Connector Studio and the Applications page help you set up basic configuration settings for a SAML 2.0 application. After you create a SAML 2.0 application by using a connector, the Applications page displays Advanced Setup links in each configuration section. You can use these links to go to the SAML 2.0 configuration pages and configure additional settings.
To create a SAML 2.0 connector, ensure that the service provider meets the following protocol-specific requirements:
Supports identity federation by using the SAML 2.0 protocol.
For more information about SAML, see the OASIS website.
Supports the SAML web browser single sign-on profile, with the Redirect and POST bindings for service-provider-initiated SSO, and the POST binding for identity-provider-initiated SSO.
Provides technical documents that describe the application’s SAML federation requirements, metadata, and assertions.
You must collect information about the destination web service or application before creating a SAML 2.0 connector.
Ask the application service provider the following questions to gather the required information:
What does your SAML assertion look like?
Do you have a SAML metadata document? What fields, if any, are customer-specific?
Does your service support the SAML single logout protocol?
What are the required configuration steps in your application to set up federation?
What information do you provide to customers when they set up federation with their identity source?
You must configure the fields shown in red before saving a connector. Other fields are optional, but may require configuration based on requirements of the service provider.
Perform the following steps to create a SAML 2.0 connector:
Log in to Administration Console as an administrator.
In Dashboard, click Administrative Tasks > Connector Studio > + > Create SAML 2.0 connector.
Under General, specify the following details:
|
Field |
Description |
|---|---|
|
Target Name |
Specify a unique name for the connector file. This name is used as the filename when downloading the connector to a file or publishing to the Local Application Catalog. |
|
Version |
Specify a three-digit version number for the connector. This value is used in the filename when downloading the connector to a file or publishing to the Local Application Catalog. It is displayed in the Applications page while configuring an application based on this connector. |
|
Description for Provider |
Access Manager does not use this option. |
|
Description for Tenant |
Specify the description of the connector. This value is displayed in the Description field on the Applications page while configuring an application based on this connector. |
|
Certificate required for provider |
Select if the service provider requires a signing certificate. If selected, the Applications page displays the signing certificate field as required. If this option is selected, the Applications page considers the certificate field as mandatory and displays a red asterisk. A certificate from the service provider must be imported to save the application. You can also import a default certificate from the service provider while creating the connector by using the Metadata page. See Step 5. |
|
Change Image |
Add a custom graphic to use for the icon that represents the connector in Connector Studio and the Applications page. |
Select Settings.
You can use the Settings page to create settings based on requirements of a service provider. These settings are used to create SAML metadata while creating an application based on this connector.
You can use these settings to gather and display configuration information from the administrator while configuring a connector in Connector Studio and while configuring an application on the Applications page.
In Connector Studio, these settings are available for selection on other configuration pages within Connector Studio (Metadata, Assertion, and Federation Instructions pages) and in the Applications page under the Application Connector Setup section. Settings, also referred to as replaceable values, are used as configuration data placeholders. An administrator can specify actual values while configuring an application based on this connector. In the XML definition file of a connector created in Connector Studio, replaceable values use the ${nameOfSetting} format. In the Applications page, while creating an application based on a connector with one or more settings, the Display Name of the setting is displayed in the Application Connector Setup section. The values specified for those settings while configuring the application are then used to create metadata for the application.
The Settings page provides the following options to create a new setting or edit an existing one:
|
Field |
Description |
|---|---|
|
Name |
Specify a name for the setting. This name is used to reference or track the setting internally. |
|
Display Name |
Specify a display name for the setting. This name is used on the Metadata, Assertion, and Federation Instructions pages in Connector Studio and also in the Applications page under the Application Connector Setup section. |
|
Data Owner |
Select Tenant. Access Manager does not support other options in the list. |
|
Type |
Select the type of the data. Access Manager supports only String and URL data types. |
|
Min |
Specify the minimum acceptable limit of the data. This value depends on the type you select under Type. For example, if you select String, specify the minimum length of the value. If you leave this field blank, then no minimum value is enforced. |
|
Max |
Specify the maximum acceptable limit of the data. This value depends on the type you select under Type. For example, if you select String, specify the maximum length of the value. If you leave this field blank, then no maximum value is enforced. |
|
Description |
Specify the description of this setting. This value is displayed when you mouse over the help icon associated with this setting in the Application Connector Setup section on the Applications page. |
|
Default Value |
Specify a default value. |
|
Required |
Select if you want to make this field mandatory. When selected, the field is marked as required (a red asterisk) on the Applications page. If not selected, you can skip specifying a value while creating or editing an application. |
|
Concealed |
If you select this option, the value for this setting is masked with asterisks (*) when you create an application based on this connector on the Applications page. |
Select Metadata.
Access Manager uses the service provider's metadata for communications with the service provider. You can use the Metadata page to determine how the metadata representing the service provider is created and configured.
Some service providers allow you to download their metadata from a URL. If not, you can manually generate the metadata based on the settings defined here.
Select one of the following methods to create the metadata:
Request: Specify Source URL to retrieve the metadata from the service provider. You can specify Source URL by using replaceable values configured on the Settings page if required.
