To authenticate users securely, SPS needs to know many technical details about the Identity Provider (IdP). The standard way of representing this information is SAML metadata, which is an XML file. You must obtain this file from your IdP and upload it to SPS.
The XML file must contain a single IdP entity. If you want to allow logins to SPS from multiple IdPs, you must create additional login methods with different metadata files, see Authenticating users with SAML2 login method. Optionally, the IdP entity element can be wrapped into an EntitiesDescriptor element.
SPS provides Service Provider (SP) metadata at the following location:
https://<ADDRESS-OF-YOUR-SPS>/sts/saml2/sp-metadata.xml
This file is accessible also for unauthenticated users since it only contains public information about the SAML2 SP configuration.
NOTE: Many Identity Providers (IdPs) do not consume SP metadata directly, therefore you might need to configure your IdP manually. This guide uses the terms that are defined in the SAML 2.0 standard, which may differ from how the actual configuration parameters are called by your IdP implementation. For example, depending on your IdP implementation, the SP Entity ID may be referred to as Audience or Audience URI.
Entity ID
The entity ID of SPS is an opaque string, which is generated automatically, for example:
https://example.com/sts/saml2/1278910176319e703186a8
This is a technical identifier of your SP, which should be unique in your federation, but is not meant to be visible by users. When needed, you can customize this string using the SPS REST API, see Configuring SPS login methods in the One Identity Safeguard for Privileged Sessions REST API Reference Guide.
Signing and encryption keys
SPS SP has an automatically generated private key and a corresponding self-signed certificate, which are used for the following purposes:
-
sign the SAML2 authentication request sent to the IdP,
-
decrypt the assertion in the IdP's response when it is encrypted (encryption is not required),
-
sign the metadata file, to prove the possession of the private key.
When needed, you can change the private key and the corresponding certificate using the SPS REST API.
Assertion Consumer Service URLs
Assertion Consumer Service (ACS) URL is a parameter in the SAML2 authentication request, to which the IdP should redirect the user back after completing the authentication. To prevent request forging, most IdPs validate that the ACS specified in the authentication request match any of the preconfigured ACS values for the SP.
Since SPS is accessible at multiple addresses, there can be several ACS URLs. The URL is a string made up from three parts:
-
the fixed string https://
-
the configured host name or the IP address of SPS with an optional port number. If the port number is specified, it must match the port number used in the URL bar of the browser.
-
the fixed string sts/saml2/acs/post
All ACS URLs support the HTTP POST binding.
NOTE: When you configure your SP, you must include all host names in the list of ACS URLs where SAML2 login is allowed. If the users attempt to log in to SPS using an alternative host name or IP address in the URL bar, the login will fail. The host name might contain a port number, but in this case, you must enter the port number into the URL bar of the browser too.
Since a managed SPS cluster appears as a single SP entity for IdPs, you must enter all host names (or IP addresses) of all managed SPS hosts into the central configuration. For example, if a host is represented by three different hostnames, such as 10.12.231.241, example.com, or user.example.com:8081, you must enter all three hostnames pertaining to that host to make SAML2 login method available for users. You must also enter the hostnames of the central configuration.
In SAML, the IdP can provide the user's long-term identifier in two ways:
-
using a NameID, or
-
using an attribute.
If the NameID format of the assertion is any of the following, then the user identifier will be obtained from the NameID value:
-
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
-
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
-
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
-
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
If the assertion has a different NameID format, then one of the following user attributes should contain the user identifier value:
-
subjectId
-
pairwiseId
-
eduPersonUniqueId
-
eduPersonPrincipalName
-
upn
-
primarySid
-
uid
-
eduPersonOrcid
-
email
-
emailAdress
-
mail
The attribute names above can be expressed in various standard attribute name formats, such as urn:oasis:names:tc:SAML:2.0:attrname-format:basic or urn:oasis:names:tc:SAML:2.0:attrname-format:uri.
If the IdP provides the user's groups in attribute values, then SPS evaluates the permissions assigned to these groups, therefore user authorization is performed based on the assertion only. SPS supports the following attributes for groups:
-
eduPersonEntitlement
-
isMemberOf
-
group