Adding a SAML Enterprise identity provider

You can use any identity provider that supports the SAML protocol as a SAML Enterprise identity provider. The identity provider authenticates the user identity against data in this identity provider before it grants access to Verify.

Procedure

  1. Select Authentication > Identity providers.
  2. Select Add identity provider.
  3. Select SAML Enterprise.
  4. On the General page, provide the following information.
    Name
    Provide a recognizable name for your identity provider.
    Realm

    It is an identity provider attribute that helps distinguish users from multiple identity providers that have the same username.

    It must be a unique name across all other configured identity sources in your subscription. The name can contain any alphanumeric characters. Special characters are not allowed except for dot (.) and hyphen (-).

    The maximum allowed string length is 253, similar to the maximum length of a domain name.
    Note: You cannot edit the name after you create it.
    ID
    The ID is created after you save the configuration.
    Enabled
    Select this checkbox to use this identity provider for signing in.

    Indicates whether the identity provider is active and available.

    When the identity provider is configured and enabled, users can single sign-on to Verify and into their entitled applications with the selected identity provider. If the identity provider is not enabled, it is not displayed as an option in the Sign In page.
    Note:
    • There must be at least one identity provider that is enabled to sign in to Verify.
    • If only one identity provider is enabled, it becomes the default sign-in option for the user.
  5. Select Next.
  6. Select the radio button to indicate whether the service provider or the identity provider initiates the SAML single sign-on flow.
    • Service provider
    • Identity provider
      In this scenario:
      1. The user has an account at the identity provider site.
      2. The user signs in to the identity provider site or uses the identity provider single sign-on URL to access the protected resource from the service provider.
      3. The identity provider initiates a SAML authentication response that asserts that the user is authenticated.
      4. The service provider validates the SAML authentication response.
      5. The user's browser is redirected to the service provider target URL and the user is authorized to access the requested resource.
  7. If you selected Identity provider, you must provide the SSO URL.

    It is the URL that initiates the single sign-on from the identity provider to the service provider.

  8. Upload the *.xml file that contains the SAML provider metadata.
    The name of the Selected File is displayed.
  9. Select Next.
  10. Provide the identity provider with the following service provider metadata properties. You can either copy the information or download the metadata file.
    Entity ID
    Specifies the issuer in the SAML authentication request and the audience of any inbound SAML authentication response.
    Assertion Consumer Service URL

    Specifies the endpoint at the service provider that receives the SAML authentication response.

    The identity provider redirects the SAML authentication response to this URL. This endpoint receives and processes the SAML assertion.

    Single Logout URL

    Specifies the endpoint at the service provider that receives the SAML logout request and response.

    The identity provider redirects the SAML logout request and response to this URL. This endpoint receives and processes the SAML logout request and response.

