= SAML 2.0 =

{{content/}}

When adding a //SAML 2.0// identity provider (e.g. //Shibboleth 2.0//) the parameters listed below can be configured.

== Base settings ==

{{figure image="saml_base_settings_en.png" clear="h1"}}Basic settings for the configuration of the SAML 2.0 identity provider.{{/figure}}

=== Name ===

Name of the identity provider in {{formcycle/}}.

=== Different name on form login button ===

If a form has been configured to offer several authentication options, a dialog is displayed when the form is opened, in which an authentication type has to be selected. The text shown on the button for this identity provider can be configured here.

If nothing is entered here, the name entered under //Name// is used.

=== Alias for callback URL (UUID) ===

Unique identifier that is used when the identity provider returns to {{formcycle/}}. This value is generated automatically, but can be changed if necessary.

=== Callback URL ===

The URL which is used when returning from the identity provider to {{formcycle/}} is shown here and can be copied to the clipboard by clicking the copy icon to the right of the URL.

== Initially visible buttons ==

Below the base settings there are initially three buttons whose functions are intended to help with the configuration of the identity provider.
gru 1.1 30
jdr 12.1 31 === Send email to provider ===
gru 1.1 32
jdr 12.1 33 Opens the e-mail program set up in the system with a pre-formulated request regarding the information required for the configuration of the identity provider in {{formcycle/}}.
gru 1.1 34
jdr 12.1 35 === Help ===
gru 1.1 36
jdr 12.1 37 Opens this help page in the browser.
gru 1.1 38
jdr 12.1 39 === Add configuration ===
gru 1.1 40
jdr 12.1 41 If the required information has been provided by the identity provider, the area for the configuration of the identity provider can be opened by clicking on this button. Afterwards the area //configuration// which is described below opens.
gru 1.1 42
{{figure image="saml_configuration_en.png" clear="h2"}}Configuration options for a SAML 2.0 identity provider.{{/figure}}
== Configuration ==

* **Upload configuration**: Pressing this button opens a file selection dialog in which the configuration file supplied by the identity provider can be selected. By confirming the selection in the dialog, the file is uploaded.

* **//FileName.xml//**: After a configuration file has been uploaded and the configuration has been saved, the file can be downloaded here. The download is started by clicking on the file name or the {{ficon name="download-circle-outline"/}} symbol.

=== Mapping to user attributes ===

By clicking on //Mapping to user attributes// the configuration fields for mapping individual attributes are made visible. SAML attributes can be configured for the following data. In each case, the name of the //saml:attributes// node must be specified.

* **Given name (firstname)**: First name of the user
* **Last name (familyName)**: Last name of the user
* **Display name (displayName)**: Display name of the user
* **Username (userName)**: User name of the user
* **Email (mail)**: Email address of the user
* **Language (locale)**: Language of the user
* **Location (location)**: Location of the user
* **Picture url (pictureUrl)**: Picture URL of the user
* **Profile url (profileUrl)**: Profile URL of the user
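As an added illustration (not part of the product documentation), the following Python snippet shows what such a mapping does with an incoming assertion: it reads the Name of each saml:Attribute element and fills the user fields listed above. The assertion and the OID-style attribute names are constructed for this example; the real names depend on the identity provider.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned, values invented); the attribute names follow the
# OID-based naming commonly seen in Shibboleth deployments, an assumption of this example.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1"
    Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4" FriendlyName="sn">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>jane.doe@example.org</saml:AttributeValue>
      <saml:AttributeValue>jdoe@example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The mapping as it would be entered in the dialog: user field (key in parentheses above)
# -> value of the Name attribute of the matching saml:Attribute element.
MAPPING = {
    "firstname": "urn:oid:2.5.4.42",
    "familyName": "urn:oid:2.5.4.4",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "userName": "urn:oid:0.9.2342.19200300.100.1.1",  # uid; deliberately absent from the sample
}

def extract_attributes(xml_text):
    """Return {Name: [values, ...]} for every saml:Attribute in the assertion."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs

def map_user(xml_text, mapping=MAPPING):
    """Apply the configured mapping. Multi-valued attributes keep their first value;
    a mapped attribute that the identity provider did not send yields None, so the
    caller can decide which fields are mandatory before creating a user."""
    attrs = extract_attributes(xml_text)
    return {field: (attrs.get(name) or [None])[0] for field, name in mapping.items()}
```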

{{id name="keystore" /}}
=== Manage keystore ===

By clicking on //Manage keystore// the settings for the keystore become visible. There are the following two buttons:

* **Create new keystore**: Creates a new keystore with a new key pair
* **Update keystore file**: Opens a file selection dialog with which an existing keystore can be selected and uploaded.

After uploading your own keystore, the following input fields also appear:
* **Keystore password**: Password of the keystore
* **Keypair password**: Password of the key pair

{{info}}Own keystores must be Java keystores of type JKS, which contain a corresponding 2048-bit RSA key pair. Such a keystore can be generated, for example, with the utility program keytool for a certificate lifetime of approximately 10 years (3650 days) using the following command: {{code language="none"}}keytool -genkeypair -alias ihr-alias -keypass ihr-passwort -keystore samlKeystore.jks -storepass ihr-passwort -keyalg RSA -keysize 2048 -validity 3650{{/code}}{{/info}}

{{figure image="saml_extended_settings_en.png" clear="h2"}}Extended settings for configuring a SAML 2.0 identity provider.{{/figure}}
=== Extended settings ===

With a click on //Extended settings// further parameters for the connection with the Identity Provider can be configured.

==== Service provider entity ID ====

Optional ID for identification against the Identity Provider.

==== Force authentication ====

Specifies whether a user should be forced to log in even if a valid session is still present.

==== Passive authentication ====

Specifies whether an authentication without interaction with the user should be tried.

==== User name qualifier ====

Specifies whether the authentication request should also send the //NameQualifier//. This is not required by the SAML standard, but for some identity providers it is necessary.

==== Authentication request signed ====

Specifies whether the authentication request should be digitally signed.

==== Logout request signed ====

Specifies whether the logout request should be digitally signed.

==== Wants assertions signed ====

Specifies whether the SAML statements (assertions) are requested to be digitally signed.

==== Wants response signed ====

Specifies whether the SAML responses should be digitally signed.

==== Max. authentication lifetime (seconds) ====

Maximum duration of an existing login to the identity provider. The default value is {{code language="none"}}3600{{/code}} seconds.

==== Max. clock skew (seconds) ====

Maximum allowed difference in system clock times between the {{fcserver/}} and the identity provider. The default value is {{code language="none"}}300{{/code}} seconds.
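The two settings above interact when an assertion is checked. As an added example (not the product's code; the exact check semantics are an assumption of this example), the following Python applies the maximum authentication lifetime and the clock skew, with the defaults of 3600 and 300 seconds, to the AuthnInstant and Conditions times of a constructed assertion.

```python
from datetime import datetime, timedelta

MAX_AUTHENTICATION_LIFETIME = 3600  # seconds, the default given above
MAX_CLOCK_SKEW = 300                # seconds, the default given above

def parse_instant(value):
    """Parse a SAML xs:dateTime such as 2024-01-01T10:00:00Z into a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_timing(authn_instant, not_before, not_on_or_after, now,
                 max_lifetime=MAX_AUTHENTICATION_LIFETIME, skew=MAX_CLOCK_SKEW):
    """Return the list of timing violations for an assertion (empty list: acceptable).

    The skew is always applied in the direction that tolerates a slightly wrong clock on
    either side; these semantics are this example's assumption, not the product's code.
    """
    tolerance = timedelta(seconds=skew)
    problems = []
    # Conditions/@NotBefore: the assertion may not be used before this instant.
    if now + tolerance < not_before:
        problems.append("assertion not yet valid (NotBefore in the future)")
    # Conditions/@NotOnOrAfter: the assertion may not be used at or after this instant.
    if now - tolerance >= not_on_or_after:
        problems.append("assertion expired (NotOnOrAfter reached)")
    # AuthnStatement/@AuthnInstant: the login at the identity provider must be recent enough.
    if authn_instant - tolerance > now:
        problems.append("AuthnInstant lies in the future")
    if now - tolerance > authn_instant + timedelta(seconds=max_lifetime):
        problems.append("authentication older than the maximum authentication lifetime")
    return problems

# Constructed sample: the user logged in at the identity provider at 09:58, the
# assertion was issued at 10:00 and is valid for five minutes.
AUTHN_INSTANT = parse_instant("2024-01-01T09:58:00Z")
NOT_BEFORE = parse_instant("2024-01-01T10:00:00Z")
NOT_ON_OR_AFTER = parse_instant("2024-01-01T10:05:00Z")

def check_sample(now_text):
    """Evaluate the constructed sample assertion at the given point in time."""
    return check_timing(AUTHN_INSTANT, NOT_BEFORE, NOT_ON_OR_AFTER, parse_instant(now_text))
```

A login older than the lifetime is rejected even while the assertion's own validity window is still open, which is what the separate lifetime setting adds on top of the skew.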

==== Assertion consumer service index ====

Specifies the index of the Assertion Consumer Service to be used in the login request. The default value is {{code language="none"}}-1{{/code}}, which is the default of the identity provider.

==== Attribute consumer service index ====

Specifies the index of the attribute consuming service which should be used for the authentication request. The default value is {{code language="none"}}-1{{/code}}, which is the default of the identity provider.

==== Authentication request binding type ====

Specifies the transmission type with which {{formcycle/}} requests a login to the identity provider.

==== Response binding type ====

Specifies the transmission type with which the identity provider responds to a {{formcycle/}} login.

==== Logout request binding type ====

Specifies the transmission type with which {{formcycle/}} requests a logoff from the identity provider.

==== Logout response binding type ====

Specifies the transmission type with which the identity provider responds to a logoff from {{formcycle/}}.

==== Signature canonicalization algorithm ====

Specifies the algorithm to be used to convert the signed request into a standardized XML form. {{code language="none"}}http://www.w3.org/2001/10/xml-exc-c14n#{{/code}} is used by default.

==== Black listed signature signing algorithms ====

Algorithms that are forbidden for signing.

==== Signature algorithms ====

Algorithms allowed for signing.

==== Signature reference digest methods ====

Specifies the hash algorithms that are allowed when signing the SAML statements (assertions).
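As an added example (not the product's code), this Python checks the SignedInfo of a signed response against the four signature settings above: canonicalization algorithm, blacklisted and allowed signature algorithms, and allowed digest methods. The exclusive canonicalization URI is the default named above; the other algorithm URIs are assumptions chosen for the example. Only the algorithm selection is inspected here; the signature value itself is verified afterwards by the XML signature library.

```python
import xml.etree.ElementTree as ET

DS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}
# Policy mirroring the four settings above. Only the exclusive-c14n URI comes from the
# page; the allowed and forbidden algorithm URIs are assumptions chosen for this example.
POLICY = {
    "canonicalization": "http://www.w3.org/2001/10/xml-exc-c14n#",
    "signature_algorithms": {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                             "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"},
    "blacklisted_signature_algorithms": {"http://www.w3.org/2000/09/xmldsig#rsa-sha1"},
    "digest_methods": {"http://www.w3.org/2001/04/xmlenc#sha256"},
}

def signed_info_xml(c14n, signature_alg, digest_alg):
    """Construct a minimal signed SAML response skeleton carrying the given algorithm URIs
    (DigestValue and SignatureValue are placeholders, not real cryptographic values)."""
    return ('<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1"><ds:Signature><ds:SignedInfo>'
            f'<ds:CanonicalizationMethod Algorithm="{c14n}"/>'
            f'<ds:SignatureMethod Algorithm="{signature_alg}"/>'
            f'<ds:Reference URI="#_resp1"><ds:DigestMethod Algorithm="{digest_alg}"/>'
            '<ds:DigestValue>placeholder</ds:DigestValue></ds:Reference></ds:SignedInfo>'
            '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature></saml2p:Response>')

def algorithm(parent, path):
    """Algorithm URI of the child element at path, or None if the element is missing."""
    elem = parent.find(path, DS)
    return elem.get("Algorithm") if elem is not None else None

def check_signature_policy(xml_text, policy=POLICY):
    """Return all policy violations in every ds:SignedInfo; an empty list means the
    algorithms are acceptable and the signature value may now be verified."""
    infos = ET.fromstring(xml_text).findall(".//ds:Signature/ds:SignedInfo", DS)
    if not infos:
        return ["no ds:Signature found"]
    problems = []
    for info in infos:
        if algorithm(info, "ds:CanonicalizationMethod") != policy["canonicalization"]:
            problems.append("unexpected canonicalization method")
        alg = algorithm(info, "ds:SignatureMethod")
        if alg in policy["blacklisted_signature_algorithms"]:
            problems.append(f"blacklisted signature algorithm {alg}")
        elif alg not in policy["signature_algorithms"]:
            problems.append(f"signature algorithm not allowed: {alg}")
        for ref in info.iterfind("ds:Reference", DS):
            digest = algorithm(ref, "ds:DigestMethod")
            if digest not in policy["digest_methods"]:
                problems.append(f"digest method not allowed: {digest}")
    return problems
```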