Configuring SAML Users Onboarding Configurations
About this task
This use case starts when you want to configure SAML settings and ends when you have completed the configuration.
Before you begin:
- You have enabled the SAML feature.
- You have the API Administrator privilege.
To configure SAML settings:
- Click the menu options icon from the title bar and click Administration.
- Select SAML.
- Click the Signature tab.
- Enable the following fields, if required:
- Enforce signing of assertions. Turn on to specify that the SAML assertions must be signed. If this is enabled, all assertions received by the application must be signed.
- Enforce signing of requests. Turn on to specify that the SAML authentication requests must be signed. If this field is enabled, all requests received by the application must be signed. Requests sent by the application are signed using the selected signature algorithm.
- Enforce signing of responses. Turn on to specify whether the SAML authentication response must be signed.
- Enforce signing of metadata. Turn on to specify whether the SAML metadata must be signed. If set, the service provider metadata file provided by the application is signed.
- Select the required Signature algorithm from the drop-down list.
- Click the Keystore tab.
- Click Browse and select the SAML keystore file.
- Provide the Alias name and Password required to access the keystore file in the corresponding fields.
- Select the type of keystore file to be used from the Type drop-down list.
- Click the Truststore tab.
- Click Browse and select the SAML truststore file.
- Provide the Alias name and Password required to access the truststore file in the corresponding fields.
- Select the type of truststore file to be used from the Type drop-down list.
- Click the User attributes tab.
- Provide the required values in the following fields:
- First name. Attribute name to be used for reading the first name from a SAML assertion.
- Last name. Attribute name to be used for reading the last name from a SAML assertion.
- E-mail address. Attribute name to be used for reading the email addresses from a SAML assertion.
- Telephone number. Attribute name to be used for reading the phone numbers from a SAML assertion.
- memberOf. Attribute that references the groups of a user.
- User-defined. List of attributes, separated by commas, to be imported as user-defined attributes of the user.
- Click the Advanced settings tab.
- Select Create user automatically.
A user is created automatically using the details received from the assertion.
- Provide information in the following fields:
- Login using DN. Specifies whether sign in must be tried using the fully qualified name instead of the user name. The name in the assertion is assigned as the distinguished name of the user being created.
- Decompose DN. Specifies whether the fully qualified name is to be decomposed. The name in the assertion is assigned as the distinguished name of the user being created only if the name is in an appropriate format.
- Keyword. Specifies which part of the fully qualified name is to be used for login.
- Authentication context comparison. Specifies the level of comparison that must be performed on the assertion context class against the authentication context. If this fails, the user is not authenticated.
- Name ID format. Specifies the format in which the user ID must be saved.
- Clock skew (in seconds). Specifies the time offset between identity provider and service provider, in seconds. Assertions are accepted if they are received within the permitted time frame.
- Assertion lifetime (in seconds). Specifies the maximum lifetime of a SAML assertion, in seconds.
- Assertion consumer service URL. Specifies the URL to which the identity provider must send the authentication response. The URL must be given in the format: http(s)://hostname/portal/rest/v1/saml/initsso
- Default tenant. Specifies the default tenant that is to be used for the SAML-based login.
- Click the Extensions tab.
This tab contains the settings for extracting user information from the assertion sent by your SAML service provider to Developer Portal.
- Turn the Read multiple values from assertion slider on to extract multiple values from the assertion.
- Turn the SAML assertion as a query string slider on to <<info required>>.
- Turn the Include roles slider on to <<info required>>.
- Turn the Enable assertion validation slider on to validate the incoming assertion before extracting the required values.
- Provide the names of the attributes from which the following values are to be extracted from the assertion:
- First name
- Last name
- E-mail address
- Role
- Sub-domains
- Click Save.
You have specified SAML configuration details. Users can sign up to Developer Portal using their SSO credentials.
- The service provider metadata required for the registration is generated dynamically after SAML configuration. You can download the metadata and use it to configure the identity provider. To download it, click Download Metadata on the Metadata tab.
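To show how the Clock skew, Assertion lifetime and User attributes settings (including Read multiple values from assertion) act on an incoming assertion, here is an added Python example; it is not part of the product or of this documentation. The attribute names, the timestamps and the assertion itself are constructed, and the acceptance logic is an assumption about how such a check works, not the product's implementation.

```python
# Added example (not the product's own code): checks an assertion's validity window
# against the configured "Clock skew" and "Assertion lifetime", then reads user
# attributes by the names given on the "User attributes" tab. All values are constructed.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names as they would be entered on the "User attributes" tab (assumed here).
ATTRIBUTE_MAP = {"first_name": "givenName", "last_name": "sn", "email": "mail", "groups": "memberOf"}

# Constructed assertion: issued at 12:00:00Z, valid for five minutes.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>developers</saml:AttributeValue>
      <saml:AttributeValue>api-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def assertion_is_current(xml, now, clock_skew, assertion_lifetime):
    """Accept only inside the Conditions window (widened by the clock skew) and within the lifetime."""
    root = ET.fromstring(xml)
    cond = root.find("saml:Conditions", NS)
    skew = timedelta(seconds=clock_skew)
    not_before = parse_time(cond.get("NotBefore")) - skew
    not_on_or_after = parse_time(cond.get("NotOnOrAfter")) + skew
    if not (not_before <= now < not_on_or_after):
        return False
    issued = parse_time(root.get("IssueInstant"))
    return now - issued <= timedelta(seconds=assertion_lifetime) + skew

def extract_user(xml, attribute_map, read_multiple=False):
    """Map attributes to user fields; memberOf keeps all values only when read_multiple is on."""
    root = ET.fromstring(xml)
    values = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        vals = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        if not vals:
            continue
        values[attr.get("Name")] = vals if read_multiple else vals[0]
    return {field: values.get(name) for field, name in attribute_map.items()}
```

With Read multiple values off, only the first memberOf value reaches the user record, so group-based access decisions silently lose the remaining groups; turning it on returns all of them.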