Manually Configuring a SAML2 Provider for Initial Use

Product: Identity and Access Management Services
Platform: Other
Release: 3.0

This section describes the steps required to manually configure a SAML2 provider when initially setting up a Hyland IdP server. For additional configuration and ongoing maintenance, see the Configuring the Hyland IdP Server chapter in this module reference guide.

To initially configure a SAML2 provider:

  1. First complete the main steps under Configuring the Hyland IdP Server for Use With Perceptive before attempting this procedure.
  2. Locate the provider block with the Type value of 3.
  3. Replace the entire Settings block with the following settings block:

    "Settings": {
      "IdentityProvider": "",
      "ExternalIdPMetadataLocation": "",
      "SecuritySettings": {
        "EncryptionCertificatePath": "",
        "SigningCertificatePath": "",
        "SigningAlgorithm": "",
        "WantAssertionsSigned": true,
        "MinimumIncomingSigningAlgorithm": ""
      },
      "BindingsSettings": {
        "AuthenticationRequestBinding": 2,
        "AssertionBinding": 4
      },
      "UserAttributeMapping": {
        "username": "",
        "email": "",
        "realName": "",
        "group": ""
      },
      "StripDomainFromUsername": false,
      "UserProvisioningEnabled": false
    }

    Note: Be sure to include the closing } when replacing the settings block.

  4. Update the values of the settings to match your environment:

    Setting / Description

    IdentityProvider
      Set this option to the unique identifier of the SAML IdP, usually formatted as a URL. It is also known as the Identity Provider Issuer or simply the Issuer.
      Note: The Identity Provider is the only authority from which the Hyland IdP server accepts SAML assertions.

    ExternalIdPMetadataLocation
      Set this option to the URL or UNC path used to access the metadata about the SAML provider.
      Tip: This should be a UNC path to a static file that contains the metadata. If a URL is used and the site is not accessible, authentication fails.

    SecuritySettings | EncryptionCertificatePath
      Set this option to the path of the certificate that parties other than the Hyland IdP service should use to encrypt messages sent to the Hyland IdP server.
      The path can also be a thumbprint in the format thumbprint:xxxx, where xxxx is the alphanumeric thumbprint value.
      Note: If the certificate is referenced by thumbprint, it must be stored in the Personal store under Local Computer.

    SecuritySettings | SigningCertificatePath
      Set this option to the path of the certificate used to sign the outbound messages of the authentication request.
      The path can also be a thumbprint in the format thumbprint:xxxx, where xxxx is the alphanumeric thumbprint value.
      Note: If the certificate is referenced by thumbprint, it must be stored in the Trusted Root Certification Authorities store under Local Computer.

    SecuritySettings | SigningAlgorithm
      Set this option to the URI of the signature algorithm used with the signing certificate. The available algorithms are RSA-SHA1, RSA-SHA256, RSA-SHA384 and RSA-SHA512. Enter only the URI of the chosen algorithm:
      • RSA-SHA1: http://www.w3.org/2000/09/xmldsig#rsa-sha1
      • RSA-SHA256: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
      • RSA-SHA384: http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
      • RSA-SHA512: http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
      Tip: RSA-SHA256 is recommended.

    SecuritySettings | WantAssertionsSigned
      Set this option to true.
      Note: Requiring signed assertions improves security; signing is recommended.

    SecuritySettings | MinimumIncomingSigningAlgorithm
      Set this option to the URI of the weakest signature algorithm the Hyland IdP server accepts on incoming signed messages. The available algorithms are RSA-SHA1, RSA-SHA256 and RSA-SHA512. Enter only the URI of the chosen algorithm:
      • RSA-SHA1: http://www.w3.org/2000/09/xmldsig#rsa-sha1
      • RSA-SHA256: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
      • RSA-SHA512: http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
      Tip: RSA-SHA256 is recommended.

    BindingsSettings | AuthenticationRequestBinding
      Set this to the whole number that identifies the binding used for authentication requests handled by the SAML server:
      • HTTP Redirect: 1
      • HTTP POST: 2
      • Artifact: 4
      This value specifies the binding of the request sent from the SAML server to the Hyland IdP server.

    BindingsSettings | AssertionBinding
      Set this to the whole number that identifies the binding used for assertions handled by the SAML server:
      • HTTP POST: 2
      • Artifact: 4
      This value specifies the binding of the assertion sent from the SAML server to the Hyland IdP server.

    UserAttributeMapping
      These settings are used to synchronize user attribute information. They identify where in the provider's responses the account details of the user logging in are found. The following attributes can be synchronized:
      • username: The URI of the claim type in the provider response that contains the user name of the user logging in. The specific value depends on the SAML assertion from the external provider.
        Tip: To determine the value, look at the Name attribute of the <saml2:Attribute> element in a sample SAML assertion generated by the external provider being used. For complete details on SAML and SAML assertions, see the SAML 2.0 documentation available from OASIS.
      • email: The URI of the claim type in the provider response that contains the email address of the user logging in.
      • realName: The URI of the claim type in the provider response that contains the real name of the user logging in.
      • group: The URI of the claim type in the provider response that contains the group membership of the user logging in.

    StripDomainFromUsername
      Set this option to true to remove the domain from the user name before it is passed for authentication.
      This setting controls whether the domain is automatically stripped from user names that arrive as either domain\username or username@domain. It is useful when the provider sends a full domain and user name but the authenticating system uses only the user name.

    UserProvisioningEnabled
      Set this option to false for Perceptive environments.

  5. Save and close the idpconfig.json file.
  6. Recycle the application pool of the Hyland IdP server for the changes to take effect.
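As an added example (not part of the original page and not Hyland's own tooling), the following Python check validates a filled-in Settings block against the constraints in the table above before the application pool is recycled: supported algorithm URIs, RSA-SHA1 left in either algorithm setting, WantAssertionsSigned, the binding codes, the thumbprint:xxxx format and a URL rather than a UNC path for the metadata location. The sample values, the fictional server and file paths, and the 40-hex-character thumbprint length are assumptions, not values from the page.

```python
import re

# Algorithm URIs from the configuration table; RSA-SHA1 is accepted by the product but weak.
SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SIGNING_ALGS = {SHA1} | {f"http://www.w3.org/2001/04/xmldsig-more#rsa-sha{n}" for n in (256, 384, 512)}
MIN_ALGS = SIGNING_ALGS - {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"}
AUTHN_BINDINGS, ASSERTION_BINDINGS = {1, 2, 4}, {2, 4}   # Redirect/POST/Artifact; POST/Artifact
THUMBPRINT = re.compile(r"^thumbprint:[0-9A-Fa-f]{40}$")  # Windows cert thumbprint: 40 hex chars
# Constructed sample Settings block (fictional IdP, fictional paths and thumbprint).
SAMPLE_SETTINGS = {
    "IdentityProvider": "https://idp.example.test/saml2",
    "ExternalIdPMetadataLocation": r"\\fileserver\saml\idp-metadata.xml",
    "SecuritySettings": {
        "EncryptionCertificatePath": "thumbprint:0123456789abcdef0123456789abcdef01234567",
        "SigningCertificatePath": r"C:\certs\sp-signing.pfx",
        "SigningAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
        "WantAssertionsSigned": True,
        "MinimumIncomingSigningAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    },
    "BindingsSettings": {"AuthenticationRequestBinding": 2, "AssertionBinding": 4},
    "UserAttributeMapping": {"username": "urn:example:claims:name", "email": "", "realName": "", "group": ""},
    "StripDomainFromUsername": False, "UserProvisioningEnabled": False,
}

def check_saml2_settings(s):
    """Return the list of problems found in a SAML2 provider Settings block (empty if clean)."""
    sec, bind, out = s["SecuritySettings"], s["BindingsSettings"], []
    if not s.get("IdentityProvider"):
        out.append("IdentityProvider is empty: no issuer is trusted, so every assertion is rejected")
    if s.get("ExternalIdPMetadataLocation", "").lower().startswith(("http://", "https://")):
        out.append("ExternalIdPMetadataLocation is a URL: logins fail whenever that site is unreachable")
    for key in ("EncryptionCertificatePath", "SigningCertificatePath"):
        val = sec.get(key, "")
        if val.lower().startswith("thumbprint:") and not THUMBPRINT.match(val):
            out.append(f"{key}: thumbprint reference is not 'thumbprint:' plus 40 hex characters")
    if sec.get("SigningAlgorithm") not in SIGNING_ALGS:
        out.append("SigningAlgorithm is not a supported algorithm URI")
    elif sec["SigningAlgorithm"] == SHA1:
        out.append("SigningAlgorithm is RSA-SHA1; RSA-SHA256 is recommended")
    if sec.get("MinimumIncomingSigningAlgorithm") not in MIN_ALGS:
        out.append("MinimumIncomingSigningAlgorithm is not a supported algorithm URI")
    elif sec["MinimumIncomingSigningAlgorithm"] == SHA1:
        out.append("MinimumIncomingSigningAlgorithm admits RSA-SHA1 signatures; raise it to RSA-SHA256")
    if sec.get("WantAssertionsSigned") is not True:
        out.append("WantAssertionsSigned must be true")
    if bind.get("AuthenticationRequestBinding") not in AUTHN_BINDINGS:
        out.append("AuthenticationRequestBinding must be 1 (Redirect), 2 (POST) or 4 (Artifact)")
    if bind.get("AssertionBinding") not in ASSERTION_BINDINGS:
        out.append("AssertionBinding must be 2 (POST) or 4 (Artifact)")
    return out
```

Load the Settings object of the Type 3 provider from idpconfig.json and pass it to check_saml2_settings; an empty list means the block satisfies every rule in the table.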