Configuring Your Identity Provider (IdP)
IdP Requirements
To use SAML with Shares, you must already have an identity provider (IdP) that meets the following requirements:
- Supports SAML 2.0.
- Can use the HTTP POST binding.
- Can connect to the same directory service that Shares uses.
- Is not configured to use pseudonyms.
- Can return assertions to Shares that include the entire contents of the signing certificate.
- If prompted, is set to sign the SAML response. (Signing the SAML assertion is optional.)
IdP Metadata Formats
You must configure the following formats to set up your IdP to work with Shares:

Tag | Format |
---|---|
NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
Entity ID | https://shares_ip/auth/saml/metadata/ |
Binding | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST |
Callback URL | https://shares_ip/auth/saml/callback |
If your IdP can read SAML XML metadata for a service provider, you can upload a saved XML metadata file to configure it. To retrieve the XML metadata for an existing Shares configuration, go to https://shares_ip/auth/saml/metadata and save the XML to a file.
SAML Assertion Requirements
Shares expects assertions from an IdP to contain these elements:

Default Attribute | Shares User Field | Required |
---|---|---|
NameID / SAML_SUBJECT | Username | Yes, with the format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
email | Email address | Yes |
given_name | First name | Yes |
surname | Last name | |
member_of | SAML group | Necessary for SAML groups |
Tip: All attributes other than NameID or SAML_SUBJECT can also use the urn:oasis:names:tc:SAML:2.0:attrname-format:basic format.
SAML Assertion Example
The response below was issued by a Shibboleth IdP. Note that it signs the assertion with rsa-sha1 and a SHA-1 digest; SHA-1 is deprecated for XML signatures, so where your IdP offers it, select RSA-SHA256 instead.
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="https://aspera.ibm-sample.com/auth/saml/callback" ID="_866852166a98ae2a855514761b870e64" InResponseTo="_6bba436a-54a6-4e4f-b109-97a6c6bd0349" IssueInstant="2021-09-15T21:48:51.268Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://shib-idp-01.dev.aspera.us/idp/shibboleth</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</saml2p:Status>
<saml2:Assertion ID="_a7d332169ef7ad5fd2967234ced2d736" IssueInstant="2021-09-15T21:48:51.268Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://shib-idp-01.dev.aspera.us/idp/shibboleth</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_a7d332169ef7ad5fd2967234ced2d736">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>2LMPPDFUKaQxIFK9JSoj3iMPWF0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>a6ItMgcnDsqi8j8MMX2uaVMSoYGM2tbePomyFDn82alHkucZLTHlGQSIXn1+36bCb11WBuCz9WYAtHw2hve8dBLMJj3s9SmVtFAoZl80HB4ZWuTHH730ykvXTmGL01MNkId1ry9uRW+1TIT9BqLHaOq1Ep/SBlMJ+Ljzp8iT+9mi3DPBhP4uV8YPy/BYPQLdONPv9UBDz1FetBGov9BeNAfwrbo5Y/NY0gEJ1+Mgj+98V/gkJyotRTMDcX7tyIu2qXSSspIi5DiAv0/UtKZtAm96SKWFqsCdyd662SUTSekPCxT9obXfvW76eV2vUf9nLebD3IvpIRXPZ7NFgjsjKA==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDUDCCAjigAwIBAgIVANkYVO1LBB6MuViBihCDECq8XoAxMA0GCSqGSIb3DQEBBQUAMCQxIjAg…</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="https://shib-idp-01.dev.aspera.us/idp/shibboleth" SPNameQualifier="https://aspera.ibm-sample.com/auth/saml/metadata">asperauser1</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData Address="10.41.48.51" InResponseTo="_6bba436a-54a6-4e4f-b109-97a6c6bd0349" NotOnOrAfter="2021-09-15T21:53:51.268Z" Recipient="https://aspera.ibm-sample.com/auth/saml/callback"/></saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2021-09-15T21:48:51.268Z" NotOnOrAfter="2021-09-15T21:53:51.268Z">
<saml2:AudienceRestriction>
<saml2:Audience>https://aspera.ibm-sample.com/auth/saml/metadata</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2021-09-15T21:47:24.365Z" SessionIndex="_4589689d46dd27161ff17e37c686db04">
<saml2:SubjectLocality Address="10.41.48.51"/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="office" Name="office" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Emeryville</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="sn" Name="surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="company_name" Name="company_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Aspera SAML</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="email" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">aspera-sample-user@ibm.com</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="entryDN" Name="id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CN=aspera-sample-user,OU=IBMAspera,OU=Users,OU=IBM,DC=aspera,DC=ibm-sample,DC=com</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="givenName" Name="given_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">aspera</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="memberOf" Name="member_of" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CN=SAML,OU=IBMAspera,OU=Users,OU=IBM,DC=aspera,DC=ibm-sample,DC=com</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CN=SAML_group,OU=IBMAspera,OU=Users,OU=IBM,DC=aspera,DC=ibm-sample,DC=com</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
When passing in multiple attribute values (for example, member_of), make sure the SAML assertion follows this pattern, pulled from the example above: a single member_of Attribute element containing one AttributeValue element per group.
<saml2:Attribute FriendlyName="memberOf" Name="member_of" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CN=SAML,OU=IBMAspera,OU=Users,OU=IBM,DC=aspera,DC=ibm-sample,DC=com</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CN=SAML_group,OU=IBMAspera,OU=Users,OU=IBM,DC=aspera,DC=ibm-sample,DC=com</saml2:AttributeValue>
</saml2:Attribute>
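As an added example that is not part of the Shares documentation or product, the following Python script applies the assertion requirements above (NameID format, required attributes, and the multi-valued member_of pattern) together with the Entity ID and Callback URL from the metadata table to a SAML Response before it is handed to Shares. The function name check_response, the trimmed SAMPLE_RESPONSE constant built from this page's example with a placeholder signature value, and the URLs are assumptions. It checks structure and validity windows only and does not verify the XML signature; that needs an XML-DSig library.

```python
# Added example, not code from the Shares product or its documentation: a structural
# pre-flight check of a SAML Response against the requirements on this page. Names
# (check_response, SAMPLE_RESPONSE) are the author's own. It does NOT verify the XML
# signature; do that with an XML-DSig library before trusting anything it returns.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUIRED_ATTRS = ("email", "given_name")  # marked Required in the attribute table


def _ts(value):
    """Parse a SAML UTC timestamp such as 2021-09-15T21:53:51.268Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, entity_id, callback_url, now):
    """Return (profile, problems) for a Response sent to the Shares callback URL."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return None, ["root element is not a samlp:Response"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        problems.append("StatusCode is not Success")
    if root.get("Destination") != callback_url:
        problems.append("Destination %r is not the callback URL" % root.get("Destination"))
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # refuse ambiguous (for example, wrapped) responses
        return None, problems + ["expected one Assertion, found %d" % len(assertions)]
    a = assertions[0]

    # The response must be signed and the assertion may be; flag SHA-1 signatures.
    sigs = root.findall("ds:Signature", NS) + a.findall("ds:Signature", NS)
    if not sigs:
        problems.append("no ds:Signature on Response or Assertion")
    for sig in sigs:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        alg = method.get("Algorithm", "") if method is not None else ""
        if alg.endswith("-sha1"):
            problems.append("weak signature algorithm %s; prefer rsa-sha256" % alg)

    nameid = a.find("saml:Subject/saml:NameID", NS)
    username = nameid.text if nameid is not None else None
    if nameid is None or nameid.get("Format") != NAMEID_UNSPECIFIED:
        problems.append("NameID missing or not in the unspecified format")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != callback_url:
        problems.append("SubjectConfirmationData Recipient is not the callback URL")
    elif scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("bearer confirmation expired")
    cond = a.find("saml:Conditions", NS)
    nb = cond.get("NotBefore") if cond is not None else None
    na = cond.get("NotOnOrAfter") if cond is not None else None
    if (nb and now < _ts(nb)) or (na and now >= _ts(na)):
        problems.append("assertion outside its validity window")
    audiences = [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append("Audience %r does not include the entity ID" % audiences)

    # Keep every AttributeValue so a multi-valued member_of yields all of its groups.
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append("required attribute %s missing" % name)

    def first(name):  # single-valued user fields
        return (attrs.get(name) or [None])[0]
    profile = {"username": username, "email": first("email"), "first_name": first("given_name"),
               "last_name": first("surname"), "groups": attrs.get("member_of", [])}
    return profile, problems


# Constructed sample trimmed from the assertion example on this page; the signature
# value is a placeholder, not a real signature.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Version="2.0" ID="_866852" Destination="https://aspera.ibm-sample.com/auth/saml/callback">
<saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
<saml2:Assertion ID="_a7d332" Version="2.0" IssueInstant="2021-09-15T21:48:51.268Z">
<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
<saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">asperauser1</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData
 NotOnOrAfter="2021-09-15T21:53:51.268Z" Recipient="https://aspera.ibm-sample.com/auth/saml/callback"/>
</saml2:SubjectConfirmation></saml2:Subject>
<saml2:Conditions NotBefore="2021-09-15T21:48:51.268Z" NotOnOrAfter="2021-09-15T21:53:51.268Z">
<saml2:AudienceRestriction><saml2:Audience>https://aspera.ibm-sample.com/auth/saml/metadata</saml2:Audience>
</saml2:AudienceRestriction></saml2:Conditions>
<saml2:AttributeStatement>
<saml2:Attribute Name="email"><saml2:AttributeValue>aspera-sample-user@ibm.com</saml2:AttributeValue></saml2:Attribute>
<saml2:Attribute Name="given_name"><saml2:AttributeValue>aspera</saml2:AttributeValue></saml2:Attribute>
<saml2:Attribute Name="surname"><saml2:AttributeValue>user</saml2:AttributeValue></saml2:Attribute>
<saml2:Attribute Name="member_of">
<saml2:AttributeValue>CN=SAML,OU=IBMAspera,OU=Users,OU=IBM,DC=aspera,DC=ibm-sample,DC=com</saml2:AttributeValue>
<saml2:AttributeValue>CN=SAML_group,OU=IBMAspera,OU=Users,OU=IBM,DC=aspera,DC=ibm-sample,DC=com</saml2:AttributeValue>
</saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></saml2p:Response>"""
```

Call check_response(SAMPLE_RESPONSE, entity_id, callback_url, now) with an aware datetime inside the assertion's validity window: on the sample it returns the username, e-mail, first and last name, and both member_of groups, and the only problem it reports is the rsa-sha1 signature algorithm. Calling it with a later timestamp or with a different callback URL surfaces the expiry and the Destination, Recipient and Audience mismatches that a mistyped Shares URL in the IdP configuration would produce.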