Configuration Manager - SAML Authentication
The "SAML Authentication" menu is where SAML2 interfaces for account provisioning and authentication are configured. SAML interfaces are configured per client, so in a multi-client setup several can be configured. The client-side settings are in the "Clients > Access and security" tab, which has a "SAML authentication" checkbox and a "SAML entity ID" field to populate.
Description
Setting | What does the setting do? |
---|---|
Test mode | Use only for testing, e.g. against a locally created simplesaml IdP such as http://172.17.0.112:8081/simplesaml. |
Ignore validation | Set this to true only when the configured IdP sends a SAMLArtifact or SAMLResponse that carries no signature. Otherwise the SAMLArtifact or SAMLResponse signature is validated against the configured certificate. Leave it false wherever possible: without signature validation the system has no proof that a response actually came from the configured IdP. |
Enable algorithm check | Checks the key store algorithm (RSA or DSA). |
Send Saml request | Determines whether the samlRequest is sent to the IdP (this must be disabled for ADFS 3.0). |
Multiple IdPs | More than one Identity Provider setting can be configured (one per application/entityID). In that case this parameter must be set to true, so that the system returns different settings for different applications. The setting to use is determined by the entityID that the application provides to the ILS. The setting for ILS itself needs the new parameter useForIls set to true (otherwise ILS will not know its own entityID). |
Enable account provisioning | |
Fallback provider URL | Specification of SAML2 Identity Provider to use as a fallback when authentication against the first IdP is failing. |
Fallback issuer URL | |
Fallback redirection URL | |
Fallback key store path IdP | |
Fallback key store alias IdP | |
SP meta data file path | |
SP assertion consumer service URL | |
SP single logout service URL | |
Entities that use the authentication context | If the EntityID is present in this whitelist, the optional SAML AuthnReq Authentication Context is not included in the authentication request before sending. The whitelist is comma separated. |
SAML Profile Identifier Attribute | Database name of the imc attribute in the PERSON table that will be used to identify a user during SAML account provisioning. |
Mapping | |
Default client | Default client id of a person when it’s created if none is specified on the SAML response. |
Import without self-registration | If the value is ticked/true, persons are automatically created and no self registration page will be presented. |
Update existing user | If the value is set to ticked/true, persons that already exist will be updated with the attributes found in the SAML2 response. |
Ignore unmapped fields | Determines whether all source fields specified by mapping elements will be expected and imported in the imported file. Ticked/true: The attributes transferred in the import source for which no mapping is defined will be ignored. Unticked/false: If an attribute which is transferred with the imported data does not have any mapping defined, an exception will be generated. |
Is Reference | Determines whether all source fields specified by mapping elements will be expected and imported in the imported file. Ticked/true: The mapping elements determine which fields will be imported. Additional columns found in the import file will be ignored. Unticked/false: Only the columns found in the import file will be imported. Additional attributes specified by mapping elements will be ignored. |
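The "Send Saml request", "Multiple IdPs" and "Entities that use the authentication context" rows describe how the system chooses an IdP setting for an application and what goes into the AuthnRequest it sends. The following is an added example written for this page, not Configuration Manager or ILS code: it resolves the setting by entityID (falling back to the entry flagged useForIls when no entityID is given), parses the comma-separated whitelist, and builds an AuthnRequest that omits the RequestedAuthnContext for whitelisted entities, exactly as the table describes. The `IdpSettings` class, the function names and the example URLs are assumptions made for the demonstration.

```python
"""Added example (not the product's own code): choosing the IdP setting for an
application by entityID and building the SAML2 AuthnRequest it is sent with.
IdpSettings and the function names below are hypothetical; the setting names
in the comments are those of the Configuration Manager table."""
from dataclasses import dataclass
from datetime import datetime, timezone
import uuid
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


@dataclass(frozen=True)
class IdpSettings:
    entity_id: str            # application entityID this setting belongs to
    provider_url: str         # IdP single sign-on endpoint
    use_for_ils: bool = False  # "useForIls": this entry is ILS's own setting
    send_saml_request: bool = True  # "Send Saml request" (false for ADFS 3.0)


def resolve_settings(settings, requested_entity_id, multiple_idps):
    """Return the IdpSettings to use for the entityID the application provides.
    With "Multiple IdPs" off there must be exactly one setting and it is used
    for everyone. With it on, the entityID selects the setting; without an
    entityID the entry flagged useForIls (ILS itself) is used."""
    if not multiple_idps:
        if len(settings) != 1:
            raise ValueError("Multiple IdPs is off but %d settings are configured" % len(settings))
        return settings[0]
    if requested_entity_id:
        for s in settings:
            if s.entity_id == requested_entity_id:
                return s
        raise LookupError("no IdP setting configured for entityID %r" % requested_entity_id)
    own = [s for s in settings if s.use_for_ils]
    if len(own) != 1:
        raise LookupError("exactly one setting must have useForIls set to true")
    return own[0]


def parse_whitelist(value):
    """'Entities that use the authentication context' is a comma separated list."""
    return {e.strip() for e in value.split(",") if e.strip()}


def build_authn_request(sp_entity_id, acs_url, idp, whitelist,
                        authn_context_class="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"):
    """Build the AuthnRequest XML for sp_entity_id, or return None when the
    setting says no request is sent (IdP-initiated flow, e.g. ADFS 3.0).
    As the table describes, a whitelisted entityID gets no RequestedAuthnContext."""
    if not idp.send_saml_request:
        return None
    ET.register_namespace("samlp", NS_SAMLP)
    ET.register_namespace("saml", NS_SAML)
    req = ET.Element("{%s}AuthnRequest" % NS_SAMLP, {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp.provider_url,
        "AssertionConsumerServiceURL": acs_url,   # "SP assertion consumer service URL"
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, "{%s}Issuer" % NS_SAML).text = sp_entity_id
    if sp_entity_id not in whitelist:
        rac = ET.SubElement(req, "{%s}RequestedAuthnContext" % NS_SAMLP, {"Comparison": "exact"})
        ET.SubElement(rac, "{%s}AuthnContextClassRef" % NS_SAML).text = authn_context_class
    return ET.tostring(req, encoding="unicode")


def has_authn_context(xml_text):
    """True when the request carries a RequestedAuthnContext element."""
    return ET.fromstring(xml_text).find("{%s}RequestedAuthnContext" % NS_SAMLP) is not None


# Constructed sample configuration (three applications, one of them ILS itself).
SETTINGS = [
    IdpSettings("https://ils.example.test/sp", "https://idp.example.test/sso", use_for_ils=True),
    IdpSettings("https://app2.example.test/sp", "https://idp2.example.test/sso"),
    IdpSettings("https://adfs-app.example.test/sp", "https://adfs.example.test/adfs/ls/",
                send_saml_request=False),
]
WHITELIST = parse_whitelist("https://app2.example.test/sp, https://other.example.test/sp")

if __name__ == "__main__":
    idp = resolve_settings(SETTINGS, "https://ils.example.test/sp", True)
    print(build_authn_request("https://ils.example.test/sp", "https://ils.example.test/acs", idp, WHITELIST))
```

Running the block prints the request ILS would send to its own IdP, including the RequestedAuthnContext; for app2, which is on the whitelist, the same call produces a request without it, and for the ADFS application no request is produced at all.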
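The provisioning rows ("SAML Profile Identifier Attribute" through "Is Reference") describe how attributes from a SAML2 response become a PERSON record. The following is an added example written for this page, not the product's own provisioning code: it applies those flags to a constructed set of response attributes, raising on an unmapped attribute when "Ignore unmapped fields" is false, requiring every mapped field when "Is Reference" is true, creating the person with the default client when no client attribute is mapped, and updating or leaving an existing person according to "Update existing user". The PERSON table is modelled as an in-memory dict, and the `ProvisioningConfig` class, the column names and the return values are assumptions made for the demonstration.

```python
"""Added example (not the product's own code): the account provisioning rules
from the Configuration Manager table applied to SAML2 response attributes.
PERSON is an in-memory dict keyed by the identifier column; ProvisioningConfig,
the function names and the column names are hypothetical."""
from dataclasses import dataclass


class ProvisioningError(Exception):
    """Raised for the 'exception will be generated' cases in the table."""


@dataclass
class ProvisioningConfig:
    identifier_attribute: str   # "SAML Profile Identifier Attribute": a PERSON column
    mapping: dict               # "Mapping": SAML attribute name -> PERSON column
    default_client: str         # "Default client"
    import_without_self_registration: bool = True
    update_existing_user: bool = True
    ignore_unmapped_fields: bool = True
    is_reference: bool = True


def map_attributes(saml_attributes, cfg):
    """Translate response attributes into PERSON column values.
    'Ignore unmapped fields' false: an attribute without mapping is an error.
    'Is Reference' true: every field named in the mapping is expected."""
    row = {}
    for name, value in saml_attributes.items():
        column = cfg.mapping.get(name)
        if column is None:
            if cfg.ignore_unmapped_fields:
                continue
            raise ProvisioningError("no mapping defined for SAML attribute %r" % name)
        row[column] = value
    if cfg.is_reference:
        missing = [c for c in cfg.mapping.values() if c not in row]
        if missing:
            raise ProvisioningError("mapped fields missing from response: %s" % ", ".join(missing))
    return row


def provision(saml_attributes, cfg, persons):
    """Create or update the PERSON record for one authenticated subject.
    Returns 'created', 'updated', 'unchanged' or 'self-registration'."""
    row = map_attributes(saml_attributes, cfg)
    key = row.get(cfg.identifier_attribute)
    if not key:
        raise ProvisioningError("identifier attribute %r not present in response" % cfg.identifier_attribute)
    existing = persons.get(key)
    if existing is None:
        if not cfg.import_without_self_registration:
            return "self-registration"   # user is shown the self-registration page instead
        row.setdefault("CLIENT", cfg.default_client)   # "Default client" applies only when unset
        persons[key] = row
        return "created"
    if cfg.update_existing_user:
        existing.update(row)
        return "updated"
    return "unchanged"


# Constructed sample configuration and response attributes.
CONFIG = ProvisioningConfig(
    identifier_attribute="LOGIN",
    mapping={"uid": "LOGIN", "mail": "EMAIL", "givenName": "FIRSTNAME",
             "sn": "LASTNAME", "client": "CLIENT"},
    default_client="1",
    is_reference=False,   # the response below carries no "client" attribute
)
SAMPLE_RESPONSE_ATTRIBUTES = {
    "uid": "jdoe", "mail": "jdoe@example.test", "givenName": "Jane", "sn": "Doe",
    "memberOf": "staff",   # no mapping for this attribute
}

if __name__ == "__main__":
    persons = {}
    print(provision(SAMPLE_RESPONSE_ATTRIBUTES, CONFIG, persons), persons)
```

With the sample configuration the first call creates "jdoe" with CLIENT "1" and silently drops `memberOf`; switching `ignore_unmapped_fields` off turns that dropped attribute into a ProvisioningError, and switching `is_reference` on makes the missing `client` attribute an error, which is the behaviour a practitioner should expect before enabling either flag against a live IdP.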