Configuring the identity provider for a SAML SSO authentication service

To enable the system to verify the identity of requestors, configure the identity provider (IdP) for your SAML SSO authentication service. You configure the identity provider either by importing its SAML metadata (from a URL or a file) or by entering the values manually. Whichever way you do it, the values must match what the IdP actually publishes: the entity ID is what the system checks as the issuer of incoming assertions, and the verification certificate is what it uses to check their signatures.

Note: For the SAML ruleform, Global Resource Settings are supported. For more information, see Fields that support the Global Resource Settings syntax.
  1. Open the service from the navigation panel in Dev Studio by clicking Records > SysAdmin > Authentication Service and choosing a service from the instance list. On the SAML 2.0 tab, navigate to the Identity Provider (IdP) information section.
  2. If you are configuring the identity provider by importing the configuration, complete these steps:
    1. Click Import IdP metadata.
    2. Select the source of the metadata (via URL or via file), and then enter the URL or file path.
    3. Click Submit.
  3. If you are configuring the identity provider by entering values manually, complete these steps:
    1. In the Entity Identification (Issuer) field, enter the entity ID for the identity provider.
    2. In the Login (SSO) protocol binding list, select the binding that the IdP uses to deliver the SAML response to the service provider:
      • HTTP POST – SAML protocol messages are transmitted in an HTML form with base64-encoded content that the browser submits to the service provider. The message body passes through the browser, so it must be signed; it does not appear in URLs or web server access logs.
      • HTTP Artifact – Only a short reference called an artifact is transmitted through the browser; the service provider then retrieves the actual SAML message from the IdP over a direct back-channel (the Artifact Resolution Service). Select this binding if you do not want to expose the content of the SAML message to the browser or to intermediaries during the connection.
      • HTTP Redirect – SAML protocol messages are transmitted as URL query parameters (deflated and base64-encoded). Because the whole message sits in the URL, it can end up in browser history, proxy logs and server access logs, and URL length limits make this binding impractical for large signed responses.
    3. In the Login location field, enter the URL of the IdP's single sign-on service for the selected binding (in the IdP metadata, the Location attribute of the SingleSignOnService element with that Binding).
    4. In the Logout (SLO) protocol binding list, select the standard communication protocol that is supported for the response message: HTTP Redirect or SOAP.
    5. Optional: In the Logout location field, enter the URL of the IdP's single logout service (in the IdP metadata, the Location attribute of the SingleLogoutService element for the selected binding).
    6. If your Login (SSO) protocol binding is HTTP Artifact, then in the Artifact Resolution Service (ARS) location field, enter the URL that is used by the service provider to send the artifact resolve request to the Identity Provider. Otherwise, leave the field blank.
    7. In the Verification certificate section, click the Pencil icon to enter the certificate alias.
    8. In the CERTIFICATE STORE field, press the Down Arrow key and select the keystore that contains the IdP public key that is used for verifying the signature of the SAML assertion.
      Note:
      • If you imported IdP metadata, or if the CERTIFICATE STORE field is blank, the system creates a keystore instance and adds the IdP certificate to it. The system sets the alias of the entry in the keystore to the certificate's issuer name and sets the keystore password to rules. This keystore holds only the IdP's public certificate, so the fixed password does not protect a secret; however, that certificate is what every assertion signature is checked against, so control who can edit the keystore record and confirm the certificate's fingerprint against the one the IdP publishes.
      • If the CERTIFICATE STORE field is not blank and points to a valid keystore instance when you import the IdP metadata, the system adds the IdP certificate to the existing keystore instance and sets the alias of the entry to the certificate's issuer name.
    9. Click Submit.
    10. Optional: In the TLS/SSL truststore field, press the Down Arrow key and select the truststore record that contains the certificate needed to validate the IdP server's certificate during the TLS/SSL handshake.
      Note: Select a truststore record if you have provided an HTTPS Logout location or an HTTPS Artifact Resolution Service (ARS) location, and you have not added the IdP's TLS/SSL certificate (or its issuing CA certificate) to the truststore of the Java virtual machine. These are the connections that the system opens directly to the IdP, so an untrusted server certificate makes them fail.
  4. Click Save.
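The manual steps above map one to one onto elements of the IdP's SAML 2.0 metadata document. The following Python script is an added example, not code from the product or from this page; it uses only the standard library to pull the entity ID, the SSO and SLO endpoints per binding, the Artifact Resolution Service location and the signing certificate out of a metadata file, then produces the exact values to enter (or to compare against what Import IdP metadata produced) and flags the conditions the form cannot check for you: an HTTP Artifact selection with no ARS published, and non-HTTPS endpoints. The metadata document is constructed for this example, and the certificate body is a placeholder string rather than a real X.509 certificate. The SHA-256 fingerprint it prints is what you compare with the fingerprint the IdP operator gives you out of band.

```python
"""
Extract the values that the "Identity Provider (IdP) information" section asks
for from a SAML 2.0 IdP metadata document (standard library only).
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Standard SAML binding URIs mapped to the option names shown in the form.
SSO_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact": "HTTP Artifact",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP Redirect",
}
SLO_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:SOAP": "SOAP",
}

# Constructed sample metadata. The X509Certificate body is a placeholder
# (base64 of an ASCII string), not a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJUSUZJQ0FURQ==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.test/saml/ars"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_idp_settings(metadata_xml: str) -> dict:
    """Parse IdP metadata and return the raw values the form asks for."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("expected an md:EntityDescriptor at the root")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    # Signing certificate: KeyDescriptor use="signing", or no use attribute
    # (which means the key serves both signing and encryption).
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is not None and node.text:
            cert_b64 = "".join(node.text.split())   # drop line breaks/indent
            break
    if cert_b64 is None:
        raise ValueError("no signing certificate: assertion signatures could not be verified")
    cert_der = base64.b64decode(cert_b64, validate=True)
    fingerprint = ":".join(f"{b:02X}" for b in hashlib.sha256(cert_der).digest())

    def endpoints(tag, binding_map):
        # Keep only bindings the form offers, in the order the IdP lists them.
        return [(binding_map[e.get("Binding", "")], e.get("Location"))
                for e in idp.findall(tag, NS)
                if e.get("Binding", "") in binding_map and e.get("Location")]

    ars = idp.find("md:ArtifactResolutionService", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso": endpoints("md:SingleSignOnService", SSO_BINDINGS),
        "slo": endpoints("md:SingleLogoutService", SLO_BINDINGS),
        "ars_location": ars.get("Location") if ars is not None else None,
        "certificate_der": cert_der,
        "certificate_sha256": fingerprint,
    }


def form_values(settings: dict, sso_binding: str) -> dict:
    """Values for steps 3.1 to 3.8 for the chosen Login (SSO) binding, plus warnings."""
    sso = dict(settings["sso"])
    if sso_binding not in sso:
        raise ValueError(f"IdP metadata does not offer the {sso_binding} binding for SSO")
    slo_binding, slo_location = settings["slo"][0] if settings["slo"] else (None, None)
    values = {
        "Entity Identification (Issuer)": settings["entity_id"],
        "Login (SSO) protocol binding": sso_binding,
        "Login location": sso[sso_binding],
        "Logout (SLO) protocol binding": slo_binding,
        "Logout location": slo_location,
        # Step 6: ARS location only applies to HTTP Artifact; otherwise leave blank.
        "Artifact Resolution Service (ARS) location":
            settings["ars_location"] if sso_binding == "HTTP Artifact" else None,
        "Verification certificate SHA-256": settings["certificate_sha256"],
    }
    warnings = []
    if sso_binding == "HTTP Artifact" and not settings["ars_location"]:
        warnings.append("HTTP Artifact selected but the IdP publishes no ArtifactResolutionService")
    for field in ("Login location", "Logout location", "Artifact Resolution Service (ARS) location"):
        loc = values[field]
        if loc and not loc.lower().startswith("https://"):
            warnings.append(f"{field} is not https: {loc}")
    # Logout and ARS are direct server-to-server calls: if they are https and
    # the IdP's certificate chain is not in the JVM truststore, set step 10's
    # TLS/SSL truststore field.
    values["warnings"] = warnings
    return values


if __name__ == "__main__":
    for k, v in form_values(extract_idp_settings(SAMPLE_METADATA), "HTTP POST").items():
        print(f"{k}: {v}")
```

Run it against the IdP's real metadata by replacing SAMPLE_METADATA with the file contents; any warning it prints is something to resolve before you click Save, and the fingerprint line is the value to confirm with the IdP operator before trusting the certificate that Import IdP metadata placed in the keystore.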
What to do next: Mapping operator information for a SAML SSO authentication service