Stages Documentation

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
72:integration:saml [2018/10/25 18:04] emr72:integration:saml [2024/02/15 00:00] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== Configure SAML Authentication ====== ====== Configure SAML Authentication ======
 +
 +[[:general:secadv-2019-01|Before you configure SAML, please assure you adhere to Security Advisory 2019-01]].
  
 SAML stands for Security Assertion Markup Language. It is a current standard for authenticating users in a distributed system. SAML stands for Security Assertion Markup Language. It is a current standard for authenticating users in a distributed system.
Line 40: Line 42:
         <service-provider         <service-provider
                         providerId="<yourStagesURL>"                         providerId="<yourStagesURL>"
-                        signatureKeyAlias="samlkeyalias" +                        signatureKeyAlias="samlkeyalias"> 
-       >+
         </service-provider>         </service-provider>
  
Line 61: Line 63:
  
   * EntityIdfromMetadata   * EntityIdfromMetadata
 +
   * SingleSignOnServiceLocationFromMetadata   * SingleSignOnServiceLocationFromMetadata
 +
   * DisplayName (alternative: FirstName, LastName)   * DisplayName (alternative: FirstName, LastName)
 +
   * EMailAddress   * EMailAddress
  
Line 76: Line 81:
                         nameIdPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"                         nameIdPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                         userFullnameTemplate="%firstname% %lastname%"                         userFullnameTemplate="%firstname% %lastname%"
-                >+      > 
 +            <!-- userFullnameTemplate is used to build the user's full name from multiple IDP attributes 
 +                 as defined below as <identity-provider-attribute name=.../>
 +                 In the example above the firstname and lastname attributes are concatenated speparated by a space. --> 
             <!-- hardcoded magic value that specifies the NameID from the SAML reply -->             <!-- hardcoded magic value that specifies the NameID from the SAML reply -->
             <identity-provider-attribute name="username" id="http://schemas.stages.methodpark.com/saml/v2/identity/claims/subject" />             <identity-provider-attribute name="username" id="http://schemas.stages.methodpark.com/saml/v2/identity/claims/subject" />
Line 137: Line 146:
         <identity-provider providerId="STAGES"/>         <identity-provider providerId="STAGES"/>
 </authentication> </authentication>
 +
 </code> </code>
  
 After you configured the service provider and identity provider in ''config.xml'', update the configuration via "''stages update''" and restart the Stages service. After you configured the service provider and identity provider in ''config.xml'', update the configuration via "''stages update''" and restart the Stages service.
 +
  
 ===== Generate the SAML SP metadata ===== ===== Generate the SAML SP metadata =====
  
-After configuring the SAML SP, you can download the SAML SP metadata directly by navigating to the URL ''[[http://<yourstages|http://<yourstages]]>/rest/saml/metadata''+After configuring the SAML SP, you can download the SAML SP metadata directly by navigating to the URL ''[[http://<yourstages|http://<yourstages]]>/stages/rest/saml/metadata''
  
 The resulting XML file can be sent to the SAML IdP administrators and contains all information necessary to set up the trust relationship on the IdP side. After the SAML IdP has been configured with the SP metadata, users will be able to authenticate successfully with Stages through the SAML IdP. The resulting XML file can be sent to the SAML IdP administrators and contains all information necessary to set up the trust relationship on the IdP side. After the SAML IdP has been configured with the SP metadata, users will be able to authenticate successfully with Stages through the SAML IdP.
 +
 +===== Configure the SAML Request Type =====
 +
 +The default binding type of the SAML Request is ''redirect''.
 +
 +Some IDPs do not work with that type and rather need a POST Request. This can only be found out on the IDP.
 +
 +This can be configured in the ''identity-provider''  section via
 +
 +<code>
 +sendBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 +</code>
  
 ===== Validated IdP Vendors ===== ===== Validated IdP Vendors =====
  
-The following IdP servers have been tested sucessfully with Stages SAML:+Stages SAML has successfully been deployed with the following IdP servers:
  
   * Cisco Central Web Authentication (CWA)   * Cisco Central Web Authentication (CWA)
 +
 +  * Oracle Access Manager (OAM)
 +
   * Shibboleth IdP   * Shibboleth IdP
 +
 +  * Active Directory Federation Services (ADFS)
  
 Please let us know if you were able to make Stages SAML work with your server and it is not on this list yet. Please let us know if you were able to make Stages SAML work with your server and it is not on this list yet.