Expand the SAML2 Web SSO Configuration form. The following appears.
SAML configuration information can be entered through one of the following ways:
|Enable SAML2 Web SSO||Selecting this option enables SAML2 Web SSO to be used as an authenticator for users provisioned to the Identity Server.||Selected|
|Default||Selecting the Default checkbox signifies that SAML2 Web SSO is the main/default form of authentication. This removes the selection made for any other Default checkboxes for other authenticators.||Selected|
|Service Provider Entity Id|
This is the entity Id of the Identity Server. This can be any value but when you configure a service provider in the external IDP you should give the same value as the Service Provider Entity Id.
This is the NameID format to be used in the SAML request. By default, it has
|Select Mode||Select the mode to decide the input method for SAML configuration. You can have manual configuration or Metadata data configuration where an .xml metadata file is uploaded.||Manual configuration (is selected by dafault)|
|Identity Provider Entity Id|
This is basically the <Issuer> value of the SAML2 response from the identity provider you are configuring. This value must be a unique string among identity providers inside the same tenant. This information should be taken from the external Identity provider.
In order to enable the <Issuer> validation in the SAML2 response from the IdP, add following configuration to
|SSO URL||This is the URL that you want to send the SAML request to. This information should be taken from the external Identity provider.|
This is the identity provider's SAML2 ACS URL.
|If not entered, the default ACS URL will be used.|
|Enable Authentication Request Signing||Selecting this checkbox enables you to sign the authentication request. If this is enabled, you must sign the request using the private key of the identity provider.||Selected|
|Enable Assertion Encryption||This is a security feature where you can encrypt the SAML2 Assertions returned after authentication. So basically, the response must be encrypted when this is enabled.||Selected|
|Enable Assertion Signing|
Select Enable Assertion Signing to sign the SAML2 Assertions returned after the authentication. SAML2 relying party components expect these assertions to be signed by the Identity Server.
|Enable Logout||Select Enable Single Logout so that all sessions are terminated once the user signs out from one server.||Selected|
If the external IDP support for logout you can select Enable Logout. Then you can set the URL of the external IDP, where you need to send the logout request, under Logout URL. If you do not set a value for this it will simply return to the SSO URL.
|Enable Logout Request Signing||Selecting this checkbox enables you to sign the logout request.||Selected|
|Enable Authentication Response Signing|
Select Enable Authentication Response Signing to sign the SAML2 responses returned after the authentication.
Specifies the ‘SignatureMethod’ algorithm to be used in the ‘Signature’ element in POST binding and “SigAlg” HTTP Parameter in REDIRECT binding. The expandable Signature Algorithms table below lists the usable algorithms and their respective URIs that will be sent in the actual SAMLRequest.
|Default value is |
Specifies the ‘DigestMethod’ algorithm to be used in the ‘Signature’ element in POST binding. The Digest Algorithms table below lists the usable algorithms and their respective URIs that will be sent in the actual SAMLRequest.
|Default value is |
|Attribute Consuming Service Index||Specifies the ‘AttributeConsumingServiceIndex’ attribute.||By default this would be empty, therefore that attribute would not be sent unless filled.|
|Enable Force Authentication||Enable force authentication or decide from the incoming request. This affects ‘ForceAuthn’ attribute.||Default value is |
|Include Public Certificate||Include the public certificate in the request.||Selected by default.|
|Include Protocol Binding||Include ‘ProtocolBinding’ attribute in the request.||Selected by default.|
|Include NameID Policy||Include ‘NameIDPolicy’ element in the request.||Selecte d by default.|
|Include Authentication Context||Include a new ‘RequestedAuthnContext’ element in the request, or reuse from the incoming request.||Default value is |
|Authentication Context Class|
Choose an Authentication Context Class Reference (AuthnContextClassRef) to be included in the requested authentication context from the Identity Server which specifies the authentication context requirements of authentication statements returned in the response. Authentication Context Class table below lists the usable classes and their respective URIs that will be sent in the SAMLRequest from the Identity Server to trusted IdP.
|Default value is |
|Authentication Context Comparison Level|
Choose the Requested Authentication Context ‘Comparison’ attribute to be sent which specifies the comparison method used to evaluate the requested context classes or statements.
|Default value is “Exact”.|
|SAML2 Web SSO User Id Location||Select whether the User ID is found in 'Name Identifier' or if it is found among claims. If the user ID is found amongthe claims, it can override the User ID Claim URI configuration in the identity provider claim mapping section.||User ID found among claims|
|HTTP Binding||Select the HTTP binding details that are relevant for your scenario. This refers to how the request is sent to the identity provider. HTTP-Redirect and HTTP-POST are standard means of sending the request. If you select As Per Request it can handle any type of request.||HTTP-POST|
|Response Authentication Context Class||Select As Per Response to pass the |
|As Per Response|
|Additional Query Parameters|
This is necessary if you are connecting to another Identity Server or application. Sometimes extra parameters are required by this IS or application so these can be specified here. These will be sent along with the SAML request.