Adding a SAML Enterprise identity provider

You can use any identity provider that supports the SAML protocol as a SAML Enterprise identity provider. The identity provider authenticates the user identity against data in this identity provider before it grants access to Verify.

About this task

Procedure

  1. Select Authentication > Identity providers.
  2. Select SAML Enterprise.
  3. On the General page, provide the following information.
    Name
    Realm

    The realm is an identity source attribute that distinguishes users from different identity providers who have the same username.

    The realm must be unique across all other configured identity sources in your subscription. The name can contain any alphanumeric characters. Special characters are not allowed except for dot (.) and hyphen (-).

    The maximum allowed string length is 253, similar to the maximum length of a domain name.
    Note: You cannot edit the name after you create it.
    ID
    The ID is created after you save the configuration.
    Enabled
    Select this checkbox to use this identity provider for signing in.

    Indicates whether the identity provider is active and available.

    When the identity provider is configured and enabled, users can single sign-on to Verify and into their entitled applications with the selected identity provider. If the identity provider is not enabled, it is not displayed as an option in the Sign In page.
    Note:
    • There must be at least one identity provider that is enabled to sign in to Verify.
    • If only one identity provider is enabled, it becomes the default sign-in option for the user.
  4. Select Next.
  5. Select the radio button to indicate whether the service provider or the identity provider initiates the SAML single sign-on flow.
    • Service provider
    • Identity provider
      In this scenario:
      1. The user has an account at the identity provider site.
      2. The user signs in to the identity provider site or uses the identity provider single sign-on URL to access the protected resource from the service provider.
      3. The identity provider initiates a SAML authentication response that asserts that the user is authenticated.
      4. The service provider validates the SAML authentication response.
      5. The user's browser is redirected to the service provider target URL and the user is authorized to access the requested resource.
  6. If you selected Identity provider, you must provide the SSO URL.

    The SSO URL is the URL at the identity provider that initiates the single sign-on from the identity provider to the service provider.

  7. Upload the *.xml file that contains the SAML provider metadata.
    The name of the Selected File is displayed.
  8. Select Next.
  9. Provide the identity provider with the following service provider metadata properties. You can either copy the information or download the metadata file.
    Entity ID
    Specifies the issuer in the SAML authentication request and the audience of any inbound SAML authentication response.
    Assertion Consumer Service URL

    Specifies the endpoint at the service provider that receives the SAML authentication response.

    The identity provider redirects the SAML authentication response to this URL. This endpoint receives and processes the SAML assertion.

    Single Logout URL

    Specifies the endpoint at the service provider that receives the SAML logout request and response.

    The identity provider redirects the SAML logout request and response to this URL. This endpoint receives and processes the SAML logout request and response.

  10. Select Next.
  11. Optional: On the Single Logout page, specify whether the incoming logout request and response messages require signature.
    • If the incoming logout request message requires a signature, select Validate logout request signature.
    • If the incoming logout response message requires a signature, select Validate logout response signature.
    Note:
    • If the identity provider metadata file that you uploaded includes the SingleLogoutService element with an HTTP POST binding, the single logout is enabled for this identity provider.
    • The URL for service provider-initiated single logout looks like the following: https://<tenant-Host>/saml/sps/saml20sp/sloinitial?RequestBinding=HTTPPost.
    • If the SAML identity provider in the current session does not respond to a logout request that is sent from Verify, the single logout stops at that identity provider. To resume the single logout, the user must perform the single logout again.
  12. Optional: On the Identity linking page, specify whether to enable identity linking.
    Turns on identity linking for a specific identity provider. Shadow accounts are not created in Cloud Directory at the realm that was specified for this identity provider.
    Note:
    1. You cannot enable linking on the identity provider that is set as your default identity provider.
    2. You cannot disable or delete your default linking identity provider.
    1. Select the Enable identity linking for this identity provider checkbox.
      If you enable identity linking, select the unique identifier that you want to use for the accounts.
    2. Select Enable just-in-time provisioning.
      This option is available only if you enable identity linking. It creates and updates the user account in the primary identity provider realm that is associated with the SAML identity.
  13. Select Next.
  14. Optional: If you created privacy profiles, select a profile from the menu.
    Privacy profiles require users in this directory to review and consent to a set of data usage purposes, or end-user license agreements (EULAs), or both. See Managing privacy profiles.
  15. Select Done.