You can configure SAML as required.
General
Use SAML
Description
Specifies whether SAML-based login is allowed.
Key
com.aris.umc.saml.active
Valid input
true, false
Binding
Description
Specifies the SAML binding used to send authentication requests to the identity provider, that is, how the browser is redirected to the identity provider. The options are Redirect (HTTP-Redirect) and POST (HTTP-POST).
Key
com.aris.umc.saml.binding
Valid input
POST, Redirect
Example
POST
Identity provider ID
Description
Specifies the ID of the identity provider.
Key
com.aris.umc.saml.identity.provider.id
Valid input
String
Service provider ID
Description
Specifies the ID of the service provider.
Key
com.aris.umc.saml.service.provider.id
Valid input
String
Example
UMC@<yourarisserver>
Where <yourarisserver> is the actual name of your server.
Single sign-on URL
Description
Specifies the end point of the identity provider that is used for single sign-on.
Key
com.aris.umc.saml.identity.provider.sso.url
Valid input
URL
Example
https://yourserver:8443/openam/SSOPOST/metaAlias/MSAD/idp
Single logout URL
Description
Specifies the end point of the identity provider that is used for single log-out.
Key
com.aris.umc.saml.identity.provider.logout.url
Valid input
URL
Example
https://yourserver:8443/openam/IDPSloPOST/metaAlias/MSAD/idp
Signature
Enforce signing of assertions
Description
Enforces that SAML assertions are signed. If set, all assertions received by the application must carry a valid signature, and assertions sent by the application are signed.
Key
com.aris.umc.saml.signature.assertion.active
Valid input
true, false
Enforce signing of requests
Description
Enforces that SAML authentication requests are signed. If set, all requests received by the application must carry a valid signature, and requests sent by the application are signed.
Key
com.aris.umc.saml.signature.request.active
Valid input
true, false
Enforce signing of responses
Description
Enforces that SAML responses are signed. If set, all responses received by the application must carry a valid signature, and responses sent by the application are signed.
Key
com.aris.umc.saml.signature.response.active
Valid input
true, false
Enforce signing of metadata
Description
Enforces that the SAML metadata must be signed. If set, the service provider metadata file provided by the application is signed.
Key
com.aris.umc.saml.signature.metadata.active
Valid input
true, false
Signature algorithm
Description
Specifies the algorithm used for the signature. The algorithm can be selected from the list. Prefer a SHA-2 based algorithm; SHA-1 signatures are deprecated.
Key
com.aris.umc.saml.signature.algorithm
Valid input
String
Keystore
Keystore
Description
Specifies the location of the keystore file used for validating SAML assertions. Specify all values for the keystore and then upload the keystore file.
Key
com.aris.umc.saml.keystore.location
Valid input
File with extension .jks or .keystore.
Alias
Description
Specifies the alias of the key entry in the keystore that is used.
Key
com.aris.umc.saml.keystore.alias
Valid input
String
Password
Description
Specifies the password that is used to access the keystore.
Key
com.aris.umc.saml.keystore.password
Valid input
String
Type
Description
Specifies the type of the keystore to be used. The keystore type can be selected from a list.
Key
com.aris.umc.saml.keystore.type
Valid input
List item
Example
JKS
Truststore
Truststore
Description
Specifies the location of the truststore file used for validating SAML assertions. Specify all values for the truststore and then upload the truststore file.
Key
com.aris.umc.saml.truststore.location
Valid input
File with extension .jks or .truststore.
Alias
Description
Specifies the alias of the certificate entry in the truststore that is used.
Key
com.aris.umc.saml.truststore.alias
Valid input
String
Password
Description
Specifies the password to be used for accessing the truststore.
Key
com.aris.umc.saml.truststore.password
Valid input
String
Type
Description
Specifies the type of the truststore.
Key
com.aris.umc.saml.truststore.type
Valid input
List item
Example
JKS
User attributes
First name
Description
Specifies the attribute name to be used for reading first names from a SAML assertion.
Key
com.aris.umc.saml.attribute.fname
Valid input
String
Last name
Description
Specifies the attribute name to be used for reading last names from a SAML assertion.
Key
com.aris.umc.saml.attribute.lname
Valid input
String
E-mail address
Description
Specifies the attribute name to be used for reading e-mail addresses from a SAML assertion.
Key
com.aris.umc.saml.attribute.email
Valid input
String
Telephone number
Description
Specifies the attribute name to be used for reading phone numbers from a SAML assertion.
Key
com.aris.umc.saml.attribute.phone
Valid input
String
Member of
Description
Attribute that references the groups of a user.
Key
com.aris.umc.saml.attribute.memberof
Valid input
String
Example
Main group
User-defined
Description
Comma-separated list of attributes to be imported as user-defined attributes of the user.
Key
com.aris.umc.saml.attribute.userdefined
Valid input
Comma-separated list
Advanced settings
Login using DN
Description
Specifies whether login is attempted using the fully qualified (distinguished) name instead of the user name.
Key
com.aris.umc.saml.login.mode.dn.active
Valid input
true, false
Decompose DN
Description
Specifies whether the fully qualified name is decomposed into its components so that a single part of it can be used for login.
Key
com.aris.umc.saml.login.mode.keyword.active
Valid input
true, false
Keyword
Description
Specifies which part of the fully qualified name is to be used for login.
Key
com.aris.umc.saml.login.mode.keyword.name
Valid input
String
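To show how the User attributes keys and the DN-based login keys above fit together, here is an added example (not ARIS code) that maps the attribute statement of an assertion to a user record and derives the login from a DN-shaped NameID. The configuration values, the assertion content and the attribute names (givenName, sn, mail, ...) are constructed, and the exact semantics of Login using DN, Decompose DN and Keyword are this example's reading of the descriptions above.

```python
"""Map the attribute statement of a SAML assertion to a user record, using the
com.aris.umc.saml.attribute.* keys for attribute names and the
com.aris.umc.saml.login.mode.* keys to derive the login from a DN-shaped NameID.
Illustrative example, not ARIS code; the configuration and assertion are
constructed, and the DN login-mode semantics are this example's reading of
the settings above."""
import re

# Constructed configuration (values are attribute names as sent by the IdP).
CONFIG = {
    "com.aris.umc.saml.attribute.fname": "givenName",
    "com.aris.umc.saml.attribute.lname": "sn",
    "com.aris.umc.saml.attribute.email": "mail",
    "com.aris.umc.saml.attribute.phone": "telephoneNumber",
    "com.aris.umc.saml.attribute.memberof": "memberOf",
    "com.aris.umc.saml.attribute.userdefined": "department, employeeID",
    "com.aris.umc.saml.login.mode.dn.active": "true",
    "com.aris.umc.saml.login.mode.keyword.active": "true",
    "com.aris.umc.saml.login.mode.keyword.name": "CN",
}

# Constructed assertion content: NameID plus multi-valued attributes.
ASSERTION = {
    "NameID": "CN=jdoe,OU=Users,DC=example,DC=com",
    "attributes": {
        "givenName": ["Jane"],
        "sn": ["Doe"],
        "mail": ["jane.doe@example.com"],
        "telephoneNumber": ["+49 681 0000"],
        "memberOf": ["CN=aris-modelers,OU=Groups,DC=example,DC=com",
                     "CN=aris-viewers,OU=Groups,DC=example,DC=com"],
        "department": ["R&D"],
        "employeeID": ["E-1042"],
        "title": ["Engineer"],          # not configured: must not be imported
    },
}


def split_dn(dn):
    """Split an RFC 4514 DN into (type, value) pairs. Commas escaped as '\\,'
    stay inside the value; multi-valued RDNs ('+') are not handled here."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        rdn_type, _, value = rdn.partition("=")
        pairs.append((rdn_type.strip(), value.strip().replace("\\,", ",")))
    return pairs


def login_name(cfg, name_id):
    """Login derived from the NameID according to the DN login-mode keys."""
    if cfg.get("com.aris.umc.saml.login.mode.dn.active") != "true":
        return name_id                      # plain user name login
    if cfg.get("com.aris.umc.saml.login.mode.keyword.active") != "true":
        return name_id                      # the whole DN is the login
    keyword = cfg["com.aris.umc.saml.login.mode.keyword.name"].upper()
    for rdn_type, value in split_dn(name_id):
        if rdn_type.upper() == keyword:
            return value                    # first matching RDN, e.g. CN
    raise ValueError(f"NameID {name_id!r} has no {keyword} component")


def first(attrs, name):
    """First value of a multi-valued attribute, or None if absent or empty."""
    values = attrs.get(name) or []
    return values[0] if values else None


def map_user(cfg, assertion):
    """Build the user record; only configured attribute names are read, so
    anything else the IdP sends is ignored rather than imported."""
    attrs = assertion["attributes"]
    user = {
        "login": login_name(cfg, assertion["NameID"]),
        "first_name": first(attrs, cfg["com.aris.umc.saml.attribute.fname"]),
        "last_name": first(attrs, cfg["com.aris.umc.saml.attribute.lname"]),
        "email": first(attrs, cfg["com.aris.umc.saml.attribute.email"]),
        "phone": first(attrs, cfg["com.aris.umc.saml.attribute.phone"]),
        "groups": list(attrs.get(cfg["com.aris.umc.saml.attribute.memberof"], [])),
        "user_defined": {},
    }
    for name in cfg["com.aris.umc.saml.attribute.userdefined"].split(","):
        name = name.strip()
        if name and name in attrs:
            user["user_defined"][name] = first(attrs, name)
    return user


if __name__ == "__main__":
    print(map_user(CONFIG, ASSERTION))
```

The point to take from it: only attribute names that are configured are read, the "title" attribute the IdP also sends is dropped, and a NameID without the configured keyword component is rejected rather than silently mapped to the full DN.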
Authentication context classes
Description
Specifies the authentication context classes to request, that is, the required strength of the authentication. For example, to require Kerberos, set Microsoft® Windows as the authentication context class and exact as the authentication context comparison.
Key
com.aris.umc.saml.auth.context.class.refs
Valid input
Selection
Example
PasswordProtectedTransport (the SAML 2.0 class urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport)
Authentication context comparison
Description
Specifies the authentication context comparison to request, that is, whether the identity provider may use authentication procedures other than the requested classes. SAML 2.0 defines the comparison values exact, minimum, maximum and better. For example, to require Kerberos, set Microsoft® Windows as the authentication context class and exact as the authentication context comparison.
Key
com.aris.umc.saml.auth.context.comparison
Valid input
String
NameID format
Description
Specifies in which format the user ID is transferred to ARIS Administration.
Key
com.aris.umc.saml.auth.nameid.format
Valid input
String
Automatically create user
Description
Defines whether or not the user specified in the SAML assertion should be created automatically if the user does not already exist. The following restrictions apply to automatically created users:
The Login attribute is set to the name specified in the assertion.
The distinguished name attribute is set to the name specified in the assertion (only if the name is in an appropriate format).
A manual login is not possible if the password and e-mail attributes are not maintained.
Key
com.aris.umc.saml.login.users.create
Valid input
true, false
Default value
false
Clock skew (in seconds)
Description
Specifies the tolerated clock difference between identity provider and service provider in seconds. Assertions are accepted if they are received within their validity period, widened by this tolerance. Keep the value small and synchronize clocks instead: every second of tolerance extends the window in which a captured assertion is still accepted.
Key
com.aris.umc.saml.assertion.timeoffset
Valid input
Integer > 0
Allowed service provider URLs
Description
Comma-separated list of service provider URLs that are allowed to request that the user administration initiates SSO. List only exact, trusted URLs.
Key
com.aris.umc.saml.service.provider.urls
Valid input
Comma-separated list
Assertion lifetime (in seconds)
Description
Specifies the maximum lifetime of a SAML assertion in seconds.
Key
com.aris.umc.saml.assertion.ttl
Valid input
Integer > 0
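As an added illustration of what the clock skew and assertion lifetime settings control (this is example code, not ARIS's own validation logic), the check below accepts an assertion only while the current time lies within its NotBefore/NotOnOrAfter window widened by the skew, and rejects windows longer than the configured lifetime. How ARIS measures the lifetime is not documented above; this example measures it from IssueInstant, which is an assumption. The replay cache goes beyond the page: a validity window alone does not stop a captured assertion from being presented twice inside that window, so accepted assertion IDs are remembered until they can no longer be valid. The timestamps are constructed.

```python
"""Check a SAML assertion's validity window as the clock skew
(com.aris.umc.saml.assertion.timeoffset) and assertion lifetime
(com.aris.umc.saml.assertion.ttl) settings describe. Illustrative example,
not ARIS code; measuring the lifetime from IssueInstant is an assumption."""
from datetime import datetime, timedelta, timezone


def parse_saml_time(value):
    """SAML 2.0 timestamps are ISO 8601 in UTC with a trailing 'Z'."""
    if not value.endswith("Z"):
        raise ValueError(f"not a UTC timestamp: {value!r}")
    body = value[:-1].split(".")[0]                  # drop optional fraction
    return datetime.strptime(body, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_assertion_window(assertion, now, skew_s, ttl_s):
    """Return (accepted, reason) for an assertion dict carrying IssueInstant
    and the Conditions NotBefore/NotOnOrAfter. All comparisons are in UTC."""
    issued = parse_saml_time(assertion["IssueInstant"])
    not_before = parse_saml_time(assertion["NotBefore"])
    not_on_or_after = parse_saml_time(assertion["NotOnOrAfter"])
    skew = timedelta(seconds=skew_s)
    if not_on_or_after <= not_before:
        return False, "empty validity window"
    # Lifetime cap: a window far longer than the ttl is a replay risk even
    # if the IdP signed it, so it is rejected regardless of the current time.
    if not_on_or_after - issued > timedelta(seconds=ttl_s):
        return False, f"validity window exceeds the {ttl_s}s assertion lifetime"
    if now < not_before - skew:
        return False, "assertion not yet valid (beyond clock skew)"
    if now >= not_on_or_after + skew:
        return False, "assertion expired (beyond clock skew)"
    return True, "accepted"


class ReplayCache:
    """Remember accepted assertion IDs until they cannot be valid any more.
    Not a documented ARIS setting; added because the time window alone does
    not stop a captured assertion from being replayed inside that window."""

    def __init__(self):
        self._seen = {}                              # assertion ID -> expiry

    def register(self, assertion_id, not_on_or_after, skew_s, now):
        """True if the ID is new (and is now recorded), False if replayed."""
        expires = not_on_or_after + timedelta(seconds=skew_s)
        self._seen = {k: v for k, v in self._seen.items() if v > now}  # purge
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires
        return True


# Constructed sample timing: a five-minute window issued at 10:00 UTC.
SAMPLE = {
    "ID": "_a1b2c3",
    "IssueInstant": "2024-05-01T10:00:00Z",
    "NotBefore": "2024-05-01T10:00:00Z",
    "NotOnOrAfter": "2024-05-01T10:05:00Z",
}


if __name__ == "__main__":
    for now, skew in (("2024-05-01T10:05:30Z", 60), ("2024-05-01T10:05:30Z", 0)):
        print(now, f"skew={skew}s", check_assertion_window(SAMPLE, parse_saml_time(now), skew, 600))
```

Note the asymmetry the example makes visible: a skew of 60 seconds turns a five-minute assertion into a seven-minute one for an attacker holding a captured copy, which is why the clock skew setting should stay small.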
Assertion consumer service URL
Description
Overrides the Assertion Consumer Service URL used in SAML authentication requests. The URL must have the format http(s)://hostname/umc/rest/saml/initsso. If no value is specified, the URL is derived from the HTTP request, which means it depends on the host name the application sees in that request; behind a reverse proxy or load balancer, set it explicitly.
Key
com.aris.umc.saml.service.provider.assertion.consumer.url.overwrite
Valid input
URL
Default tenant
Description
Specifies the default tenant that is to be used for the SAML-based login. Cross-tenant property that can only be changed using ARIS Cloud Controller. For more information, refer to ARIS Cloud Controller (ACC) Command-line Tool manual.
Key
com.aris.umc.saml.tenant
Valid input
String
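As a worked example covering the Signature section and the URL and timing keys under Advanced settings, here is an added configuration linter (not ARIS code) that reports weak values in a com.aris.umc.saml.* property set and shows the same set with every finding fixed. The property values, the thresholds and the severities are this example's own hardening policy rather than ARIS defaults, and it assumes the signature algorithm value names its digest (for example an XML DSig URI ending in rsa-sha1).

```python
"""Lint a com.aris.umc.saml.* property set for weak settings, covering the
Signature section and the URL and timing keys under Advanced settings.
Illustrative example, not part of ARIS; thresholds and severities are this
example's hardening policy, and it assumes the signature algorithm value
names its digest (e.g. an XML DSig URI ending in rsa-sha1)."""
from urllib.parse import urlparse

MAX_CLOCK_SKEW_S = 180                # policy choice of this example
MAX_ASSERTION_TTL_S = 3600            # policy choice of this example
ACS_PATH = "/umc/rest/saml/initsso"   # format documented for the ACS override
P = "com.aris.umc.saml."

# Constructed property set: a typical first-cut configuration with weak values.
WEAK = {
    P + "active": "true",
    P + "binding": "POST",
    P + "signature.assertion.active": "false",
    P + "signature.request.active": "false",
    P + "signature.response.active": "false",
    P + "signature.algorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    P + "identity.provider.sso.url": "http://yourserver:8080/openam/SSOPOST/metaAlias/MSAD/idp",
    P + "identity.provider.logout.url": "https://yourserver:8443/openam/IDPSloPOST/metaAlias/MSAD/idp",
    P + "assertion.timeoffset": "600",
    P + "assertion.ttl": "86400",
    P + "service.provider.urls": "https://aris.example.com, http://*.example.com",
    P + "service.provider.assertion.consumer.url.overwrite": "http://aris.example.com/umc/rest/saml/initsso",
    P + "login.users.create": "true",
}

# The same set with every finding fixed.
HARDENED = dict(WEAK, **{
    P + "signature.assertion.active": "true",
    P + "signature.request.active": "true",
    P + "signature.response.active": "true",
    P + "signature.algorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    P + "identity.provider.sso.url": "https://yourserver:8443/openam/SSOPOST/metaAlias/MSAD/idp",
    P + "assertion.timeoffset": "60",
    P + "assertion.ttl": "600",
    P + "service.provider.urls": "https://aris.example.com",
    P + "service.provider.assertion.consumer.url.overwrite": "https://aris.example.com/umc/rest/saml/initsso",
    P + "login.users.create": "false",
})


def _https(url):
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.hostname)


def lint(props):
    """Return a list of (severity, key, message) findings; empty means clean."""
    findings = []

    def add(sev, key, msg):
        findings.append((sev, key, msg))

    if props.get(P + "active") != "true":
        return findings                        # SAML login disabled: nothing to check
    # Assertion and response signing protect the service provider; request
    # signing mainly protects the identity provider, hence the lower severity.
    for part, sev in (("assertion", "high"), ("response", "high"), ("request", "medium")):
        key = P + f"signature.{part}.active"
        if props.get(key) != "true":
            add(sev, key, f"signing of {part}s is not enforced")
    alg = props.get(P + "signature.algorithm", "").lower()
    if not alg or "sha1" in alg or "md5" in alg:
        add("high", P + "signature.algorithm", "unset or SHA-1/MD5 signature algorithm; use a SHA-2 based one")
    for key in (P + "identity.provider.sso.url", P + "identity.provider.logout.url"):
        if key in props and not _https(props[key]):
            add("high", key, "identity provider endpoint is not https")
    skew = int(props.get(P + "assertion.timeoffset", "0"))
    if skew > MAX_CLOCK_SKEW_S:
        add("medium", P + "assertion.timeoffset", f"{skew}s of clock skew widens the replay window; fix clocks with NTP instead")
    ttl = int(props.get(P + "assertion.ttl", "0"))
    if ttl > MAX_ASSERTION_TTL_S:
        add("medium", P + "assertion.ttl", f"assertion lifetime {ttl}s exceeds {MAX_ASSERTION_TTL_S}s")
    for url in (u.strip() for u in props.get(P + "service.provider.urls", "").split(",")):
        if url and ("*" in url or not _https(url)):
            add("high", P + "service.provider.urls", f"{url!r}: allowed service provider URLs must be explicit https URLs")
    acs = props.get(P + "service.provider.assertion.consumer.url.overwrite")
    if acs and (not _https(acs) or urlparse(acs).path != ACS_PATH):
        add("high", P + "service.provider.assertion.consumer.url.overwrite", f"ACS override must be https://<host>{ACS_PATH}")
    if props.get(P + "login.users.create") == "true":
        add("info", P + "login.users.create", "users are auto-created from assertions; make sure the IdP's user lifecycle is trusted")
    return findings


if __name__ == "__main__":
    for sev, key, msg in lint(WEAK):
        print(f"{sev:6} {key}: {msg}")
```

Running it against WEAK prints one line per finding, with the unsigned assertions and responses and the SHA-1 algorithm as the high-severity ones; HARDENED produces no output. The wildcard entry in the allowed service provider URLs is flagged because that list is what decides who may make the user administration initiate SSO.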