SAML SSO Web Profile Authentication
The SAML SSO Web Profile Authentication resource template provides configuration fields for SAML SSO Web Profile Authentication.
Field | Description |
---|---|
Entity Id (Required) | Unique identifier for the service provider. This must be the same value that is configured in the IdP. Example: |
Authentication Successful URL (Required) | URL of the landing page shown after successful authentication. Example: |
IDP Metadata Source (Required) | SAML metadata describes the service provider or the identity provider. Select one of the options (IDP String Metadata or IDP HTTP Metadata URL); the IDP Metadata URL field below is interpreted according to the option selected. |
IDP Metadata URL (Required) | Location of the IdP metadata source file (if the IDP String Metadata option is selected) or the HTTP URL of the IdP metadata (if the IDP HTTP Metadata URL option is selected). Example: Google: AD FS: |
IDP Login URL (Required) | URL used to initiate SAML login. Example: |
IDP Logout URL (Required) | URL used to initiate SAML logout. Example: |
IDP SSO URL (Required) | URL to which the IdP posts SAML assertions back. Example: |
IDP Single Logout URL (Required) | URL to which the IdP sends the logout response back. Example: |
Logout Successful URL (Required) | URL of the landing page shown after successful logout. Example: |
Authentication Failure URL (Required) | URL of the landing page shown after an authentication failure. Example: |
Response Skew Time (seconds) (Required) | Duration for which a response from the IdP is accepted as valid; clock differences between the IdP and the service provider are tolerated up to this value. Example: 60 seconds |
Unauthorize Redirect Requests (Optional) | For TIBCO ActiveMatrix BPM applications, this check box must be selected. Default: unchecked (for SOA applications). |
Max Authentication Age (seconds) (Optional) | Configure this field to ensure that the existing SAML assertion returned by the IdP is not older than the specified value; older assertions are rejected even if their validity window has not expired. Default: 7200 seconds |
Local Logout (Optional) | Select the check box if you are using Google as the IdP. |
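The three time and identity fields above (Entity Id, Response Skew Time, Max Authentication Age) each correspond to a check the service provider applies to the assertion it receives. The following is an added example, not code from the TIBCO product or from this page: it applies those checks to a constructed SAML 2.0 assertion using only the standard library. The hostnames, IDs and timestamps in the sample are made up; signature verification and decryption (the Advanced tab) are separate steps and are not shown.

```python
# Added example, not code from the TIBCO page: it applies the time windows that the
# "Response Skew Time" and "Max Authentication Age" fields control, plus the
# Entity Id audience check, to a constructed SAML 2.0 assertion. Signature and
# encryption handling (the Advanced tab) are separate steps and are not shown.
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: hostnames, IDs and timestamps are made up for this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T11:59:30Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/bpm</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T10:30:00Z" SessionIndex="_constructed-session"/>
</saml:Assertion>"""


def parse_instant(value: str) -> datetime:
    """Parse a SAML xs:dateTime such as 2024-01-01T12:00:00Z into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def check_assertion(xml_text: str, entity_id: str, now: datetime,
                    response_skew: int = 60, max_authn_age: int = 7200) -> list:
    """Return the list of reasons the assertion must be rejected (empty = accepted).

    response_skew  corresponds to "Response Skew Time (seconds)"
    max_authn_age  corresponds to "Max Authentication Age (seconds)" (default 7200)
    entity_id      corresponds to "Entity Id" and must appear as an Audience
    """
    root = ET.fromstring(xml_text)
    skew = timedelta(seconds=response_skew)
    problems = []

    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        problems.append("missing Conditions")
    else:
        # Validity window, widened by the configured skew on both ends
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now + skew < parse_instant(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
            problems.append("assertion expired")
        audiences = [a.text for a in conditions.findall(
            "saml:AudienceRestriction/saml:Audience", SAML_NS)]
        if entity_id not in audiences:
            problems.append("audience does not match Entity Id")

    authn = root.find("saml:AuthnStatement", SAML_NS)
    if authn is None or not authn.get("AuthnInstant"):
        problems.append("missing AuthnStatement")
    else:
        # A still-valid assertion may carry a login that is too old to reuse
        age = now - parse_instant(authn.get("AuthnInstant"))
        if age > timedelta(seconds=max_authn_age):
            problems.append("authentication too old")
    return problems


if __name__ == "__main__":
    now = parse_instant("2024-01-01T12:00:10Z")
    print(check_assertion(SAMPLE_ASSERTION, "https://sp.example.test/bpm", now))  # []
```

Note that the two windows are independent: with the sample timestamps, a check at 12:31:00 fails both the NotOnOrAfter condition and the 7200-second authentication age, while lowering Max Authentication Age to 1800 seconds rejects an assertion that is otherwise inside its validity window. The skew is applied symmetrically, so a Response Skew Time of 0 rejects an assertion whose NotBefore lies a few seconds in the future.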
Advanced Tab
You can sign or encrypt SAML requests and responses for additional security. The Advanced tab provides the configuration fields for signing and encrypting SAML requests and responses. You must provide a valid public key or certificate to the IdP so that it can verify signed requests. For more information about keystores, see Keystores.
Field | Description |
---|---|
Keystore Provider (Required) | The name of a Keystore Provider resource. |
Sign Authentication Request (Optional) | If you select this check box, the authentication request sent by the service provider is signed. You must provide a valid public key or certificate to the IdP so that it can verify signed requests. |
Sign Logout Request (Optional) | Select the check box to sign the logout request. |
Sign Logout Response (Optional) | If you select this check box, the IdP must sign the logout response before returning it to the service provider. |
Sign Assertions (Optional) | Select the check box to sign SAML assertions. |
Sign Metadata (Optional) | Select the check box to sign SAML metadata. |
Encrypt Assertion (Optional) | Select the check box to encrypt the SAML assertion. |
Key Alias to Encrypt and Key Alias Password (Optional) | Name of the key alias used for encryption, and the password for that alias. |
Key Alias to Sign and Key Alias Password (Optional) | Name of the key alias used for signing, and the password for that alias. |
Default Key Alias and Key Alias Password (Required) | Name of the default key alias, and the password for that alias. |
Use Load Balancer | Select the check box if the application is accessed through a load balancer. |
Entity Base URL | The URL to which the IdP sends, and from which it receives, SAML requests and responses. |
Scheme (http/https) | Name of the scheme (http or https). |
Server Name | Name of the server. |
Server Port | Port number of the server. |
Include Server Port in Request URL | Select the check box to include the server port number in the URL. |
Context Path | The prefix of a URL path that is used to select the context to which an incoming request is passed. For example, the path is displayed as |
Copying ADFS Encryption Certificate to Application Docker Image
If you want to use OpenID or SAML SSO with ADFS, the application's cacert must contain the ADFS encryption certificate so that the application can authenticate against ADFS.
Procedure
- Copy the default cacert from the container to the host machine.
- Import the ADFS encryption certificates into cacert by using KeyStore Explorer or any other tool.
- Save the certificate in the certs folder inside the application folder that you pass to the --app_location argument when building the Docker image.
- Create an application Docker image.
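The procedure above, carried out from a shell with docker cp and keytool instead of KeyStore Explorer, as an added example that is not a script from the TIBCO page or product. The container name, the cacerts path inside the image, the certificate file name, the alias and the keystore password "changeit" (the stock Java default) are assumptions; set the corresponding environment variables to match your image. The final function refuses to proceed if the alias is missing, so a build never picks up a cacert without the ADFS certificate.

```shell
#!/bin/sh
# Added example, not a script from the TIBCO page: the "Copying ADFS Encryption
# Certificate" procedure done with docker cp and keytool. All values below are
# assumptions to be overridden via the environment.
set -eu

CONTAINER="${CONTAINER:-bpm-app}"                               # assumed container name
CACERTS_IN_CONTAINER="${CACERTS_IN_CONTAINER:-/opt/java/lib/security/cacerts}"  # assumed path
ADFS_CERT="${ADFS_CERT:-adfs-encryption.cer}"                  # cert exported from ADFS
STOREPASS="${STOREPASS:-changeit}"                              # stock Java cacerts password
ALIAS="${ALIAS:-adfs-encryption}"                               # alias to store it under

# Path of the certs folder that the Docker build reads from --app_location
certs_dir() {
  printf '%s/certs\n' "$1"
}

# Step 1: copy the default cacert out of the container into <app_location>/certs
copy_cacerts() {
  app="$1"
  mkdir -p "$(certs_dir "$app")"
  docker cp "$CONTAINER:$CACERTS_IN_CONTAINER" "$(certs_dir "$app")/cacerts"
}

# Step 2: import the ADFS encryption certificate into that copy
import_adfs_cert() {
  app="$1"
  keytool -importcert -noprompt -trustcacerts -alias "$ALIAS" -file "$ADFS_CERT" \
    -keystore "$(certs_dir "$app")/cacerts" -storepass "$STOREPASS"
}

# Step 3 check: fail before the image build if the alias is not present
verify_alias() {
  app="$1"
  keytool -list -alias "$ALIAS" -keystore "$(certs_dir "$app")/cacerts" \
    -storepass "$STOREPASS" >/dev/null
}

# Usage, run before "docker build" with --app_location "$APP":
#   APP=./myapp; copy_cacerts "$APP" && import_adfs_cert "$APP" && verify_alias "$APP"
```

Before importing, compare the certificate's fingerprint with the one published by the ADFS administrator; keytool's -noprompt suppresses the interactive trust question, so that comparison is the only point at which the file's origin is checked.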