The Security Assertion Markup Language (SAML) is an open standard for sharing security information about identity, authentication and authorization across different systems. 


SAML is an important component of many Single Sign-On (SSO) systems, which let users access multiple applications or services after a single login. Identity and authentication information is exchanged between those systems using the SAML protocol, which defines how that data is requested, returned and formatted.


SAML is used to share security assertions (statements about who a user is, how they authenticated and what attributes they hold) across one or more networked systems. SAML is designed to accomplish two things: authentication and authorization.


ADSS Web RA uses SAML to receive information about user identities from an identity provider (IdP), with ADSS Web RA acting as the service provider (SP). A user who has already authenticated at the identity provider can be signed in to ADSS Web RA, and to any other service provider that trusts the same IdP, without logging in again.


Create a SAML Identity Provider 


  1. Expand External Services > Connectors from the left menu.
  2. Click from the grid header. 
  3. A screen will appear to add the connector details. It consists of two screens, Basic Information and Details. Specify the basic information, choose SAML Identity Provider as the Provider and click Next to enter the connector details. The tables below describe the fields.
  4. Click Finish. A new connector will be saved and displayed in the list.


Basic Information

Name: Specify a unique name for this connector, e.g. My SAML Authenticator. The connector is selected by this name under Global Settings > Default Connectors.

Provider: Select SAML Identity Provider as the provider for this connector.

Active: Select this check box to make the connector active. Inactive connectors cannot be configured in the Global Settings.



Details

Browse IdP metadata: Upload the metadata XML file provided by your IdP (for example, the federation metadata Azure AD publishes for a SAML application). It contains the IdP's endpoints and signing certificate. After upload the system parses the file and auto-completes the following fields:

  1. HTTP POST Login URL
  2. HTTP POST Logout URL
  3. HTTP Redirect Login URL
  4. HTTP Redirect Logout URL

HTTP POST Login URL: The IdP's single sign-on endpoint for the HTTP-POST binding. It is used when Binding Type is POST; the authentication request is delivered to the IdP in an auto-submitted HTML form.

HTTP POST Logout URL: The IdP's single logout endpoint for the HTTP-POST binding, used to log out from the IdP when Binding Type is POST.

HTTP Redirect Login URL: The IdP's single sign-on endpoint for the HTTP-Redirect binding. It is used when Binding Type is Redirect; the authentication request is carried, compressed and base64-encoded, in the query string of a browser redirect.

HTTP Redirect Logout URL: The IdP's single logout endpoint for the HTTP-Redirect binding, used to log out from the IdP when Binding Type is Redirect.

Binding Type: How the SAML authentication request is delivered to the IdP. Two bindings are available:

  1. POST
  2. Redirect

Authentication with the IdP uses whichever binding the administrator selects, so the login and logout URLs for that binding must be configured. If nothing is selected, the system uses Redirect by default.

Signature Algorithm: The hash algorithm used in the XML signatures on SAML requests and responses:

  1. SHA 1
  2. SHA 256

The system selects SHA 256 by default if nothing is chosen. SHA-1 is deprecated for signatures and should be selected only if the IdP cannot work with SHA-256; the choice has to be compatible with the IdP's own signing configuration.

IdP Signing Certificate: The IdP's public signing certificate, as published in its metadata. ADSS Web RA uses it to verify the signatures on responses and assertions received from the IdP. If the IdP rotates its signing key, this certificate must be updated, otherwise responses will fail verification.

Request Signing Certificate (PKCS12): A PFX (PKCS#12) file containing a certificate and its private key. ADSS Web RA extracts the key and certificate from the PFX and signs outgoing requests with the key; the IdP verifies the signature against the certificate, which therefore has to be registered with the IdP.

Request Signing Certificate Password: Password of the uploaded PFX, so that ADSS Web RA can extract the certificate and private key described above.

Require Signed assertion: When selected, ADSS Web RA requires the assertions in an IdP response to be signed and verifies those signatures. When cleared, assertion signatures are not required, so the setting should normally be enabled.

Authentication Request Signed: When selected, ADSS Web RA signs the SAML authentication request with the Request Signing Certificate so the IdP can verify it. This requires the Request Signing Certificate (PKCS12) and its password to be configured.
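The three mechanisms the Details fields rely on (parsing IdP metadata to obtain the binding-specific URLs and signing certificate, packaging an authentication request for the POST or Redirect binding, and the pre-checks behind Require Signed assertion and Signature Algorithm) can be seen end to end in the following Python script. It is an added illustration written for this page, not ADSS Web RA code, and uses only the standard library. The metadata document, the AuthnRequest, the entity IDs, endpoint URLs, certificate value and the responses it checks are constructed placeholders; the response check only enforces presence and algorithm of the XML signature and does not perform the cryptographic verification, which needs an XML-DSig library and the IdP Signing Certificate.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET  # for untrusted metadata/responses use defusedxml instead
import zlib

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"  # deprecated; present only to be rejected

# Constructed sample IdP metadata: entity ID, endpoints and certificate are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIBsample==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="%s" Location="https://idp.example.test/saml/slo/post"/>
  <md:SingleLogoutService Binding="%s" Location="https://idp.example.test/saml/slo/redirect"/>
  <md:SingleSignOnService Binding="%s" Location="https://idp.example.test/saml/sso/post"/>
  <md:SingleSignOnService Binding="%s" Location="https://idp.example.test/saml/sso/redirect"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % (POST, REDIRECT, POST, REDIRECT)

# Constructed sample AuthnRequest from the SP side; issuer, ID and destination are placeholders.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" Destination="https://idp.example.test/saml/sso/redirect">'
    '<saml:Issuer>https://webra.example.test/saml</saml:Issuer></samlp:AuthnRequest>')


def parse_idp_metadata(xml_text):
    """Return the entity ID, the four binding-specific URLs and the IdP signing certificate(s)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    info = {"entity_id": root.get("entityID"), "signing_certs": []}
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # a KeyDescriptor without 'use' serves both purposes
            for cert in kd.findall(".//ds:X509Certificate", NS):
                info["signing_certs"].append("".join(cert.text.split()))
    for tag, key in (("SingleSignOnService", "login"), ("SingleLogoutService", "logout")):
        for svc in idp.findall("md:" + tag, NS):
            prefix = {POST: "post", REDIRECT: "redirect"}.get(svc.get("Binding"))
            if prefix:
                info[prefix + "_" + key + "_url"] = svc.get("Location")
    return info


def encode_authn_request(authn_request_xml, binding):
    """Package an AuthnRequest the way the chosen binding carries it to the IdP."""
    data = authn_request_xml.encode()
    if binding == REDIRECT:
        # HTTP-Redirect: raw DEFLATE, base64, then URL-encoded as the SAMLRequest query parameter
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        deflated = comp.compress(data) + comp.flush()
        return "SAMLRequest=" + urllib.parse.quote(base64.b64encode(deflated).decode(), safe="")
    if binding == POST:
        # HTTP-POST: plain base64 in the SAMLRequest field of an auto-submitted form
        return base64.b64encode(data).decode()
    raise ValueError("unsupported binding: " + str(binding))


def decode_authn_request(value, binding):
    """Inverse of encode_authn_request, i.e. what the IdP does on receipt."""
    if binding == REDIRECT:
        raw = base64.b64decode(urllib.parse.parse_qs(value)["SAMLRequest"][0])
        return zlib.decompress(raw, -15).decode()
    return base64.b64decode(value).decode()


def check_response_policy(response_xml, require_signed_assertion=True, allowed=(RSA_SHA256,)):
    """Pre-checks for 'Require Signed assertion' and 'Signature Algorithm'; returns violations."""
    root = ET.fromstring(response_xml)
    problems = []
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        problems.append("no plaintext Assertion in Response")
    for assertion in assertions:
        sig = assertion.find("ds:Signature", NS)
        if sig is None:
            if require_signed_assertion:
                problems.append("assertion " + assertion.get("ID", "?") + " is not signed")
            continue
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        if alg not in allowed:
            problems.append("assertion %s uses disallowed SignatureMethod %s" % (assertion.get("ID", "?"), alg))
    return problems


def sample_response(signature_alg=None):
    """Constructed minimal IdP Response; None yields an unsigned assertion (signature value is a dummy)."""
    sig = "" if signature_alg is None else (
        '<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:SignatureMethod Algorithm="%s"/>'
        '</ds:SignedInfo><ds:SignatureValue>ZHVtbXk=</ds:SignatureValue></ds:Signature>'
        % (NS["ds"], signature_alg))
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">'
            '<saml:Assertion ID="_a1"><saml:Issuer>https://idp.example.test/saml</saml:Issuer>%s'
            '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>'
            '</samlp:Response>' % (NS["samlp"], NS["saml"], sig))
```

Running `parse_idp_metadata(SAMPLE_METADATA)` yields the same four URLs the metadata upload auto-completes plus the signing certificate; `encode_authn_request(SAMPLE_AUTHN_REQUEST, REDIRECT)` shows why the Redirect binding needs DEFLATE (the request has to fit in a query string) while POST does not; and `check_response_policy(sample_response(RSA_SHA1))` or `check_response_policy(sample_response(None))` shows the two rejections a correctly configured connector should produce before any signature value is even examined.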