Step by Step guide to setup On-Premise IDP

4.3.1 SAML

Configure Single Sign On (SSO) Settings for SAML Apps :

  • Login as a customer from Admin Console.
  • Go to Apps >> Manage Apps . Click Configure Apps button.
  • Click on SAML tab. Select App and click on Add App button.

  • SP Entity ID is used to identify your app against the SAML request received from SP. Make sure the SP Entity ID or Issuer is in this format: https://www.domain-name.com/a/[domain_name]/acs.
  • ACS URL or Assertion Consumer Service URL defines where the SAML Assertion should be sent after authentication. Make sure the ACS URL is in the format: https://www.domain-name.com/a/[domain_name]/acs.
  • Single Logout URL defines where the user should be redirected after receiving the logout request from SP. You can mention your applications logout page URL here. Make sure the Single Logout URL is in the format: https://mail.domain-name.com/a/out/tld/?logout.
  • Audience URI , as the name suggests, specifies the valid audience for SAML Assertion. It is usually same as SP Entity ID. If Audience URI is not specified separately by SP , leave it blank.
  • NameID defines what SP is expecting in subject element of SAML Assertion. Generally NameID is Username of Email Address
  • NameID Format defines the format of subject element content, i.e. NameID.
    For example, Email Address NameID Format defines that the NameID is  in the form of an email address, specifically “addr-spec”. An addr-spec has the form local-part@domain, has no phrase (such as a common name) before it, has no comment (text surrounded in parentheses) after it, and is not surrounded by “<” and “>”.
    If NameID Format is not externally specified by SP, leave it unspecified.
  • You can Add Attributes to be sent in SAML Assertion to SP. The attributes include user’s profile attributes such as first name, last name, fullname, username,email, custom profile attributes and user groups,etc.
  • Click on Save to configure Apps.SAML Apps Configuration

 

  • Select a Group Name from the dropdown – the group which should have access to the SAML SSO using this app.
  • Give a policy name for Custom App in Policy Name.
  • Select the First Factor Type for authentication like Password, Mobile etc.
  • Enable Second Factor for authentication if required.
  • Click on Save button to add policy for Apps (Single Sign On).

  • Click on Metadata to set miniOrage as IDP (Identity Provider).
  • You can set miniOrange as IDP using following information :
IdP Entity ID or Issuer  https://<mycompany.domain-name.com>/<customer-id>
SAML Login URL https://<mycompany.domain-name.com>/idp/samlsso
SAML Logout URL https://<mycompany.domain-name.com>/idp/samllogout
Broker Service Login URL https://<mycompany.domain-name.com>/broker/login/saml_login
Broker Service Logout URL https://<mycompany.domain-name.com>/broker/login/saml_logout
X.509 Certificate X.509 certificate is enclosed in X509Certificate tag in IdP-Metadata XML file. (parent tag: KeyDescriptor use=”signing”)