SAML

An overview and configuration guide of the SAML service provider connection type.

Introduction

SAML allows identity providers to pass authorisation credentials to service providers. With this, you can use one set of credentials to log into many different websites. Your service (set up in service providers) can consume SAML assertions from the selected identity providers.
There are two configuration options when choosing how to set up the SAML connection with the service provider:
  1. URL - Uses a metadata URL to configure the connection.
  2. Form - Uses our form to configure the connection.

URL configuration

Get Broker metadata: When you press the button you will get the broker metadata XML. Please send this to our Technical Support via email.

Configuration fields

  • Name: Name of the connection (required).
  • Application URL: URL of service provider
  • Metadata URL: Provide valid URL of the service provider metadata (required).
  • Select a LoA contract: Drop down menu for default and specific LoA contracts (required). See Level of Assurance Contracts for more information.
  • Select attribute filter: Select an attribute filter. See Attribute Filters for more information.
  • Response attribute mappings: The user can choose to customise the name of the attributes received in the response body. You can provide none or multiple name-to-name mappings.
Note:
The default cacheDuration of the metadata is 4 hours. That means that, if you update the metadata, it could take up to 4 hours before the broker uses the new metadata.
If this is too long for you, it can be changed by setting cacheDuration in the metadata file, as specified in the OASIS SAML documentation here.
The highest value supported is 4 hours and the lowest value supported is 5 minutes. That means that if a cacheDuration larger than 4 hours is specified, the broker will still refresh every 4 hours. Likewise, if a duration smaller than 5 minutes is specified, it will refresh every 5 minutes.
On the EntityDescriptor you can add an optional cacheDuration attribute, declared in the metadata schema as:
<attribute name="cacheDuration" type="duration" use="optional"/>
The value must be an XML Schema duration, formatted as described here.
So in order to set the metadata cacheDuration to 30 minutes, add the following attribute: cacheDuration="PT30M"

Example EntityDescriptor with cacheDuration

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
cacheDuration="PT1H"
entityID="someEntityId">
...
</md:EntityDescriptor>
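To make the refresh rules above concrete, here is an added example (not part of this guide or the broker's own code) that reads cacheDuration from an EntityDescriptor, parses the xs:duration value and applies the stated clamping: no attribute means 4 hours, anything above 4 hours is treated as 4 hours, anything below 5 minutes as 5 minutes. The metadata it parses is a constructed placeholder; the entityID and namespace handling are assumptions for illustration only.

```python
import re
import xml.etree.ElementTree as ET
from datetime import timedelta

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Bounds stated in the guide: the broker never refreshes slower than 4 h
# (also the default when no cacheDuration is given) or faster than 5 min.
MAX_REFRESH = timedelta(hours=4)
MIN_REFRESH = timedelta(minutes=5)

# xs:duration without the year/month part (a value that large would be
# capped to 4 h anyway, and years/months have no fixed length).
_DURATION_RE = re.compile(
    r"^P(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?"
    r"(?:(?P<seconds>\d+(?:\.\d+)?)S)?)?$"
)


def parse_duration(text):
    """Parse an xs:duration such as PT30M or P1DT2H into a timedelta."""
    m = _DURATION_RE.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported xs:duration: {text!r}")
    parts = {k: float(v) for k, v in m.groupdict().items() if v is not None}
    return timedelta(**parts)


def effective_refresh(declared):
    """Clamp a declared cacheDuration (or None) to the supported window."""
    if declared is None:
        return MAX_REFRESH
    return max(MIN_REFRESH, min(MAX_REFRESH, declared))


def refresh_interval_from_metadata(xml_text):
    """Return how often the broker would re-read this metadata document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    value = root.get("cacheDuration")
    declared = parse_duration(value) if value else None
    return effective_refresh(declared)


def sample_metadata(cache_duration=None):
    """Constructed placeholder metadata; the entityID is not a real deployment."""
    attr = f' cacheDuration="{cache_duration}"' if cache_duration else ""
    return (
        f'<md:EntityDescriptor xmlns:md="{MD_NS}"{attr} '
        'entityID="https://sp.example.test/saml">'
        '<md:SPSSODescriptor '
        'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
        "</md:EntityDescriptor>"
    )


if __name__ == "__main__":
    for declared in (None, "PT30M", "PT1H", "PT10H", "PT1M", "P1D"):
        interval = refresh_interval_from_metadata(sample_metadata(declared))
        print(f"cacheDuration={declared!s:<6} -> refresh every {interval}")
```

Running the script prints one line per sample; the two out-of-range values (PT10H and P1D) both collapse to 4 hours and PT1M becomes 5 minutes, which is why a value outside the window is not an error but simply has no further effect.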

Form configuration

Get Broker metadata: When you press the button you will get the broker metadata XML. Please send this to our Technical Support via email.
Upload service provider metadata: In this section you need to upload a valid metadata XML file for the service provider.
Configuration fields:
  • Name: Name of the connection (required).
  • Application URL: URL of service provider.
  • Entity ID: Unique identifier for the service provider (required).
  • "Want assertions signed" checkbox: When checked, the assertions will be signed.
  • Assertion consumer service: At least one assertion consumer service should be configured. You should provide a location URL and a binding type (REDIRECT/POST/ARTIFACT) (required).
  • Single Logout service: You can configure multiple services or none. You should provide a location URL and a binding type (REDIRECT/POST/ARTIFACT).
  • Artifact resolution service: You should provide a location URL, a binding type and an index. You can have multiple services or none.
  • Attribute consuming service: You need to provide a name, an index, a description (optional) and at least one attribute.
  • Certificate: Here you can add several certificates. When a valid certificate is uploaded, information about it is displayed (issuer, expiration date, etc.). At least one certificate should be configured.
  • Client organisation: You should provide an organisation name, display name and URL.
  • Hosting party organisation: You should provide an organisation name, display name and URL.
  • Contact people: Provide details about the contact people in your organisation (type of contact person - technical, support, etc. - name, phone number, etc.).
  • Select a LoA contract: Drop down menu for default and specific LoA contracts (required). See Level of Assurance Contracts for more information.
  • Select attribute filter: Select an attribute filter. See Attribute Filters for more information.
  • Response attribute mappings: The user can choose to customise the name of the attributes received in the response body. You can provide none or multiple name-to-name mappings.
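The form fields above correspond one-to-one to elements of a SAML 2.0 SP metadata document, so the same rules can be checked before uploading a file. The following is an added example written for this guide, not the broker's own validation code: it reads an EntityDescriptor and reports which of the required pieces (entityID, at least one assertion consumer service with a location and a REDIRECT/POST/ARTIFACT binding, an index on each artifact resolution service, a name, index and at least one attribute per attribute consuming service, and at least one certificate) are missing. The binding URIs are the standard SAML 2.0 ones behind the three labels the form offers; the two metadata documents are constructed placeholders, and the certificate text is a placeholder, not a real certificate.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Standard SAML 2.0 binding URIs behind the form's REDIRECT / POST / ARTIFACT choices
ENDPOINT_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "REDIRECT",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact": "ARTIFACT",
}


def check_sp_metadata(xml_text):
    """Return a list of problems; an empty list means the form's rules are met."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element must be md:EntityDescriptor"]
    if not root.get("entityID"):
        problems.append("entityID is required")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["md:SPSSODescriptor is missing"]

    # At least one assertion consumer service; every ACS and SLO endpoint needs
    # a Location and one of the three supported bindings.
    acs = sp.findall("md:AssertionConsumerService", NS)
    if not acs:
        problems.append("at least one AssertionConsumerService is required")
    for ep in acs + sp.findall("md:SingleLogoutService", NS):
        tag = ep.tag.split("}")[1]
        if not ep.get("Location"):
            problems.append(f"{tag} without Location")
        if ep.get("Binding") not in ENDPOINT_BINDINGS:
            problems.append(f"{tag} has unsupported Binding {ep.get('Binding')!r}")

    # Artifact resolution services additionally carry an index.
    for ars in sp.findall("md:ArtifactResolutionService", NS):
        if ars.get("index") is None or not ars.get("Location") or not ars.get("Binding"):
            problems.append("ArtifactResolutionService needs Location, Binding and index")

    # Attribute consuming service: name, index and at least one attribute.
    for svc in sp.findall("md:AttributeConsumingService", NS):
        if svc.get("index") is None or svc.find("md:ServiceName", NS) is None:
            problems.append("AttributeConsumingService needs index and ServiceName")
        if not svc.findall("md:RequestedAttribute", NS):
            problems.append("AttributeConsumingService needs at least one RequestedAttribute")

    # At least one certificate with actual content.
    certs = sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        problems.append("at least one KeyDescriptor with an X509Certificate is required")
    return problems


# Constructed sample that satisfies every rule (placeholder host and certificate).
GOOD_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-NOT-A-REAL-CERTIFICATE</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://sp.example.test/saml/ars" index="0"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/saml/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0"/>
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
      <md:RequestedAttribute Name="email"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample with an ACS binding the form does not offer and no certificate.
BAD_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://sp.example.test/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_METADATA), ("bad", BAD_METADATA)):
        print(label, check_sp_metadata(doc) or "OK")
```

The checker only mirrors the requirements listed in this section; it does not validate certificates or signatures, so a clean result means the upload has the required structure, not that the keys in it are trustworthy.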