
Creating a SAML2 Trusted Identity Provider

Based on the metadata file that the provider sends, create and configure a SAML2 trusted identity provider.

Prerequisites

  • Obtain from the SAML identity provider administrator a SAML2 metadata file that contains all the information required to communicate with the identity provider.
  • Ask the SAML administrator whether the user's identity is carried in the subject (the NameID) or in an attribute of the SAML 2.0 assertion; if the latter, get the name of the attribute.

Procedure

  1. In Management Cockpit, select Settings > SAML > Trusted Identity Provider.
  2. Click the Create icon.
  3. Complete the required information.
    Table 60: SAML2 Trusted Identity Provider Properties

    Metadata File (default: none)
      Navigate to, and upload, the SAML2 metadata file that you obtained from the SAML2 identity provider. Values from the file automatically populate the remaining fields.

      In most cases, edit the imported values only to enter a description or a user ID source. Do not change any other field unless you are certain that you understand the effects of the change.

    Name (default: none)
      The name of the identity provider, taken from the metadata. Do not change.

    Description (default: none)
      A short description for this identity provider.

    Single Sign-On URL (default: none)
      The identity provider's endpoint (URL) to which the service provider sends authentication requests.

    Single Sign-On Binding (default: HTTP-POST)
      The metadata imported from the identity provider may advertise several bindings. The only binding that SAP Mobile Platform SDK clients support is HTTP-POST; SAP Mobile Platform Server also supports HTTP-Redirect, but the SDK does not.

      Do not change this value unless it shows a value other than HTTP-POST. If you do need to change it, you very likely must also change the Single Sign-On URL: each SingleSignOnService entry in the identity provider metadata pairs a binding with a URL, so find the entry whose binding is HTTP-POST and copy its URL into the Single Sign-On URL property.

    Single Logout URL (default: none)
      Single logout is not supported by SAP Mobile Platform SDK clients. The URL and binding for logout are shown only for information.

    Single Logout Binding (default: HTTP-POST)
      The SAML-specified HTTP binding the service provider uses to send a logout request. This field is populated from the identity provider metadata. Do not change.

    Signature Algorithm (default: SHA-1)
      The digest algorithm used for the digital signatures on SAML protocol messages. This field is not extracted from the identity provider metadata, so it defaults to SHA-1. Change it to SHA-256 if your identity provider signs with SHA-256. SHA-1 is deprecated for digital signatures, so prefer SHA-256 whenever the identity provider supports it.

    Signature Certificate (default: none)
      The X.509 certificate with which the identity provider digitally signs SAML protocol messages. This field is automatically populated from the signing key in the identity provider metadata. Do not change.

    User ID Source (default: SUBJECT)
      Where the user ID is taken from, either:
      • SUBJECT: the name identifier in the SAML assertion's subject element (<saml:Subject>), or
      • ATTRIBUTE: a SAML attribute in the assertion.

      If the identity provider returns the user ID in an attribute, set this value to ATTRIBUTE.

    Source (default: none)
      (If User ID Source is ATTRIBUTE) The name of the SAML attribute from which the user ID is obtained.

    User Role Attribute (default: none)
      The attribute that carries the user's roles. You can configure SAML authentication to derive role membership from the identity assertion. For example, if the identity provider metadata includes:

      <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" FriendlyName="Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://schemas.xmlsoap.org/claims/Group"/>

      the identity provider can add Group values to the assertion, and the server processes each value into a role principal, so that role-based access checks can be applied to the user later in processing.

    SAML Proxy (default: Off)
      If set to On, the SAML identity provider is reached through SAP Mobile Platform Server. If you set it to On:
      1. Click the plus sign, and select the endpoint connection URL that matches the SSO URL. For example, if the SSO URL is http://localhost:8779/saml2/localidp/sso, a matching connection URL is http://localhost:8779/saml2/localidp.
      2. Click OK. If two matching endpoint connection URLs are defined, an error occurs and you see this message: Multiple endpoint connection URLs match the single sign-on URL.
      3. See Defining Back-End Connections, and set these back-end connection properties:
        • Allow Anonymous Access, and
        • either Rewrite URL in SMP or Rewrite URL in Back-End System.
  4. Click Save.
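To see which values the form takes from the metadata file, how the HTTP-POST endpoint is picked when the identity provider advertises several bindings, and how the SAML Proxy matching rule behaves, here is an added example. It is not part of the SAP documentation or product: a small Python script, standard library only, that parses a constructed identity provider metadata file and then matches the SSO URL against a list of endpoint connection URLs, failing when more than one matches. The entityID, URLs and certificate text are placeholders; the assumptions that Name corresponds to the metadata entityID and that a connection URL "matches" when the SSO URL lies under it are the example's, not SAP's.

```python
"""Added example (not SAP code): read SAML2 IdP metadata and apply the
SAML Proxy endpoint-matching rule described for the Trusted Identity
Provider form."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata: placeholder entityID, URLs and certificate,
# not a real identity provider. It deliberately lists Redirect before POST.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="http://localhost:8779/saml2/localidp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS_NS}"><X509Data><X509Certificate>MIIB...placeholder...</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="{DS_NS}"><X509Data><X509Certificate>MIIC...placeholder...</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="http://localhost:8779/saml2/localidp/slo/redirect"/>
    <SingleLogoutService Binding="{POST}" Location="http://localhost:8779/saml2/localidp/slo"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <SingleSignOnService Binding="{REDIRECT}" Location="http://localhost:8779/saml2/localidp/sso/redirect"/>
    <SingleSignOnService Binding="{POST}" Location="http://localhost:8779/saml2/localidp/sso"/>
    <Attribute xmlns="{SAML_NS}" FriendlyName="Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://schemas.xmlsoap.org/claims/Group"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def endpoint(descriptor, element, binding):
    """Return the Location of the <element> entry with the given Binding, or None."""
    for ep in descriptor.findall(f"{{{MD_NS}}}{element}"):
        if ep.get("Binding") == binding:
            return ep.get("Location")
    return None


def parse_idp_metadata(xml_text):
    """Extract the fields the form is populated with from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    # Only the signing certificate belongs in Signature Certificate; a
    # KeyDescriptor without 'use' is valid for both signing and encryption.
    signing_certs = []
    for kd in idp.findall(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            signing_certs.append("".join(cert.text.split()))

    # The SDK only speaks HTTP-POST, so select that entry regardless of order.
    sso_post = endpoint(idp, "SingleSignOnService", POST)
    if sso_post is None:
        raise ValueError("identity provider offers no HTTP-POST SingleSignOnService")

    return {
        "name": root.get("entityID"),  # assumption: Name is the entityID
        "sso_url": sso_post,
        "sso_binding": "HTTP-POST",
        "slo_url": endpoint(idp, "SingleLogoutService", POST),  # informational only
        "signature_certificate": signing_certs[0] if signing_certs else None,
        "attributes": [a.get("Name") for a in idp.findall(f"{{{SAML_NS}}}Attribute")],
        "bindings_offered": sorted({ep.get("Binding") for ep in idp.findall(f"{{{MD_NS}}}SingleSignOnService")}),
    }


def match_proxy_connection(sso_url, connection_urls):
    """SAML Proxy steps 1 and 2: exactly one endpoint connection URL must match.

    Assumed matching rule: the SSO URL equals the connection URL or lies under it."""
    matches = [u for u in connection_urls
               if sso_url == u or sso_url.startswith(u.rstrip("/") + "/")]
    if not matches:
        raise LookupError("no endpoint connection URL matches the single sign-on URL")
    if len(matches) > 1:
        raise LookupError("Multiple endpoint connection URLs match the single sign-on URL")
    return matches[0]


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    for key, value in info.items():
        print(f"{key}: {value}")
    print("proxy connection:", match_proxy_connection(
        info["sso_url"], ["http://localhost:8779/saml2/localidp", "http://localhost:8779/odata"]))
```

Running the script against real metadata is a quick way to confirm, before uploading, that the identity provider actually publishes an HTTP-POST SingleSignOnService and a signing certificate; if it does not, the form will need the manual corrections described under Single Sign-On Binding.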

Results

When the SAML2 authentication flow begins, the server generates a SAML2 request with an identity provider URL, and posts the request to the proxy connection URL that matches the SSO URL.
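When the identity provider's response comes back, the server maps the assertion to a user and a set of roles according to the User ID Source, Source and User Role Attribute properties above. The following is an added example, not SAP code, of that mapping in Python over a constructed, unsigned assertion with placeholder values: SUBJECT takes the NameID, ATTRIBUTE takes the single value of the attribute named in Source, and every value of the role attribute becomes a role. Matching attributes by Name rather than FriendlyName, and insisting on exactly one value for the user-ID attribute, are the example's choices and are not stated by the documentation.

```python
"""Added example (not SAP code): derive user ID and roles from a SAML2
assertion the way the User ID Source / Source / User Role Attribute
properties describe."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"
UPN_CLAIM = "http://schemas.xmlsoap.org/claims/UPN"

# Constructed sample assertion (signature omitted): placeholder user and
# groups, not real data. Signature and Conditions checks are assumed to have
# passed before this mapping runs; they are outside this example.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>http://localhost:8779/saml2/localidp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{UPN_CLAIM}" FriendlyName="UPN">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{GROUP_CLAIM}" FriendlyName="Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>Sales</saml:AttributeValue>
      <saml:AttributeValue>MobileUsers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion, name):
    """All AttributeValue texts of attributes whose Name matches exactly.

    FriendlyName is advisory and need not be unique, so it is not consulted."""
    values = []
    for attr in assertion.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == name:
            values.extend((v.text or "").strip()
                          for v in attr.findall(f"{{{SAML_NS}}}AttributeValue"))
    return values


def principal_from_assertion(xml_text, user_id_source="SUBJECT", source=None, role_attribute=None):
    """Return {"user": ..., "roles": [...]} per the configured properties."""
    assertion = ET.fromstring(xml_text)

    if user_id_source == "SUBJECT":
        name_id = assertion.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
        if name_id is None or not (name_id.text or "").strip():
            raise ValueError("assertion subject has no NameID")
        user = name_id.text.strip()
    elif user_id_source == "ATTRIBUTE":
        if not source:
            raise ValueError("Source must name the attribute when User ID Source is ATTRIBUTE")
        values = attribute_values(assertion, source)
        # A user ID must be unambiguous: refuse missing or multi-valued attributes.
        if len(values) != 1:
            raise ValueError(f"expected exactly one value for {source}, got {len(values)}")
        user = values[0]
    else:
        raise ValueError(f"unknown User ID Source {user_id_source!r}")

    # One role principal per value of the role attribute (none if not configured).
    roles = attribute_values(assertion, role_attribute) if role_attribute else []
    return {"user": user, "roles": roles}


if __name__ == "__main__":
    print(principal_from_assertion(SAMPLE_ASSERTION))
    print(principal_from_assertion(SAMPLE_ASSERTION, "ATTRIBUTE", UPN_CLAIM, GROUP_CLAIM))
```

The same assertion yields the user jdoe with SUBJECT and jdoe@example.com with ATTRIBUTE plus Source set to the UPN claim, which is why the Source value must be agreed with the identity provider administrator before the security profile is used.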

Next Steps

  • If you have not already done so, create a local service provider before you use SAML2 in a security profile.
  • If you are using Active Directory Federation Services (ADFS) as your identity provider, you must either enable unlimited-strength cryptography in the JDK that runs the server (the JCE unlimited strength jurisdiction policy files) or configure ADFS not to encrypt the assertion. By default, ADFS encrypts a SAML assertion when sending it to the server. Prefer the first option: turning off encryption leaves the assertion readable by anything that handles the SAML response between ADFS and the server.