SAML
An overview and configuration guide for the SAML service provider connection type.

Introduction

SAML allows identity providers to pass authorisation credentials to service providers, so that one set of credentials can be used to log into many different websites. Your service (configured here as a service provider) consumes SAML assertions from the identity providers you select.

URL Configuration

Get Broker Metadata - pressing this button returns the broker metadata XML.
Configuration fields:
    Name - name of the connection - REQUIRED
    Application URL - URL of the service provider
    Metadata URL - a valid URL of the service provider metadata - REQUIRED
    Select a LoA contract - drop-down menu for the default and specific LoA contracts (for more details about level of assurance contracts, see Level of Assurance Contracts) - REQUIRED
    Select Attribute Filter - select an attribute filter (see Attribute Filters)
    Response Attribute Mapping - the user can choose to customise the names of the attributes received in the response body. You can provide none or multiple name-to-name mappings.
Note:
The default cacheDuration of the metadata is 4 hours. This means that, if you update the metadata, it can take up to 4 hours before the broker uses the new metadata.
If this is too long for you, you can change it by setting cacheDuration in the metadata file, as specified in the OASIS SAML documentation here.
The highest value supported is 4 hours and the lowest value supported is 5 minutes. If a cacheDuration larger than 4 hours is specified, the broker still refreshes every 4 hours; likewise, if a duration smaller than 5 minutes is specified, it refreshes every 5 minutes.
On the EntityDescriptor you can add an optional cacheDuration attribute:

    <attribute name="cacheDuration" type="duration" use="optional"/>

The duration should be formatted as an XML Schema duration value, as described here.
So, to set the metadata cacheDuration to 30 minutes, add the following attribute:

    cacheDuration="PT30M"

Example EntityDescriptor with cacheDuration:

    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                         cacheDuration="PT1H"
                         entityID="someEntityId">
        ...
    </md:EntityDescriptor>
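As an added example (not part of this page or the broker's own code), the Python below reads an SP EntityDescriptor, parses its cacheDuration and applies the 5 minute to 4 hour clamping described in the note, so you can check what refresh interval the broker will actually use before uploading metadata. The metadata document, the function names and the day component in the duration parser are assumptions of this example; the page itself only shows minute and hour durations.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
MIN_SECONDS = 5 * 60        # lowest cacheDuration the broker honours (5 minutes)
MAX_SECONDS = 4 * 3600      # highest cacheDuration the broker honours and the default (4 hours)

# Constructed sample SP metadata; entityID and endpoints are placeholders, not a real deployment.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    cacheDuration="PT30M" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Subset of the XML Schema duration grammar: days, hours, minutes and seconds (no years/months).
_DURATION_RE = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$")


def parse_duration(value):
    """Convert a duration such as PT30M or P1DT2H to seconds; reject anything outside the subset."""
    match = _DURATION_RE.match(value)
    if not match or value in ("P", "PT"):
        raise ValueError(f"unsupported duration: {value!r}")
    parts = {k: int(v or 0) for k, v in match.groupdict().items()}
    return parts["d"] * 86400 + parts["h"] * 3600 + parts["m"] * 60 + parts["s"]


def effective_refresh_seconds(metadata_xml):
    """Refresh interval the broker will use: the declared cacheDuration clamped to
    [5 minutes, 4 hours], or the 4 hour default when the attribute is absent."""
    root = ET.fromstring(metadata_xml)
    declared = root.get("cacheDuration")
    if declared is None:
        return MAX_SECONDS
    return max(MIN_SECONDS, min(MAX_SECONDS, parse_duration(declared)))


def acs_endpoints(metadata_xml):
    """List (binding short name, location) for every AssertionConsumerService in the metadata."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding").rsplit(":", 1)[-1], e.get("Location"))
            for e in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)]
```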

Form Configuration

Get Broker Metadata - pressing this button returns the broker metadata XML.
Upload Service Provider Metadata - in this section you upload a valid metadata XML file for the service provider.
Configuration fields:
    Name - name of the connection - REQUIRED
    Application URL - URL of the service provider
    Entity ID - unique identifier for the service provider - REQUIRED
    Want Assertions Signed checkbox - when checked, the assertions will be signed
    Assertion Consumer Service - at least one assertion consumer service should be configured. You should provide a location URL and a binding type (REDIRECT/POST/ARTIFACT) - REQUIRED
    Single Logout Service - you can configure multiple services or none. You should provide a location URL and a binding type (REDIRECT/POST/ARTIFACT)
    Artifact Resolution Service - you should provide a location URL, a binding type and an index. You can have multiple services or none.
    Attribute Consuming Service - you need to provide a name, an index, a description (OPTIONAL) and at least one attribute
    Certificate - here you can add several certificates. When a valid certificate is uploaded, information about it is displayed (issuer, expiration date, etc.). At least one certificate should be configured
    Client Organisation - you should provide the organisation name, display name and URL
    Hosting Party Organisation - you should provide the organisation name, display name and URL
    Contact People - provide details about the contact people in your organisation (type of contact person - technical, support, etc. - name, phone number, etc.)
    Select a LoA contract - drop-down menu for the default and specific LoA contracts (for more details about level of assurance contracts, see Level of Assurance Contracts) - REQUIRED
    Select Attribute Filter - select an attribute filter (see Attribute Filters)
    Response Attribute Mapping - the user can choose to customise the names of the attributes received in the response body. You can provide none or multiple name-to-name mappings.