Integration for Single Sign-On can integrate with SAML authenticators. The SAML SSO authenticator is designed to receive a SAML assertion message as an HTTP POST to the OnBase Web Client login page.
Integration for Single Sign-On currently supports Identity Provider-initiated SAML 2.0 only and does not support Relay State (it will not perform any HTTP redirects specified in the RelayState parameter).
When SAML is selected from the Authenticator drop-down list, the SAML SSO Properties dialog box is automatically displayed.
To configure single sign-on to use a SAML authenticator:
- Type the POST variable name for the SAML token in the SAML Token Name field.
- Type the full URL address to the Username Claim Type in the field provided.
- In the Clock Skew Used For Replay Detection In Minutes field, enter the number of minutes that the token date/time can be off from the current date/time and still be considered valid.
- Select Base64 Encoded if the SAML responses are base64 encoded, then select the format of the encoded token from the Encoding drop-down list.
- On the Trusted Users tab, enter the subject names of all certificates that are issued by trusted users. These values must match the subject names of the certificates.
  To manually enter a new name, click twice in the Trusted Issuers Certificate Subject Name column on a table row with an asterisk (*) in the left column, then type the name at the cursor.
  To edit an existing name, click twice on the name to change it.
  You can also enter subject names by clicking Add Trusted Issuer and selecting the certificates to add.
  The certificates available to choose from are based on the certificate store configured under the Certificate Configuration tab and are displayed in the Select Issuer Certificate dialog box.
- Click the Certificate Configuration tab to configure the certificate validation options.
- Select the Certificate Validation Mode from the drop-down list:
  - None: The certificate issuer is not validated. This option is not recommended in a production environment.
  - PeerTrust: The certificate issuer is validated if the issuer is in the TrustedPeople certificate store.
  - ChainTrust: The certificate issuer is validated if the issuer has a valid signature chain to a trusted root authority.
  - PeerOrChainTrust: The certificate issuer is validated if either the PeerTrust or the ChainTrust check succeeds.
- Select the Certificate Revocation Mode from the drop-down list:
  - NoCheck: The revocation status of the issuer certificate is not checked.
  - Online: The revocation status of the issuer certificate is checked against an online CRL (Certificate Revocation List).
  - Offline: The revocation status of the issuer certificate is checked against a cached CRL (Certificate Revocation List).
- Select the Certificate Store Location from the drop-down list:
  - LocalMachine: The certificate store is the machine-wide store on the local computer, not one belonging to a specific user.
  - CurrentUser: The certificate store is the store of the user currently logged in on the local machine.
- Select the name of the X.509 certificate store to use from the Certificate Store Name drop-down list.
- Click the Audience URI tab to configure the Audience URI verification.
- Select the Audience URI Verification Mode:
  - Never: The Audience URI is not checked.
  - Always: The Audience URI is always checked.
  - BearerKeyOnly: The Audience URI is checked only if the security token has a bearer-type key and contains no proof-of-possession keys.
- If Always or BearerKeyOnly is selected for the Audience URI Verification Mode, you must type the Allowed Audience URI in the field provided. This is the full URL to the OnBase Web Server login page (e.g., http://YourDomain/AppNet/Login.aspx).
- Click OK. The SAML SSO properties are saved.
Note:
To complete the full single sign-on configuration you must use the Single Sign On Config utility. See Deploying Integration for Single Sign-On.
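As an added illustration (not OnBase code), the following Python models the checks the settings above control, applied to a constructed, unsigned token posted as a base64-encoded variable: the trusted issuer subject name, the clock skew around the assertion's validity window, and the three Audience URI verification modes. The signer subject name, the placeholder issuer name and the timestamps are assumptions; XML-signature verification and the Username Claim Type mapping are assumed to happen elsewhere.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
TS = "%Y-%m-%dT%H:%M:%SZ"  # SAML timestamps are UTC

# The dialog's fields as a dict. Constructed values; the subject name is a placeholder.
SETTINGS = {"trusted_issuers": {"CN=idp.example.test"},     # Trusted Issuers tab
            "clock_skew": timedelta(minutes=5),             # Clock Skew ... In Minutes
            "audience_mode": "Always",                      # Never | Always | BearerKeyOnly
            "allowed_audience": "http://YourDomain/AppNet/Login.aspx",
            "base64_encoded": True}

def build_response(not_before, not_on_or_after, audience, method=BEARER):
    """Constructed, unsigned sample Response, base64-encoded like the POST variable."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
           f'<saml:Assertion><saml:Subject><saml:SubjectConfirmation Method="{method}"/>'
           f'</saml:Subject><saml:Conditions NotBefore="{not_before.strftime(TS)}" '
           f'NotOnOrAfter="{not_on_or_after.strftime(TS)}"><saml:AudienceRestriction>'
           f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
           f'</saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def check_assertion(post_value, signer_subject, settings, now):
    """Apply the dialog's checks to one POSTed token; return the list of failures. signer_subject
    is the signing certificate's subject name (verified by the XML-signature layer, out of scope)."""
    failures = []
    if signer_subject not in settings["trusted_issuers"]:
        failures.append("issuer certificate subject not in Trusted Issuers")
    raw = base64.b64decode(post_value) if settings["base64_encoded"] else post_value
    assertion = ET.fromstring(raw).find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    nb, na = (datetime.strptime(cond.get(a), TS).replace(tzinfo=timezone.utc)
              for a in ("NotBefore", "NotOnOrAfter"))
    skew = settings["clock_skew"]
    # Skew widens the window both ways; nothing past NotOnOrAfter + skew is accepted (bounds replay).
    if now + skew < nb or now - skew >= na:
        failures.append("token outside validity window (after clock skew)")
    methods = [sc.get("Method") for sc in assertion.iterfind(".//saml:SubjectConfirmation", NS)]
    bearer_only = bool(methods) and all(m == BEARER for m in methods)
    mode = settings["audience_mode"]
    if mode == "Always" or (mode == "BearerKeyOnly" and bearer_only):
        audiences = [a.text for a in cond.iterfind(".//saml:Audience", NS)]
        if settings["allowed_audience"] not in audiences:
            failures.append("Audience URI does not match Allowed Audience URI")
    return failures
```

Setting the mode to Never accepts a token for any audience, which is why the page recommends Always or BearerKeyOnly with the login page URL as the Allowed Audience URI.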