Info: This article includes updates for Identity Manager 5.0.1.
...
Click +New to add an authentication profile.
Select a Profile type.
For SAML profiles, the Priority will be assigned automatically.
Click Save + Edit.
A new tab is displayed where the authentication profile is configured. See the following sections for how to configure the authentication profile you have selected.
For all authentication profiles there is a Processes tab. Select from the drop-down list which process shall run after a successful login in Identity Manager Operator. Read more in section "Configure post-login process" below.
To edit an existing authentication profile, double-click on its name.
...
Prepare the required SAML configuration files. For file examples, refer to Enable two-factor authentication to Identity Manager clients via SAML federation.
You need one metadata file for each Service Provider, that is, one file for Identity Manager Operator, one file for Smart ID Self-Service and one file for each other Service Provider that you configure.
You also need the metadata file of your Identity Provider and a keystore containing all the keys you would like to use for encryption or signing.
Go to the SAML Configuration tab and do the following settings:
In Identity Provider Configuration:
Upload a Configuration file
Here you can upload and delete the metadata file for an identity provider. The metadata file must contain only one identity provider configuration and no service provider configurations.
Select an Attribute Type
This is the identifying element of a SAML response. Despite the name, it can contain other elements than attributes. It can have two values, Name ID and Attribute Statement. Name ID refers to the subject of a SAML response; Attribute Statement refers to attributes associated with the subject of a SAML response.
Enter Attribute Name
This field is only active when Attribute Statement is selected as Attribute Type. Any string is accepted, but it must match the Name of the attribute in the SAML response that carries the user identifier, for example the attribute that holds the UPN.
In Keystore Configuration:
Upload a Configuration file
Here you can upload and delete the key store file. The key store file must contain the certificates and the private key used for signing and decryption. A key store is mandatory. When a key store is uploaded, the key store's password must be entered. Objects in the key store, if protected with a password, must have the same password as the key store itself.
Available key aliases
List of the aliases that mark private keys in the key store.
In Service Provider Configurations:
Click on the + button to add a service provider.
This view lists the aliases of the service providers. Any number of service providers is allowed, but at least one service provider is required. An uploaded service provider must use only private keys that are available in the key store. If you upload a service provider metadata file that violates the SAML metadata schema, an error message is shown.
In Service Provider Details:
Alias
In this context, Alias refers to the location, and thus the service provider, to use when sending the SAML response to the application for processing. An Alias is mandatory. It is the path segment that follows /alias/ in the Location of the Assertion Consumer Service in the service provider metadata. This is an example of an excerpt from a typical metadata file that defines the Assertion Consumer Service responsible for processing the SAML response. The Alias in this case is "explorer".
Example: Excerpt from a metadata file

```xml
...
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://hostname:8080/prime_explorer/saml/SSO/alias/explorer" index="0" isDefault="true"/>
...
```

Note The example Location uses plain http on port 8080. In production, publish the Assertion Consumer Service over https, since the user's browser posts the SAML response to this URL and the Identity Provider must be configured with exactly this Location.
Configuration File
Click on the upload symbol and select the metadata file. This field is mandatory. The metadata file must contain only one service provider configuration and no identity provider configurations. If the file is deleted and re-uploaded, Alias must be set again according to the metadata file.
Alias for Signing Key
The alias from the key store for the private key to use for signing. This field is mandatory.
Alias for Encryption Key
The alias from the key store for the private key used to decrypt assertions that the Identity Provider has encrypted against the corresponding certificate. This field is mandatory.
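The checks below, as an added example that is not part of Identity Manager or its documentation, verify a metadata file against the constraints stated on this page before it is uploaded: the Identity Provider file contains one and only one identity provider configuration, the Service Provider file contains one and only one service provider configuration, the Alias is read from the Assertion Consumer Service Location, the chosen signing and encryption key aliases exist among the "Available key aliases", and the Assertion Consumer Service is served over https. The two metadata documents, the host names and the key alias names ("explorer-sign", "explorer-enc") are constructed for the example.

```python
"""Pre-upload checks for the SAML metadata files and key aliases described above.

Added example, not Identity Manager's own code. Standard library only.
The two metadata documents below are constructed for this example.
For metadata received from another party, parse it with defusedxml instead
of xml.etree to rule out entity-expansion tricks.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed IdP metadata (host names are placeholders).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata built around the ACS element quoted on this page.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://hostname:8080/prime_explorer">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://hostname:8080/prime_explorer/saml/SSO/alias/explorer"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _descriptor_counts(xml_text):
    """Number of (IdP, SP) role descriptors in a metadata document."""
    root = ET.fromstring(xml_text)
    return (len(root.findall(".//md:IDPSSODescriptor", NS)),
            len(root.findall(".//md:SPSSODescriptor", NS)))


def check_idp_metadata(xml_text):
    """Return a list of problems; an empty list means the file can be uploaded."""
    n_idp, n_sp = _descriptor_counts(xml_text)
    problems = []
    if n_idp != 1:
        problems.append(f"expected exactly one IDPSSODescriptor, found {n_idp}")
    if n_sp:
        problems.append(f"IdP metadata must not contain service provider configurations (found {n_sp})")
    return problems


def acs_locations(sp_xml):
    """All AssertionConsumerService Location URLs of the service provider."""
    root = ET.fromstring(sp_xml)
    return [acs.get("Location", "")
            for acs in root.findall(".//md:SPSSODescriptor/md:AssertionConsumerService", NS)]


def alias_from_location(location):
    """The Alias field value: the path segment after '/alias/' in the ACS Location, or None."""
    parts = urlparse(location).path.rstrip("/").split("/")
    if len(parts) >= 2 and parts[-2] == "alias" and parts[-1]:
        return parts[-1]
    return None


def check_sp_metadata(sp_xml, keystore_aliases, signing_alias, encryption_alias):
    """Return a list of problems with one SP metadata file and its key alias choices."""
    n_idp, n_sp = _descriptor_counts(sp_xml)
    problems = []
    if n_sp != 1:
        problems.append(f"expected exactly one SPSSODescriptor, found {n_sp}")
    if n_idp:
        problems.append(f"SP metadata must not contain identity provider configurations (found {n_idp})")
    aliases = {alias_from_location(loc) for loc in acs_locations(sp_xml)} - {None}
    if not aliases:
        problems.append("no AssertionConsumerService Location of the form .../alias/<alias>")
    elif len(aliases) > 1:
        problems.append(f"ACS Locations disagree on the alias: {sorted(aliases)}")
    # The aliases entered in "Alias for Signing Key" / "Alias for Encryption Key"
    # must be among the private-key aliases the key store upload listed.
    for purpose, alias in (("signing", signing_alias), ("encryption", encryption_alias)):
        if alias not in keystore_aliases:
            problems.append(f"{purpose} key alias {alias!r} is not in the key store")
    for loc in acs_locations(sp_xml):
        if urlparse(loc).scheme != "https":
            problems.append(f"ACS Location is not served over https: {loc}")
    return problems


if __name__ == "__main__":
    print("IdP:", check_idp_metadata(IDP_METADATA) or "ok")
    print("Alias:", [alias_from_location(loc) for loc in acs_locations(SP_METADATA)])
    # "explorer-sign" and "explorer-enc" are assumed key store aliases.
    print("SP:", check_sp_metadata(SP_METADATA, ["explorer-sign", "explorer-enc"],
                                   "explorer-sign", "explorer-enc") or "ok")
```

Run against the page's own Assertion Consumer Service excerpt, the script extracts the alias "explorer" and reports exactly one problem, the plain-http Location; feeding the SP file into check_idp_metadata reports both the missing identity provider configuration and the unwanted service provider configuration, which is the mix-up the upload dialog rejects.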
Go to the Core Object Configuration tab and do the following settings:
In Identity template, select one or more core object types, for example, Employee and Contractor, on which the core object search will be performed. The first matching template will be used.
In User name field, select the core object field to match against the user identifier taken from the SAML response (the Name ID or the configured attribute), for example UPN or Email. Identity Manager will use it to search for the core object in the selected identity templates.
In User display, enter fields in a comma separated list, for example FirstName, LastName. These fields are used to display the logged in user in Identity Manager Operator or Smart ID Self-Service.
Optional:
Go to the Authentication Method tab and do the following settings:
In Authentication Method, click + to add the reference (AuthnContextClassRef) for the authentication method you want to add. You can find the reference in the Identity Provider, or in the SAML response. If a role has no AuthnContextClassRef assigned, the authentication method check will be skipped.
This is an example of an AuthnContextClassRef snippet in a SAML response. The value here is urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport.
Example: SAML response

```xml
<saml:AuthnContext>
  <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
```
These AuthnContextClassRef examples are based on the OASIS standard. See https://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf for more information.
Examples: AuthnContextClassRef

```
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard
urn:oasis:names:tc:SAML:2.0:ac:classes:X509
urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract
```

Note A custom string can also be configured as an AuthnContextClassRef, provided the Identity Provider is configured to send it. See the Identity Provider configuration.
Map the added authentication method to a role by selecting the role you want to use and checking the check box for the authentication method.
Note By mapping authentication methods to roles, you restrict which roles a user receives depending on the authentication method used to log in. This adds an extra layer of security. If no authentication method is configured, all roles can be assigned to the user regardless of how the user authenticated with the Identity Provider. The check trusts the AuthnContextClassRef value as asserted by the Identity Provider, so it is only as strong as the Identity Provider's own enforcement of that authentication method.
Configure SAML SSO LDAP profile
Go to the SAML Configuration tab.
Do the same settings as described above under heading "Configure SAML SSO Core Object profile".
Go to the LDAP Configuration tab.
If you already have a configured LDAP profile, copy its settings here. See heading "Configure LDAP profile" above.
Note The Direct binding and With password comparison selection are NOT used for the SAML SSO LDAP profile.
Go to the LDAP Group Permissions tab.
See under heading "Configure LDAP profile" above.
Optional:
Go to the Authentication Method tab and do the same settings as described above under heading "Configure SAML SSO Core Object profile".
Configure SAML SSO Group profile
...
Go to the SAML Configuration tab.
Do the same settings as described above under heading "Configure SAML SSO Core Object profile".
Go to the SAML Group Mapping tab.
Specify the attribute name in the SAML response that will contain the user's groups.
Example with "my-groups":
Example SAML response

```xml
<saml:Attribute Name="my-groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xsi:type="xs:string">examplerole1</saml:AttributeValue>
  <saml:AttributeValue xsi:type="xs:string">another-role-of-your-user</saml:AttributeValue>
</saml:Attribute>
```

For more information, see https://www.samltool.com/generic_sso_res.php.
Map the groups from the SAML response to internal Identity Manager roles:
Click + to add a group to the Groups list.
Select the roles that should be assigned to that group in the Roles list.
Click Save.
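The following added example, which is not Identity Manager's own code, walks through the two role decisions described on this page: the group mapping above (values of the "my-groups" attribute mapped to Identity Manager roles) and the role restriction by AuthnContextClassRef described under the Authentication Method tab of the Core Object profile. The SAML response is constructed for the example and reuses the "my-groups" attribute from the page; the role names and the two mappings are assumptions. Signature, audience and validity checks are assumed to have already passed, as they would inside Identity Manager before any role mapping takes place.

```python
"""Group-to-role mapping and AuthnContextClassRef role restriction, worked through.

Added example, not Identity Manager's own code. The SAML response, the role
names and both mapping tables are constructed for this example.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
SMARTCARD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard"

# Constructed response: a minimal assertion carrying the "my-groups" attribute
# from the page's example and one AuthnContext. Signature and Conditions are
# omitted because this example covers the mapping step, not response validation.
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:AuthnStatement>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{ctx}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="my-groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">examplerole1</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">another-role-of-your-user</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# SAML Group Mapping tab (assumed values): SAML group value -> Identity Manager roles.
GROUP_TO_ROLES = {
    "examplerole1": {"Operator"},
    "another-role-of-your-user": {"Approver", "Administrator"},
}
# Authentication Method tab (assumed values): role -> accepted AuthnContextClassRef values.
# Roles without an entry have no AuthnContextClassRef assigned, so the check is skipped.
ROLE_AUTHN_METHODS = {
    "Administrator": {SMARTCARD},
}


def build_response(ctx):
    """The constructed response with the given AuthnContextClassRef value."""
    return RESPONSE_TEMPLATE.replace("{ctx}", ctx)


def groups_from_response(xml_text, attribute_name):
    """Values of the configured group attribute, in the order the IdP sent them."""
    root = ET.fromstring(xml_text)
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attribute_name:
            return [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return []


def authn_context_from_response(xml_text):
    """The AuthnContextClassRef the IdP asserted, or None if absent."""
    root = ET.fromstring(xml_text)
    el = root.find(".//saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return el.text.strip() if el is not None and el.text else None


def effective_roles(xml_text, attribute_name, group_to_roles, role_authn_methods):
    """Roles the user ends up with after group mapping and the authentication method check."""
    roles = set()
    for group in groups_from_response(xml_text, attribute_name):
        roles |= group_to_roles.get(group, set())
    if not role_authn_methods:
        # No authentication method configured: every mapped role is allowed.
        return roles
    ctx = authn_context_from_response(xml_text)
    allowed = set()
    for role in roles:
        required = role_authn_methods.get(role)
        if not required or ctx in required:
            allowed.add(role)
    return allowed


if __name__ == "__main__":
    for ctx in (PPT, SMARTCARD):
        print(ctx.rsplit(":", 1)[-1], "->",
              sorted(effective_roles(build_response(ctx), "my-groups",
                                     GROUP_TO_ROLES, ROLE_AUTHN_METHODS)))
```

With a password login the user receives Operator and Approver but not Administrator, because that role is mapped to the Smartcard context only; with a smart-card login all three roles apply; and with an empty Authentication Method configuration the restriction disappears entirely, which is the behaviour the note above describes.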
Optional:
Go to the Authentication Method tab and do the same settings as described above under heading "Configure SAML SSO Core Object profile".
Configure post-login process
...