If the IdP provides the user's groups in attribute values, then SPS evaluates the permissions assigned to these groups, therefore user authorization is performed based on the assertion only. SPS supports the following attributes for groups:
-
eduPersonEntitlement
-
isMemberOf
-
group
The topics below discuss how to configure SAML2 login.
Configuring SAML2 login contains the following steps:
NOTE: Authentication configuration is shared between the SPS central configuration and the managed hosts, therefore you must configure the Service Provider (SP) settings and the SAML2 login methods on the central configuration node.
Navigate to Users & Access Control > Login options. The SSO Configuration menu contains information about your SP configuration.
To configure SPS as a SAML2 Service Provider (SP), complete the following steps.
-
Navigate to Users & Access Control > Login options, and click SSO Configuration.
The SSO Configuration menu contains information about your SP configuration.
-
Click SAML2 Service Provider settings from the drop down menu.
-
Click Add new hostname to provide all the host names on which the SAML2 login method is available for users. When necessary, provide the port number as well. For example, 10.12.231.241, example.com, or user.example.com:8081.
The web user interface allows you to configure the Assertion Consumer Service URLs. You can configure the entityID and the custom credentials on the REST API, if the defaults are not suitable.
Figure 91: Users & Access Control > Login Options > SSO Configuration > SAML2 Service Provider settings – Configuring SP entity ID and host names
-
Click Save.