3.4 Creating a SAML 2.0 Connector Template

To create a connector for single sign-on with SAML 2.0, you can use the SAML2 option in the Access Connector Toolkit.

3.4.1 SAML 2.0 Requirements for the Application Service Provider

To create a custom SAML 2.0 connector for a destination application, ensure that the service provider meets the following protocol-specific requirements:

  • Supports identity federation using the SAML 2.0 protocol.

    For more information about SAML, see the OASIS website.

  • Supports the SAML web browser single sign-on profile, with the Redirect and POST bindings for service-provider-initiated SSO, and the POST binding for identity-provider-initiated SSO.

  • Provides a capability in the application’s administration console that allows you to enable and configure SAML SSO with CloudAccess as the identity provider.

  • Provides technical documents that describe the application’s SAML federation requirements, metadata, and assertions.

3.4.2 Planning for a SAML 2.0 Connector

Before you attempt to create the SAML 2.0 connector, you must collect information about the destination web service or application. For more information, see Section 3.3, Federation Requirements for the Application Service Provider.

Ask the application service provider the following types of questions to gather the required information:

  • What does your SAML assertion look like?

  • Do you have a SAML metadata document? What fields, if any, are customer-specific?

  • Does your service support the SAML single logout protocol?

  • What are the required configuration steps in your application to set up federation?

  • What information do you provide to customers when they are setting up federation with their identity source?

NOTE: You can use a worksheet to organize the information. See Worksheet for SAML or WS-Federation Custom Connectors.

3.4.3 Creating a SAML 2.0 Connector Template for an Application

A SAML 2.0 connector template consists of multiple components for federation, metadata, and assertion information.

To create a custom SAML 2.0 connector:

  1. Log in as an administrator to the Access Connector Toolkit.

  2. Click New > SAML2.

    The connector Type is SAML2. The Type Name is Generic SAML2 Connector.

  3. On the Template tab, complete the following information:

    • Template properties

    • Whether the service provider requires a signing certificate

    • Federation instructions for the service provider

    • New settings that need to be collected on the Configuration page of the connector

  4. Click the Metadata tab, then use one of the following methods to specify the metadata:

    • Select Request, then specify the source URL from which to retrieve the metadata.

    • Complete the fields to manually generate the metadata.

    • Import the values from a file or URL, and modify them for your deployment environment.

  5. Click the Assertion tab, then define the properties and attributes required for the assertion.

    1. On the Properties subtab, specify the properties for the assertion.

    2. On the Attributes subtab, click New, specify and define the identity attribute, then click Save.

    3. (Conditional) If the service provider requires other identity attributes for an assertion, repeat Step 5.b to map the SAML assertion attribute to an attribute in your identity source.

  6. (Optional) If it is supported, create the provisioning definitions. For more information, see Section 3.2.3, Provisioning Support.

  7. Click Save to save the new connector template.

  8. Proceed to Section 3.9, Exporting a Connector Template to finish creating the new connector.
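As an added worked example (not part of this documentation or of the Access Connector Toolkit), the following Python script pulls out of a service provider's SAML 2.0 metadata document the facts that Section 3.4.2 asks you to collect and that the Metadata and Assertion tabs in steps 4 and 5 consume: entity ID, assertion consumer service bindings and locations, single logout support, NameID format, signing requirements, and the attributes the service provider requests. It then checks the result against the requirements in Section 3.4.1. The metadata, entity ID, URLs and certificate placeholder are constructed for the example, and the function names are the example's own.

```python
"""Extract connector-planning facts from a service provider's SAML 2.0 metadata."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata for a fictitious service provider (not real data).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBplaceholderCertificateNotARealKey</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0" isDefault="true"/>
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Example App</md:ServiceName>
      <md:RequestedAttribute Name="mail" isRequired="true"/>
      <md:RequestedAttribute Name="displayName" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _is_true(value):
    return (value or "false").strip().lower() == "true"


def parse_sp_metadata(xml_text):
    """Return the planning facts from an SP EntityDescriptor as a dict."""
    # For metadata fetched from a URL, parse with defusedxml rather than
    # xml.etree so that entity-expansion payloads in hostile XML are rejected.
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")

    acs = [
        {
            "binding": e.get("Binding"),
            "location": e.get("Location"),
            "index": int(e.get("index", "0")),
            "default": _is_true(e.get("isDefault")),
        }
        for e in sp.findall("md:AssertionConsumerService", NS)
    ]
    # KeyDescriptor without a "use" attribute is valid for both signing and encryption.
    signing_certs = [
        c.text.strip()
        for kd in sp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
        for c in kd.findall(".//ds:X509Certificate", NS)
        if c.text
    ]
    return {
        "entity_id": root.get("entityID"),
        "sp_signs_authn_requests": _is_true(sp.get("AuthnRequestsSigned")),
        "wants_signed_assertions": _is_true(sp.get("WantAssertionsSigned")),
        "sp_signing_certificates": signing_certs,
        "acs": acs,
        "default_acs": next((a for a in acs if a["default"]), acs[0] if acs else None),
        "slo": [
            {"binding": e.get("Binding"), "location": e.get("Location")}
            for e in sp.findall("md:SingleLogoutService", NS)
        ],
        "nameid_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text],
        "requested_attributes": [
            (a.get("Name"), _is_true(a.get("isRequired")))
            for a in sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS)
        ],
    }


def check_requirements(info):
    """Gaps against the 3.4.1 requirements, and open questions from 3.4.2, to raise with the SP."""
    findings = []
    if not any(a["binding"] == HTTP_POST for a in info["acs"]):
        findings.append("no HTTP-POST AssertionConsumerService: the POST binding is required")
    if info["sp_signs_authn_requests"] and not info["sp_signing_certificates"]:
        findings.append("SP signs AuthnRequests but publishes no signing certificate to verify them")
    if not info["nameid_formats"]:
        findings.append("no NameIDFormat published: confirm the subject identifier format with the SP")
    for a in info["acs"]:
        if not (a["location"] or "").startswith("https://"):
            findings.append("ACS %s is not HTTPS: assertions would be posted in the clear" % a["location"])
    return findings


if __name__ == "__main__":
    facts = parse_sp_metadata(SAMPLE_SP_METADATA)
    for key, value in facts.items():
        print("%-26s %s" % (key, value))
    print("findings:", check_requirements(facts) or "none")
```

When the metadata is retrieved by URL (step 4), fetch it over HTTPS and, where the service provider signs its metadata, verify that signature before trusting the ACS locations and certificates in it: whoever can substitute the metadata can redirect assertions to an assertion consumer service they control. The requested attributes the script lists are the ones to map on the Attributes subtab in step 5.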