Configuring SAML users onboarding configurations
Before you begin
Ensure you have
- Enabled the SAML feature.
- API Administrator privilege.
Procedure
- Click the menu options icon from the title bar and click Administration.
- Select SAML and click the Signature tab.
- Enable the following fields, if required:
- Enforce signing of assertions. Turn on to specify that the SAML assertions must be signed. If this field is enabled, all assertions received by the application must be signed.
- Enforce signing of requests. Turn on to specify that the SAML authentication requests must be signed. If this field is enabled, all requests received by the application must be signed. Requests sent by the application are signed by the selected signature algorithm.
- Enforce signing of responses. Turn on to specify whether the SAML authentication response must be signed.
- Enforce signing of metadata. Turn on to specify whether the SAML metadata must be signed. If set, the service provider metadata file provided by the application is signed.
- Select the required Signature algorithm from the drop-down list.
- Click the Keystore tab, click Browse, and select the SAML keystore file.
- Provide the Alias name and Password required to access the keystore file in the corresponding fields.
- Select the type of keystore file to be used from the Type drop-down list.
- Click the Truststore tab, click Browse, and select the SAML truststore file.
- Provide the Alias name and Password required to access the truststore file in the corresponding fields.
- Select the type of truststore file to be used from the Type drop-down list.
- Click the User attributes tab and provide values in the following fields:
- First name. Attribute name to be used for reading the first name from a SAML assertion.
- Last name. Attribute name to be used for reading the last name from a SAML assertion.
- E-mail address. Attribute name to be used for reading the email addresses from a SAML assertion.
- Telephone number. Attribute name to be used for reading the phone numbers from a SAML assertion.
- memberOf. Attribute that references the groups of a user.
- User-defined. List of attributes, separated by commas, to be imported as user-defined attributes of the user.
- Click the Advanced settings tab and select Create user automatically. A user is created automatically using the details received from the assertion.
- Provide information in the following fields:
- Login using DN. Specifies whether sign-in must be attempted using the fully qualified name instead of the user name. The name in the assertion is assigned as the distinguished name of the user being created.
- Decompose DN. Specifies whether the fully qualified name is to be decomposed. The name in the assertion is assigned as the distinguished name of the user being created only if the name is in an appropriate format.
- Keyword. Specifies which part of the fully qualified name is to be used for login.
- Authentication context comparison. Specifies the level of comparison that must be performed on the assertion context class against the authentication context. If this comparison fails, the user is not authenticated.
- Name ID format. Specifies the format in which the user ID must be saved.
- Clock skew (in seconds). Specifies the permitted time offset between the identity provider and the service provider, in seconds. Assertions are accepted only if they are received within the permitted time frame.
- Assertion lifetime (in seconds). Specifies the maximum lifetime of a SAML assertion, in seconds.
- Assertion consumer service URL. Specifies the URL to which the identity provider must send the authentication response. The URL must be given in the format: http(s)://hostname/portal/rest/v1/saml/initsso
- Default tenant. Specifies the default tenant to be used for the SAML-based login.
- Click the Extensions tab. This tab includes options to configure how user information is extracted from the assertion sent by your SAML service provider to Developer Portal.
- Turn the Read multiple values from assertion slider on to extract multiple values from the assertion.
- Turn the Enable assertion validation slider on to validate the incoming assertion before extracting the required values.
- Provide the names of the attributes from which the following values are to be extracted from the assertion:
- First name
- Last name
- E-mail address
- Role
- Sub-domains
- Click Save. You have specified SAML configuration details. Users can sign up to Developer Portal using their SSO credentials.
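The following Python is an added illustration, not Developer Portal code, of how the Clock skew, Assertion lifetime, User attributes and Read multiple values from assertion settings above act on an incoming assertion. It uses a constructed, unsigned sample assertion with hypothetical attribute names, and it assumes that the assertion lifetime bounds the NotBefore/NotOnOrAfter window; signature checking (the Signature tab) is not shown.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion; attribute names are hypothetical.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>ada@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>developers</saml:AttributeValue>
      <saml:AttributeValue>api-admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical values typed into the User attributes tab: field -> attribute name.
ATTRIBUTE_MAP = {"First name": "givenName", "Last name": "sn",
                 "E-mail address": "mail", "memberOf": "memberOf"}

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_conditions(xml_text, now_iso, clock_skew=0, assertion_lifetime=300):
    """Clock skew widens NotBefore/NotOnOrAfter by clock_skew seconds on each side;
    Assertion lifetime caps the length of that window (assumed interpretation)."""
    cond = ET.fromstring(xml_text).find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return False, "missing Conditions time bounds"
    not_before, not_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    now, skew = _ts(now_iso), timedelta(seconds=clock_skew)
    if now < not_before - skew or now >= not_after + skew:
        return False, "outside validity window"
    if not_after - not_before > timedelta(seconds=assertion_lifetime):
        return False, "validity window exceeds assertion lifetime"
    return True, "ok"

def extract_attributes(xml_text, attribute_map, read_multiple=False):
    """Map configured attribute names to fields; read_multiple mirrors the
    'Read multiple values from assertion' slider (list instead of first value)."""
    present = {}
    for attr in ET.fromstring(xml_text).iterfind(".//saml:Attribute", NS):
        present[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    result = {}
    for field, name in attribute_map.items():
        values = present.get(name, [])
        result[field] = values if read_multiple else (values[0] if values else None)
    return result
```

A missing or unmapped attribute yields None (or an empty list), which is the case to watch when a Role or Sub-domains attribute name on the Extensions tab does not match what the assertion carries.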
What to do next
- The service provider metadata required for the registration is generated dynamically after SAML configuration. Download the metadata by clicking Download Metadata on the Metadata tab and use it to configure the identity provider.