IdP Configuration Cheatsheet

The SD Elements SAML metadata file contains all the essential information needed to configure the IdP.

SD Elements works with all identity providers that are SAML 2.0 compliant, such as AD FS. Relay State is supported and used if the SP-Initiated authentication type is selected.

Service Provider Details (SD Elements)

Entity ID

The entity ID for SD Elements is: https://<SDE-INSTANCE>/sso/saml2/metadata/

Assertion Consumer Service

Endpoint that supports the profiles of the Authentication Request protocol. Used by the identity provider to respond to an Authentication Request.

| Binding   | Location                              | Response Location |
|-----------|---------------------------------------|-------------------|
| HTTP-POST | https://<SDE-INSTANCE>/sso/saml2/acs/ | None              |

Single Logout Service

Endpoints that support the Single Logout profiles. Used by the identity provider to initiate a Logout Request to terminate the user’s session.

| Binding       | Location                                  | Response Location |
|---------------|-------------------------------------------|-------------------|
| HTTP-Redirect | https://<SDE-INSTANCE>/sso/saml2/ls/      | None              |
| HTTP-POST     | https://<SDE-INSTANCE>/sso/saml2/ls/post/ | None              |

SAML Attributes

| Name      | Description       | Required |
|-----------|-------------------|----------|
| email     | User’s email      | Yes      |
| firstname | User’s first name | No       |
| lastname  | User’s last name  | No       |

Public Certificates

Certificates for verifying signatures or encrypting responses can be found in the service provider’s metadata file.

Name ID Format

The default name ID format used by SD Elements is urn:oasis:names:tc:SAML:2.0:nameid-format:transient.

Configurable in the SSO Settings form for SAML by selecting one of the supported formats from the menu.

Signing Authentication Requests

Only applicable for the SP-Initiated authentication type. When checked, SD Elements will sign all authentication requests to the identity provider.

Configurable in the SSO Settings form for SAML.

Signing Logout Requests

Only applicable for the SP-Initiated authentication type. When checked, SD Elements will sign all logout requests to the identity provider.

Configurable in the SSO Settings form for SAML.

Require Signed Responses

When checked, SD Elements will require all SAML responses from the identity provider to be signed. Signing only the SAML assertion will still cause the response to be rejected by SD Elements.

Configurable in the SSO Settings form for SAML.
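The Service Provider Details above, assembled into the standard SAML 2.0 SP metadata form that an IdP imports, as an added example; this is not SD Elements' own code, and the metadata file served by the instance remains the authoritative source. `sde.example.com` stands in for `<SDE-INSTANCE>`, the certificate string is a constructed placeholder, and the `AuthnRequestsSigned` attribute mirrors the "Signing Authentication Requests" setting.

```python
"""Build SP metadata mirroring the Service Provider Details section.
Added example, not SD Elements' own code. 'sde.example.com' stands in for
<SDE-INSTANCE>; the certificate is a constructed placeholder, not a real key."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
BIND_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BIND_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)


def build_sp_metadata(host, cert_b64, sign_authn_requests=False, nameid_format=TRANSIENT):
    """Return SP metadata XML for the entity ID, ACS, SLO and NameID format listed above."""
    base = f"https://{host}"
    entity = ET.Element(f"{{{MD}}}EntityDescriptor",
                        entityID=f"{base}/sso/saml2/metadata/")
    sp = ET.SubElement(entity, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
                       # "Signing Authentication Requests" in the SSO Settings form
                       AuthnRequestsSigned="true" if sign_authn_requests else "false")
    # Public certificates: one KeyDescriptor for signature verification, one for encryption
    for use in ("signing", "encryption"):
        kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", use=use)
        ki = ET.SubElement(kd, f"{{{DS}}}KeyInfo")
        x509 = ET.SubElement(ki, f"{{{DS}}}X509Data")
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert_b64
    # Single Logout Service: HTTP-Redirect and HTTP-POST, no separate ResponseLocation
    ET.SubElement(sp, f"{{{MD}}}SingleLogoutService",
                  Binding=BIND_REDIRECT, Location=f"{base}/sso/saml2/ls/")
    ET.SubElement(sp, f"{{{MD}}}SingleLogoutService",
                  Binding=BIND_POST, Location=f"{base}/sso/saml2/ls/post/")
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = nameid_format
    # Assertion Consumer Service: HTTP-POST only
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                  Binding=BIND_POST, Location=f"{base}/sso/saml2/acs/",
                  index="0", isDefault="true")
    return ET.tostring(entity, encoding="unicode")


def endpoints(metadata_xml):
    """Read the endpoints back out of metadata, keyed by (element, short binding name)."""
    root = ET.fromstring(metadata_xml)
    found = {"entityID": root.get("entityID")}
    for tag in ("AssertionConsumerService", "SingleLogoutService"):
        for el in root.iter(f"{{{MD}}}{tag}"):
            found[(tag, el.get("Binding").rsplit(":", 1)[1])] = el.get("Location")
    found["NameIDFormat"] = root.find(f".//{{{MD}}}NameIDFormat").text
    return found


if __name__ == "__main__":
    print(build_sp_metadata("sde.example.com", "MIIC...placeholder...", sign_authn_requests=True))
```

Comparing the output of `endpoints()` against the real metadata file downloaded from the instance is a quick way to confirm the IdP has been given the correct ACS and SLO locations before testing a login.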

Identity Provider Details

Single Sign-On Service

Endpoints that support the profiles of the Authentication Request protocol. Used by the service provider to initiate an Authentication Request. SD Elements supports both HTTP-Redirect and HTTP-POST bindings to the endpoints.

Single Logout Service

Endpoints that support the Single Logout profiles. At least one endpoint must be provided when using the SP-Initiated authentication type. Used by the service provider to initiate a Logout Request.

SD Elements supports both HTTP-Redirect and HTTP-POST bindings to the endpoints.

Name ID

User’s email address. This field is not used by SD Elements unless the SAML_USE_NAME_ID_AS_USERNAME setting is specified.

Recipient

Required in the SAML Response. This should be the service provider’s assertion consumer service URL.

Public Certificates

Required in the identity provider’s metadata file to allow the service provider to verify signed responses.
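A structural pre-flight check of an IdP's SAML Response against the rules on this page (Require Signed Responses, Recipient equal to the ACS URL, Audience equal to the entity ID, the required email attribute), as an added example that is not SD Elements' own validation logic. It only inspects where elements sit in the document; it does not verify the XML signature cryptographically, which needs an XML-DSig library. The sample Response is constructed, its signature elements are placeholders, and `sde.example.com` stands in for `<SDE-INSTANCE>`.

```python
"""Structural checks on a SAML Response against the cheatsheet's rules.
Added example, not SD Elements' own code. Signature *placement* is checked,
not the signature itself; use an XML-DSig library for that."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
REQUIRED_ATTRIBUTES = {"email"}  # firstname and lastname are optional


def check_response(xml_text, host, require_signed_response=True):
    """Return a list of findings; an empty list means the Response meets the rules above."""
    acs_url = f"https://{host}/sso/saml2/acs/"
    entity_id = f"https://{host}/sso/saml2/metadata/"
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return [f"root element is {root.tag}, expected samlp:Response"]
    findings = []

    # "Require Signed Responses": the ds:Signature must be a direct child of the
    # Response. A signature only inside the Assertion is still rejected.
    response_signed = root.find(f"{{{DS}}}Signature") is not None
    assertion = root.find(f"{{{SAML}}}Assertion")
    assertion_signed = assertion is not None and assertion.find(f"{{{DS}}}Signature") is not None
    if require_signed_response and not response_signed:
        findings.append("Response element is not signed"
                        + (" (only the Assertion is)" if assertion_signed else ""))
    if assertion is None:
        findings.append("no saml:Assertion found (encrypted assertions are not handled here)")
        return findings

    # Recipient must be the service provider's assertion consumer service URL
    scd = assertion.find(f".//{{{SAML}}}SubjectConfirmationData")
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != acs_url:
        findings.append(f"Recipient is {recipient!r}, expected {acs_url!r}")

    # Audience should name the service provider's entity ID
    audiences = [a.text for a in assertion.iter(f"{{{SAML}}}Audience")]
    if entity_id not in audiences:
        findings.append(f"Audience {audiences} does not include entity ID {entity_id!r}")

    # Required attributes from the SAML Attributes table
    present = {a.get("Name") for a in assertion.iter(f"{{{SAML}}}Attribute")}
    for name in sorted(REQUIRED_ATTRIBUTES - present):
        findings.append(f"required attribute {name!r} is missing")
    return findings


def sample_response(sign_response=True, recipient="https://sde.example.com/sso/saml2/acs/"):
    """Constructed sample Response; the ds:Signature elements are placeholders, not real signatures."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>')
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://sde.example.com/sso/saml2/acs/">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  {sig if sign_response else ''}
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
    {sig}
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_t7f3</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sde.example.com/sso/saml2/metadata/</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print("signed response:", check_response(sample_response(), "sde.example.com"))
    print("assertion-only signature:",
          check_response(sample_response(sign_response=False), "sde.example.com"))
```

Running the check on a Response captured from the browser (for example via a SAML tracer extension) before enabling Require Signed Responses shows whether the IdP is signing the Response element or only the Assertion, which is the most common reason for that setting to start rejecting logins.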
