SAML 2.0

Content [ Hide ]

When adding a SAML 2.0 identity provider (e.g. Shibboleth 2.0) the parameters listed below can be configured.

Base settings

Basic settings for the configuration of the SAML 2.0 identity provider.

Name

Name of the identity provider in Xima® Formcycle.

Different name on form login button

If a form has been configured to offer several authentication options, a dialog will be displayed when opening the form in which an authentication type has to be selected. The text content that should be on the button for this identity provider can be configured here. 

If nothing is entered here, the name entered under Name is used.

Alias for callback URL (UUID)

Unique identifier that is used when the identity provider returns to Xima® Formcycle. This value is generated automatically, but can be changed if necessary.

Callback URL

URLs for each Xima® Formcycle-Server (master server as well as frontend servers) which can be used when returning from the identity provider to Xima® Formcycle. Each URL can be copied to the clipboard by clicking the copy icon to the right of the URL.

Initially visible buttons

Below the base settings there are initially 3 buttons whose functions are intended to help with the configuration of the Facebook identity provider.

Send email to provider

Opens the e-mail program set up in the system with a pre-formulated request regarding the information required for the configuration of the identity provider in Xima® Formcycle

Help

Opens this help page in the browser.

Add configuration

If the required information has been provided by the identity provider, the area for the configuration of the identity provider can be opened by clicking on this button. Afterwards the area configuration which is described below opens.

Configuration options for an SAML 2.0 identity provider.

Configuration

  • Upload configuration: Pressing this button opens a file selection dialog, with which the configuration file supplied by the Identity Provider can be selected. By confirming the selection in the dialog, the file is uploaded.
  • FileName.xml: After a configuration file has been uploaded and the configuration was saved, it is possible to download the file here. The download is started by clicking on the file name or the symbol.

Mapping to user attributes

By clicking on Mapping to user attributes the configuration fields for mapping individual attributes can be made visible. SAML attributes can be configured for the following data. In each case, the name of the saml:attributes node must be specified.

  • Given name (firstname): first name of the user
  • Last name (familyName): Last name of the user
  • Display name (displayName): Display name of the user
  • Username (userName): User name of the user
  • Email (mail): Email address of the user
  • Language (locale): Language of the user
  • Location (location): Location of the user
  • Picture url (pictureUrl): Picture URL of the user
  • Profile url (profileUrl): Profile URL of the user

Manage keystore

By clicking on Manage keystore the settings for the keystore become visible. There are the following two buttons:

  • Create new keystore: Creates a new keystore with a new key pair
  • Update keystore file: Opens a file selection dialog with which an existing keystore can be selected and uploaded.

After uploading your own keystore, the following input fields also appear:

  • Keystore password: Password of the keystore
  • Keypair password: Password of the key pair

Own keystores must be Java keystores of type JKS, which contain a corresponding 2048-bit RSA key pair. Such a keystore can be generated, for example, with the utility program keytool for a certificate lifetime of approximately 10 years (3650 days) using the following command: keytool -genkeypair -alias ihr-alias -keypass ihr-passwort -keystore samlKeystore.jks -storepass ihr-passwort -keyalg RSA -keysize 2048 -validity 3650

Extended settings for configuring an SAML 2.0 identity provider.

Extended settings

With a click on Extended settings further parameters for the connection with the Identity Provider can be configured.

Service provider entity ID

Optional ID for identification against the Identity Provider.

Force authentication

Specifies whether a user should be forced to log in even if a valid session is still present.

Passive authentication

Specifies whether an authentication without interaction with the user should be tried.

User name qualifier

Specifies whether the authentication request should also send the NameQualifier. This is not required by the SAML standard, but for some identity providers it is necessary.

Authentication request signed

Specifies whether the authentication request should be digitally signed.

Logout request signed

Specifies whether the logout request should be digitally signed.

Wants assertions signed

Specifies whether the SAML statements (assertions) are requested to be digitally signed.

Wants response signed

Specifies whether the SAML responses should be digitally signed.

Max. authentication lifetime (seconds)

Maximum duration of an exisitng login to the identity provider. The default value is 3600 seconds.

Max. clock skew (seconds)

Maximum allowed difference in system clock times between the  Xima® Formcycle Server and the identity provider. The default value is 300 seconds.

Assertion consumer service index

Specifies the index of the Assertion Consuming Service to be used in the login request. The default value is -1, which is the default of the identity provider.

Attribute consumer service index

Specifies the index of the attribute consuming services which should be used for the authentication request. The default value is -1, which is the default of the identity provider.

Authentication request binding type

Specifies the transmission type with which Xima® Formcycle requests a login to the identity provider.

Response binding type

Specifies the transmission type with which the identity provider responds to a Xima® Formcycle login.

Logout request binding type

Specifies the transmission type with which Xima® Formcycle requests a logoff from identity provider.

Logout response binding type

Specifies the transmission type with which the identity provider responds to a logoff from Xima® Formcycle.

Signature canonicalization algorithm

Specifies the algorithm to be used to convert the signed request into a standardized XML form. http://www.w3.org/2001/10/xml-exc-c14n# is used by default.

Black listed signature signing algorithms

Algorithms that are forbidden for signing.

Signature algorithms

Algorithms allowed for signing.

Signature reference digest methods

Specifies the hash algorithms that are allowed when signing the SAML statements (assertions).

Download service provider metadata

By clicking on this button, the service metadata is generated as XML based on the previously specified settings and made available as a download.
This metadata can then be integrated directly into the respective identity provider.