Generate: Specify the following details to manually generate the metadata for the service provider based on the information provided by the service provider. You can use Import from URL or Import from File if the metadata is available in that form instead of specifying the following values:
|
Field |
Description |
|---|---|
|
EntityID |
The value required for EntityID is available in the service provider’s metadata or in the help information that may be available in federation instructions from the provider. Specify the entityID of the metadata that uniquely identifies the particular service provider, such as sp_domain_name. For example, google.com. You can also specify a previously configured setting (replaceable value) by clicking the Select icon. |
|
Signing Certificate |
If you have selected Certificate required for provider under General and do not upload a certificate here, the administrator will be required to add a certificate while configuring an application based on this connector by using the Applications page. |
|
Assertion Consumer Service URL |
Specify the URL where the assertion is posted by the browser. For example, https://www.google.com/a/${customer-domain}/acs. You can also specify a previously configured setting (replaceable value) by clicking the Select icon. |
|
Logout URL |
Specify a logout URL. The logout URL corresponds to the field SingleLogoutService from the service provider’s metadata. You can also specify a previously configured setting (replaceable value) by clicking the Select icon. |
|
Logout URL Binding |
Specify the logout URL Binding (HTTP Post or Redirect). For SAML 2.0, the only supported binding method is POST. |
|
Logout Response URL |
Specify the URL a logout request be sent to. The logout response URL is required when the SingleLogoutService field has ResponseLocation specified in the metadata. You can also specify a previously configured setting (replaceable value) by clicking the Select icon. |
|
Import from File |
If you selected Method > Generate and you have downloaded the service provider’s metadata to a file, use this option to populate the values in Metadata page configuration fields using that file. |
|
Import from URL |
If you selected Method > Generate and the service provider’s metadata is available at a specified URL, use this option to populate the values in Metadata page configuration fields. |
Select Attributes.
You can use the Attributes page to define mappings between the remote attribute names required by the service provider and the user attributes available in the local Access Manager user stores. The mapped attributes are included in the SAML response and are used by the service provider to identify the user.
Attribute mappings configured here are displayed in the Attributes section while creating an application based on this connector (using the Applications page). When the application is created, an Attribute Set object is automatically created that contains these attribute mappings. You can view or edit the attribute set in the Shared Settings page of Access Manager.
Using the Attributes page, you can either create new attributes or import existing attributes from attribute sets already configured on the local Access Manager system.
To import existing attributes:
Click Import Attribute Set.
All attribute sets from the local Access Manger system are displayed.
Select one or more attribute sets from the list.
The mappings from the selected sets are displayed.
(Optional) Click the More Options icon associated with each attribute and click Edit to modify the details if needed. You can use the attributes as it is also.
Any change that you make in attribute mappings here does not impact the source attribute set that was used as a template. These changes are applicable only for this connector. After you save the connector, the attribute mappings are saved in the connector. When you download or publish the connector, these attribute mappings are included in the connector definition.
Click OK.
To create new attributes:
Click New Attribute.
Specify the following details:
|
Field |
Description |
|---|---|
|
Display Name |
Specify a display name. The value of Display Name is used in the Assertion page when the Select icons are clicked for Audience Restriction and Name ID. |
|
Remote Attribute Name |
Specify a name. This name is used to identify the attribute in the SAML response sent to the service provider. It is displayed on the Applications page under Attributes > Remote Attribute while configuring an application based on this connector. |
|
Description |
Specify the description of this attribute. This text is displayed when you mouse over the help icon associated with this attribute in the Attributes section on the Applications page while configuring an application. |
|
Remote Namespace |
Specify the namespace defined for the attribute by the remote system. |
|
Remote Format |
Select one of the following formats:
|
|
Type |
Select the type of the attribute. Available options are LDAP Attribute, String, and Token. |
|
Encoding |
Select None. Access Manager does not support attribute encoding while publishing connectors to the Local Application Catalog or while importing connectors into the Applications page. Selecting encoding types other than None is allowed in Connector Studio for compatibility when creating connectors to be exported and used with other system types. |
|
Local Attribute |
(Optional) You can specify a default value for the Type you have selected. If a default value is specified, you can view or edit it in the Mapped to System Attribute column on the Applications page for this attribute. In the Applications page, the Attributes section displays the mappings defined here. |
|
Required |
If you select this option, a red asterisk is displayed with the attribute in the Applications page and the attribute mapping must be completed to save the application. |
Select Assertion.
You can use the Assertion page to configure values for specific elements included in the SAML assertion sent to the service provider.
Specify the following details:
|
Field |
Description |
|---|---|
|
Audience Restriction |
Access Manager does not support this option. |
|
Name ID |
Select an attribute that uniquely identifies the user at the service provider. If an attribute has not yet been created (using the Attributes page), click the select icon > New Attribute to create a new attribute. |
|
Format |
Select the NameID formats to match the requirements of the service provider by inspecting the provider’s metadata or federation instructions. |
|
Destination URL |
Specify the URL of the destination application. The default appmark created for an application that is configured based on this connector contains the target override field populated with the value specified here. The user’s browser is redirected to this URL after a successful single sign-on when clicking the appmark. |
Select Federation Instructions.
You can use the Federation Instructions page to create the help information that is displayed in the Applications page while configuring an application based on this connector. This information is available under the System Setup section in the Applications page. Specify the detailed instructions here for configuring the service provider to trust Access Manager as an identity provider.Federation instructions can use the following system-provided replaceable values. When configuring an application in the Applications page, these placeholders are replaced with values appropriate for the Access Manager Identity Server cluster where the application is being configured.
|
Field |
Description |
|---|---|
|
${entityID} |
Represents the value of Identity Server cluster’s Entity ID. |
|
${ssoURL} |
Represents the value of the Identity Server cluster’s single sign-on URL. |
|
${sloURL} |
Represents the value of the Identity Server cluster’s single logout URL. |
|
${sloReturnURL} |
Represents the value of the Identity Server cluster’s logout return URL. |
|
${signingCert} |
Represents the value of the Identity Server cluster’s default signing certificate. |
Click OK to save the connector.
Proceed to Section 4.8, Publishing a Connector to the Local Catalog to finish creating the new connector.