(DOCSP-45015): Add SAML signature validation parameters for OM (#505)

davidhou17 · web-flow · commit 924a1e302781 · 2024-11-07T10:26:16.000-05:00
Hi @softprops, this PR that documents the two new configuration parameters for SAML signature validation is ready for your review when you get a chance, thanks! [DOCSP-45015](https://jira.mongodb.org/browse/DOCSP-45015) **Staging links**: - [OM UI settings](https://deploy-preview-505--10gen-docs-ops-manager.netlify.app/reference/config/ui-settings/#mongodb-setting-SAML-Signed-Assertions) - [OM configuration settings](https://deploy-preview-505--10gen-docs-ops-manager.netlify.app/reference/configuration/#authentication-through-saml) ### Self-Review Checklist - [ ] [Define](https://wiki.corp.mongodb.com/display/DE/Taxonomy+tagging+instructions) taxonomy [values](https://wiki.corp.mongodb.com/display/DE/Docs+Taxonomy) at top of page. - [ ] Add genre facets (tutorial or reference), as in this [example PR](10gen/cloud-docs#5042). - [ ] Add programmingLanguage (if necessary). - [ ] Add meta keywords (if necessary). - [x] Resolve any new warnings or errors in the build. - [x] Proofread for spelling and grammatical errors. - [x] Check staging for rendering issues. - [x] Confirm links are working.
diff --git a/source/includes/setting-fileConf-mms.saml.encrypted.assertions.rst b/source/includes/setting-fileConf-mms.saml.encrypted.assertions.rst
@@ -3,7 +3,6 @@
    *Type*: boolean
 
    
-   Indicator as to whether or not the |idp| encrypts the assertions
+   Flag that indicates whether or not the |idp| encrypts the assertions
    it sends to |onprem|.
-   
-
+   
diff --git a/source/includes/setting-fileConf-mms.saml.signedAssertions.rst b/source/includes/setting-fileConf-mms.saml.signedAssertions.rst
@@ -0,0 +1,17 @@
+.. setting:: mms.saml.signedAssertions
+
+   *Type*: boolean
+
+   *Default*: ``true``
+
+   Flag that indicates whether or not the |idp| signs the assertions
+   it sends to |onprem|.
+
+   .. important:: 
+
+      Ensure that either the assertions or the response are signed. 
+      The configuration will fail the verification and |onprem| returns 
+      an error if either the assertions or the response aren't signed.
+
+   Corresponds to :setting:`SAML Signed Assertions`.
+   
diff --git a/source/includes/setting-fileConf-mms.saml.signedMessages.rst b/source/includes/setting-fileConf-mms.saml.signedMessages.rst
@@ -0,0 +1,17 @@
+.. setting:: mms.saml.signedMessages
+
+   *Type*: boolean
+
+   *Default*: ``true``
+
+   Flag that indicates whether or not the |idp| signs the responses
+   it sends to |onprem|.
+
+   .. important:: 
+
+      Ensure that either the assertions or the response are signed. 
+      The configuration will fail the verification and |onprem| returns 
+      an error if either the assertions or the response aren't signed.
+
+   Corresponds to :setting:`SAML Signed Messages`.
+   
diff --git a/source/includes/setting-uiConf-samlEncryptedAssertions.rst b/source/includes/setting-uiConf-samlEncryptedAssertions.rst
@@ -3,7 +3,7 @@
    *Type*: boolean
 
    
-   Indicator as to whether or not the |idp| encrypts the assertions
+   Flag that indicates whether or not the |idp| encrypts the assertions
    it sends to |onprem|.
    
