Configuring SAML single sign-on in the identity provider
Use SAML single sign-on to allow applications to verify the identity of their users based on the authentication that is performed by Verify. Users are redirected to Verify to log in. Verify verifies the users' identities, sends the information to the service provider in a SAML assertion, and confirms with the service provider that the users are authorized to access and use the resource.
Before you begin
- You must have administrative permission to complete this task.
- Open at least two browser windows to complete the setup: one for the Verify administration console and the other for the administration console of the target application.
- Log in to the IBM® Security Verify administration console as an Administrator.
- Log in to the target application administration console with your Administrator account.
- You must set up the basic information for the application instance in the General tab. See Setting the basic application details.
About this task
Verify can act as a single sign-on identity provider or a service provider. In this task, Verify is the identity provider, and the target application is the service provider.
If you are using a Custom Application template, see Custom application before you proceed.
- Verify with certain data from the service provider.
- The service provider with certain data from Verify.
If the service provider signs its SAML authentication request, you must first add the signer certificate in the Managing certificates page. See Managing certificates.
If the service provider requires attributes in the SAML assertion other than the built-in attributes, add the required attribute sources in the Managing attributes page. See Managing attributes.
manageFederations and readFederations API entitlements.
- clockSkew
- The tolerance in seconds that is applied when the NotBefore and NotOnOrAfter values of the received SAML assertion are validated.
- messageValidTime
- The tolerance in seconds that is applied when the IssueInstant of the received SAML message is validated.
- skipTargetUrlValidation
- Indicates whether to skip target URL validation in SAML. The default value is false.
- allowedTargetUrls
- Indicates the allowed target URLs for SAML. The value of this configuration property is a String array. Each array element is a URL. The URL hostname supports wildcards, for example, *.ibmcloud.com. The value is empty by default.
- signatureAlgorithm
- For signing, the algorithm that digitally signs the SAML AuthnRequest message. Supported values are RSA-SHA1, RSA-SHA256, RSA-SHA512, ECDSA-SHA256, ECDSA-SHA384, and ECDSA-SHA512. When the value is empty, the default RSA-SHA256 is used.
- signingKeyLabel
- For signing, this certificate is used to sign the SAML AuthnRequest during single sign-on. The default selection refers to the default personal certificate that you configured in Security > Certificates > Personal Certificates.
- decryptionKeyLabel
- This certificate is used to decrypt the received SAML Response message if it contains encrypted elements during single sign-on. The default selection refers to the default personal certificate that you configured in Security > Certificates > Personal Certificates.
- assertionSettings.assertionValidAfter
- The tolerance in seconds that is added to NotOnOrAfter when the SAML assertion is issued.
- assertionSettings.assertionValidBefore
- The tolerance in seconds that is added to NotBefore
when the SAML assertion is issued.
- crlEnabled
- Checks the certificate revocation list. Checking is done for all functions that use an external certificate. If your configuration does not require CRL checking, you can disable it. For example, if you use an internal certificate authority (CA), you might want to disable CRL checking. The crlEnabled property defaults to true.
- keySelectionCriteria
- Specifies which key or certificate to use for signing, validating, encrypting, or decrypting various messages. If there are multiple keys or certificates with the same SubjectDN as the key or certificate with the specified alias, this setting determines which one to use. Use one of the following selection methods:
  - only.alias
  - Select the key or certificate with the specified alias. This method is the default.
  - longest.lifetime
  - For signing, a valid key with the longest available lifetime is used. For validation, keys that have the same SubjectDN are sorted based on lifetime availability. The keys are tried sequentially, starting with the key that has the longest lifetime availability, until validation is successful.
  - shortest.lifetime
  - For signing, a valid key with the shortest available lifetime is used. For validation, keys that have the same SubjectDN are sorted based on lifetime availability. The keys are tried sequentially, starting with the key that has the shortest lifetime availability, until validation is successful.
- Data type: String
- Example: only.alias
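As an added illustration (not IBM Verify's own code), the following Python shows how a relying party could apply clockSkew, messageValidTime, skipTargetUrlValidation and allowedTargetUrls from the property list above when validating an inbound SAML assertion. The configuration values and timestamps are constructed, and the exact matching rules Verify applies to hostname wildcards are assumed.

```python
import fnmatch
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample federation settings using the property names from this page.
FEDERATION_CONFIG = {
    "clockSkew": 60,           # seconds of tolerance on NotBefore / NotOnOrAfter
    "messageValidTime": 300,   # seconds of tolerance on the message IssueInstant
    "skipTargetUrlValidation": False,
    "allowedTargetUrls": ["https://*.ibmcloud.com", "https://portal.example.com"],
}

def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z, e.g. 2024-05-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion_times(conditions, now, cfg):
    """Validate <Conditions> NotBefore/NotOnOrAfter, widening both bounds by clockSkew."""
    skew = timedelta(seconds=cfg["clockSkew"])
    if now < parse_saml_time(conditions["NotBefore"]) - skew:
        return "rejected: assertion not yet valid"
    # NotOnOrAfter is exclusive: the assertion is already invalid at that exact instant.
    if now >= parse_saml_time(conditions["NotOnOrAfter"]) + skew:
        return "rejected: assertion expired"
    return "ok"

def check_message_time(issue_instant, now, cfg):
    """Reject a SAML message whose IssueInstant lies outside +/- messageValidTime."""
    window = timedelta(seconds=cfg["messageValidTime"])
    if abs(now - parse_saml_time(issue_instant)) > window:
        return "rejected: IssueInstant outside messageValidTime"
    return "ok"

def check_target_url(target, cfg):
    """Match scheme and hostname against allowedTargetUrls; the hostname may use * wildcards."""
    if cfg["skipTargetUrlValidation"]:
        return "ok: validation skipped"   # every target is accepted when this is true
    t = urlsplit(target)
    for allowed in cfg["allowedTargetUrls"]:
        a = urlsplit(allowed)
        # fnmatchcase: "*" in the pattern hostname matches any label sequence, e.g. portal.ibmcloud.com
        host_ok = fnmatch.fnmatchcase(t.hostname or "", a.hostname or "")
        if t.scheme == a.scheme and host_ok:
            return "ok"
    return "rejected: target URL not allowed"
```

A rejected result from any of the three checks should be logged with the assertion ID and issuer so that replayed or mis-addressed assertions are visible in the audit trail.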
Procedure
What to do next
- Provide the service provider with the information about Verify that is necessary to complete the SAML single sign-on configuration between Verify and the service provider. See the instructions that are provided in the user interface.
If the SAML application is configured with the Default personal certificate as the Signing certificate, you can download the SAML metadata from Verify at https://{tenantName}/v1.0/saml/federations/saml20ip/metadata. If the SAML application is configured with a non-default personal certificate with label {actualKeyLabel} as the Signing certificate, you can download the SAML metadata from https://{tenantName}/v1.0/saml/federations/saml20ip/metadata?keyLabel={actualKeyLabel}.
- Add user or group entitlements to permit access to the configured applications. See Managing application entitlements (by administrator or application owner).
- Enforce two-factor authentication for added security control on users when they sign on to the configured applications. See Configuring authentication factors.