IdP: The Identity Provider, which is the system that handles authentication.
SP: The Service Provider, which is the SD Elements server/service in this situation.
SD Elements Support: Contact email@example.com
Set up SAML SSO on the IdP
Your SAML admin teams can use the following guidelines to set up SAML SSO on the IdP side:
- Set up a new application that uses IdP-initiated SAML 2.0 with the HTTP POST binding.
- SD Elements only supports IdP-initiated sign-on and the POST binding at this time.
- You can use any IdP Entity ID of your choice.
- Some products/providers have the IdP Entity ID fixed, and some allow it to be customized. Either is valid.
- Take note of the IdP's Entity ID.
- You can use the email address or any other value here.
- Configure the following attributes in the assertion:
- [required] "email": the user's email address (normally called "mail" in AD-backed setups)
- [optional] "firstname": the user's given name (normally called "givenName" in AD-backed setups)
- [optional] "lastname": the user's surname (normally called "sn" in AD-backed setups)
- In SaaS setups, pass this information to SD Elements Support so that they can use it to set up the SP side.
Set up SAML SSO on your SP (SD Elements)
- Pass the IdP Entity ID and the IdP certificate to SD Elements Support.
- The Entity ID must be a valid URL, as the application only supports URLs as Entity IDs.
Earlier than version 4.6
- You can configure SAML by visiting the Single-Sign On page under the System (gear icon).
- From the Single-Sign On page, select the SAML toggle and fill in the Identity Provider Entity ID field.
- The Identity Provider Single Sign-On Service (HTTP POST Binding) field is not used and can be ignored.
- The login and logout URLs are optional and can be set to the URLs provided by your IdP.
Version 4.6 or later
- The Identity Provider Single Sign-On Service (HTTP POST Binding) field has been removed.
- The Identity Provider Entity ID text field has been replaced with an upload field for an IdP metadata file.
- Only valid XML files that follow the SAML 2.0 schema are accepted.
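Before uploading an IdP metadata file (or sending the Entity ID and certificate to Support for a SaaS setup), it is worth confirming that the file is really SAML 2.0 IdP metadata, that its Entity ID is a URL, and that it publishes a signing certificate and an HTTP-POST sign-on endpoint. The following script is an added example written for this article, not SD Elements code; the metadata document, entity ID and hostnames in it are constructed, and the certificate value is a tiny placeholder DER blob rather than a real X.509 certificate.

```python
"""Sanity checks for an IdP metadata file before it is uploaded to the SP."""
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the base64 DER certificate an IdP publishes:
# a minimal DER SEQUENCE, not a real certificate (assumption for the demo).
PLACEHOLDER_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

# Constructed sample metadata; hostnames are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_entity_id(metadata_xml):
    """The entityID attribute of the root EntityDescriptor (empty if absent)."""
    return ET.fromstring(metadata_xml).get("entityID", "")


def validate_idp_metadata(metadata_xml):
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    try:
        root = ET.fromstring(metadata_xml)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"root element {root.tag} is not a SAML 2.0 metadata EntityDescriptor"]

    # SD Elements only accepts URLs as Entity IDs, so a URN-style ID must be caught here.
    entity_id = root.get("entityID", "")
    parsed = urlparse(entity_id)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        problems.append(f"entityID {entity_id!r} is not a URL; only URL Entity IDs are accepted")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor element: this is not IdP metadata"]

    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing_certs = 0
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            raw = "".join((cert.text or "").split())
            try:
                der = base64.b64decode(raw, validate=True)
            except binascii.Error:
                problems.append("X509Certificate is not valid base64")
                continue
            if not der or der[0] != 0x30:
                problems.append("X509Certificate does not decode to a DER SEQUENCE")
                continue
            signing_certs += 1
    if signing_certs == 0:
        problems.append("no usable signing certificate; the SP cannot verify assertion signatures")

    # SD Elements only supports the POST binding, so a Redirect-only IdP will not work.
    bindings = [s.get("Binding") for s in idp.findall("md:SingleSignOnService", NS)]
    if HTTP_POST not in bindings:
        problems.append(f"no SingleSignOnService with the HTTP-POST binding (found {bindings})")
    return problems


if __name__ == "__main__":
    print(idp_entity_id(SAMPLE_METADATA))
    print(validate_idp_metadata(SAMPLE_METADATA))  # [] for the constructed sample
```

Run it against the exported metadata file with `validate_idp_metadata(open(path).read())`; any message returned is something to fix on the IdP side before involving Support. The script does not check the metadata's own XML signature, which a production SP verifies separately.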
Note: Make sure that the server's clock is in sync, that it uses the UTC time zone, and that the NTP server named in the ntpd.conf file is reachable.
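The attribute names from the IdP section ("email", "firstname", "lastname") and the clock-sync note above both come together when the SP processes an IdP-initiated response: the SP reads the attributes out of the assertion, checks that the Issuer is the configured IdP Entity ID, and enforces the assertion's NotBefore/NotOnOrAfter window, which is exactly what a skewed or non-UTC clock breaks. The script below is an added example written for this article, not SD Elements code; the SAML Response, the user, the hostnames and the 60-second skew allowance are constructed, and the sample is unsigned, whereas a real SP verifies the XML signature against the IdP certificate before trusting anything in it.

```python
"""Check an IdP-initiated SAML Response the way an SP would, before trusting its attributes."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUIRED_ATTRS = ("email",)              # attribute names from the IdP setup list
OPTIONAL_ATTRS = ("firstname", "lastname")
EXPECTED_IDP_ENTITY_ID = "https://idp.example.com/metadata"  # constructed value

# Constructed, unsigned sample response (a real one carries an XML Signature
# that must be verified against the IdP certificate before any of this runs).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """SAML timestamps are UTC with a trailing 'Z'; return a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_attributes(response_xml):
    """Return {attribute name: first value} from the assertion's AttributeStatement."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text:
            attrs[attr.get("Name")] = value.text.strip()
    return attrs


def check_response(response_xml, expected_issuer, now=None, skew=timedelta(seconds=60)):
    """Return a list of problems; an empty list means the response passed every check.

    `now` may be an aware datetime or a SAML-style UTC timestamp string."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_saml_time(now)
    problems = []
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")

    # Both Issuer elements must be exactly the IdP Entity ID configured on the SP.
    for issuer in root.findall(".//saml:Issuer", NS):
        if (issuer.text or "").strip() != expected_issuer:
            problems.append(f"Issuer {issuer.text!r} does not match the configured IdP Entity ID")

    attrs = extract_attributes(response_xml)
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append(f"required attribute {name!r} is missing from the assertion")

    # Conditions are why the SP clock must be in sync and in UTC: a skewed clock
    # makes every otherwise valid assertion look expired or not yet valid.
    cond = root.find(".//saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions element")
    else:
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_before and now + skew < parse_saml_time(not_before):
            problems.append(f"assertion not yet valid (NotBefore={not_before})")
        if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
            problems.append(f"assertion expired (NotOnOrAfter={not_on_or_after})")
    return problems


if __name__ == "__main__":
    print(extract_attributes(SAMPLE_RESPONSE))
    print(check_response(SAMPLE_RESPONSE, EXPECTED_IDP_ENTITY_ID, now="2024-01-01T00:01:00Z"))
```

The five-minute Conditions window in the sample is typical of what IdPs issue, which is why a clock that is a few minutes off, or one set to local time while reporting UTC, produces sign-on failures that look like an IdP problem but are fixed by NTP.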
Additional SP steps for OSD deployments
You will need a certificate for the SP to pass to the IdP during the SAML transaction.
- This can be either a CA-issued certificate or a self-signed one.
- If you are bringing your own certificate, it must be in PEM format.
In either case, place the certificate and its corresponding key in the /docs/sde/saml2 directory. The certificate and key should be named "server.crt" and "server.key" respectively.
If you do not have a CA-signed certificate and need to generate a self-signed one instead, copy the script attached to this article to your SDE instance and run it as the sde_admin user with the command "bash samlcert.sh".
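A quick way to confirm that the files placed in the directory above are what the SP expects (PEM format, the right names, a key that actually belongs to the certificate, and a key that is not readable by other accounts) is the check script below. It is an added example written for this article, not the attached samlcert.sh and not SD Elements code; the directory and file names come from the text above, while the 0600 permission expectation and the treatment of passphrase-protected keys are assumptions made for the check.

```python
"""Check the SP certificate pair an OSD deployment places in /docs/sde/saml2."""
import os
import re
import ssl
import stat

SAML_DIR = "/docs/sde/saml2"                 # directory named in the article
CERT_NAME, KEY_NAME = "server.crt", "server.key"
KEY_HEADER = re.compile(r"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")


def check_pem_texts(cert_text, key_text):
    """Format checks on the file contents alone (no key/certificate matching)."""
    problems = []
    try:
        # Raises ValueError when the PEM armour is missing or the base64 body is broken.
        ssl.PEM_cert_to_DER_cert(cert_text.strip())
    except ValueError as exc:
        problems.append(f"{CERT_NAME} is not a PEM certificate: {exc}")
    match = KEY_HEADER.search(key_text)
    if not match:
        problems.append(f"{KEY_NAME} is not a PEM private key (DER or PKCS#12 will not work here)")
    elif "ENCRYPTED" in match.group(0):
        # Assumption: an unattended SP cannot supply a passphrase, so flag it.
        problems.append(f"{KEY_NAME} is passphrase-protected and cannot be loaded unattended")
    return problems


def check_sp_cert_pair(directory=SAML_DIR):
    """Return a list of problems with the server.crt/server.key pair in `directory`."""
    problems = []
    cert_path = os.path.join(directory, CERT_NAME)
    key_path = os.path.join(directory, KEY_NAME)
    for path in (cert_path, key_path):
        if not os.path.isfile(path):
            problems.append(f"missing file: {path}")
    if problems:
        return problems

    # Read as bytes so a DER (binary) file produces a clear message, not a decode crash.
    with open(cert_path, "rb") as f:
        cert_text = f.read().decode("ascii", "replace")
    with open(key_path, "rb") as f:
        key_text = f.read().decode("ascii", "replace")
    problems += check_pem_texts(cert_text, key_text)

    # Private key hygiene: nobody but the owner should be able to read it (assumed 0600).
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & 0o077:
        problems.append(f"{KEY_NAME} has mode {mode:04o}; it is readable by group/others, use 0600")
    if problems:
        return problems

    # load_cert_chain fails when the key does not belong to the certificate.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(cert_path, key_path)
    except ssl.SSLError as exc:
        problems.append(f"certificate and key do not load as a pair: {exc}")
    return problems


if __name__ == "__main__":
    for problem in check_sp_cert_pair() or ["OK: certificate pair looks usable"]:
        print(problem)
```

Run it as the sde_admin user after copying the files into place; an empty result means the pair loads as a matching PEM certificate and key with sane permissions.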