SAML assertion from the UA IdP:

SAML authentication failed: Required NameID format not supported. SAML status codes: urn:oasis:names:tc:SAML:2.0:status:Responder,urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy

To avoid encryption of the NameID, I removed specific existing configuration phrases in $IDP_HOME/conf/relying-party.xml as follows:

        <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" 
                              includeAttributeStatement="true"
                              assertionLifetime="PT5M0.000S"
                              assertionProxyCount="0" 
                              signResponses="conditional"
                              signAssertions="never" 
                              encryptAssertions="conditional" />
         <!-- removed 2014-09-24:  encryptNameIds="conditional" -->
        
        <ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" 
                              assertionLifetime="PT5M0.000S"
                              assertionProxyCount="0" 
                              signResponses="conditional"
                              signAssertions="never"
                              encryptAssertions="conditional" />
         <!-- removed 2014-09-24:  encryptNameIds="conditional" -->

Cherwell metadata was provided and added to $IDP_HOME/metadata/sp-metadata.xml:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://ualaska.cherwellondemand.com" ID="_694ac3e1-e7b4-4a10-ae8b-d302d8c648b4">
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                        <Reference URI="#_694ac3e1-e7b4-4a10-ae8b-d302d8c648b4">
                                <Transforms>
                                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                                <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default md saml ds xs xsi"/>
                                        </Transform>
                                </Transforms>
                                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                <DigestValue>LbV9RU+E+vVOvzM0sTpUxbNdDLU=</DigestValue>
                        </Reference>
                </SignedInfo>
                <SignatureValue>...</SignatureValue>
                <KeyInfo>
                        <X509Data>...</X509Data>
                </KeyInfo>
        </Signature>
        <md:SPSSODescriptor ID="_436db0a0-3135-4f6d-92ed-7121c263987b" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
                <md:KeyDescriptor>
                        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                                <X509Data>
                                        <X509Certificate>...</X509Certificate>
                                </X509Data>
                        </KeyInfo>
                </md:KeyDescriptor>
                <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
                <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</md:NameIDFormat>
                <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ualaska.cherwellondemand.com/cherwellservice/Saml/Assertion.aspx" index="1" isDefault="true"/>
        </md:SPSSODescriptor>
</md:EntityDescriptor>
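A consistency check across the pieces configured above (attribute filter requester, NameID format emitted by the encoder, SP metadata), given as an added example that is not part of the original wiki page or of Shibboleth or Cherwell. The function name `audit_sp`, the finding labels and the trimmed metadata sample are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: the page's Cherwell metadata, trimmed (no signature value, no certificate).
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://ualaska.cherwellondemand.com">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></Reference>
  </SignedInfo></Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ualaska.cherwellondemand.com/cherwellservice/Saml/Assertion.aspx" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def audit_sp(metadata_xml, filter_requester, idp_nameid_format):
    """Compare SP metadata with the IdP-side filter requester and NameID format."""
    root = ET.fromstring(metadata_xml)  # local metadata file the operator already holds
    sp = root.find(MD + "SPSSODescriptor")
    findings = []
    if root.get("entityID") != filter_requester:
        findings.append("requester-mismatch")
    declared = [e.text.strip() for e in sp.findall(MD + "NameIDFormat")]
    if idp_nameid_format not in declared:
        findings.append("nameid-format-not-declared")
    # A KeyDescriptor with no 'use' attribute applies to signing and encryption.
    uses = [k.get("use", "any") for k in sp.findall(MD + "KeyDescriptor")]
    if not any(u in ("any", "encryption") for u in uses):
        findings.append("no-encryption-key")
    for acs in sp.findall(MD + "AssertionConsumerService"):
        if not acs.get("Location", "").startswith("https://"):
            findings.append("acs-not-https")
    for el in root.iter():  # document order, so findings are stable
        alg = el.get("Algorithm", "")
        if el.tag.startswith(DS) and alg.endswith(("#rsa-sha1", "#sha1")):
            findings.append("sha1:" + el.tag[len(DS):])
    return findings

if __name__ == "__main__":
    print(audit_sp(SAMPLE_METADATA, "https://ualaska.cherwellondemand.com",
                   "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"))
```

With the values from this page the only findings are the SHA-1 signature and digest algorithms on the vendor's metadata signature; a NameID format the SP does not declare is reported as `nameid-format-not-declared`.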