Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
72:integration:saml [2019/08/28 12:00] emr72:integration:saml [2024/02/15 00:00] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== Configure SAML Authentication ====== ====== Configure SAML Authentication ======
 +
 +[[:general:secadv-2019-01|Before you configure SAML, please assure you adhere to Security Advisory 2019-01]].
  
 SAML stands for Security Assertion Markup Language. It is a current standard for authenticating users in a distributed system. SAML stands for Security Assertion Markup Language. It is a current standard for authenticating users in a distributed system.
Line 40: Line 42:
         <service-provider         <service-provider
                         providerId="<yourStagesURL>"                         providerId="<yourStagesURL>"
-                        signatureKeyAlias="samlkeyalias" +                        signatureKeyAlias="samlkeyalias"> 
-   >+
         </service-provider>         </service-provider>
  
Line 61: Line 63:
  
   * EntityIdfromMetadata   * EntityIdfromMetadata
 +
   * SingleSignOnServiceLocationFromMetadata   * SingleSignOnServiceLocationFromMetadata
 +
   * DisplayName (alternative: FirstName, LastName)   * DisplayName (alternative: FirstName, LastName)
 +
   * EMailAddress   * EMailAddress
  
Line 76: Line 81:
                         nameIdPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"                         nameIdPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                         userFullnameTemplate="%firstname% %lastname%"                         userFullnameTemplate="%firstname% %lastname%"
-            >+      > 
 +            <!-- userFullnameTemplate is used to build the user's full name from multiple IDP attributes 
 +                 as defined below as <identity-provider-attribute name=.../>
 +                 In the example above the firstname and lastname attributes are concatenated speparated by a space. --> 
             <!-- hardcoded magic value that specifies the NameID from the SAML reply -->             <!-- hardcoded magic value that specifies the NameID from the SAML reply -->
             <identity-provider-attribute name="username" id="http://schemas.stages.methodpark.com/saml/v2/identity/claims/subject" />             <identity-provider-attribute name="username" id="http://schemas.stages.methodpark.com/saml/v2/identity/claims/subject" />
Line 137: Line 146:
         <identity-provider providerId="STAGES"/>         <identity-provider providerId="STAGES"/>
 </authentication> </authentication>
 +
 </code> </code>
  
 After you configured the service provider and identity provider in ''config.xml'', update the configuration via "''stages update''" and restart the Stages service. After you configured the service provider and identity provider in ''config.xml'', update the configuration via "''stages update''" and restart the Stages service.
 +
  
 ===== Generate the SAML SP metadata ===== ===== Generate the SAML SP metadata =====
Line 158: Line 169:
 sendBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" sendBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 </code> </code>
 +
 ===== Validated IdP Vendors ===== ===== Validated IdP Vendors =====
  
Line 163: Line 175:
  
   * Cisco Central Web Authentication (CWA)   * Cisco Central Web Authentication (CWA)
 +
   * Oracle Access Manager (OAM)   * Oracle Access Manager (OAM)
 +
   * Shibboleth IdP   * Shibboleth IdP
 +
 +  * Active Directory Federation Services (ADFS)
  
 Please let us know if you were able to make Stages SAML work with your server and it is not on this list yet. Please let us know if you were able to make Stages SAML work with your server and it is not on this list yet.