Defining Options for a SAML 2.0 Identity Provider

  1. Click Devices > Identity Servers > Servers > Edit > SAML 2.0 > Identity Provider > Options.

  2. Select the required options:

    OIOSAML Compliance: To make the identity provider OIOSAML compliant.

    For more information about OIOSAML3, see Section 5.11.7, OIOSAML 3 Compliance.

    Enable Front Channel Logout: To enable a service provider to initiate a logout at the identity provider by using the HTTP Redirect method.

  3. Click New to set SAML properties for an identity provider. The following table lists the available properties:

    Property Type

    Property Value

    Extensions

    Specify the value in this format: <samlp:Extensions>. This value is sent in the authentication request to this identity provider.

    SAML ASSERTION INCLUDE MILLISECS

    Select true to include the timestamp with millisecond precision in the IssueInstant attribute of SAML requests to this identity provider.

    SAML2 ATTRIBUTE CONSUMING INDEX

    Specify the integer value to send as AttributeConsumingServiceIndex in SAML requests to this identity provider.

    For example, you can provide the value as follows:

    For default value: default->10

    For protected resource URL: https://www.example.com:446/test/Test/test.php->2

    For contract: urn:oasis:names:tc:SAML:2.0:ac:classes:ID->3

    SAML2 AVOID CONSENT

    Select true to not include Consent as part of the SAML 2.0 request to this identity provider.

    SAML2 AVOID ISPASSIVE

    Select true to not include IsPassive in a SAML 2.0 request to this identity provider.

    SAML2 AVOID NAMEIDPOLICY

    If you select true, NameIDPolicy is not included in a SAML 2.0 request to this identity provider.

    SAML2 AVOID PROTOCOLBINDING

    If you select true, ProtocolBinding is not included in a SAML 2.0 request to this identity provider.

    SAML2 AVOID PROXYCOUNT

    If you select true, ProxyCount is not included in a SAML 2.0 request to this identity provider.

    SAML2 ASSERTION REQUEST AUDIT EVENT

    Set the value to true for sending the SAML 2.0 assertion request audit log to the specified audit server. The name of the audit event is displayed in the reports as NIDS: Sent a federation request event. The audit log includes the assertion details based on the request that is sent to the configured identity provider. By default, this option is set to false.

    To use this property, ensure that you have configured auditing details and enabled Audit Logging in the Auditing and Logging page of Identity Server.

    SAML2 ASSERTION RESPONSE AUDIT EVENT

    Set the value to true for sending the SAML 2.0 assertion response audit log to the specified audit server. The name of the audit event is displayed in the reports as NIDS: Assertion Information. The audit log includes the assertion details based on the response received from the configured identity provider. By default, this option is set to false.

    To use this property, ensure that you have configured auditing details and enabled Audit Logging in the Auditing and Logging page of Identity Server.

    SAML2 AVOID SIGN AND VALIDATE ASSERTIONS TRUSTED PROVIDERS

    If you select true, the cluster accepts SAML 2.0 POST responses from this provider when the response is signed but the assertion is not.
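    The acceptance rule that this property selects, written out as an added example (not Access Manager code): in strict mode every assertion must carry its own ds:Signature; in the relaxed mode a signed response may carry unsigned assertions, and a response where nothing is signed is rejected either way. The two sample responses are constructed inline, and only the presence of the signature elements is checked; cryptographic verification of each signature is assumed to happen elsewhere.

```python
"""Added example: the SAML 2.0 POST response acceptance rule behind the
SAML2 AVOID SIGN AND VALIDATE ASSERTIONS TRUSTED PROVIDERS property.
Not Access Manager code. Only signature *presence* is inspected here;
verifying each ds:Signature cryptographically is assumed to be done elsewhere."""
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"


def signature_layout(response_xml):
    """Return (response_signed, [assertion_signed, ...]) for a samlp:Response.

    Only a ds:Signature that is a direct child counts: a signature nested
    anywhere else does not cover the element we are deciding about."""
    resp = ET.fromstring(response_xml)
    if resp.tag != SAMLP + "Response":
        raise ValueError("not a samlp:Response")
    response_signed = resp.find(DS + "Signature") is not None
    assertions = resp.findall(SAML + "Assertion")
    return response_signed, [a.find(DS + "Signature") is not None for a in assertions]


def accept_post_response(response_xml, avoid_sign_and_validate_assertions):
    """Property false (strict): every assertion must be signed itself.
    Property true (relaxed): a signed response may carry unsigned assertions."""
    response_signed, assertion_flags = signature_layout(response_xml)
    if not assertion_flags:
        return False  # nothing to consume
    if all(assertion_flags):
        return True
    return bool(avoid_sign_and_validate_assertions and response_signed)


# Constructed sample: the response is signed, the assertion inside it is not.
SIGNED_RESPONSE_UNSIGNED_ASSERTION = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>idp</saml:Issuer></saml:Assertion>
</samlp:Response>"""

# Constructed sample: neither element is signed; rejected whatever the property says.
UNSIGNED_RESPONSE = SIGNED_RESPONSE_UNSIGNED_ASSERTION.replace(
    "<ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>", "")

if __name__ == "__main__":
    for flag in (False, True):
        print("property =", flag, "->",
              accept_post_response(SIGNED_RESPONSE_UNSIGNED_ASSERTION, flag))
```

    With the property at false the first sample is refused because the assertion carries no signature of its own; with the property at true the response-level signature is enough.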

    SAML2 CHANGE ISSUER

    Specify the provider ID to be sent as issuer in the SAML requests to this identity provider.

    The value is in format {SPProviderID}->{issuer name}. {SPProviderID} will be replaced by the actual provider ID of the service provider. This will set the issuer of SAML 2.0 requests to the issuer name specified here.

    SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST

    Set this option to specify custom authentication class references. Use the delimiter & to specify more than one class reference. The value of this property is set to the value of the AuthnContextClassRef element of AuthnRequest.

    In Authentication Card > Authentication Request > Use Types, select Exact for Context Comparison. The Authentication Types field must be blank.

    SAML2 CUSTOM USER CLASS QUERY

    Set this option to replace the "Person" class with the "User" class in the query. This allows you to set the SAML Attribute Matching lookup filter without the objectclass=user requirement when using a custom object class.

    For example: SAML2_CUSTOM_USER_CLASS_QUERY=(|(objectClass=user)(objectClass=Person))

    SAML2 NAMEIDPOLICY ALLOWCREATE

    Select true to create ALLOWCREATE attribute in the NAMEIDPOLICY element of AuthnRequest.

    SAML2 POST DEFLATE TRUSTEDPROVIDERS

    If you select true, the cluster sends deflated POST messages to this provider.

    SAML2 SEND ACS INDEX

    Select true to send AssertionConsumerServiceIndex with AuthnRequest to this identity provider.

    SAML2 SEND ACS URL

    Select true to send AssertionConsumerServiceURL with AuthnRequest to this identity provider.

    SAML2 SIGN METHODDIGEST SHA256

    The default algorithm that is used as signing algorithm for SAML 2 assertions is SHA256. Set the value to false if you want to use SHA1 algorithm as signing algorithm for assertions.

    OTHER

    Specify Property Name and Value if you want to configure any other property for this identity provider.

    SAML2 RESPONSE AVOID REMOVE EXTRANEOUS NAMESPACES

    Select true to keep the assertion namespace declarations in a SAML message and assertion.

  4. Click OK > Apply.
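    How the properties in the table shape the resulting AuthnRequest, as an added example (not Access Manager code): each property name from the table is looked up in a dictionary and switches one attribute or child element on or off, and the two constructed option sets correspond to the "all true" and "all false" samples that follow. Assumptions not stated on the page: the ID scheme, the persistent NameID format and ProxyCount of 5 (both taken from the samples), Comparison="exact" for the custom class references (the page asks for Exact context comparison), and the precedence used when several AttributeConsumingServiceIndex rules match (URL, then contract, then default).

```python
"""Added example (not Access Manager code): build a SAML 2.0 AuthnRequest whose
attributes and child elements follow the identity provider property table."""
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def parse_index_rules(text):
    """Parse the 'key->N' lines of SAML2 ATTRIBUTE CONSUMING INDEX, where key is
    'default', a protected resource URL, or a contract URN."""
    rules = {}
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if not line:
            continue
        key, sep, value = line.rpartition("->")
        if not sep:
            raise ValueError(f"bad index rule: {line!r}")
        rules[key.strip()] = int(value)
    return rules


def resolve_attribute_index(rules, resource_url=None, contract=None):
    """Assumed precedence (not stated on the page): URL, then contract, then default."""
    for key in (resource_url, contract, "default"):
        if key is not None and key in rules:
            return rules[key]
    return None


def issue_instant(now, include_millis):
    """UTC IssueInstant, with milliseconds when SAML ASSERTION INCLUDE MILLISECS is true."""
    base = now.strftime("%Y-%m-%dT%H:%M:%S")
    return f"{base}.{now.microsecond // 1000:03d}Z" if include_millis else f"{base}Z"


def build_authn_request(props, sp_provider_id, acs_url, acs_index, now=None,
                        resource_url=None, contract=None):
    """props maps property names exactly as they appear in the table to their values."""
    now = now or datetime.now(timezone.utc)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "id" + uuid.uuid4().hex,  # constructed ID scheme, an assumption
        "Version": "2.0",
        "ForceAuthn": "false",
        "IssueInstant": issue_instant(now, props.get("SAML ASSERTION INCLUDE MILLISECS", False)),
    })
    if props.get("SAML2 SEND ACS INDEX"):
        req.set("AssertionConsumerServiceIndex", str(acs_index))
    if props.get("SAML2 SEND ACS URL"):
        req.set("AssertionConsumerServiceURL", acs_url)
    idx = resolve_attribute_index(
        parse_index_rules(props.get("SAML2 ATTRIBUTE CONSUMING INDEX", "")), resource_url, contract)
    if idx is not None:
        req.set("AttributeConsumingServiceIndex", str(idx))
    # The AVOID properties remove an attribute or element that is otherwise sent.
    if not props.get("SAML2 AVOID CONSENT"):
        req.set("Consent", "urn:oasis:names:tc:SAML:2.0:consent:unavailable")
    if not props.get("SAML2 AVOID ISPASSIVE"):
        req.set("IsPassive", "false")
    if not props.get("SAML2 AVOID PROTOCOLBINDING"):
        req.set("ProtocolBinding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")

    # SAML2 CHANGE ISSUER: "{SPProviderID}->{issuer name}" overrides the default issuer.
    issuer = sp_provider_id
    change = props.get("SAML2 CHANGE ISSUER")
    if change:
        issuer = change.partition("->")[2].strip()
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer

    if not props.get("SAML2 AVOID NAMEIDPOLICY"):
        policy = ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {
            "Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",  # from the sample
            "SPNameQualifier": sp_provider_id,
        })
        if props.get("SAML2 NAMEIDPOLICY ALLOWCREATE"):
            policy.set("AllowCreate", "true")
    # SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST: '&'-delimited references, compared exactly.
    refs = props.get("SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST")
    if refs:
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
        for ref in refs.split("&"):
            ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = ref.strip()
    if not props.get("SAML2 AVOID PROXYCOUNT"):
        ET.SubElement(req, f"{{{SAMLP}}}Scoping", {"ProxyCount": "5"})  # value from the sample
    return req


# Constructed option sets mirroring the two sample files.
ALL_TRUE = {name: True for name in (
    "SAML ASSERTION INCLUDE MILLISECS", "SAML2 AVOID CONSENT", "SAML2 AVOID ISPASSIVE",
    "SAML2 AVOID NAMEIDPOLICY", "SAML2 AVOID PROTOCOLBINDING", "SAML2 AVOID PROXYCOUNT",
    "SAML2 NAMEIDPOLICY ALLOWCREATE", "SAML2 SEND ACS INDEX", "SAML2 SEND ACS URL")}
ALL_FALSE = {name: False for name in ALL_TRUE}
ALL_FALSE["SAML2 ATTRIBUTE CONSUMING INDEX"] = (
    "default->10\nhttps://www.example.com:446/test/Test/test.php->2")

if __name__ == "__main__":
    for label, opts in (("all true", ALL_TRUE), ("all false", ALL_FALSE)):
        req = build_authn_request(opts, "https://sp.example.test/metadata",
                                  "https://sp.example.test/acs", 2)
        print(label, "->", ET.tostring(req, encoding="unicode"))
```

    Running the block prints the two requests; comparing them with the sample files shows which attribute each AVOID and SEND property controls, and the index rules resolve to 2 for the listed protected resource and to 10 otherwise.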

Sample XML File When All SAML Options Are Set to True
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceIndex="2" ForceAuthn="false" ID="id5R6u1JFtay7eK.il97Q3eRl34u8" IssueInstant="2013-01-18T06:11:26Z" Version="2.0">
  <saml:Issuer>…</saml:Issuer>
</samlp:AuthnRequest>
Sample XML File When All SAML Options Are Set to False
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" AssertionConsumerServiceIndex="0" AttributeConsumingServiceIndex="2" Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable" ForceAuthn="false" ID="idoeZTKq7FOs5MsCigBBCwp30lqD0" IsPassive="false" IssueInstant="2013-01-23T05:25:32Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml:Issuer>…</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="https://nam.rtreyresearch.net:8443/nidp/saml2/metadata"/>
  <samlp:Scoping ProxyCount="5"/>
</samlp:AuthnRequest>