This article describes how to add and set up a SAML 2.0 federation in the Smart ID Digital Access component.
Prerequisites
Before adding new SAML 2.0 federations, make sure you have completed the following tasks:
- Use server certificates when creating signatures. This is a requirement when acting as an identity provider. Server certificates are added using a wizard, see Add certificates in Digital Access.
- Use access point DNS names in SAML federations. Add these DNS names in the DNS Name tab, found in Global resource settings in Digital Access section.
- Note that there are three different licensed features when using SAML: "Identity Federation", "Advanced Identity Federation" and "SAML Extension - Identity Provider Discovery".
- CA certificates shall be installed. They are used for verifying the signing certificate of requests and replies. These are automatically added if specified by imported metadata.
- If you are configuring an identity provider, at least one authentication method must have been configured.
Step-by-step instruction
Log in to Digital Access Admin
- Log in to Digital Access Admin with an administrator account.
Add SAML federation
- In Digital Access Admin, go to Manage Resource Access.
- Click SAML Federation > Add SAML Federation...
- Enter Display Name and select a role: Acting as Service Provider and/or Acting as Identity Provider. When selecting a role a new tab will appear.
- In Metadata Import Settings you can specify that metadata shall be fetched and published automatically instead of manually. These settings are only accessible when licensed for the feature "Advanced Identity Federation". For more information, click the ?-sign. The metadata is fetched automatically from the URL defined in Download URL, and the integrity of the metadata is verified using the Signature Verification Key.
- Write the correct URL in the Download URL field.
- Optional: Schedule the auto import according to the setting in Cache Duration.
- Optional: Enter an expiration date for the metadata in the Valid Until field.
- Upload the signing key of the metadata file in the Signature Verification Key.
- Save the SAML federation and click Publish. The Publish link needs to be clicked manually the first time, to activate automatic import.
- If Acting as Service Provider was selected, go to the Export tab.
A SAML Discovery Service allows users to select any identity provider in the federation. The benefit of using a common discovery service is that users will see the same list of identity providers regardless of which service is being accessed. When SAML Discovery Service is enabled, the service provider redirects the user to the discovery service, which presents a list of identity providers. The user selects the preferred identity provider, and the discovery service returns the selected identity provider to the service provider. The service provider validates the response and determines which identity provider the authentication request should be sent to.
- Select a unique Entity ID to be exported in SAML metadata.
- Select server certificate, for help click the ?-sign.
- Select Access Point DNS Name to enable SAML on a specific host-name.
- Check Discovery Enabled if the system shall provide a login link for SAML Discovery. If enabled, also provide the URL to the SAML Discovery Service. For help click the ?-sign.
- Use the Metadata Extensions check boxes to specify extensions to be added to the entity descriptor.
- Click Download metadata to download metadata. This is used to inform external entities about this system's exported capabilities.
- Go to the Role Service Provider tab. Here, you specify the entities that should be included in the SAML federation and how to interact with each one of them. Edit default values that will be applied to new Identity Providers imported by SAML 2.0 metadata. For more information, click the ?-sign.
- Click Add when done.
- If Acting as Identity Provider was selected, go to the Export tab.
- Select a unique Entity ID to be exported in SAML metadata.
- Add a unique API Path to the standard resource administration service, to enable clients to manage the service providers for this identity provider. This setting is only visible when licensed for feature "SAML API". For more information, click the ?-sign.
- Select server certificate, for help click the ?-sign.
- Select Access Point DNS Name to enable SAML on a specific host-name.
- Use the Metadata Extensions check boxes to specify extensions to be added to the entity descriptor.
- Click Download metadata to download metadata. This is used to inform external entities about this system's exported capabilities.
- Go to the Role Identity Provider tab. Here, you specify the entities that should be included in the SAML federation and how to interact with each one of them. Edit default values that will be applied to new Service Providers imported by SAML 2.0 metadata. For more information, click the ?-sign.
- Click Add when done.
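The Metadata Import Settings step relies on the partner's metadata carrying a signature, a validity limit and a cache duration. The following is an added example, not Digital Access code, that pre-checks a downloaded metadata file for those properties and lists the SHA-256 fingerprints of the signing certificates it advertises, so they can be compared with the partner out of band. The names `precheck` and `parse_duration`, the sample URLs and the placeholder certificate are assumptions; cryptographic signature verification is left to Digital Access and its Signature Verification Key.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample; the certificate body is a placeholder, not a real certificate.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.test/saml"
    validUntil="2030-01-01T00:00:00Z" cacheDuration="PT6H">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_duration(text):
    """Parse the day/time subset of xs:duration, e.g. PT6H or P1DT30M."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported cacheDuration: {text!r}")
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

def precheck(xml_text, now):
    """Return (findings, report). Checks presence only; no signature crypto is done."""
    root = ET.fromstring(xml_text)
    if root.tag not in (f"{{{MD}}}EntityDescriptor", f"{{{MD}}}EntitiesDescriptor"):
        raise ValueError("not SAML 2.0 metadata")
    findings = []
    if root.find(f"{{{DS}}}Signature") is None:  # enveloped signature is a child of the root
        findings.append("no enveloped signature on the root element")
    valid_until = root.get("validUntil")
    if valid_until is None:
        findings.append("validUntil missing")
    elif datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= now:
        findings.append("metadata expired")
    cache = root.get("cacheDuration")
    prints = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):  # a missing 'use' covers signing too
            for cert in kd.iter(f"{{{DS}}}X509Certificate"):
                der = base64.b64decode("".join(cert.text.split()))
                prints.append(hashlib.sha256(der).hexdigest())
    return findings, {"entity": root.get("entityID"), "signing_sha256": prints,
                      "refresh_every": parse_duration(cache) if cache else None}
```

Pass a timezone-aware `now`, for example `datetime.now(timezone.utc)`; the constructed sample is unsigned, so it yields the missing-signature finding.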
Enable use of SAML discovery service
- Add or edit a SAML Federation with SAML role Service Provider enabled.
- Select the Export tab.
- Check Discovery Enabled and enter the correct URL to the discovery service.
- Choose an Access Point DNS Name; otherwise the Discovery Response Extension will not be included in the metadata downloaded in the next step.
- Click Download metadata.
- Save the SAML federation when done, then click Publish.
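Two checks follow from the discovery steps above: the downloaded service provider metadata should contain the Discovery Response Extension, and the identity provider returned by the discovery service must be one the federation knows. The following added example illustrates both for the standard SAML Identity Provider Discovery protocol; it is not Digital Access code. The function names, URLs and the trusted identity provider set are assumptions, and `entityID` is the protocol's default return parameter name.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
IDPDISC = "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"

# Constructed service provider metadata with a Discovery Response Extension.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <idpdisc:DiscoveryResponse xmlns:idpdisc="{IDPDISC}" Binding="{IDPDISC}"
          Location="https://sp.example.test/saml/disco" index="1"/>
    </md:Extensions>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed set of identity providers imported into the federation.
TRUSTED_IDPS = {"https://idp.example.test/saml", "https://idp2.example.test/saml"}

def discovery_endpoints(sp_metadata_xml):
    """Return the DiscoveryResponse locations published in SP metadata (empty if absent)."""
    root = ET.fromstring(sp_metadata_xml)
    return [e.get("Location") for e in root.iter(f"{{{IDPDISC}}}DiscoveryResponse")]

def select_idp(callback_url, endpoints, trusted_idps):
    """Validate the discovery service's redirect back to the SP and return the chosen IdP."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" not in endpoints:
        raise ValueError("callback is not a published DiscoveryResponse location")
    values = parse_qs(parts.query).get("entityID", [])
    if len(values) != 1:
        raise ValueError("expected exactly one entityID parameter")
    if values[0] not in trusted_idps:
        raise ValueError("entityID is not an identity provider in this federation")
    return values[0]
```

An empty list from `discovery_endpoints` on the downloaded metadata indicates that no Access Point DNS Name was chosen before the download.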