Configuring Your Identity Provider (IdP)
IdP Requirements
To use SAML with Orchestrator, you must already have an identity provider (IdP) that meets the following requirements:
- Supports SAML 2.0
- Able to use an HTTP POST Binding.
- Able to connect to the same directory service that Orchestrator uses.
- Not configured to use pseudonyms.
- Can return assertions to Orchestrator that include the entire contents of the signing certificate.
- If prompted, set to sign the SAML response. (Signing the SAML assertion is optional.)
IdP Metadata Formats
You must configure the following formats to set up your IdP to work with Orchestrator:

| Tag | Format |
|---|---|
| NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
If the IdP is capable of reading SAML XML metadata for a service provider, you can upload a saved XML metadata file to configure the IdP. You can retrieve the XML metadata for an existing Orchestrator.
Do the following:
- At the top-right, click the Admin dropdown.
- Click the Metadata button. An XML file opens. For example:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://10.0.154.125/aspera/orchestrator/saml/metadata?=1" ID="_ab676d30-b03b-0135-65e4-0050569fd8f4">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://10.0.154.125/aspera/orchestrator/saml_response/1" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

- Right-click the page and click Save as; save it as filename_metadata.xml.
SAML Assertion Requirements
Orchestrator expects assertions from an IdP to contain the following elements:

| Default Attribute | Orchestrator User Field | Required |
|---|---|---|
| NameID / SAML_SUBJECT | Username | Yes, with the format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
| | Email address | Yes |
| given_name | First name | Yes |
| surname | Last name | Yes |
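As a pre-flight check of what your IdP actually sends, the following Python script (an added example, not part of the Orchestrator documentation or product) parses a SAML Response and reports which of the requirements above it misses: a signed Response, a Subject NameID in the unspecified format, and the given_name and surname attributes. The sample responses are constructed; the email attribute is not checked because its attribute name depends on your IdP's mapping, and the signature is only checked for presence, not cryptographically verified.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Attributes named on this page. The email attribute's name depends on the
# IdP's mapping, so add it to required_attrs once you know it.
REQUIRED_ATTRS = ("given_name", "surname")


def check_response(xml_text, required_attrs=REQUIRED_ATTRS):
    """Return a list of problems; an empty list means every check passed.
    Only the presence of ds:Signature is checked, not its cryptography."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    problems = []
    if root.find("ds:Signature", NS) is None:  # the Response itself must be signed
        problems.append("Response is not signed")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no saml:Assertion in Response"]
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None or not (nameid.text or "").strip():
        problems.append("missing Subject/NameID (Username)")
    elif nameid.get("Format") != NAMEID_FORMAT:
        problems.append("NameID Format is %r, expected %s" % (nameid.get("Format"), NAMEID_FORMAT))
    present = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    problems += ["missing attribute %s" % n for n in required_attrs if n not in present]
    return problems


# Constructed sample responses; the Signature is a placeholder, not a real XML-DSig.
SIG = "<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"
SURNAME = '<saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>'
GOOD = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  {SIG}
  <saml:Assertion><saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject><saml:AttributeStatement>
    <saml:Attribute Name="given_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    {SURNAME}
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
# Unsigned, wrong NameID format, surname attribute missing: three findings.
BAD = GOOD.replace(SIG, "").replace(SURNAME, "").replace("nameid-format:unspecified", "nameid-format:emailAddress")
```

Run `check_response` on a Response captured from the browser's POST to the saml_response endpoint (base64-decoded) to see which requirement the IdP configuration still misses.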