 
diff --git a/source/includes/setting-uiConf-samlSignedAssertions.rst b/source/includes/setting-uiConf-samlSignedAssertions.rst
@@ -0,0 +1,17 @@
+.. setting:: SAML Signed Assertions
+
+   *Type*: boolean
+
+   *Default*: ``true``
+
+   Flag that indicates whether or not the |idp| signs the assertions
+   it sends to |onprem|.
+
+   .. important:: 
+
+      Ensure that either the assertions or the response are signed. 
+      The configuration will fail the verification and |onprem| returns 
+      an error if either the assertions or the response aren't signed.
+
+   Corresponds to :setting:`mms.saml.signedAssertions`.
+   
diff --git a/source/includes/setting-uiConf-samlSignedMessages.rst b/source/includes/setting-uiConf-samlSignedMessages.rst
@@ -0,0 +1,16 @@
+.. setting:: SAML Signed Messages
+
+   *Type*: boolean
+
+   *Default*: ``true``
+
+   Flag that indicates whether or not the |idp| signs the responses
+   it sends to |onprem|.
+
+   .. important:: 
+
+      Ensure that either the assertions or the response are signed. 
+      The configuration will fail the verification and |onprem| returns 
+      an error if either the assertions or the response aren't signed.
+
+   Corresponds to :setting:`mms.saml.signedMessages`.
diff --git a/source/reference/config/ui-settings.txt b/source/reference/config/ui-settings.txt
@@ -183,6 +183,8 @@ SAML
 .. include:: /includes/setting-uiConf-samlSpPemFile.rst
 .. include:: /includes/setting-uiConf-samlSpPemFilePassword.rst
 .. include:: /includes/setting-uiConf-samlEncryptedAssertions.rst
+.. include:: /includes/setting-uiConf-samlSignedAssertions.rst
+.. include:: /includes/setting-uiConf-samlSignedMessages.rst
 .. include:: /includes/setting-uiConf-samlSignatureAlgorithm.rst
 .. include:: /includes/setting-uiConf-samlGlobalOwnerGroup.rst
 .. include:: /includes/setting-uiConf-samlGlobalAutomationGroup.rst
diff --git a/source/reference/configuration.txt b/source/reference/configuration.txt
@@ -365,6 +365,8 @@ Authentication through SAML
 .. include:: /includes/setting-fileConf-mms.saml.ssl.PEMKeyFile.rst
 .. include:: /includes/setting-fileConf-mms.saml.ssl.PEMKeyFilePassword.rst
 .. include:: /includes/setting-fileConf-mms.saml.encrypted.assertions.rst
+.. include:: /includes/setting-fileConf-mms.saml.signedAssertions.rst
+.. include:: /includes/setting-fileConf-mms.saml.signedMessages.rst
 .. include:: /includes/setting-fileConf-mms.saml.signature.algorithm.rst
 .. include:: /includes/setting-fileConf-mms.saml.global.role.owner.rst
 .. include:: /includes/setting-fileConf-mms.saml.global.role.automationAdmin.rst
diff --git a/source/release-notes/changelogs/ops-manager/changelog-onprem-v7.0.rst b/source/release-notes/changelogs/ops-manager/changelog-onprem-v7.0.rst
@@ -7,7 +7,8 @@
 
 - Updates JDK to ``jdk-17.0.13+11``.
 - Supports :ref:`Workload Identity Federation <om-oidc-authentication-workload>` on top of the already existing Workforce Identity Federation. 
-- Supports configuring separate SAML signature validation for responses and assertions so that only one is required through the AppSettings configuration.
+- Supports configuring separate SAML signature validation for responses and assertions so that only one is 
+  required through the :setting:`mms.saml.signedAssertions` and :setting:`mms.saml.signedMessages` settings.
 - Supports ability to set a custom idle session timeout using new application settings, :guilabel:`Idle Session Timeout Mode` and :guilabel:`Idle Session Timeout Max Minutes`.
 - Supports taking :ref:`on-demand snapshots <on-demand-snapshots>` in addition to scheduled snapshots.
 - Removes the |onprem| version number from the login page if you set :setting:`mms.security.show.om.version` to false.
diff --git a/source/release-notes/changelogs/ops-manager/changelog-onprem-v8.0.rst b/source/release-notes/changelogs/ops-manager/changelog-onprem-v8.0.rst
@@ -7,7 +7,8 @@
 
 - Updates JDK to ``jdk-21.0.5+11``.
 - Supports :ref:`Workload Identity Federation <om-oidc-authentication-workload>` on top of the already existing Workforce Identity Federation. 
-- Supports configuring separate SAML signature validation for responses and assertions so that only one is required through the AppSettings configuration.
+- Supports configuring separate SAML signature validation for responses and assertions so that only one is 
+  required through the :setting:`mms.saml.signedAssertions` and :setting:`mms.saml.signedMessages` settings.
 - Supports ability to set a custom idle session timeout using new app settings, :guilabel:`Idle Session Timeout Mode` and :guilabel:`Idle Session Timeout Max Minutes`.
 - Removes the |onprem| version number from the login page.
 - Updates the MongoDB Agent to :ref:`108.0.1.8718-1 <mongodb-108.0.1.8718-1>`.
