This section describes the steps required to manually configure a SAML2 provider when initially setting up a Hyland IdP server. For additional configuration and ongoing maintenance, see the Configuring the Hyland IdP Server chapter in this module reference guide.
To initially configure a SAML2 provider:
- First, complete the main steps under Configuring the Hyland IdP Server for Use With Perceptive before attempting this procedure.
- Locate the Providers block and add the following settings.

```json
{
  "Id": "",
  "Name": "",
  "Type": 3,
  "ProtocolSettings": {
    "IdentityProvider": "",
    "ExternalIdPMetadataLocation": "",
    "SecuritySettings": {
      "EncryptionCertificatePath": "",
      "SigningCertificatePath": "",
      "SigningAlgorithm": "",
      "WantAssertionsSigned": true,
      "MinimumIncomingSigningAlgorithm": ""
    },
    "BindingsSettings": {
      "AuthenticationRequestBinding": 2,
      "AssertionBinding": 4
    }
  },
  "UserAttributeMappingSettings": {
    "userid": "",
    "username": "",
    "email": "",
    "realName": "",
    "group": ""
  },
  "UserProvisioningSettings": {
    "UserProvisioningEnabled": false,
    "DefaultSsoGroupMapping": []
  },
  "ClaimTransformationSettings": {
    "StripDomainFromUserName": false
  }
}
```
- Enter a unique identification value in the Id field.
  Note: This value is required and must be unique.
- Enter a unique name for the provider.
  Note: This value is required and must not contain slashes (/ or \).
- Update the values of the settings to match your environment:
Setting
Description
IdentityProvider
Set this option to the unique identifier of the SAML IdP, usually formatted as a URL. It is also known as the Identity Provider Issuer or just Issuer.
Note: The Identity Provider is the only authority the Hyland IdP server accepts SAML assertions from.
ExternalIdPMetadataLocation
Set this option to the URL or UNC path used to access the metadata about the SAML provider.
Tip: This should be a UNC path to a static file that contains the metadata information. If a URL is used and the site is not accessible, authentication will fail.
SecuritySettings | EncryptionCertificatePath
Set this option to the path of the certificate that parties other than the Hyland IdP service should use to encrypt messages sent to the Hyland IdP server.
This path can be a thumbprint in the format thumbprint:xxxx, where xxxx is the alphanumeric thumbprint value.
Note: If the certificate path is referenced by thumbprint, the certificate must be stored in the Personal Store under the Local Computer.
SecuritySettings | SigningCertificatePath
Set this option to the path of the certificate used to sign the outbound messages of the authentication request.
This path can be a thumbprint in the format thumbprint:xxxx, where xxxx is the alphanumeric thumbprint value.
Note: If the certificate path is referenced by thumbprint, the certificate must be stored in the Trusted Root Certification Authorities under the Local Computer.
SecuritySettings | SigningAlgorithm
Set this option to the path of the encryption algorithm used for the signing certificate. The available algorithms are RSA-SHA1, RSA-SHA256, RSA-SHA384, or RSA-SHA512. Enter only the path for the corresponding encryption algorithm.
- RSA-SHA1: http://www.w3.org/2000/09/xmldsig#rsa-sha1
- RSA-SHA256: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
- RSA-SHA384: http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
- RSA-SHA512: http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
Tip: It is recommended to use RSA-SHA256.
SecuritySettings | WantAssertionsSigned
Set this option to true.
Note: In order to improve security, signing is recommended.
SecuritySettings | MinimumIncomingSigningAlgorithm
Set this option to the path of the encryption algorithm that is the minimum encryption algorithm that can be used for the incoming signing certificate. The available algorithms are RSA-SHA1, RSA-SHA256, or RSA-SHA512. Enter only the path for the corresponding encryption algorithm.
- RSA-SHA1: http://www.w3.org/2000/09/xmldsig#rsa-sha1
- RSA-SHA256: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
- RSA-SHA512: http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
Tip: It is recommended to use RSA-SHA256.
BindingsSettings | AuthenticationRequestBinding
Set this to the whole-number method that defines how authentication requests are handled by the SAML server:
- HTTP Redirect: 1
- HTTP POST: 2
- Artifact: 4
This value specifies the binding of the request sent from the SAML server to the Hyland IdP server.
BindingsSettings | AssertionBinding
Set this to the whole-number method that defines how assertions are handled by the SAML server:
- HTTP POST: 2
- Artifact: 4
This value specifies the binding of the request sent from the SAML server to the Hyland IdP server.
UserAttributeMappingSettings
These settings are used to synchronize user attribute information.
These are the schema definitions of the provider responses that contain the account declarations of the user logging in. The following attributes can be synchronized:
- username: The URI of the claim type in the provider response that contains the user name of the user logging in. The specific value depends on the SAML assertion from the external provider.
  Tip: To determine the value, look at the Name attribute of the <saml2:Attribute> element in a sample SAML assertion generated from the external provider being used. For complete details on SAML and SAML assertions, see the SAML 2.0 documentation available from OASIS.
- email: The URI of the claim type in the provider response that contains the email address of the user logging in.
- realName: The URI of the claim type in the provider response that contains the real name of the user logging in.
- group: The URI of the claim type in the provider response that contains the group membership of the user logging in.
ClaimTransformationSettings | StripDomainFromUserName
Set this option to true to remove the domain from the user name before it is passed for authentication.
This setting controls whether to automatically strip the domain from user names that are passed as either domain\username or username@domain. This is useful when providers use a full domain and user name but the authenticating system only uses the user name.
UserProvisioningSettings | UserProvisioningEnabled
Set this option to false for Perceptive environments.
- Save and close the idpconfig.json file.
- Recycle the application pool of the Hyland IdP server for the changes to take effect.
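
The following lint script is an added example, not part of the Hyland documentation or product. It checks provider entries against the rules stated in the procedure above before the application pool is recycled. The names `check_provider`, `check_all` and `SAMPLE` are hypothetical, and it assumes the entries from the Providers block have already been parsed into Python dictionaries.

```python
SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
MORE = "http://www.w3.org/2001/04/xmldsig-more#rsa-"
SIGNING = {SHA1, MORE + "sha256", MORE + "sha384", MORE + "sha512"}
MIN_INCOMING = SIGNING - {MORE + "sha384"}  # the page lists no SHA384 choice here

def check_provider(p):
    """Return findings for one provider entry (a dict parsed from the JSON)."""
    proto = p.get("ProtocolSettings", {})
    sec = proto.get("SecuritySettings", {})
    bind = proto.get("BindingsSettings", {})
    name = p.get("Name", "")
    out = []
    if not p.get("Id"):
        out.append("Id is required")
    if not name or "/" in name or "\\" in name:
        out.append("Name is required and must not contain / or \\")
    if not proto.get("IdentityProvider"):
        out.append("IdentityProvider is empty")
    if (proto.get("ExternalIdPMetadataLocation") or "").lower().startswith("http"):
        out.append("ExternalIdPMetadataLocation is a URL; a UNC path is advised")
    for key, allowed in (("SigningAlgorithm", SIGNING), ("MinimumIncomingSigningAlgorithm", MIN_INCOMING)):
        if sec.get(key) not in allowed:
            out.append(key + " is not one of the listed algorithm paths")
        elif sec[key] == SHA1:
            out.append(key + " is RSA-SHA1; RSA-SHA256 is recommended")
    if sec.get("WantAssertionsSigned") is not True:
        out.append("WantAssertionsSigned should be true")
    if bind.get("AuthenticationRequestBinding") not in (1, 2, 4):
        out.append("AuthenticationRequestBinding must be 1, 2 or 4")
    if bind.get("AssertionBinding") not in (2, 4):
        out.append("AssertionBinding must be 2 or 4")
    if p.get("UserProvisioningSettings", {}).get("UserProvisioningEnabled") is not False:
        out.append("UserProvisioningEnabled should be false for Perceptive")
    return out

def check_all(providers):
    """Map list index -> findings, adding one for any repeated Id."""
    ids = [p.get("Id") for p in providers]
    return {i: check_provider(p) + (["Id is not unique"] if ids.count(p.get("Id")) > 1 else [])
            for i, p in enumerate(providers)}

# Constructed sample entry; every value is a placeholder, not real deployment data.
SAMPLE = {"Id": "saml-1", "Name": "corp/sso", "Type": 3, "ProtocolSettings": {
    "IdentityProvider": "https://idp.example.test/issuer",
    "ExternalIdPMetadataLocation": "https://idp.example.test/metadata.xml",
    "SecuritySettings": {"SigningAlgorithm": MORE + "sha256", "WantAssertionsSigned": False,
                         "MinimumIncomingSigningAlgorithm": SHA1},
    "BindingsSettings": {"AuthenticationRequestBinding": 2, "AssertionBinding": 1}},
    "UserProvisioningSettings": {"UserProvisioningEnabled": False}}
```

Calling `check_provider(SAMPLE)` reports the slash in the name, the URL metadata location, the RSA-SHA1 minimum, the unsigned-assertions setting and the unsupported assertion binding.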