Configuring a SAML2 Provider - Identity and Access Management Services - 3.1 - 3.1 - Other - external

Identity and Access Management Services

Platform
Other
Product
Identity and Access Management Services
Release
3.1
License

This type of provider uses a SAML2 server to authenticate users and log them in.

Note:

Detailed instructions on how to configure a third-party SAML2 server, to correctly authenticate and return valid tokens for use with the Hyland IdP server, are beyond the scope of this documentation. Detailed instructions for configuring your SAML server are available from the developer of the software being used.

To configure the Hyland IdP server to use a SAML2 provider:

  1. Launch the Hyland IdP Administration client and log in (see Accessing the Hyland IdP Administration Client).
    Upon successfully logging in, the tenant, provider, client connection, and API resource information is displayed. In a wide display, the tenant information is in the left pane and the providers, client connections, and API resources configured for that tenant are listed in the right pane. In a narrow display, the tenant information is at the top of the page and the provider, client connection, and API resource information is below it.
  2. Click the Provider tab to view the providers currently configured for the tenant. The number of providers configured is displayed in parenthesis in the tab heading.
  3. If this is a new provider, click Add New at the upper right of the providers list.

    If you are configuring an existing provider, click its name in the list of providers.

    The Provider configuration page is displayed. It is divided into the Basic Settings and Protocol areas. In a wide display, the Basic Settings area is on the left. In a narrow display, the Basic Settings area is at the top of the page.

  4. Under Basic Settings, configure the following options.

    Option

    Description

    Name

    A unique name for the provider. This value is required and cannot contain any slashes (/ or \).

    User Attribute Mapping

    These settings are used to synchronize user attribute information.

    The schema definitions of the provider responses that contain the account declarations of the user logging in. The following attributes can be synchronized.

    • UserId: The unique user identifier received from the SAML provider. This can be configured to use the username if the username does not change over time. This attribute is required.

    • Username: The URI of the claim type in the provider response that contains the user name of the user logging in. The specific value depends on the SAML assertion from the external provider. This attribute is required.

      Tip:

      To determine the value, look at the Name attribute of the <saml2:Attribute> element in a sample SAML assertion generated from the external provider being used. For complete details on SAML and SAML assertions, see the SAML 2.0 documentation available from OASIS.

    • Email: The URI of the claim type in the provider response that contains the email address of the user logging in.

    • Real Name: The URI of the claim type in the provider response that contains the real name of the user logging in.

    • Group: The URI of the claim type in the provider response that contains the group membership of the user logging in.

    Strip domain from username

    Select this option to remove the domain from the user name before it is passed for authentication.

    This setting controls whether to automatically strip the domain from user names that are passed as either domain\username or username@domain. This is useful when providers use a full domain and user name but authenticating system only uses the user name.

    Enable User Provisioning

    Select this option to synchronize the user attributes defined in the User Attribute Mapping section when the user logs in.

    Note:

    User provisioning requires a SCIM Endpoint to be defined for the tenant. See Configuring the Tenant.

    User Provisioning Create Enabled

    Select this option to allow creating a new user in the tenant resource if the user logging in is not found.

    If this option is not selected and the user logging in is not found, that user is not logged in and an exception is returned.

    Note:

    User provisioning requires a SCIM Endpoint to be defined for the tenant. See Configuring the Tenant.

    User Provisioning Update Enabled

    Select this option to allow updating an existing user in the tenant resource if the user logging in is found.

    If this option is not selected, the incoming user information from the tenant is ignored and no updates are made to user information.

    Note:

    User provisioning requires a SCIM Endpoint to be defined for the tenant. See Configuring the Tenant.

  5. Under Protocol, select SAML2 from the Type drop-down list. The specific settings for SAML2 providers are displayed.
  6. In the External IdP Metadata section, provide external IdP metadata information from your third-party SAML provider by one of the following methods:
    • Click Upload Metadata file to upload the static SAML provider metatdata file, an XML file that contains the metadata information about the third-party SAML provider.
      Note:

      When information in the metadata file changes, an updated static metadata file must be uploaded for the SAML provider configuration to remain current.

