FAQ

Follow the instructions below to configure authentication for the Muse Search Application with Microsoft’s Azure Active Directory, using SAML. In this scenario, the Muse Search Application is the Service Provider (SP), while Azure AD is the Identity Provider (IDP).
  1. Generate the Service Provider Metadata

    • Access the administration endpoint for SAML at a URL of the form https://your_domain/muse/saml/web/metadata, replacing your_domain with the actual domain of the Muse installation. Use admin as the username and the configured password.
    • In the Muse SSO Metadata Administration page, click the Generate new service provider button to access the metadata generation page.
    • In the Metadata Generation page, make sure the Signing key and Encryption key values are the proper ones. Fill in an alias value in the Entity alias input. Leave the rest of the settings at their default values. When done, click the Generate metadata button.
    • In the Metadata Details page, follow the steps listed in the section “In order to permanently store the metadata follow these instructions:“.
    • After the Muse web service has restarted, access the Muse SSO Metadata Administration page again, open the metadata details for the newly added entity and click the Download entity metadata button to download it.
  2. Setup a new application in the Azure Portal

    • Access the Azure Portal at https://portal.azure.com/, navigate to Azure Active Directory -> Enterprise applications from the menu and click New Application.
    • Add the custom application by accessing the Create your own application link and entering the name of the application (e.g. Muse Search), making sure the option Integrate any other application you don’t find in the gallery (Non-gallery) is selected.
    • Choose the application created, select Setup single sign-on from the Manage menu, and then click the “SAML” button to access the configuration guide.
    • In the new page, click Upload metadata file and select the metadata file that was downloaded at the previous step. All necessary values will be loaded in the Basic SAML Configuration; click the Save button to store them.
    • From the Set up Single Sign-On with SAML page, copy the value of App Federation Metadata Url to be used at the next step.
    • Make sure that the necessary user groups and users are configured to access the newly created Azure application. See the instructions at: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-assign-users
  3. Generate a new IDP

    Access the Muse SSO Metadata Administration pages (as described at #1) and click the Add new identity provider metadata button. In the Add New IDP Metadata files page, enter the URL copied from the Azure Portal in the Take metadata from URL: input and click the Test IDP metadata button. Next, follow the instructions listed in the page to finalize the setup of the new IDP entity.
  4. Wire the Muse Search Application for SAML authentication

    Follow the instructions below to finalize the setup of SAML authentication with Microsoft Azure AD.

    • Edit the ${MUSE_HOME}/aas/jaas.config file and add the entry below at the end of the file:

        MuseKnowledge.Azure {
            com.edulib.ice.security.authentication.ICELoginModulePropertiesExtractor requisite config="${ICE_HOME}/profiles/ICELoginModulePropertiesExtractor.Azure.xml";
            com.edulib.ice.security.authentication.ICELoginModule requisite ;
        };

    • Download this file and place it in the following location: ${USE_HOME}/profiles/ . Edit the downloaded file, locate the placeholders PLACE_HERE_THE_IDP_ENTITY_ID, MuseSearchApplicationID and MuseSearchApplicationPassword, and replace them with the appropriate values.
    • Test the integration using a URL of the form https://your_domain/muse/servlet/MusePeer/logon/alias/ALIAS?action=logon&userID=MuseKnowledge.Azure&templateFile=passThrough.html&errorTemplate=logon/logon.html&reuseSession=true&idp=IDP_ENTITY_ID, replacing your_domain, ALIAS and IDP_ENTITY_ID with the appropriate values.

Access to the Muse Administration Consoles, such as the MCAA (Muse Console for Applications Administration), is secured by IP authentication in addition to Username/Password.

The access point for the MCAA console is:

http(s)://your_Muse_host:Port/mmc/

There are 2 methods for adding a new IP address to the list of addresses from which the MCAA console can be accessed:

1. From the MCAA console (recommended). Log in to the MCAA console from an already allowed IP address and follow the steps below:

  • Access the Users top menu;
  • From the Users page access the left menu item – Muse Authentication and Authorization Users;
  • In the new page select the mcaa user (or the desired administrator user from the list) and click the left menu item – Edit Access Rules;
  • In the Edit Access Rules pop-up page, click an Insert link corresponding to the last entry from the list;
  • For the new item that was added, edit the IP value and add the desired IP address. When done click the Update button.
2. Manually by editing the IP rules file on disk.
  • Access the Muse server remotely. The access method differs depending on the Operating System (RDP/VNC/TeamViewer, etc. for Windows based systems, SSH/VNC, etc. for Linux based systems);
  • Edit the ${MUSE_HOME}/aas/hosts.xml file.
  • Locate the USER_RULE section corresponding to the mcaa user (or the desired administrator). It should look like: mcaa
  • Add a new entry next to the existing IP rules, as follows: Your_IP_Address, replacing Your_IP_Address with the actual IP address value.
Before saving the changes, double-check that the file is still well-formed, since it is an XML file.
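
One way to make that double-check mechanical for the manual method, added here as an example (it is not a Muse utility): edit a copy of hosts.xml, validate the copy, and only then swap it in while keeping a backup, so a malformed file never replaces the working one. It assumes the new rule is a single literal IP address stored as element text or an attribute value; apart from USER_RULE, the element names in the constructed sample are placeholders.

```python
import ipaddress
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: only USER_RULE is named on the page; NAME and IP are
# placeholder element names, not the product's schema.
SAMPLE = "<RULES><USER_RULE><NAME>mcaa</NAME><IP>192.0.2.10</IP></USER_RULE></RULES>"


def validate_candidate(candidate_path, new_ip):
    """Raise if the edited copy must not be installed."""
    ipaddress.ip_address(new_ip)               # ValueError on a mistyped address
    root = ET.parse(candidate_path).getroot()  # ParseError if not well-formed
    values = set()
    for el in root.iter():
        values.add((el.text or "").strip())
        values.update(v.strip() for v in el.attrib.values())
    if new_ip not in values:
        raise ValueError("%s is not in the edited file" % new_ip)


def install(candidate_path, live_path, new_ip):
    """Validate the edit, back up the live file, then replace it atomically."""
    validate_candidate(candidate_path, new_ip)
    shutil.copy2(live_path, live_path + ".bak")
    os.replace(candidate_path, live_path)      # atomic on the same filesystem
    return live_path + ".bak"


def demo():
    """Install a good edit, then show that a truncated edit is refused."""
    good = SAMPLE.replace("</USER_RULE>", "<IP>203.0.113.7</IP></USER_RULE>")
    with tempfile.TemporaryDirectory() as d:
        live, cand = os.path.join(d, "hosts.xml"), os.path.join(d, "hosts.xml.new")
        for path, text in ((live, SAMPLE), (cand, good)):
            with open(path, "w") as fh:
                fh.write(text)
        install(cand, live, "203.0.113.7")
        with open(cand, "w") as fh:
            fh.write(good[:-10])               # truncated: no longer well-formed
        try:
            install(cand, live, "203.0.113.7")
            refused = False
        except ET.ParseError:
            refused = True
        with open(live) as fh:
            return refused, fh.read() == good
```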

The first step to try to resolve this issue is to update the Source(s) in question. If the installation date and status information still does not display after the Source(s) are updated, it is possible that the XML database is corrupted.
Use our backup & restore utility to recover from this problem. This procedure is detailed under the XMLDB category.

The configuration file for setting the SMTP_HOST, SUPPORT_EMAIL (the email address where problems are reported) and other SMTP characteristics such as port, SSL/TLS, username/password, certificates, is $MUSE_HOME/admin/MuseAdmin.xml. A description for each SMTP property can be found in the comments area of the MuseAdmin.xml file and in the “Muse Administrator.pdf” manual.
The email settings from this file are used for sending a Source Problem Report using a Muse Administrator Console, like Muse Console for Applications Administration or Muse Console for Customer Support.

Notes:

  • The SMTP_HOST must be configured to relay emails for the Muse server;
  • If the SMTP server uses a secure connection (SSL/TLS) you must provide the necessary certificates. If the SMTP certificate is signed by a known Certificate Authority like Verisign for example, which is in the JDK’s keystore, there is no need to provide the certificate anymore;
  • If the SMTP requires authentication then you must provide a working username/password too;
  • In order for the changes in the $MUSE_HOME/admin/MuseAdmin.xml file to take effect, the Muse HTTP or Muse Embedded Apache Tomcat server (depending on which is available in your Muse version) must be restarted.

The “An error occured when list personal users for application applicationid: Personal Profile Management System will not be used because it could not be initialized. Probably xmldb location is not properly set. [Connection refused]” error is caused by a wrong port setting in the MuseAdmin.xml file.

Please check the $MUSE_HOME/admin/MuseAdmin.xml file, locate the tag and check if the port is the same as the one Muse HTTP server/Apache Tomcat (depending on the Muse version) is running on.
