IdP Configuration Cheatsheet
The SD Elements SAML metadata file contains all the essential information needed to configure the IdP.
SD Elements works with all identity providers that are SAML 2.0 compliant, such as AD FS. Relay State is supported and used if the SP-Initiated authentication type is selected.
Service Provider Details (SD Elements)
Entity ID
The entity ID for SD Elements is: https://<SDE-INSTANCE>/sso/saml2/metadata/
Assertion Consumer Service
Endpoint that supports the profiles of the Authentication Request protocol. Used by the identity provider to respond to an Authentication Request.
Binding | Location | Response Location |
---|---|---|
HTTP-POST | | None |
Single Logout Service
Endpoints that support the Single Logout profiles. Used by the identity provider to initiate a Logout Request to terminate the user’s session.
Binding | Location | Response Location |
---|---|---|
HTTP-Redirect | | None |
HTTP-POST | | None |
SAML Attributes
Name | Description | Required |
---|---|---|
| User’s email | Yes |
firstname | User’s first name | No |
lastname | User’s last name | No |
Public Certificates
Certificates for verifying signatures or encrypting responses can be found in the service provider’s metadata file.
Name ID Format
The default name ID format used by SD Elements is urn:oasis:names:tc:SAML:2.0:nameid-format:transient.
Configurable in the SSO Settings form for SAML by selecting one of the supported formats from the menu.
Signing Authentication Requests
Only applicable for the SP-Initiated authentication type. When checked, SD Elements will sign all authentication requests to the identity provider.
Configurable in the SSO Settings form for SAML.
Signing Logout Requests
Only applicable for the SP-Initiated authentication type. When checked, SD Elements will sign all logout requests to the identity provider.
Configurable in the SSO Settings form for SAML.
Require Signed Responses
When checked, SD Elements will require all SAML responses from the identity provider to be signed. Signing only the SAML assertion will still cause the response to be rejected by SD Elements.
Configurable in the SSO Settings form for SAML.
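The distinction above (a signature on the Response element itself versus a signature only inside the Assertion) is easy to get wrong when inspecting IdP output. The following added example, which is not SD Elements code, checks where the ds:Signature elements sit in a SAML Response and applies the "Require Signed Responses" rule; the sample messages are constructed, with placeholder signature values, and the check covers element placement only, not cryptographic verification.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signature_placement(response_xml: str) -> dict:
    """Report where ds:Signature elements sit in a samlp:Response.
    Only inspects placement; validating the signatures themselves is the
    SAML library's job and happens separately."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not a samlp:Response")
    # Direct child of the Response: the whole message is signed.
    response_signed = root.find("ds:Signature", NS) is not None
    # Direct child of the Assertion: only the assertion is signed.
    assertion = root.find("saml:Assertion", NS)
    assertion_signed = (assertion is not None
                        and assertion.find("ds:Signature", NS) is not None)
    return {"response_signed": response_signed,
            "assertion_signed": assertion_signed}


def accept_under_require_signed_responses(response_xml: str) -> bool:
    """Mirror the 'Require Signed Responses' rule: the Response element
    must carry a signature; an assertion-only signature is rejected."""
    return signature_placement(response_xml)["response_signed"]


# Constructed sample messages (not real IdP output; signatures are placeholders).
_HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
         'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">')
_SIG = ('<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>'
        '</ds:Signature>')
_ASSERTION = ('<saml:Assertion ID="_a1" Version="2.0">%s<saml:Subject/>'
              '</saml:Assertion>')

RESPONSE_SIGNED_ONLY = _HEAD + _SIG + (_ASSERTION % "") + "</samlp:Response>"
ASSERTION_SIGNED_ONLY = _HEAD + (_ASSERTION % _SIG) + "</samlp:Response>"
BOTH_SIGNED = _HEAD + _SIG + (_ASSERTION % _SIG) + "</samlp:Response>"
```

Running signature_placement over a captured Response from your IdP shows quickly whether it signs the message, the assertion, or both, before changing the setting.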
Identity Provider Details
Single Sign-On Service
Endpoints that support the profiles of the Authentication Request protocol. Used by the service provider to initiate an Authentication Request. SD Elements supports both HTTP-Redirect and HTTP-POST bindings to the endpoints.
Single Logout Service
Endpoints that support the Single Logout profiles. At least one endpoint must be provided when using the SP-Initiated authentication type. Used by the service provider to initiate a Logout Request.
SD Elements supports both HTTP-Redirect and HTTP-POST bindings to the endpoints.
Name ID
User’s email address. This field is not used by SD Elements unless the SAML_USE_NAME_ID_AS_USERNAME setting is specified.
Recipient
Required in the SAML Response. This should be the service provider’s assertion consumer service URL.
Public Certificates
Required in the identity provider’s metadata file to allow the service provider to verify signed responses.