Info: This article is valid for Smart ID 20.11 and later.
...
Element | Attribute | Description
---|---|---
EntityDescriptor | | The common root element for definitions of IdP and SP.
 | entityID | By convention, a symbolic URL can be used both for an IdP and an SP, but any identifier is allowed. The number of characters is limited to 1024.
 | xmlns:md | Namespace definition of SAML V2.0 metadata.
KeyDescriptor | | Provides information about the cryptographic key(s) an entity uses for signing and encryption. The contents, including the certificate, follow the XML Signature standard.
 | use | Allowed values are "signing" and "encryption". This attribute is optional. If it is not set, the assumption is that the same certificate is used for both signing and encryption.
NameIDFormat | | Indicates which SAML name identifier formats the service supports.
SPSSODescriptor | | Element for the definition of an SP.
 | protocolSupportEnumeration | Support for the SAML V2.0 protocol namespace.
 | AuthnRequestsSigned | Indicates whether the SAML request sent by the SP must be signed. This attribute is optional. Defaults to "false" if not set.
 | WantAssertionsSigned | Indicates whether the Assertion elements in the SAML response must be signed. This attribute is optional. Defaults to "false" if not set.
AssertionConsumerService | | The service the SP defines to process the SAML response.
 | Binding | Mapping of the SAML protocol message onto a standard communication protocol. The value "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" is required.
 | Location | The URI under which the endpoint is reachable. Must include the path /saml/SSO/alias/<alias>.
 | index | A unique integer identifying the endpoint for reference in a protocol message.
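The checks in the table can be applied mechanically to an exported SP metadata file before it is uploaded to the IdP. The following script is an added example, not Smart ID product code: it parses a constructed sample document (with a placeholder in place of a real certificate) and reports every deviation from the rules above, including the optional signing flags, which default to "false" and are therefore worth surfacing explicitly.

```python
"""Check an SP metadata document against the element and attribute rules in
the table above (added example; not Smart ID product code).  The sample
metadata is constructed, with a placeholder instead of a real certificate."""
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ACS_PATH_PREFIX = "/saml/SSO/alias/"     # required path prefix from the table
MAX_ENTITY_ID_LEN = 1024

# Constructed sample: the kind of SP metadata an IdM host would export.
SAMPLE_SP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idm.example.test/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="{SAML2_PROTOCOL}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS_NS}"><ds:X509Data>
        <ds:X509Certificate>BASE64-CERTIFICATE-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{HTTP_POST}"
        Location="https://idm.example.test/saml/SSO/alias/idm" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def md(tag: str) -> str:
    """Qualify a tag name with the SAML metadata namespace."""
    return f"{{{MD_NS}}}{tag}"


def validate_sp_metadata(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: list[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != md("EntityDescriptor"):
        return [f"root element is {root.tag}, expected md:EntityDescriptor (check xmlns:md)"]

    entity_id = root.get("entityID", "")
    if not entity_id:
        findings.append("entityID is missing")
    elif len(entity_id) > MAX_ENTITY_ID_LEN:
        findings.append(f"entityID exceeds {MAX_ENTITY_ID_LEN} characters")

    sp = root.find(md("SPSSODescriptor"))
    if sp is None:
        findings.append("no md:SPSSODescriptor: this is not an SP definition")
        return findings

    if SAML2_PROTOCOL not in sp.get("protocolSupportEnumeration", "").split():
        findings.append("protocolSupportEnumeration does not list the SAML 2.0 protocol")

    # Both flags are optional and default to "false"; an unset or false flag
    # means the corresponding message is accepted unsigned, so report it.
    for flag in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        value = sp.get(flag, "false")
        if value not in ("true", "false"):
            findings.append(f"{flag} must be 'true' or 'false', got {value!r}")
        elif value == "false":
            findings.append(f"note: {flag} is false (the default), so signatures are not required")

    for kd in sp.findall(md("KeyDescriptor")):
        use = kd.get("use")        # optional; absent means signing and encryption
        if use not in (None, "signing", "encryption"):
            findings.append(f"KeyDescriptor use={use!r} is not 'signing' or 'encryption'")
        if kd.find(f".//{{{DS_NS}}}X509Certificate") is None:
            findings.append("KeyDescriptor carries no ds:X509Certificate")

    acs_list = sp.findall(md("AssertionConsumerService"))
    if not acs_list:
        findings.append("no md:AssertionConsumerService endpoint")
    seen_index: set[str] = set()
    for acs in acs_list:
        if acs.get("Binding") != HTTP_POST:
            findings.append(f"AssertionConsumerService Binding must be {HTTP_POST}")
        path = urlsplit(acs.get("Location", "")).path
        if not path.startswith(ACS_PATH_PREFIX) or len(path) == len(ACS_PATH_PREFIX):
            findings.append(f"Location must include the path {ACS_PATH_PREFIX}<alias>, got {path!r}")
        index = acs.get("index")
        if index is None or not index.isdigit():
            findings.append(f"index must be an integer, got {index!r}")
        elif index in seen_index:
            findings.append(f"duplicate AssertionConsumerService index {index}")
        else:
            seen_index.add(index)
    return findings


if __name__ == "__main__":
    for finding in validate_sp_metadata(SAMPLE_SP_METADATA) or ["metadata OK"]:
        print(finding)
```

Run it against a real export by replacing `SAMPLE_SP_METADATA` with the file contents; the signing-flag notes are informational, since the procedure below deliberately disables the requirement for signed authentication requests on the IdP side.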
...
1. Go to Manage Resource Access > SAML Federation.
2. Click Add SAML Federation....
3. Enter a Display Name, for example IDENTITYMANAGER.
4. Check Acting as Identity Provider.
5. Uncheck Import metadata automatically.
6. Go to the Export tab.
7. Give a unique Entity ID, for example https://hag.local/idp.
8. Select the Signing Certificate, for example SAML IdP Signing.
9. Go to the Role Identity Provider tab and click Add service provider....
10. Verify that SAML 2.0 is checked.
11. Under Upload SAML 2.0 metadata, click Choose file and select the file that was created before (for example IdM_saml_metadata.xml). Click Next.
12. Confirm the message about the signer certificate by clicking Yes.
13. Click Finish Wizard.
14. Click on the created service provider to open it. The Display Name and Entity ID are now updated according to the metadata file.
    Note: The Entity ID must be unique within the federation, for example https://<idmhost>/sp.
15. Check the Service Provider URL. This is where the IdP redirects the user after successful authentication, so it must be an exact match with the SP domain, in this case https://<idmhost>/saml/SSO.
    <idmhost> must be the same host as in the URL that was called initially. For the SAML request and response to be matched to each other, the communication must go to the same URL and protocol (http or https), and the IdP and SP must have synchronized clocks.
    To set up NTP in Digital Access, see Deploy Digital Access component.
16. Disable Require signed authentication request.
17. Go to the Assertion Settings tab.
18. In Subject > Select source of subject, select E-mail. This is the unique identifier Identity Manager uses in standard cases, and it will be used when Digital Access sends a SAML ticket to Identity Manager.
19. Go to the Manage Access Rules tab.
20. Select any suitable access rule or leave it as Any Authentication.
21. Click Finish Wizard and then Add.
22. Repeat the same steps to add Smart ID Self-Service as an additional service provider.
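The two conditions in the Service Provider URL step (same protocol and host as the URL the user called first, and synchronized clocks) are easy to get wrong when an SP is reachable under several names. The script below is an added example, not Smart ID code: it derives the expected Service Provider URL from a constructed initial URL, reports any protocol, host or path mismatch against the configured value, and measures the skew between two constructed clock readings. The 60-second tolerance is an assumption for illustration; the page gives no figure.

```python
"""Pre-flight checks for the Service Provider URL and clock synchronisation
requirements in the procedure above (added example; not Smart ID code).
All URLs and timestamps below are constructed."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

SP_SSO_PATH = "/saml/SSO"
# Assumed tolerance: the page requires synchronized clocks without giving a
# number, so this value is an illustration, not a product default.
ASSUMED_MAX_SKEW = timedelta(seconds=60)

# Constructed clock readings taken "at the same instant" on IdP and SP.
SAMPLE_IDP_CLOCK = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_SP_CLOCK_OK = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)      # 30 s off
SAMPLE_SP_CLOCK_DRIFTED = datetime(2024, 1, 1, 12, 2, 30, tzinfo=timezone.utc)  # 150 s off


def expected_sp_url(initial_url: str) -> str:
    """Service Provider URL derived from the URL the user called first:
    same protocol, same host (and port), path /saml/SSO."""
    parts = urlsplit(initial_url)
    return f"{parts.scheme}://{parts.netloc}{SP_SSO_PATH}"


def check_sp_url(configured_sp_url: str, initial_url: str) -> list[str]:
    """Reasons why a response sent to configured_sp_url would not match a
    request that started at initial_url; an empty list means they agree."""
    want = urlsplit(expected_sp_url(initial_url))
    got = urlsplit(configured_sp_url)
    problems: list[str] = []
    if want.scheme != got.scheme:
        problems.append(f"protocol mismatch: user called {want.scheme}, SP URL uses {got.scheme}")
    if want.netloc.lower() != got.netloc.lower():
        problems.append(f"host mismatch: user called {want.netloc}, SP URL points to {got.netloc}")
    if got.path != SP_SSO_PATH:
        problems.append(f"path must be exactly {SP_SSO_PATH}, got {got.path!r}")
    return problems


def clock_skew(idp_now: datetime, sp_now: datetime,
               max_skew: timedelta = ASSUMED_MAX_SKEW) -> tuple[float, bool]:
    """Absolute skew in seconds between the two clocks, and whether it is within tolerance."""
    skew = abs(idp_now - sp_now)
    return skew.total_seconds(), skew <= max_skew


if __name__ == "__main__":
    called = "https://idm.example.test/idm/login?next=/home"
    for sp_url in ("https://idm.example.test/saml/SSO",
                   "http://idm.example.test/saml/SSO",
                   "https://idm-internal.example.test/saml/SSO"):
        print(sp_url, check_sp_url(sp_url, called) or "OK")
    print("skew (ok):", clock_skew(SAMPLE_IDP_CLOCK, SAMPLE_SP_CLOCK_OK))
    print("skew (drifted):", clock_skew(SAMPLE_IDP_CLOCK, SAMPLE_SP_CLOCK_DRIFTED))
```

A host mismatch here typically shows up in practice as an IdP that authenticates the user successfully but whose response the SP rejects, because the SP never issued the request it is being answered for; the clock check is the quick way to rule out NTP before looking further.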
...