SAML-P Account Provider
The Identity Hub supports all identity providers that support the SAML-P protocol. To allow users to sign in with your SAML-P enabled identity provider:
- Set up and configure a Service Provider (Relying Party) on the identity provider
- Activate a SAML-P Account Provider (see Activate an Account Provider)
- Set the configuration parameters on the SAML-P Account Provider
Configure a SAML-P Account Provider
To configure a SAML-P Account Provider you have two options:
- Supply the metadata of the identity provider via a URL or file.
- Configure the parameters manually.
Supply the metadata of the identity provider via a URL or file.
- In Federation Metadata URL type the URL where the metadata of the identity provider is available or select a file in Federation Metadata file.
- On the General tab set a Name.
- On the Service Provider tab select a Service Provider Certificate and type the certificate password in Service Provider Certificate Password, or use the checkbox Copy the Signing certificate of the Tenant.
- Click Save.
For more information on the other configuration parameters see Specific configuration parameters for the SAML-P Account Provider.
Configure the parameters manually.
For more information on the configuration parameters see Specific configuration parameters for the SAML-P Account Provider.
Configure a Service Provider on the identity provider
Specific configuration steps depend on the type of SAML-P identity provider. After activation of the SAML-P Account Provider the identity provider can use the metadata (Metadata document parameter of the General tab) to configure the Service Provider.
Specific configuration parameters for the SAML-P Account Provider
The following parameters are required as a minimum:
- The Service Provider Certificate on the Service Provider tab.
- The Sign On Endpoint Url on the Identity Provider tab.
For more information on the parameters see the SAML specification.
General
Parameter | Description |
---|---|
Metadata document | The URL to the metadata file of the SAML-P Account Provider. |
Allow processing of external two factor authentication | When the Account Provider returns information during the login flow on whether or not the user performed two factor authentication, that information is processed only if this flag is set to true and The Identity Hub is responsible for multifactor authentication. If the information indicates the user indeed performed two factor authentication, the two factor authentication performed by The Identity Hub is skipped. |
Warning
When Performs two factor authentication is active, processing of the external two factor authentication does not occur. In that case The Identity Hub assumes the two factor authentication is always performed by the Account Provider.
Service Provider
Parameter | Description |
---|---|
Service Provider Identifier | The unique identifier of the Account Provider available after activation. Will be used as Entity Id. See also Service Provider Entity Id Advanced parameter. |
Assertion Consumer Endpoint URL | This is always https://www.theidentityhub.com/{tenant}/authenticate/processaccountproviderresponse |
Assertion Consumer Endpoint Protocol Binding | Http-Post and Http-Artifact binding are supported. |
Single Log Out Response Endpoint URL | This is always https://www.theidentityhub.com/{tenant}/samlp/signout |
Service Provider Certificate | The certificate used to sign Authentication Requests and to decrypt Authentication Responses and Assertions. |
Identity Provider
Parameter | Description |
---|---|
Federation Metadata URL | The URL of the metadata of the SAML-P Identity Provider. If provided this URL will be queried for configuration during SAML-P Account Provider activation and also each time the SAML-P Account Provider is edited. |
Automatically refresh Metadata from URL | Configure this option to refresh the metadata automatically on a daily basis, for example to pick up certificate information that was updated on the Identity Provider side. |
Federation Metadata File | The file with the metadata of the SAML-P Identity Provider. If provided will be used to configure the SAML-P Account Provider. |
Sign On Endpoint URL | Sign On Endpoint URL of the identity provider. |
Sign On Endpoint Protocol Binding | Http-Post and Http-Redirect binding are supported. |
Single Log Out Endpoint URL | Single Log Out Endpoint URL of the identity provider. |
Single Log Out Endpoint Protocol Binding | Http-Post and Http-Redirect binding are supported. |
Artifact Endpoint URL | Artifact Endpoint URL of the identity provider. Required when the Assertion Consumer Endpoint Protocol Binding is set to Http-Artifact. |
Artifact Endpoint Requires Client Certificate Authentication | To perform client certificate authentication using the Service Provider Certificate when calling the Artifact Endpoint URL. |
Compensate for iOS/Safari Cookie limits | Safari on iOS imposes limitations on the size of cookies. To prevent issues The Identity Hub will use Http-Redirect protocols instead of the configured protocols when needed. |
Unique Identity Assertion Attribute Name | When set The Identity Hub will use the specified Assertion attribute as unique identifier of the authenticated identity. |
Identity Provider Certificate (Primary) | The primary certificate used by the identity provider to sign the Authentication Responses and Assertions. |
Identity Provider Certificate (Secondary) | The secondary certificate used by the identity provider to sign the Authentication Responses and Assertions. Used for rollover scenarios when the primary certificate is about to expire. Can be set to act as Primary after the primary certificate has expired, which again frees up the Secondary slot for the next rollover. |
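The Identity Provider tab is usually filled from the identity provider's federation metadata, so it helps to see which parts of that document map onto which parameters. The following Python script is an added example, not Identity Hub code: it parses a constructed IdP metadata document (the certificate blobs are placeholder bytes, not real X.509 certificates), picks a Sign On Endpoint URL and binding that both sides support, checks that the Artifact Endpoint is available before Http-Artifact is chosen for the Assertion Consumer Endpoint, and compares the published signing certificates with the configured Primary/Secondary slots the way a daily metadata refresh has to. The function and variable names are assumptions for the example.

```python
"""Extract Identity Provider tab settings from SAML 2.0 federation metadata.

Added example; not Identity Hub code. The metadata below is constructed and the
certificate blobs are placeholder bytes, not real X.509 certificates.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"
SIGN_ON_BINDINGS = {"HTTP-POST", "HTTP-Redirect"}   # supported for the Sign On Endpoint
ACS_BINDINGS = {"HTTP-POST", "HTTP-Artifact"}       # supported for the Assertion Consumer Endpoint

# Placeholder "certificates": base64 of arbitrary bytes so fingerprints can be computed.
CERT_A = base64.b64encode(b"constructed placeholder, not a certificate: A").decode()
CERT_B = base64.b64encode(b"constructed placeholder, not a certificate: B").decode()

# Constructed sample: two signing certs (rollover in progress), one encryption cert,
# SSO over POST and Redirect, SLO over Redirect, and no artifact resolution service.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_A}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_B}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_A}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{BINDING_PREFIX}HTTP-Redirect" Location="https://idp.example.test/slo"/>
    <md:SingleSignOnService Binding="{BINDING_PREFIX}HTTP-Redirect" Location="https://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService Binding="{BINDING_PREFIX}HTTP-POST" Location="https://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _short(binding):
    """'urn:oasis:...:bindings:HTTP-POST' -> 'HTTP-POST'."""
    binding = binding or ""
    return binding[len(BINDING_PREFIX):] if binding.startswith(BINDING_PREFIX) else binding


def _fingerprint(b64):
    """SHA-256 over the DER bytes, the value to compare when checking a cert changed."""
    return hashlib.sha256(base64.b64decode("".join(b64.split()))).hexdigest()


def parse_idp_metadata(xml_text):
    """Return entity id, endpoints per binding, and signing certificate fingerprints."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("expected md:EntityDescriptor at the root")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    meta = {"entity_id": root.get("entityID"), "sign_on": {}, "single_logout": {},
            "artifact": {}, "signing_certs": []}
    for tag, key in (("SingleSignOnService", "sign_on"), ("SingleLogoutService", "single_logout"),
                     ("ArtifactResolutionService", "artifact")):
        for svc in idp.findall(f"md:{tag}", NS):
            meta[key][_short(svc.get("Binding"))] = svc.get("Location")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # absent 'use' means signing and encryption
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            meta["signing_certs"].append({"sha256": _fingerprint(cert.text)})
    return meta


def choose_sign_on(meta, preferred="HTTP-POST"):
    """Sign On Endpoint URL and binding: the preferred binding if the IdP offers it, else the other."""
    for binding in (preferred, *sorted(SIGN_ON_BINDINGS - {preferred})):
        if binding in meta["sign_on"]:
            return meta["sign_on"][binding], binding
    raise ValueError("IdP offers no sign-on binding the service provider supports")


def check_acs_binding(meta, acs_binding):
    """Problems with the chosen Assertion Consumer Endpoint Protocol Binding."""
    problems = []
    if acs_binding not in ACS_BINDINGS:
        problems.append(f"unsupported Assertion Consumer binding {acs_binding}")
    if acs_binding == "HTTP-Artifact" and not meta["artifact"]:
        problems.append("HTTP-Artifact needs an Artifact Endpoint URL, but metadata lists none")
    return problems


def detect_rotation(meta, configured_primary, configured_secondary=None):
    """What a metadata refresh must do to the Primary/Secondary certificate slots."""
    published = [c["sha256"] for c in meta["signing_certs"]]
    actions = []
    if configured_primary not in published:
        actions.append("primary certificate no longer published: promote Secondary to Primary")
    for fp in published:
        if fp not in (configured_primary, configured_secondary):
            actions.append(f"new signing certificate {fp[:16]}... published: load it into Secondary")
    if len(published) > 2:
        actions.append("more than two signing certificates published; only two slots exist")
    return actions
```

Running `parse_idp_metadata(SAMPLE_METADATA)` and then `detect_rotation(...)` with the fingerprints you currently have configured tells you whether the daily refresh would find anything to do; the fingerprint, not the display name of the certificate, is what to compare, because a rolled-over certificate commonly keeps the same subject.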
Claim Mappings
By default no incoming claims are mapped except:
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier
To map all incoming claims (even those not specified in the claim mappings) uncheck Remove all incoming claims that are not mapped.
See the Claim Mappings page for a more detailed explanation.
Advanced
Parameter | Description |
---|---|
Secure Hash Algorithm | The hash algorithm to use when encrypting, signing and decrypting with the Service Provider Certificate. |
Secondary Secure Hash Algorithm | The hash algorithm to fall back to when encrypting, signing or decrypting with the Service Provider Certificate fails using the Secure Hash Algorithm. |
Maximum allowed clock skew | Allowed clock skew when validating time constraints for responses received from the identity provider. |
Name Id Policy Format | The Name Id Policy format to request when sending an Authentication Request to the identity provider. |
Service Provider Entity Id | The Entity Id used when sending an Authentication Request to the identity provider. Set automatically based on the Service Provider Identifier. If set, takes precedence over the Service Provider Identifier. |
Authn Context Class Reference | The Authn Context Class Reference used when sending an Authentication Request to the identity provider. |
Authn Context Comparison | The Authn Context Comparison used when sending an Authentication Request to the identity provider. |
Assertions must be signed | Whether or not the Assertions in the Authentication Response must be signed. |
Single log out request must be signed | Whether or not the Single Log Out Request must be signed. |
Use embedded certificates | Whether or not to use embedded certificates to validate Authentication Responses and Assertions. |
Sign on response must be signed | Whether or not the Authentication Response must be signed. |
Single log out response must be signed | Whether or not the Single Log Out Response must be signed. |
Max-Age | See Account Providers Max-Age |
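The Claim Mappings section and the Advanced table above describe what happens to an Authentication Response after it arrives: signature requirements, the clock skew allowed on the time conditions, the audience checked against the Service Provider Entity Id, which attribute becomes the unique identifier, and which claims survive mapping. The following Python script is an added example that is not Identity Hub code; it applies those settings to a constructed Response. The ds:Signature elements in the sample are placeholders, so the script checks that a signature is present where the policy demands one and leaves the cryptographic verification itself to an XML-DSig library. The POLICY dictionary, the sample tenant and entity id, and all function names are assumptions for the example.

```python
"""Apply Advanced-tab policy and claim mappings to a SAML Response.

Added example; not Identity Hub code. The Response below is constructed and its
ds:Signature elements are placeholders: presence is checked per policy, the
cryptographic signature check belongs to the XML-DSig layer.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
PPID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
DEFAULT_MAPPINGS = {NAME_CLAIM: NAME_CLAIM, PPID_CLAIM: PPID_CLAIM}  # the page's default: only these pass

# Mirrors the Advanced-tab parameters; the values are assumptions for this example.
POLICY = {
    "sp_entity_id": "urn:theidentityhub:sp:example",  # Service Provider Entity Id
    "max_clock_skew_seconds": 60,                      # Maximum allowed clock skew
    "sign_on_response_must_be_signed": True,
    "assertions_must_be_signed": True,
    "unique_id_attribute": None,  # Unique Identity Assertion Attribute Name; None -> NameID
}

# Constructed sample Response with one signed Assertion and three attributes.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <ds:Signature><ds:SignatureValue>response-sig-placeholder</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <ds:Signature><ds:SignatureValue>assertion-sig-placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>u-123</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:theidentityhub:sp:example</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="employeeId"><saml:AttributeValue>E42</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(value):
    """SAML xs:dateTime in UTC ('...Z') -> timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, policy, now):
    """Return the list of policy violations; an empty list means the Response is accepted."""
    problems = []
    resp = ET.fromstring(xml_text)
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if policy["sign_on_response_must_be_signed"] and resp.find("ds:Signature", NS) is None:
        problems.append("Sign on response must be signed: Response carries no ds:Signature")
    skew = timedelta(seconds=policy["max_clock_skew_seconds"])
    for assertion in resp.findall("saml:Assertion", NS):
        if policy["assertions_must_be_signed"] and assertion.find("ds:Signature", NS) is None:
            problems.append("Assertions must be signed: Assertion carries no ds:Signature")
        cond = assertion.find("saml:Conditions", NS)
        if cond is None:
            problems.append("Assertion has no Conditions element")
            continue
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_time(nb) - skew:          # skew widens the window on both sides
            problems.append(f"NotBefore {nb} is in the future beyond the allowed clock skew")
        if noa and now >= parse_time(noa) + skew:
            problems.append(f"NotOnOrAfter {noa} has passed beyond the allowed clock skew")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if policy["sp_entity_id"] not in audiences:
            problems.append(f"Audience {audiences} does not include the Service Provider Entity Id")
    return problems


def extract_identity(xml_text, policy):
    """(unique identifier, {attribute name: [values]}) from the first Assertion."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    wanted = policy["unique_id_attribute"]
    if wanted:                                   # Unique Identity Assertion Attribute Name set
        return attrs.get(wanted, [None])[0], attrs
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    return (name_id.text if name_id is not None else None), attrs


def map_claims(attributes, mappings=DEFAULT_MAPPINGS, remove_unmapped=True):
    """Rename incoming claims; drop unmapped ones unless the remove flag is unchecked."""
    out = {}
    for name, values in attributes.items():
        if name in mappings:
            out[mappings[name]] = values
        elif not remove_unmapped:
            out[name] = values
    return out
```

Call `validate_response(SAMPLE_RESPONSE, POLICY, parse_time("2024-05-01T12:00:30Z"))` for an accepted response, then move the clock or the audience to see which Advanced-tab setting rejects it; raising Maximum allowed clock skew makes an early or late assertion acceptable again, which is why the value should stay as small as the identity provider's clock accuracy permits. With the default mappings only the name claim from the sample survives `map_claims`; unchecking Remove all incoming claims that are not mapped corresponds to `remove_unmapped=False`.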