How do I configure SAML settings to specify user onboarding configurations?
This use case starts when you want to configure SAML settings and ends when you have completed the configuration.
Before you begin, ensure that you have:
- Enabled the SAML feature.
- API Administrator privilege.
To configure SAML settings:
1. Click the menu options icon in the title bar and click Administration.
2. Select SAML.
3. Click the Signature tab.
4. Enable the following fields, if required:
Enforce signing of assertions. Turn on to specify that the SAML assertions must be signed. If this is enabled, all assertions received by the application must be signed.
Enforce signing of requests. Turn on to specify that the SAML authentication requests must be signed. If this field is enabled, all requests received by the application must be signed. Requests sent by the application are signed using the selected signature algorithm.
Enforce signing of responses. Turn on to specify whether the SAML authentication response must be signed.
Enforce signing of metadata. Turn on to specify whether the SAML metadata must be signed. If set, the service provider metadata file provided by the application is signed.
5. Select the required Signature algorithm from the drop-down list.
6. Click the Keystore tab.
7. Click Browse and select the SAML keystore file.
8. Provide the Alias name and Password required to access the keystore file in the corresponding fields.
9. Select the type of keystore file to be used from the Type drop-down list.
10. Click the Truststore tab.
11. Click Browse and select the SAML truststore file.
12. Provide the Alias name and Password required to access the truststore file in the corresponding fields.
13. Select the type of truststore file to be used from the Type drop-down list.
14. Click the User attributes tab.
15. Provide the required values in the following fields:

| Field | Description |
| --- | --- |
| First name | Attribute name to be used for reading the first name from a SAML assertion. |
| Last name | Attribute name to be used for reading the last name from a SAML assertion. |
| E-mail address | Attribute name to be used for reading the email addresses from a SAML assertion. |
| Telephone number | Attribute name to be used for reading the phone numbers from a SAML assertion. |
| memberOf | Attribute that references the groups of a user. |
| User-defined | List of attributes, separated by commas, to be imported as user-defined attributes of the user. |
16. Click the Advanced settings tab.
17. Select Create user automatically.
A user is created automatically using the details received from the assertion.
18. Provide information in the following fields:

| Field | Description |
| --- | --- |
| Login using DN | Specifies whether sign-in must be attempted using the fully qualified name instead of the user name. The name in the assertion is assigned as the distinguished name of the user being created. |
| Decompose DN | Specifies whether the fully qualified name is to be decomposed. The name in the assertion is assigned as the distinguished name of the user being created only if the name is in an appropriate format. |
| Keyword | Specifies which part of the fully qualified name is to be used for login. |
| Authentication context comparison | Specifies the level of comparison that must be performed on the assertion context class against the authentication context. If this comparison fails, the user is not authenticated. |
| Name ID format | Specifies the format in which the user ID must be saved. |
| Clock skew (in seconds) | Specifies the permitted time offset between the identity provider and the service provider, in seconds. Assertions are accepted if they are received within the permitted time frame. |
| Assertion lifetime (in seconds) | Specifies the maximum lifetime of a SAML assertion, in seconds. |
| Assertion consumer service URL | Specifies the URL to which the identity provider must send the authentication response. The URL must be given in the format: http(s)://hostname/portal/rest/saml/initsso |
| Default tenant | Specifies the default tenant that is to be used for the SAML-based login. |
19. Click Save.
You have specified the SAML configuration details. Users can sign up to the Developer Portal using their SSO credentials.
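The following added example (not part of this help article or the product) shows what the Clock skew and Assertion lifetime settings enforce when an assertion is received, and how the attribute names entered on the User attributes tab are used to build the auto-created user. The assertion XML, the attribute names (givenName, sn, mail, memberOf) and the timestamps are constructed sample values.

```python
# Added example, not from the original article: apply the Clock skew and Assertion
# lifetime checks to an incoming assertion, then map its attributes to user fields.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion valid from 12:00:00 to 12:05:00 UTC (signature
# verification, which the Signature tab enforces, is out of scope for this snippet).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>ada@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>developers</saml:AttributeValue><saml:AttributeValue>api-admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Attribute names as they would be typed into the User attributes tab (assumed values).
ATTRIBUTE_MAP = {"first_name": "givenName", "last_name": "sn", "email": "mail"}
GROUP_ATTRIBUTE = "memberOf"

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_conditions(assertion_xml, now, clock_skew=60, max_lifetime=300):
    """Return (ok, reason); 'now' is the service provider's clock, skew widens the window both ways."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    not_before, not_on_or_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    # Assertion lifetime bounds the IdP's own window so a stolen assertion cannot be replayed for hours.
    if not_on_or_after - not_before > timedelta(seconds=max_lifetime):
        return False, "assertion lifetime exceeds maximum"
    skew = timedelta(seconds=clock_skew)
    if now + skew < not_before:
        return False, "assertion not yet valid"
    if now - skew >= not_on_or_after:
        return False, "assertion expired"
    return True, "ok"

def extract_user(assertion_xml):
    """Map SAML attributes onto the onboarding fields; memberOf may carry several values."""
    values = {}
    for attr in ET.fromstring(assertion_xml).iterfind(".//saml:Attribute", NS):
        values[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    user = {field: (values.get(name) or [None])[0] for field, name in ATTRIBUTE_MAP.items()}
    user["groups"] = values.get(GROUP_ATTRIBUTE, [])
    return user
```

A real service provider would run the signature check from the Signature tab before either function, since attribute values from an unsigned assertion cannot be trusted for user creation.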