SAML SSO Web Profile Authentication Resource Template
The SAML SSO Web Profile Authentication Resource Template provides the configuration fields for SAML SSO Web Profile authentication. The General tab holds the identifiers, URLs and time limits that govern how an identity provider (IdP) response is accepted; the Advanced tab holds the signing and encryption settings.
General Tab
Property | Description
---|---
Entity Id (Required) | Unique identifier of the service provider. It must be identical to the SP entity ID configured at the IdP, which returns it as the Audience of each assertion. Example:
Authentication Successful URL (Required) | URL of the landing page shown after successful authentication. Example:
IDP Metadata Source (Required) | SAML metadata describes a service provider or identity provider. Select one of the following options: IDP String Metadata (metadata read from a local file) or IDP HTTP Metadata URL (metadata fetched from an HTTP URL).
IDP Metadata URL (Required) | Location of the IdP metadata file (if the IDP String Metadata option is selected) or HTTP URL of the IdP metadata (if the IDP HTTP Metadata URL option is selected). Example: Google: D:\SAML\GoogleIDPMetadata.xml; ADFS:
IDP Login URL (Required) | URL to initiate SAML login. Example:
IDP Logout URL (Required) | URL to initiate SAML logout. Example:
IDP SSO URL (Required) | URL where the IdP posts SAML assertions back to the service provider (the Assertion Consumer Service, or ACS, URL). Example:
IDP Single Logout URL (Required) | URL where the IdP sends the logout response back to the service provider. Example:
Logout Successful URL (Required) | URL of the landing page shown after successful logout. Example:
Authentication Failure URL (Required) | URL of the landing page shown after failed authentication. Example:
Response Skew Time (seconds) (Required) | Maximum clock difference, in seconds, tolerated between the IdP and the service provider when the time conditions of an IdP response (IssueInstant, NotBefore, NotOnOrAfter) are checked. Every second added here also extends the window in which a captured response can be replayed, so keep the value small and keep both clocks synchronized rather than raising it. Example:
Unauthorize Redirect Requests (Optional) | By default this checkbox is not selected for SOA applications. For TIBCO ActiveMatrix BPM applications this checkbox must be selected.
Max Authentication Age (seconds) (Optional) | Upper limit on the age of the authentication reported in the assertion returned by the IdP (its AuthnInstant). An IdP with a long-lived session can issue a fresh assertion without re-authenticating the user; with this field set, such an assertion is rejected once the original login is older than the configured number of seconds. Default value:
Local Logout (Optional) | Select the checkbox if you are using Google IdP.
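The following is an added example, not TIBCO product code, showing the checks that the General tab fields above correspond to when the service provider receives an IdP Response: Entity Id against the assertion's Audience, IDP SSO URL against Destination and Recipient (an exact, case-sensitive comparison, which is why the lowercase requirement at the end of this page matters), Response Skew Time as the tolerance on every time window, and Max Authentication Age as a limit on the assertion's AuthnInstant. The SP settings and the sample Response are constructed for the demonstration; signature verification (Advanced tab) is assumed to have happened first and is not shown.

```python
"""Checks a service provider should apply to an IdP Response before trusting it.

Added example, not TIBCO product code. Signature verification (Advanced tab)
is a prerequisite that this stand-alone snippet does not perform.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Assumed SP settings (hypothetical values, not taken from the page).
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"  # Entity Id
SP_SSO_URL = "https://sp.example.com/saml/sso"         # IDP SSO URL (ACS URL)

# Constructed sample Response (a real one also carries ds:Signature elements).
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T10:00:05Z" Destination="https://sp.example.com/saml/sso">
  <saml2:Issuer>https://idp.example.com/metadata</saml2:Issuer>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:05Z">
    <saml2:Issuer>https://idp.example.com/metadata</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID>alice@example.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2024-05-01T10:05:05Z"
            Recipient="https://sp.example.com/saml/sso"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://sp.example.com/saml/metadata</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2024-05-01T09:00:00Z" SessionIndex="_s1"/>
  </saml2:Assertion>
</saml2p:Response>"""


def utc(*parts):
    """Build an aware UTC datetime, e.g. utc(2024, 5, 1, 10, 0, 30)."""
    return datetime(*parts, tzinfo=timezone.utc)


def parse_saml_time(value):
    """Parse a SAML xs:dateTime in UTC 'Z' form, ignoring fractional seconds."""
    value = value.strip()
    if not value.endswith("Z"):
        raise ValueError(f"SAML timestamps must be UTC: {value!r}")
    base = value[:-1].split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_response(xml_text, entity_id, sso_url, response_skew, max_auth_age, now):
    """Return a list of problems; an empty list means the Response passes.

    response_skew: Response Skew Time in seconds, widening every time window.
    max_auth_age:  Max Authentication Age in seconds, or None to skip that check.
    """
    problems = []
    skew = timedelta(seconds=response_skew)
    root = ET.fromstring(xml_text)

    # Destination must equal the configured IDP SSO URL. This is an exact,
    # case-sensitive string comparison, not a URL normalisation.
    if root.get("Destination") != sso_url:
        problems.append(f"Destination {root.get('Destination')!r} != IDP SSO URL")

    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        return problems + ["Response carries no Assertion"]

    cond = assertion.find("saml2:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_saml_time(nb) - skew:
            problems.append("Conditions/NotBefore is still in the future")
        if noa and now >= parse_saml_time(noa) + skew:
            problems.append("Conditions/NotOnOrAfter has passed")
        audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
        if entity_id not in audiences:  # the Entity Id must be among the Audiences
            problems.append(f"Audience {audiences} does not include Entity Id {entity_id!r}")

    # Bearer confirmation: addressed to our ACS URL and still fresh.
    for scd in assertion.findall("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS):
        if scd.get("Recipient") != sso_url:
            problems.append("SubjectConfirmationData/Recipient != IDP SSO URL")
        noa = scd.get("NotOnOrAfter")
        if noa and now >= parse_saml_time(noa) + skew:
            problems.append("SubjectConfirmationData/NotOnOrAfter has passed")

    # Max Authentication Age: reject assertions that merely reuse an old IdP
    # login session instead of re-authenticating the user.
    if max_auth_age is not None:
        for stmt in assertion.findall("saml2:AuthnStatement", NS):
            age = now - parse_saml_time(stmt.get("AuthnInstant"))
            if age > timedelta(seconds=max_auth_age):
                problems.append(f"AuthnInstant is {int(age.total_seconds())}s old, limit {max_auth_age}s")
    return problems


if __name__ == "__main__":
    now, late = utc(2024, 5, 1, 10, 0, 30), utc(2024, 5, 1, 10, 5, 30)
    print("fresh, 60s skew, 2h max age:", validate_response(SAMPLE_RESPONSE, SP_ENTITY_ID, SP_SSO_URL, 60, 7200, now))
    print("fresh, 30 min max age:", validate_response(SAMPLE_RESPONSE, SP_ENTITY_ID, SP_SSO_URL, 60, 1800, now))
    print("30s after expiry, 60s skew:", validate_response(SAMPLE_RESPONSE, SP_ENTITY_ID, SP_SSO_URL, 60, 7200, late))
    print("30s after expiry, no skew:", validate_response(SAMPLE_RESPONSE, SP_ENTITY_ID, SP_SSO_URL, 0, 7200, late))
```

The four calls in the `__main__` block show the two knobs in isolation: the same Response is accepted with a 2 h Max Authentication Age and rejected with 30 min, because the user's login (09:00) predates the assertion (10:00) by an hour; and a Response checked 30 s after its NotOnOrAfter is accepted with a 60 s skew but rejected with none. Changing a single character of case in either URL constant makes the Destination and Recipient checks fail.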
Advanced Tab
You can sign or encrypt SAML requests and responses for additional security. The Advanced tab provides the configuration fields for signing and encrypting SAML requests and responses. The keys used come from the keystore named in Keystore Provider, selected by alias. You must provide a valid public key or certificate to the IdP so that it can verify the requests the service provider signs; the private key itself stays in the keystore. For more information about keystores, see Keystores.
Property | Description
---|---
Keystore Provider (Required) | The name of a Keystore Provider shared resource.
Sign Authentication Request (Optional) | If you select this checkbox, authentication requests sent by the service provider are signed. You must provide a valid public key or certificate to the IdP so that it can verify the signed requests.
Sign Logout Request (Optional) | Select the checkbox to sign logout requests.
Sign Logout Response (Optional) | If you select this checkbox, the IdP must sign the logout response before returning it to the service provider.
Sign Assertions (Optional) | Select the checkbox to sign SAML assertions.
Sign Metadata (Optional) | Select the checkbox to sign SAML metadata.
Encrypt Assertion (Optional) | Select the checkbox to encrypt SAML assertions.
Key Alias to Encrypt and Key Alias Password (Optional) | Name of the key alias used for encryption and the password for that alias.
Key Alias to Sign and Key Alias Password (Optional) | Name of the key alias used for signing and the password for that alias.
Default Key Alias and Key Alias Password (Required) | Name of the default key alias and the password for that alias. It is the alias used when no dedicated signing or encryption alias is configured.
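As an added example of preparing the keystore material the Advanced tab refers to (not TIBCO tooling), the POSIX shell script below generates a service-provider signing key pair with OpenSSL, stores it in a keystore under an alias suitable for Key Alias to Sign, exports the certificate that is handed to the IdP, and checks that the exported certificate really matches the key in the keystore before you upload it. It assumes the Keystore Provider accepts a PKCS#12 keystore, and the alias sp-sign, the password changeit and the subject name are placeholders.

```shell
#!/bin/sh
# Added example (not TIBCO tooling): prepare the SP signing key pair for the
# Advanced tab's "Key Alias to Sign" and the certificate to give the IdP.
# Assumes the Keystore Provider accepts PKCS#12; if it needs JKS instead:
#   keytool -importkeystore -srckeystore sp-keystore.p12 -srcstoretype PKCS12 \
#           -destkeystore sp-keystore.jks -deststoretype JKS
set -eu

# make_sp_keystore DIR ALIAS PASSWORD
# Creates DIR/sp-keystore.p12 holding one RSA-2048 key under ALIAS, plus
# DIR/ALIAS.crt, the self-signed certificate to upload to the IdP.
make_sp_keystore() {
    dir=$1 alias=$2 pass=$3
    mkdir -p "$dir"
    # Hypothetical subject; use the real SP host name in practice.
    openssl req -x509 -newkey rsa:2048 -nodes -days 730 -sha256 \
        -subj "/CN=sp.example.com/O=Example SP" \
        -keyout "$dir/$alias.key" -out "$dir/$alias.crt" 2>/dev/null
    openssl pkcs12 -export -name "$alias" \
        -inkey "$dir/$alias.key" -in "$dir/$alias.crt" \
        -out "$dir/sp-keystore.p12" -passout "pass:$pass"
    # The keystore is now the only copy of the private key.
    rm -f "$dir/$alias.key"
}

# keystore_aliases KEYSTORE PASSWORD -> prints the friendlyName of each entry
keystore_aliases() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | sed -n 's/^ *friendlyName: //p'
}

# cert_pubkey_fp CERT -> SHA-256 of the certificate's public key (PEM form)
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# keystore_pubkey_fp KEYSTORE PASSWORD -> SHA-256 of the public key derived
# from the private key stored in the keystore
keystore_pubkey_fp() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout | openssl sha256 | awk '{print $NF}'
}

# cert_matches_keystore CERT KEYSTORE PASSWORD -> succeeds only when the
# certificate you give the IdP corresponds to the signing key the SP holds
cert_matches_keystore() {
    [ "$(cert_pubkey_fp "$1")" = "$(keystore_pubkey_fp "$2" "$3")" ]
}

if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_sp_keystore "$work" sp-sign changeit
    echo "aliases in sp-keystore.p12: $(keystore_aliases "$work/sp-keystore.p12" changeit)"
    cert_matches_keystore "$work/sp-sign.crt" "$work/sp-keystore.p12" changeit \
        && echo "sp-sign.crt matches the key in sp-keystore.p12 (safe to upload to the IdP)"
fi
```

Run it as `sh make-sp-keystore.sh demo`. A separate alias for Key Alias to Encrypt is created the same way with a second key pair; the Default Key Alias and the alias passwords entered on the Advanced tab must match the names and password used here. Comparing public-key fingerprints rather than file names catches the common mistake of uploading a certificate from an earlier key generation, which the IdP would accept while every signed request from the SP fails verification.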
When configuring SAML SSO, the Authentication Successful URL in the SAML SSO Web Profile Authentication Resource Template and the ACS URL in the SSO configuration of Google must be in lowercase.