Secure Assertion Markup Language (SAML)

SD Elements can be configured for SAML authentication. It supports version 2.0 of the protocol including IdP and SP-initiated requests. Users are automatically provisioned in the application upon login, unless otherwise configured. For more details on how SP-Initiated and IdP-Initiated authentication differ, see SP-Initiated SSO and IdP-Initiated SSO. The following sections lay out in order what will be required. Note that successful SAML setup involves configuration on both SD Elements (the Service Provider) and your Identity Provider (IdP).

Configure SAML for Single Sign-on

The following sections will help you configure SAML for Single Sign-on.

Prerequisites:

  • The application user is a Super User.

  • Domain settings for SD Elements are correctly configured, as they will produce the ACS URLs. These will be used to create the SD Elements entity ID and assertion consumer service (ACS) URLs.

  • PEM-format certificate and private key pair for signing, and optionally another pair for encryption, of SAML assertions from SD Elements.

  • Identity Provider (IdP) metadata file.

SAML certificate and private key

SD Elements supports the use of separate certificates and private keys for signing and encrypting SAML assertions. By default, SD Elements auto-generates SAML certificates and private keys for signing and encrypting SAML assertions.

Users may still upload certificates and private keys if they wish, following the guide below.

How to generate SAML certificate and private key (Optional)

Steps:

  1. Download the script using wget.

  2. Verify the hash of the self-signed SAML certificate using the following hash:

$ sha256sum samlcert.sh
d8cedbd336e89c2d6d9328c4ee80dc2ad7d46332d635cdf30e555a1375b81994 samlcert.sh

  1. Edit line 6 of the script to update the output file location to one on your system.

  2. Run the script to create the certificate and private key files:

bash samlcert.sh

  1. Use the resulting certificate and private key files (server.crt and server.key respectively) in the SD Elements UI to obtain SD Elements Service Provider metadata.

Obtain the SD Elements Service Provider metadata file

Steps:

  1. Select Authentication from the SD Elements settings menu.

  2. Select SAML as the SSO type.

  3. Click Choose File under Upload Identity Provider Metadata File and select the IdP metadata file.

  4. Click Choose File under SAML X509 cert and select the SAML certificate file you generated.

  5. Click Choose File under SAML private key and select the SAML private key file you generated.

  6. (Optional) Click Choose File under Separate SAML private key for encryption and select the encryption file corresponding to your private key file.

  7. (Optional) Click Choose File under Separate SAML X509 cert for encryption and select the encryption file corresponding to your certificate file.

  8. Click Save.

  9. Download sde_metadata.xml by using the SD Elements metadata file link. This file doesn’t contain proprietary or sensitive information, and can be shared with your Identity Provider administration team as needed.

If you don’t intend to configure SAML yet and only wanted to obtain its Service Provider metadata file, select SSO Type: None and click Save, otherwise SAML authentication will be enabled. To access SD Elements with a local account (such as superuser) if this occurs, add /accounts/login/ to the SD Elements URL in order to log in and deactivate SAML.

Complete the SAML configuration

You should still be on the Authentication settings page with SAML selected as the SSO type.
Steps:

  1. Upload the Identity Provider metadata file by clicking Choose File within the Upload Identity Provider Metadata File section and choosing the appropriate file.

  2. Select an option for Authentication Type.

    • (Recommended) If SP Initiated is selected, decide on a value for Sign Authentication Requests.

    • (Optional) If IdP Initiated is selected, provide values for Login URL and Logout URL.

    • (Optional) Require Signed Responses (indicates if the Service Provider is expecting signed responses from the Identity Provider).

    • (Optional) Sign Authentication Requests (only applicable for SP-initiated authentication to indicate if the Authentication Requests sent by this Service Provider should be signed).

    • (Optional) Sign Logout Requests (only applicable for SP-initiated authentication to indicate if the Logout Requests sent by this Service Provider should be signed).

  3. Click Save.

results matching ""

    No results matching ""