Configuring Your Identity Provider (IdP)

IdP Requirements

To use SAML with Shares, you must already have an identity provider (IdP) that meets the following requirements:

  • Supports SAML 2.0.
  • Able to use an HTTP POST binding.
  • Able to connect to the same directory service that Shares uses.
  • Not configured to use pseudonyms.
  • Can return assertions to Shares that include the entire contents of the signing certificate.
  • If prompted, set to sign the SAML response. (Signing the SAML assertion is optional.)

IdP Metadata Formats

You must configure the following formats to set up your IdP to work with Shares:

Tag             Format
NameID Format   urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Entity ID       https://shares_ip/auth/saml/metadata/
Binding         urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Callback URL    https://shares_ip/auth/saml/callback

If the IdP is capable of reading SAML XML metadata for a service provider, you can upload a saved XML metadata file to configure the IdP. You can retrieve the XML metadata for an existing Shares configuration by going to https://server_ip/auth/saml/metadata and saving the output as an XML file.

SAML Assertion Requirements

Shares expects an assertion from an IdP to contain these elements:

Default Attribute       Shares User Field   Required
NameID / SAML_SUBJECT   Username            Yes, with the format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
email                   Email address       Yes
given_name              First name          Yes
surname                 Last name
member_of               SAML group          Necessary for SAML groups

Tip: All attributes other than NameID or SAML_SUBJECT can also use the urn:oasis:names:tc:SAML:2.0:attrname-format:basic format.

SAML Assertion Example

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="https://aspera.ibm-sample.com/auth/saml/callback" ID="_866852166a98ae2a855514761b870e64" InResponseTo="_6bba436a-54a6-4e4f-b109-97a6c6bd0349" IssueInstant="2021-09-15T21:48:51.268Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://shib-idp-01.dev.aspera.us/idp/shibboleth</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion ID="_a7d332169ef7ad5fd2967234ced2d736" IssueInstant="2021-09-15T21:48:51.268Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://shib-idp-01.dev.aspera.us/idp/shibboleth</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_a7d332169ef7ad5fd2967234ced2d736">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>2LMPPDFUKaQxIFK9JSoj3iMPWF0=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>a6ItMgcnDsqi8j8MMX2uaVMSoYGM2tbePomyFDn82alHkucZLTHlGQSIXn1+36bCb11WBuCz9WYAtHw2hve8dBLMJj3s9SmVtFAoZl80HB4ZWuTHH730ykvXTmGL01MNkId1ry9uRW+1TIT9BqLHaOq1Ep/SBlMJ+Ljzp8iT+9mi3DPBhP4uV8YPy/BYPQLdONPv9UBDz1FetBGov9BeNAfwrbo5Y/NY0gEJ1+Mgj+98V/gkJyotRTMDcX7tyIu2qXSSspIi5DiAv0/UtKZtAm96SKWFqsCdyd662SUTSekPCxT9obXfvW76eV2vUf9nLebD3IvpIRXPZ7NFgjsjKA==</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIDUDCCAjigAwIBAgIVANkYVO1LBB6MuViBihCDECq8XoAxMA0GCSqGSIb3DQEBBQUAMCQxIjAg
          BgNVBAMTGXNoaWItaWRwLTAxLmRldi5hc3BlcmEudXMwHhcNMTMxMTA2MjIzODAzWhcNMzMxMTA2
          MjIzODAzWjAkMSIwIAYDVQQDExlzaGliLWlkcC0wMS5kZXYuYXNwZXJhLnVzMIIBIjANBgkqhkiG
          9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkk7e5VrTJpcmeQTbNQXlgBTgpeWkkhx+8t4zpEh4UbQr8sXh
          so9GtDQjVhasWMfGPAO+Mlp112eXVvT8uQQMBh2Ce7qSx1aXl4ZsJw+mPfuRf6xIZDk5sVNfY801
          SxXbeVvPSGXN6lTPV7/0/dd4s+IMIeG6NfIdfpFbYa4F2QaJD28ergf3KELzHkrBWti55NH8Np49
          rk5Iq0fk56YR1KuETHI2pS3vvVIOJMwIhOvOrsNxHu0O6oohFmLM5k+yHQqur1Lk0mV9GFZnwFQC
          lwPcLKvJ6gTv8k4hUkI0fhWUVOENcleyyDc9acnMXCrnM424eW4QnKE1H8u8xO6DcwIDAQABo3kw
          dzBWBgNVHREETzBNghlzaGliLWlkcC0wMS5kZXYuYXNwZXJhLnVzhjBodHRwczovL3NoaWItaWRw
          LTAxLmRldi5hc3BlcmEudXMvaWRwL3NoaWJib2xldGgwHQYDVR0OBBYEFPZq25rft0WK+9WvL+Wl
          +W+knKH2MA0GCSqGSIb3DQEBBQUAA4IBAQAhCICuALkaLW1glDVtp8YuYB3FZqBn0Y3ekt/OUXIU
          uGwXDYhR8FdumXhGIGdUaPlQHd3MnZRIVougy7fS/Qyg8V/C8ALa5g7K/2sTOi/RtMjRQZK+vOlO
          oxneqotk4BPGp3an+m1pdnxjJvphL4kX/ZPuCcvkyzoDnelv/c+dE/+Yz6IzmL1j/drsxRL8etPc
          jpgGjIF4TDGTNDDhleOyLP3yN2aNPqEpF/Y8WOVhejrkux2YKwH6SQVKdSgodD6EVsUs13F1atvB
          BRRwBWgG2lFBnVRl01r3LOjH0VtFK/Hms3V3L9jE7ucR+qDbWNdPEmVwBY2aHr0EQU/NscQl</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="https://shib-idp-01.dev.aspera.us/idp/shibboleth" SPNameQualifier="https://aspera.ibm-sample.com/auth/saml/metadata">asperauser1</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData Address="10.41.48.51" InResponseTo="_6bba436a-54a6-4e4f-b109-97a6c6bd0349" NotOnOrAfter="2021-09-15T21:53:51.268Z" Recipient="https://aspera.ibm-sample.com/auth/saml/callback"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2021-09-15T21:48:51.268Z" NotOnOrAfter="2021-09-15T21:53:51.268Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://aspera.ibm-sample.com/auth/saml/metadata</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2021-09-15T21:47:24.365Z" SessionIndex="_4589689d46dd27161ff17e37c686db04">
      <saml2:SubjectLocality Address="10.41.48.51"/>
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="office" Name="office" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Emeryville</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="sn" Name="surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="company_name" Name="company_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Aspera SAML</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="email" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">aspera-sample-user@ibm.com</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="entryDN" Name="id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CN=aspera-sample-user,OU=IBMAspera,OU=Users,OU=IBM,DC=aspera,DC=ibm-sample,DC=com</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="givenName" Name="given_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">aspera</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="memberOf" Name="member_of" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CN=SAML,OU=IBMAspera,OU=Users,OU=IBM,DC=aspera,DC=ibm-sample,DC=com</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CN=SAML_group,OU=IBMAspera,OU=Users,OU=IBM,DC=aspera,DC=ibm-sample,DC=com</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
When passing in multiple attribute values (for example, member_of), make sure the SAML assertion follows this pattern, pulled from the example above:

<saml2:Attribute FriendlyName="memberOf" Name="member_of" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CN=SAML,OU=IBMAspera,OU=Users,OU=IBM,DC=aspera,DC=ibm-sample,DC=com</saml2:AttributeValue>
  <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CN=SAML_group,OU=IBMAspera,OU=Users,OU=IBM,DC=aspera,DC=ibm-sample,DC=com</saml2:AttributeValue>
</saml2:Attribute>
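The following is an added example, not code from the Shares documentation or product: a structural pre-check that an IdP's SAML Response satisfies the assertion requirements and the multi-valued attribute pattern described above (NameID in the unspecified format, embedded signing certificate, Audience equal to the Shares entity ID, required attributes present, every member_of value collected). The sample Response, the example.test hostnames and the placeholder certificate are constructed; the check deliberately does not verify the XML signature and is meant as a troubleshooting aid beside a SAML library that does.

```python
# Added example, not from the Shares documentation: a structural pre-check of an IdP's SAML
# Response against the rules above. It does NOT verify the XML signature; use it only as a
# debugging aid after a SAML library (or Shares itself) has validated the signature.
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol", "saml2": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
REQUIRED_ATTRS = ("email", "given_name")  # surname and member_of are optional per the table above
CERT_PATH = "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
# Constructed sample (placeholder certificate, example.test hostnames) shaped like the page's example.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml2:Assertion><ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIID...placeholder</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">asperauser1</saml2:NameID></saml2:Subject>
    <saml2:Conditions><saml2:AudienceRestriction><saml2:Audience>https://shares.example.test/auth/saml/metadata</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="email"><saml2:AttributeValue>user@example.test</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="given_name"><saml2:AttributeValue>aspera</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="member_of">
        <saml2:AttributeValue>CN=SAML,OU=Users,DC=example,DC=test</saml2:AttributeValue>
        <saml2:AttributeValue>CN=SAML_group,OU=Users,DC=example,DC=test</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

def parse_attributes(response_xml):
    # Name -> list of values, so a multi-valued member_of keeps every group it carries.
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
    return attrs

def check_assertion(response_xml, shares_entity_id):
    # Returns a list of problems; an empty list means every structural rule on this page is met.
    root = ET.fromstring(response_xml)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None: return ["no saml2:Assertion in the Response"]
    problems = []
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None or not (name_id.text or "").strip() or name_id.get("Format") != NAMEID_UNSPECIFIED:
        problems.append("NameID missing, empty, or not in the unspecified format")
    if assertion.find(CERT_PATH, NS) is None and root.find(CERT_PATH, NS) is None:
        problems.append("signing certificate not embedded in Signature/KeyInfo")  # Shares needs the whole cert
    audiences = [a.text for a in assertion.findall("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)]
    if shares_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include the Shares entity ID")
    attrs = parse_attributes(response_xml)
    problems += [f"required attribute {n} missing or empty" for n in REQUIRED_ATTRS if not any(v.strip() for v in attrs.get(n, []))]
    return problems
```

Point check_assertion at a real Response only after its signature has been verified, since an unsigned or tampered document will pass these structural checks just as easily as a genuine one.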