
SAML SSO Integration Guide: Generic IdP


Terminology

IdP: The Identity Provider, which is the system that handles authentication.

SP: The Service Provider, which is the SD Elements server/service in this situation.

SD Elements Support: Contact support@sdelements.com


Set up SAML SSO on the IdP

Your SAML admin teams can use the following guidelines to set up SAML SSO on the IdP side:

  1. You need to set up a new app with IdP-initiated SAML 2.0 POST binding.
    • SD Elements only supports IdP-initiated sign-on and the POST binding at this time.
  2. You can use any IdP EntityID of your choice.
    • Some products/providers have the IdP EntityID fixed, and some allow it to be customized. Either is valid.
    • Take note of the IdP's Entity ID.
  3. The SP EntityID is: "https://<your-sd-elements-domain>/sso/saml2/metadata/"
  4. The URL to which SAML messages are POSTed on the SP side, called the Assertion Consumer Service (ACS), is "https://<your-sd-elements-domain>/sso/saml2/acs/"
  5. The SP does not use SAML_SUBJECT (our application uses attributes instead).
    • You can just use email or any other value in there.
  6. Set up the following attribute map using AttrNameFormat "basic" ("urn:oasis:names:tc:SAML:2.0:attrname-format:basic"):
    • [required] "email" > User’s email (normally called "mail" in AD backed setups)
    • [optional] "firstname" > User’s Given Name (normally called "givenName" in AD backed setups)
    • [optional] "lastname" > User’s Surname (normally called "sn" in AD backed setups)
  7. Ensure that requests (SAML Assertions) are signed.
  8. Save the IdP's certificate file.
    • In SaaS setups, pass this to SD Elements support so that they can use it to set up the SP side.


Set up SAML SSO on your SP (SD Elements)

SaaS Customers

  1. Pass the IdP EntityID and the IdP certificate to SD Elements support.
    • This must be a valid URL, as the application only supports URLs as Entity IDs.
  2. SD Elements support will set up the server in SAML mode.
  3. You can also provide the IdP metadata file to SD Elements support.

OSD Customers

Earlier than version 4.6

  1. You can configure SAML by visiting the Single-Sign On page under the System (gear icon).
  2. From the Single-Sign On page, select the SAML toggle and fill in the Identity Provider Entity ID field.
    • The Identity Provider Single Sign-On Service (HTTP POST Binding) field is not used and can be ignored.
    • The login and logout URL are optional and can be set to the URLs provided by your IdP.

Version 4.6 or later

  • The Identity Provider Single Sign-On Service (HTTP POST Binding) field has been removed.
  • The Identity Provider Entity ID text field has been replaced with an upload field for an IdP metadata file.
    • Only valid XML files that follow the SAML 2.0 metadata schema are accepted.

Note: Make sure that the server clock is synchronized, that the time zone is set to UTC, and that the NTP server listed in the ntpd.conf file is reachable. SAML assertions are only valid within a short time window, so clock skew causes logins to be rejected.
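An added example (not SD Elements code) showing what the SP checks against the values configured above: the audience must equal the SP EntityID from step 3, the NotBefore/NotOnOrAfter window is why the time-sync note matters, and only "basic"-format attributes from the step 6 map are read. The domain, the constructed assertion and the IdP issuer are placeholders; verifying the XML signature with the IdP certificate from step 8 is assumed to have happened before this step.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
SP_ENTITY_ID = "https://sde.example.com/sso/saml2/metadata/"  # placeholder domain

# Constructed sample assertion, shaped like the attribute map in step 6.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sde.example.com/sso/saml2/metadata/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="firstname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_time(s):
    """SAML timestamps are UTC ('Z'); the SP clock must be UTC-synced to compare them."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate(xml_text, sp_entity_id, now):
    """Return (problems, attrs). Assumes the assertion signature was already
    verified against the IdP certificate; this only checks the mapped values."""
    problems, attrs = [], {}
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    elif not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        problems.append("outside validity window (check NTP sync and UTC)")
    audiences = [a.text for a in root.iterfind("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("audience does not match SP entity ID")
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("NameFormat") == BASIC:  # only the "basic" name format from step 6 is mapped
            attrs[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=NS)
    if not attrs.get("email"):
        problems.append("required attribute 'email' missing")
    return problems, attrs
```

Running `validate(SAMPLE, SP_ENTITY_ID, parse_time("2024-01-01T12:30:00Z"))` reports the expired window, which is the symptom you see when the SP clock drifts from the IdP's.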


Additional SP steps for OSD deployments

You will need a certificate for the SP to pass to the IdP during the SAML transaction.

  • This can either be a CA-issued certificate or a self-signed one.
  • If you are bringing your own certificate, it must be in PEM format.

In either case, place the certificate and its corresponding private key in the /docs/sde/saml2 directory. The certificate and key should be named "server.crt" and "server.key" respectively.

If you do not have a CA-signed certificate and need to generate a self-signed one instead, you can copy the script attached to this article to your SDE instance and run it as the sde_admin user with the command "bash samlcert.sh".
