Customize SAML settings

You can customize your system configuration as required. You carry out this part of the configuration in ARIS Administration.

Prerequisite

You have the Technical configuration administrator function privilege.

Procedure

  1. Click Configuration.

  2. Click the arrow next to SAML.

  3. Click a configuration category. The following categories are available:

    General

    Use SAML

    Specifies whether a SAML-based login is allowed. This corresponds to the following property: com.aris.umc.saml.active

    Binding

    Specifies the binding used for sending authentication requests to the identity provider. Defines how the redirecting of the authentication is performed. The options are Redirect or POST. This corresponds to the following property: com.aris.umc.saml.binding

    Identity provider ID

    Specifies the ID of the identity provider. This corresponds to the following property: com.aris.umc.saml.identity.provider.id

    Service provider ID

    Specifies the ID of the service provider. This corresponds to the following property: com.aris.umc.saml.service.provider.id

    Single sign-on URL

    Specifies the end point of the identity provider that is used for single sign-on. This corresponds to the following property: com.aris.umc.saml.identity.provider.sso.url

    Single logout URL

    Specifies the end point of the identity provider that is used for single log-out. This corresponds to the following property: com.aris.umc.saml.identity.provider.logout.url

    Signature

    Enforce signing of assertions

    Enforces that SAML assertions must be signed. If set, all assertions received by the application must be signed. Assertions sent by the application are signed. This corresponds to the following property: com.aris.umc.saml.signature.assertion.active

    Enforce signing of requests

    Enforces that the SAML authentication requests must be signed. If set, all requests received by the application must be signed. Requests sent by the application are signed. This corresponds to the following property: com.aris.umc.saml.signature.request.active

    Enforce signing of responses

    Specifies whether the SAML authentication response must be signed or not. This corresponds to the following property: com.aris.umc.saml.signature.resonse.active

    Enforce signing of metadata

    Enforces that the SAML metadata must be signed. If set, the service provider metadata file provided by the application is signed. This corresponds to the following property: com.aris.umc.saml.signature.metadata.active

    Signature algorithm

    Specifies the algorithm for the signature. The algorithm can be selected from the list. This corresponds to the following property: com.aris.umc.saml.signature.algorithm

    Keystore

    Keystore

    Specifies the location of the keystore file used for validating SAML assertions. Specify all values for the keystore and then upload the keystore file. This corresponds to the following property: com.aris.umc.saml.keystore.location

    Upload

    Opens the Keystore dialog.

    Alias

    Specifies the alias name that is used to access the keystore. This corresponds to the following property: com.aris.umc.saml.keystore.alias

    Password

    Specifies the password that is used to access the keystore. This corresponds to the following property: com.aris.umc.saml.keystore.password

    Type

    Specifies the type of the keystore to be used. The keystore type can be selected from a list. This corresponds to the following property: com.aris.umc.saml.keystore.type

    Truststore

    Truststore

    Specifies the location of the truststore file used for validating SAML assertions. Specify all values for the truststore and then upload the truststore file. This corresponds to the following property: com.aris.umc.saml.truststore.location

    Upload

    Opens the Truststore dialog.

    Alias

    Specifies the alias to be used for accessing the truststore. This corresponds to the following property: com.aris.umc.saml.truststore.alias

    Password

    Specifies the password to be used for accessing the truststore. This corresponds to the following property: com.aris.umc.saml.truststore.password

    Type

    Specifies the type of the truststore. This corresponds to the following property: com.aris.umc.saml.truststore.type

    User attributes

    First name

    Specifies the attribute name to be used for reading first names from a SAML assertion. This corresponds to the following property: com.aris.umc.saml.attribute.fname

    Last name

    Specifies the attribute name to be used for reading last names from a SAML assertion. This corresponds to the following property: com.aris.umc.saml.attribute.lname

    E-mail address

    Specifies the attribute name to be used for reading e-mail addresses from a SAML assertion. This corresponds to the following property: com.aris.umc.saml.attribute.email

    Telephone number

    Specifies the attribute name to be used for reading phone numbers from a SAML assertion. This corresponds to the following property: com.aris.umc.saml.attribute.phone

    Member of

    Attribute that references the groups of a user. This corresponds to the following property: com.aris.umc.saml.attribute.memberof

    User-defined

    Comma-separated list of attributes to be imported as user-defined attributes of the user. This corresponds to the following property: com.aris.umc.saml.attribute.userdefined

    Advanced settings

    Login using DN

    Specifies whether login is to be tried using the fully qualified name instead of the user name. This corresponds to the following property: com.aris.umc.saml.login.mode.dn.active

    Decompose DN

    Specifies whether the fully qualified name is to be decomposed. This corresponds to the following property: com.aris.umc.saml.login.mode.keyword.active

    Keyword

    Specifies which part of the fully qualified name is to be used for login. This corresponds to the following property: com.aris.umc.saml.login.mode.keyword.name

    Authentication context classes

    Specifies the authentication context classes to request, meaning which strength of the authentication is defined. For example, you specify that users must use Kerberos if you define Microsoft® Windows as the Authentication context class and the Authentication context comparison as exact. This corresponds to the following property: com.aris.umc.saml.auth.context.class.refs

    Authentication context comparison

    Specifies the authentication context comparison to request, meaning you specify whether other authentication procedures are allowed or not. For example, you specify that users must use Kerberos if you define Microsoft® Windows as the Authentication context class and the Authentication context comparison as exact. This corresponds to the following property: com.aris.umc.saml.auth.context.comparison

    NameID format

    Specifies in which format the user ID is transferred to ARIS Administration. This corresponds to the following property: com.aris.umc.saml.auth.nameid.format

    Automatically create user

    Defines whether or not the user specified in the SAML assertion should be created automatically if the user does not already exist. The following restrictions apply to automatically created users:

    • The Login attribute is set to the name specified in the assertion.

    • The distinguished name attribute is set to the name specified in the assertion (only if the name is in an appropriate format).

    • A manual login is not possible if the password and e-mail attributes are not maintained.

    This corresponds to the following property: com.aris.umc.saml.login.users.create

    Clock skew

    Specifies the time offset between identity provider and service provider in seconds. Assertions are accepted if they are received within the permitted time frame. This corresponds to the following property: com.aris.umc.saml.assertion.timeoffset

    Allowed service provider URLs

    Comma-separated list of service provider URLs that are allowed to request that the user administration initiates the use of SSO. This corresponds to the following property: com.aris.umc.saml.service.provider.urls

    Assertion lifetime

    Specifies the maximum lifetime of a SAML assertion in seconds. This corresponds to the following property: com.aris.umc.saml.assertion.ttl

    Default tenant

    Specifies the default tenant that is to be used for the SAML-based login. This corresponds to the following property: com.aris.umc.saml.tenant

  4. Click Edit.

    The Cross-tenant symbol indicates that the settings made apply to all tenants on this server and cannot be changed.

  5. Adjust your settings.

  6. Click Save.

You have customized your system configuration.
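As an added example that is not part of this documentation or of the ARIS product, the following Python script shows how settings from the User attributes and Advanced settings categories act on an assertion: the Clock skew and Assertion lifetime properties decide whether a constructed assertion is accepted, and the attribute-name properties map its attributes to a user record. All property values and the sample assertion are constructed assumptions, and signature verification is left out.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed values for the properties named on the page (assumptions, not ARIS defaults)
SETTINGS = {
    "com.aris.umc.saml.attribute.fname": "givenName",
    "com.aris.umc.saml.attribute.lname": "sn",
    "com.aris.umc.saml.attribute.memberof": "memberOf",
    "com.aris.umc.saml.attribute.userdefined": "department,costCenter",
    "com.aris.umc.saml.assertion.timeoffset": "60",  # clock skew in seconds
    "com.aris.umc.saml.assertion.ttl": "300",  # maximum assertion lifetime in seconds
}
# Constructed, unsigned sample assertion; signature verification is outside this example
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  IssueInstant="2024-05-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:04:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>modelers</saml:AttributeValue><saml:AttributeValue>admins</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>R&amp;D</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
ASSERTION = ET.fromstring(ASSERTION_XML)

def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_time_window(assertion, now, settings=SETTINGS):
    """Return None if the assertion is acceptable at `now`, else the rejection reason."""
    skew = timedelta(seconds=int(settings["com.aris.umc.saml.assertion.timeoffset"]))
    ttl = timedelta(seconds=int(settings["com.aris.umc.saml.assertion.ttl"]))
    cond = assertion.find("saml:Conditions", NS)
    not_before, not_after = parse_ts(cond.get("NotBefore")), parse_ts(cond.get("NotOnOrAfter"))
    if now + skew < not_before:  # clock skew widens the window at both ends
        return "not yet valid"
    if now - skew >= not_after:
        return "expired"
    if not_after - parse_ts(assertion.get("IssueInstant")) > ttl:  # ttl caps the window itself
        return "lifetime exceeds configured ttl"
    return None

def extract_user(assertion, settings=SETTINGS):
    """Map assertion attributes to a user record via the configured attribute names."""
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    first = lambda name: (attrs.get(name) or [None])[0]
    custom = [n.strip() for n in settings["com.aris.umc.saml.attribute.userdefined"].split(",")]
    return {"first_name": first(settings["com.aris.umc.saml.attribute.fname"]),
            "last_name": first(settings["com.aris.umc.saml.attribute.lname"]),
            "groups": attrs.get(settings["com.aris.umc.saml.attribute.memberof"], []),
            "user_defined": {n: first(n) for n in custom if n}}  # absent ones map to None
```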

See also

What SAML properties are available?