Configuring SAML with IdP initiated login

You can configure SAML with identity provider (IdP) initiated login so that users start the SAML single sign-on (SSO) flow from the IdP rather than from the product console.

You can configure SAML with IdP initiated login either from the product console or by using the IdP V3 API. Both methods are described in this topic.

Before you begin

To configure SAML with IdP initiated login, you must set the Relay State parameter on the IdP side to the URL to which users are redirected after successful authentication.

If the Relay State parameter is not configured on the IdP side, the following error is displayed on the login page:

500: The SAML login attempt failed. This failure could indicate that the SAML identity provider has been misconfigured. If this is an IDP initiated SAML provider, verify that the relay state parameter is set.

To resolve the issue, see SAML login fails when you configure SAML with IdP initiated login.

Configuring SAML with IdP initiated login using the product console

To configure SAML with IdP initiated login, complete the following steps:

  1. Log in to the console as an administrator.

  2. Click Administer > Identity providers in the navigation menu.

  3. Click Create Connection. Select SAML 2.0 as the protocol type and click Next. The New SAML Connection page is displayed.

  4. Select the Connection details tab on the New SAML Connection page and fill in the following parameters:

    • Name: A name for the SAML connection.

    • Description: Description of the SAML connection.

  5. Enable the Identity Provider initiated login toggle.

    Figure: SAML with IdP initiated login

  6. Enter the IdP SSO URL from the IdP side in the Identity provider initiated login section.

  7. Select the Token attribute-mapping tab. It contains the following options that you are required to fill in:

    • Subject
    • Given name
    • Family name
    • Groups
    • Email

    Note the following points:

    • If you do not specify the mapping, the Token attribute-mapping values are pre-defined. It is recommended to modify the default values according to the SAML claims issued by your IdP. The following default values are displayed if you do not specify the mapping values:

      • Subject : uid
      • Given name : firstName
      • Family name : lastName
      • Groups : blueGroups
      • Email : emailAddress

    • The uniqueSecurityName option is not supported from the product console. If uniqueSecurityName is required in the Token attribute mapping, see Different schema elements for IdP V3.

  8. Select the To identity provider tab. Click the Download metadata link to download the SAML 2.0 metadata. After you download the metadata, upload it to your identity provider to generate the identity provider metadata.

  9. Select the From identity provider tab. Upload the identity provider metadata *.xml file that is supplied by your identity provider.

  10. The SCIM configuration tab is enabled when you choose to configure SAML with a SCIM dependency. It contains the following fields:

    Figure: SCIM configuration

    Also, configure the SCIM attribute mapping for the user and group resources. By default, these fields are pre-defined as principalName for both the user and group attributes. It is recommended to modify the values based on the SCIM IdP configuration.

    Figure: SCIM attribute

  11. Click Create.
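The following Python script is an added example and is not code from the product or its console; it illustrates three pieces of the procedure above on constructed data: reading the identity provider metadata *.xml file that step 9 uploads (entityID, the HTTP-POST SSO URL, the signing certificate), applying the default Token attribute-mapping from step 7 to the attributes in a SAML assertion, and the "Before you begin" requirement that an IdP initiated login carries a Relay State. The metadata, assertion, host names and certificate value are all constructed for this example, and the host check in `check_relay_state` is an added defensive assumption, not a documented product setting.

```python
"""Added example: IdP metadata parsing, Token attribute-mapping and
Relay State checking for SAML with IdP initiated login.
All XML, URLs and names below are constructed; none come from a product."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Default Token attribute-mapping values listed in step 7 of the procedure.
DEFAULT_MAPPING = {
    "subject": "uid",
    "given_name": "firstName",
    "family_name": "lastName",
    "groups": "blueGroups",
    "email": "emailAddress",
}

# Constructed IdP metadata, shaped like the *.xml file uploaded in step 9.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-constructed-placeholder</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion fragment carrying the IdP's claims (AttributeStatement only).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="blueGroups">
      <saml:AttributeValue>admins</saml:AttributeValue>
      <saml:AttributeValue>developers</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="emailAddress"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_idp_metadata(xml_text):
    """Return the entityID, the HTTP-POST SSO URL (the IdP SSO URL of step 6)
    and whether the IdP publishes a signing certificate. Raises if any is missing."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    sso_url = None
    for svc in root.iterfind(".//md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_POST:
            sso_url = svc.get("Location")
    has_cert = False
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") == "signing" and kd.find(".//ds:X509Certificate", NS) is not None:
            has_cert = True
    if not entity_id or not sso_url or not has_cert:
        raise ValueError("incomplete identity provider metadata")
    return {"entity_id": entity_id, "sso_url": sso_url, "signing_cert": has_cert}


def map_token_attributes(assertion_xml, mapping=DEFAULT_MAPPING):
    """Apply the Token attribute-mapping: each console field is read from the
    SAML attribute whose Name equals the configured value for that field."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        claims[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    profile = {}
    for field, claim_name in mapping.items():
        values = claims.get(claim_name, [])
        # Groups is multi-valued; every other field takes the first value.
        profile[field] = values if field == "groups" else (values[0] if values else None)
    if profile["subject"] is None:
        raise ValueError("assertion has no claim for Subject mapping %r" % mapping["subject"])
    return profile


def check_relay_state(relay_state, console_host):
    """Reject an IdP initiated login without a Relay State, as the product does.
    The host comparison is an added assumption: it keeps the IdP-supplied
    redirect target on the console's own origin."""
    if not relay_state:
        return (False, "relay state parameter is not set")
    target = urlparse(relay_state)
    if target.scheme != "https" or target.netloc != console_host:
        return (False, "relay state does not point at the console")
    return (True, relay_state)


if __name__ == "__main__":
    print(parse_idp_metadata(SAMPLE_IDP_METADATA))
    print(map_token_attributes(SAMPLE_ASSERTION))
    print(check_relay_state("https://console.example.test/", "console.example.test"))
```

If you change the Token attribute-mapping in the console (for example, Subject to a claim name the IdP does not send), `map_token_attributes` raises on the missing Subject claim, which is the same mismatch that surfaces as a failed login in the product; comparing the attribute names in a captured assertion against the mapping is the quickest way to spot it.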

Configuring SAML with IdP initiated login using the IdP V3 API

Register the IdP V3 to configure SAML with IdP initiated login. For more information, see SAML with IdP initiated login.