  11. Select Next.
  12. Optional: On the Single Logout page, specify whether the incoming logout request and response messages require signature.
    • If the incoming logout request message requires a signature, select Validate logout request signature.
    • If the incoming logout response message requires a signature, select Validate logout response signature.
    Note:
    • If the identity provider metadata file that you uploaded includes the SingleLogoutService element with an HTTP POST binding, the single logout is enabled for this identity provider.
    • The URL for service provider-initiated single logout looks like following: https://<tenant-Host>/saml/sps/saml20sp/saml20/sloinitial?RequestBinding=HTTPPost.
    • If the SAML identity provider in the current session does not respond to a logout request that is sent from Verify, the single logout stops at that identity provider. To resume the single logout, the user must perform the single logout again.
  13. Optional: On the Identity linking page, specify whether to enable identity linking.
    Turns on identity linking for a specific identity provider. Shadow accounts are not created in Cloud Directory at the realm that was specified for this identity provider.
    Note:
    1. You cannot enable linking on the identity provider that is set as your default identity provider.
    2. You cannot disable or delete your default linking identity provider.
    1. Select the Enable identity linking for this identity provider checkbox.
      If you enable identity linking, select the unique identifier that you want to use for the accounts.
    2. Select Enable just-in-time provisioning.
      This option is available only if you enable identity linking. It creates and updates the user account in the primary identity provider realm that is associated with the SAML identity.
    3. Specify an attribute that identifies users from the identity provider user registry from the External ID menu or a custom External ID.
      The default value is userID.
    4. Select a transformation value to transform the External ID value or leave the default value as None.
  14. Select Next.
  15. Optional: On the Attribute mapping page, map attributes from the SAML Enterprise identity provider to IBM® Security Verify Cloud Directory.
    Note: If you do not make a selection, the Attribute mapping that is specified in the Global settings is applied. Otherwise, the Attribute mapping that is specified in the SAML Enterprise identity provider overrides the selection in the Global settings. For more information on Global settings, see Configuring Global settings.
    1. Select Add attribute mapping.
    2. Specify a SAML Enterprise identity provider attribute by using one of the following options:
      1. Select from the following list of available options:
        Attribute Name Description
        company Company of the user.
        country Country of the user.
        displayName Display name of the user.
        email Email address of the user where notification is sent.
        family_name Surname of the user.
        given_name Given name of the user.
        mobile_number Mobile number of the user where notification is sent.
        userID Unique identifier of the user.
        Custom rule Custom SAML Enterprise identity provider attribute. If you select Custom rule, enter a custom rule in the rule editor and click OK to save.
      2. Enter an attribute name in the Select an attribute field. This is an attribute name that is not available in the list of options.
    3. Select a transformation value to transform the SAML Enterprise identity provider attribute or leave the default value as None.
      Attribute Name Description
      Uppercase Transforms attribute to uppercase.
      Lowercase Transforms attribute to lowercase.
      Base64 Encode Transforms attribute using base64 encoding algorithm.
      Base64 Decode Transforms attribute using base64 decoding algorithm.
      Encode URI Transforms attribute using encode URI method.
      Encode URI Component Transforms attribute using encode URI component method.
      Decode URI Transforms attribute using decode URI method.
      Decode URI Component Transforms attribute using decode URI component method.
      Generate UUID if no value is evaluated Transforms attribute to generate universally unique identifiers.
      Current Time (seconds) Transforms attribute to time in seconds.
      Current Time (milliseconds) Transforms attribute to time in milliseconds.
      SHA-256 Hash Transforms attribute using SHA-256 algorithm.
      SHA-512 Hash Transforms attribute using SHA-512 algorithm.
    4. Specify an IBM Security Verify attribute. For more information on attributes, see Managing attributes.
      Note: Avoid selecting from the following reserved built-in attributes as they are not mapped with the identity provider attributes.
      • groupIds
      • preferred_username
      • realmName
      • tenantId
      • uid
    5. Specify how the attribute is stored in the user profile.
      • Always - Store or update the attribute at each login.
      • On user creation only - Store the attribute once at account creation.
      • Disable - Never store or update the attribute.
    6. Repeat the process for each attribute that you map.
  16. Optional: Select one of the following from the Group membership source menu to specify the source for the user access permissions groups.
    • Cloud Directory - User access permissions are derived from the user groups in the Cloud Directory.
    • Cloud Directory and Identity provider - User access permissions are derived from the user groups in the Cloud Directory and the identity source token, which includes the groupIds claim.
    • Identity provider - User access permissions are derived from the identity source token, which includes the groupIds claim.
      Note: You do not get any group membership permissions if the identity source token does not contain the groupIds claim.
    • Custom rule - If you select Custom rule, enter a custom rule in the rule editor and click OK to save. User access permissions are derived based on the custom rule.
    Note: If you do not make a selection, the Group membership source that is selected in the Global settings is applied. Otherwise, the Group membership source that is selected in the SAML Enterprise identity provider overrides the selection in the Global settings.
  17. Optional: If you created privacy profiles, select a profile from the menu.
    Privacy profiles require users in this directory to review and consent to a set of data usage purposes, or end-user license agreements (EULAs), or both. See Managing privacy profiles.
  18. Select Done.