    • Enter the URL or UNC path to a static file that contains the metadata information about the third-party SAML provider in the External IdP Metadata Location field and click Test. This should be a UNC path to a static file that contains the metadata information about the third-party SAML provider.
      Tip:

      For information on creating a metadata URL used by the SAML provider to access the metadata about the Hyland IdP server, see Creating a Metadata URL for SAML Providers.

    • If metadata information is already configured and new metadata information must be configured for this provider, click Reconfigure to remove the previously configured metadata information. Then, provide the new metadata information by using one the methods described in this step.
    Once the information is uploaded or if the provided site URL or UNC path is accessible, the information is auto-populated into the available fields in the Protocol area and the following non-editable fields are displayed:

    Setting

    Description

    Entity ID

    The unique identifier of the SAML IdP, usually formatted as a URL. It is also known as the Identity Provider Issuer or just Issuer.

    Note:

    The Entity ID is the only authority the Hyland IdP server accepts SAML assertions from.

    Authentication Request Binding

    How authentication requests are handled by the SAML server. This value specifies the binding of the request sent from the Hyland IdP server to the SAML server. The value is either HTTP Post or HTTP Redirect.

  7. Update the values of the SAML2 settings to match your environment.
    Tip:

    For more information on the SAML protocol, see the SAML documentation currently maintained by the OASIS standards consortium.

    Setting

    Description

    Assertion Binding

    Select how the assertions are handled by the SAML server:

    • HTTP POST

    • Artifact

    This value specifies the binding of the request sent from the SAML server to the Hyland IdP server.

    The default value is HTTP POST.

    Authentication Request Signing Algorithm

    Select the encryption algorithm used for the signing certificate. The available algorithms are:

    • RSA-SHA1

    • RSA-SHA256

    • RSA-SHA384

    • RSA-SHA512

    Tip:

    The default value is RSA-SHA256 and is the recommended value to use.

    Signing Certificate Path

    Enter the path to the certificate used to sign the outbound messages of the authentication request.

    This path can be a thumbprint in the format thumbprint:xxxx, where xxxx is the thumbprint value.

    Note:

    If the certificate path is referenced by thumbprint, the certificate must be stored in the Trusted Root Certification Authorities in Local Computer.

    Decryption Certificate Path

    Enter the path to the certificate parties other than the Hyland IdP service should use to decrypt messages sent to the Hyland IdP server.

    This path can be a thumbprint in the format thumbprint:xxxx, where xxxx is the thumbprint value.

    Note:

    If the certificate path is referenced by thumbprint, the certificate must be stored in the Trusted Root Certification Authorities in Local Computer.

    Minimum Incoming Signing Algorithm

    Select the minimum encryption algorithm that can be used for the incoming signing certificate. The available algorithms are:

    • RSA-SHA1

    • RSA-SHA256

    • RSA-SHA512

    Tip:

    It is recommended to use RSA-SHA256.

  8. Click Save in the lower right corner of the page.
  9. Recycle the application pool of the Hyland IdP server in IIS for the changes to take effect.
    The Hyland IdP Metadata section is displayed at the bottom of the configured SAML2 provider page. See the following available settings:
    Setting Description

    Entity ID

    Contains the Hyland IDP entity ID that can be used to configure an external SAML2 provider to connect with the Hyland IdP server.

    Note: The Entity Id for the provider is displayed in the Hyland IdP Administration client user interface.

    Hyland IdP Metadata Location

    Contains the URL location of the Hyland IdP metadata that can be used to configure an external SAML2 provider to connect with the Hyland IdP server.
    Note: The Entity Id for the provider is displayed in the Hyland IdP Administration client user interface.

    Download Metadata

    Downloads the metadata of the Hyland IdP server. This metadata contains information that can be used to help configure an external SAML2 provider configuration to connect with the Hyland IdP server.

Related information: