Using ActiveMatrix Administrator to Create a SAML Web Profile Shared Resource
ActiveMatrix Administrator can be used to create a shared resource for SAML Web Profile authentication.
- From ActiveMatrix Administrator, select Shared Objects > Resource Templates.
- In the Type field, select "SAML SSO Web Profile Authentication".
- In the Scope section, select the Environment option, then choose "BPMEnvironment".
- In the Scope section, select the Application option, then choose "amx.bpm.app".
- Click New.
- Complete the Add Resource Template dialog, using the field descriptions below:
Field / Option | Description |
---|---|
Name | This must be "amx.bpm.auth.samlweb". |
Type | This is "SAML SSO Web Profile Authentication" for this type of shared resource. |
Description (optional) | A description for the SAML Web Profile shared resource. |
Entity Id | A unique ID that identifies the service provider and application that has been registered with an IdP.
This must match the ID that was configured at the IdP. |
Authentication Successful URL | The URL to which the user is redirected after being authenticated by the IdP. This must be:
http://host:port/openspace/sso/bpmssoapp.html where host is the DNS name or IP address of the server that hosts the ActiveMatrix BPM runtime, and port is the port used by the application. Although the Authentication Successful URL is used for all ActiveMatrix BPM applications, the response from the IdP is routed to the appropriate ActiveMatrix BPM application based on an interceptor script (bpm-sso-interceptor.min.js) that is included in the application that submitted the request to the IdP (for more information about the interceptor script, see Using SAML Web Profile Authentication with Custom Applications). |
IDP Metadata Source | Specifies the source of the metadata file from the IdP. The selections are: |
IDP Metadata URL | This field appears only if "IDP Http Meta data URL" is selected in the
IDP Metadata Source field.
This specifies the URL to the IdP metadata file. |
IDP Login URL | This is not currently used. |
IDP Logout URL | This is not currently used. |
IDP SSO URL | This is not currently used. |
IDP Single Logout URL | This is not currently used. |
Logout Successful URL | This is a "fallback" URL to which the user may be redirected upon logout. Normally, the user is redirected to the login page of the application to which they were logged in. This URL is used only if the login page to which the user would normally be redirected is not available.
Default: /loggedOut |
Authentication Failure URL | This is not currently used. |
Response Skew Time (seconds) | If the clocks of the IdP and the ActiveMatrix BPM server are not in sync, the authentication request may fail, as the response from the IdP may be outside the valid time period allowed.
This property specifies the maximum difference allowed between the clocks of the IdP and the ActiveMatrix BPM server. Default: 300 |
Unauthorized Redirect Requests (optional) | Specifies whether it is the responsibility of the application to handle unauthorized redirect requests.
Select this option if the application will handle unauthorized requests and will forward them to the appropriate location. ActiveMatrix BPM handles unauthorized requests, therefore, for ActiveMatrix BPM applications, this option must be selected. Default: true |
Local Logout (optional) | This option controls the type of logout that occurs when a user logs out of an ActiveMatrix BPM application:
Default: true |