To add a new SAML authenticator for Single Sign On with your Identity Provider, go to the Authenticator page, and click Add New.
This is a unique identifier for this connection. Because of legacy, this needs to be the same value as the Host field.
Descriptive text about this Authenticator.
Login Page Text:
If Remote Initiated is disabled, SSO users will be able to authenticate via the platform's login page. This field customizes the text displayed next to the SSO login link.
When checked, this Authenticator is not in use. When disabling that option for the first time, immediately go to the Users area to ensure all users have the correct authentication method assigned to their account. By default, all users will be enabled as SSO users.
Select this checkbox if the SSO is to be only initiated from a specified location (e.g. as a link on their intranet). When enabled, the SSO login option will not be displayed on the platform's login page.
The Remote Url is the URL of the IdP that the user will be redirected to when using SP initiation, or if the Remote Initiated is checked. It will be prepended to any links when sending an email to a user who is using SAML authentication. The exact value will vary depending on the client's IdP setup. The link in the platform then gets appended to this, and should redirect the user to the client's IdP first to be authenticated before being redirected to the it.
Group Value(s) Mapping:
If Group Name values are provided in the assertion and match exactly the Group Name values available in IntelligenceBank, these Groups can be automatically assigned to the user. Supported assertion parameters are "group" or "member-of".
Only Map Group Value(s) on User Creation:
If Group Value(s) Mapping is enabled, you can chose for the feature to only apply when a user is initially automatically created as part of the assertion. This requires Auto User Creation on SSO setting to be enabled under Admin > Settings.
Group Value(s) Mapping Type:
This option defines the behavior of the mapping as per the below.
On initial user creation, if there is a Template user in the system, the Groups from the assertion follow are either MERGED with the Template User Groups or REPLACE the Template User Groups.
If there is no Template user enabled in the system, the Groups are assigned to the user in both scenarios where Merge or Append is enabled.
If no values are matched, then the user will not be created.
On Updates/Subsequent Assertions:
REPLACE - Group values in the assertion replace any existing groups values available against the user account at the time of assertion.
This does not apply if there are no Groups listed in the assertion OR if zero of the Group name values from the assertion can be matched with, as in this case the current Group values are kept (the User should not have 0 group).
MERGE - Group values are appended to/ merged with any existing groups available for the existing user at the time of the assertion.
This is the URL of the idP that will be sending the SAML assertion. Because of legacy this value also needs to be used as the Name field.
This is a text identifier for IntelligenceBank. Usually it is IB or IntelligenceBank, but there is no definitive value. The important thing is that it is the same on both the Authenticator and on the client's IdP configuration (where it might be called the Audience or SP).
If the IdP requires an authentication request, then set this to 'true'. This will then be added to the remote URL when accessing from the Login page.
Turn Base64Attributes on if this is set at the IdP end. This is usually not required.
This is the value of the client's IdP certificate that is used to ensure the received information is from the correct source. Do NOT include ——BEGIN CERTIFICATE—— at the start and ——END CERTIFICATE—— at the end of the certificate data.
Option field which the IdP may require.
This should be set to your organization's name.
This should be set to your organization's name.
Whether to sign authentication requests sent from this Service Provider / IntelligenceBank. If set, the AuthnRequestsSigned attribute of the SPSSODescriptor element in SAML 2.0 metadata will contain its value. Note that this option also exists in the IdP-remote metadata, and any value in the IdP-remote metadata overrides the one configured in the Service Provider configuration.
Set this field to where the SSO user should be sent to on logout.
SERVICE PROVIDER METADATA
The Service Provider Metadata simply facilitates the setup process by indicating:
- The entityID (it is just an ID - most places would use a URL, but it doesn't have to be. For 99.99%, we just use the letters IB - it is set as the Service Provider field value in the Authenticator) that we use on our end. This needs to match with the value set in the Identity Provider.
- The data / format we expect for the name ID (i.e. attributes or claims that are required in the assertion - at minimum, it has to be an email address - you can however can still chose to pass on additional parameters. In the metadata, we only provide the minimum required field).
- The assertion consumer endpoint aka Location (IntelligenceBank platform URL with /auth at the end). This also needs to match with the value set in the Identity Provider.
The SP metadata is typically an XML file format that can be uploaded directly into iDP to facilitate the configuration.
Below is an example of what is in the IntelligenceBank metadata file. The items in blue are the only items that need to be changed from a client to another - it can easily be created manually using a text editor or a free software like TextWrangler, and saving the file with a .xml extension.
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
SUPPORTED ASSERTION PARAMETERS
The following IntelligenceBank User Account fields can be mapped automatically by providing the corresponding parameters in the assertion.
Supported Parameter In Assertion
'External-ID', 'userid', 'employeeid'
Enabling auto-creation / just-in-time provisioning of SAML users
Setting up SAML Single Sign On with OneLogin
Setting up SAML Single Sign On with Azure
If you have any questions or need assistance with setting up SSO in your IntelligenceBank platform, please contact your Customer Success Manager or submit a request via the Helpdesk.
Please sign in to leave a comment.