Wiki source code of SAML 2.0
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | {{content/}} | ||
| 2 | |||
| 3 | When adding a //SAML 2.0// identity provider (e.g. //Shibboleth 2.0//) the parameters listed below can be configured. | ||
| 4 | |||
| 5 | == Base settings == | ||
| 6 | |||
| 7 | {{figure image="saml_base_settings_en.png" clear="h1"}}Basic settings for the configuration of the SAML 2.0 identity provider.{{/figure}} | ||
| 8 | |||
| 9 | === Name === | ||
| 10 | |||
| 11 | Name of the identity provider in {{formcycle/}}. | ||
| 12 | |||
| 13 | === Different name on form login button === | ||
| 14 | |||
| 15 | If a form has been configured to offer several authentication options, a dialog will be displayed when opening the form in which an authentication type has to be selected. The text content that should be on the button for this identity provider can be configured here. | ||
| 16 | |||
| 17 | If nothing is entered here, the name entered under //Name// is used. | ||
| 18 | |||
| 19 | === Alias for callback URL (UUID) === | ||
| 20 | |||
| 21 | Unique identifier that is used when the identity provider returns to {{formcycle/}}. This value is generated automatically, but can be changed if necessary. | ||
| 22 | |||
| 23 | === Callback URL === | ||
| 24 | |||
| 25 | The URL which is used when returning from the identity provider to {{formcycle/}} is shown here and can be copied to the clipboard by clicking the copy icon to the right of the URL. | ||
| 26 | |||
| 27 | == Initially visible buttons == | ||
| 28 | |||
| 29 | Below the base settings there are initially 3 buttons whose functions are intended to help with the configuration of the Facebook identity provider. | ||
| 30 | |||
| 31 | === Send email to provider === | ||
| 32 | |||
| 33 | Opens the e-mail program set up in the system with a pre-formulated request regarding the information required for the configuration of the identity provider in {{formcycle/}}. | ||
| 34 | |||
| 35 | === Help === | ||
| 36 | |||
| 37 | Opens this help page in the browser. | ||
| 38 | |||
| 39 | === Add configuration === | ||
| 40 | |||
| 41 | If the required information has been provided by the identity provider, the area for the configuration of the identity provider can be opened by clicking on this button. Afterwards the area //configuration// which is described below opens. | ||
| 42 | |||
| 43 | {{figure image="saml_configuration_en.png" clear="h2"}}Configuration options for an SAML 2.0 identity provider.{{/figure}} | ||
| 44 | == Configuration == | ||
| 45 | |||
| 46 | * **Upload configuration**: Pressing this button opens a file selection dialog, with which the configuration file supplied by the Identity Provider can be selected. By confirming the selection in the dialog, the file is uploaded. | ||
| 47 | |||
| 48 | * **//FileName.xml//**: After a configuration file has been uploaded and the configuration was saved, it is possible to download the file here. The download is started by clicking on the file name or the {{ficon name="download-circle-outline"/}} symbol. | ||
| 49 | |||
| 50 | === Mapping to user attributes === | ||
| 51 | |||
| 52 | By clicking on //Mapping to user attributes// the configuration fields for mapping individual attributes can be made visible. SAML attributes can be configured for the following data. In each case, the name of the //saml:attributes// node must be specified. | ||
| 53 | |||
| 54 | * **Given name (firstname)**: first name of the user | ||
| 55 | * **Last name (familyName)**: Last name of the user | ||
| 56 | * **Display name (displayName)**: Display name of the user | ||
| 57 | * **Username (userName)**: User name of the user | ||
| 58 | * **Email (mail)**: Email address of the user | ||
| 59 | * **Language (locale)**: Language of the user | ||
| 60 | * **Location (location)**: Location of the user | ||
| 61 | * **Picture url (pictureUrl)**: Picture URL of the user | ||
| 62 | * **Profile url (profileUrl)**: Profile URL of the user | ||
| 63 | |||
| 64 | {{id name="keystore" /}} | ||
| 65 | === Manage keystore === | ||
| 66 | |||
| 67 | By clicking on //Manage keystore// the settings for the keystore become visible. There are the following two buttons: | ||
| 68 | |||
| 69 | * **Create new keystore**: Creates a new keystore with a new key pair | ||
| 70 | * **Update keystore file**: Opens a file selection dialog with which an existing keystore can be selected and uploaded. | ||
| 71 | |||
| 72 | After uploading your own keystore, the following input fields also appear: | ||
| 73 | * **Keystore password**: Password of the keystore | ||
| 74 | * **Keypair password**: Password of the key pair | ||
| 75 | |||
| 76 | {{info}}Own keystores must be Java keystores of type JKS, which contain a corresponding 2048-bit RSA key pair. Such a keystore can be generated, for example, with the utility program keytool for a certificate lifetime of approximately 10 years (3650 days) using the following command: {{code language="none"}}keytool -genkeypair -alias ihr-alias -keypass ihr-passwort -keystore samlKeystore.jks -storepass ihr-passwort -keyalg RSA -keysize 2048 -validity 3650{{/code}}{{/info}} | ||
| 77 | |||
| 78 | {{figure image="saml_extended_settings_en.png" clear="h2"}}Extended settings for configuring an SAML 2.0 identity provider.{{/figure}} | ||
| 79 | === Extended settings === | ||
| 80 | |||
| 81 | With a click on //Extended settings// further parameters for the connection with the Identity Provider can be configured. | ||
| 82 | |||
| 83 | ==== Service provider entity ID ==== | ||
| 84 | |||
| 85 | Optional ID for identification against the Identity Provider. | ||
| 86 | |||
| 87 | ==== Force authentication ==== | ||
| 88 | |||
| 89 | Specifies whether a user should be forced to log in even if a valid session is still present. | ||
| 90 | |||
| 91 | ==== Passive authentication ==== | ||
| 92 | |||
| 93 | Specifies whether an authentication without interaction with the user should be tried. | ||
| 94 | |||
| 95 | ==== User name qualifier ==== | ||
| 96 | |||
| 97 | Specifies whether the authentication request should also send the //NameQualifier//. This is not required by the SAML standard, but for some identity providers it is necessary. | ||
| 98 | |||
| 99 | ==== Authentication request signed ==== | ||
| 100 | |||
| 101 | Specifies whether the authentication request should be digitally signed. | ||
| 102 | |||
| 103 | ==== Logout request signed ==== | ||
| 104 | |||
| 105 | Specifies whether the logout request should be digitally signed. | ||
| 106 | |||
| 107 | ==== Wants assertions signed ==== | ||
| 108 | |||
| 109 | Specifies whether the SAML statements (assertions) are requested to be digitally signed. | ||
| 110 | |||
| 111 | ==== Wants response signed ==== | ||
| 112 | |||
| 113 | Specifies whether the SAML responses should be digitally signed. | ||
| 114 | |||
| 115 | ==== Max. authentication lifetime (seconds) ==== | ||
| 116 | |||
| 117 | Maximum duration of an exisitng login to the identity provider. The default value is {{code language="none"}}3600{{/code}} seconds. | ||
| 118 | |||
| 119 | ==== Max. clock skew (seconds) ==== | ||
| 120 | |||
| 121 | Maximum allowed difference in system clock times between the {{fcserver/}} and the identity provider. The default value is {{code language="none"}}300{{/code}} seconds. | ||
| 122 | |||
| 123 | ==== Assertion consumer service index ==== | ||
| 124 | |||
| 125 | Specifies the index of the Assertion Consuming Service to be used in the login request. The default value is {{code language="none"}}-1{{/code}}, which is the default of the identity provider. | ||
| 126 | |||
| 127 | ==== Attribute consumer service index ==== | ||
| 128 | |||
| 129 | Specifies the index of the attribute consuming services which should be used for the authentication request. The default value is {{code language="none"}}-1{{/code}}, which is the default of the identity provider. | ||
| 130 | |||
| 131 | ==== Authentication request binding type ==== | ||
| 132 | |||
| 133 | Specifies the transmission type with which {{formcycle/}} requests a login to the identity provider. | ||
| 134 | |||
| 135 | ==== Response binding type ==== | ||
| 136 | |||
| 137 | Specifies the transmission type with which the identity provider responds to a {{formcycle/}} login. | ||
| 138 | |||
| 139 | ==== Logout request binding type ==== | ||
| 140 | |||
| 141 | Specifies the transmission type with which {{formcycle/}} requests a logoff from identity provider. | ||
| 142 | |||
| 143 | ==== Logout response binding type ==== | ||
| 144 | |||
| 145 | Specifies the transmission type with which the identity provider responds to a logoff from {{formcycle/}}. | ||
| 146 | |||
| 147 | ==== Signature canonicalization algorithm ==== | ||
| 148 | |||
| 149 | Specifies the algorithm to be used to convert the signed request into a standardized XML form. {{code language="none"}}http://www.w3.org/2001/10/xml-exc-c14n#{{/code}} is used by default. | ||
| 150 | |||
| 151 | ==== Black listed signature signing algorithms ==== | ||
| 152 | |||
| 153 | Algorithms that are forbidden for signing. | ||
| 154 | |||
| 155 | ==== Signature algorithms ==== | ||
| 156 | |||
| 157 | Algorithms allowed for signing. | ||
| 158 | |||
| 159 | ==== Signature reference digest methods ==== | ||
| 160 | |||
| 161 | Specifies the hash algorithms that are allowed when signing the SAML statements (assertions). |