Identity as a Service includes a number of cloud applications that you can integrate with Identity as a Service for two-factor authentication. If you want to protect a cloud service that is not preconfigured in Identity as a Service, you can integrate it as a generic SAML service provider application.
Note: This section describes how to add a generic SAML application. See SAML Integration Guides for a list of available pre-configured integrations.
Before you begin, identify the Assertion Consumer Service URL, Service Provider Entity ID, SAML NameID Attribute, and other required or optional SAML Attribute values needed to complete this procedure. If you have a metadata XML file that includes this information, you can upload the file to auto-populate these fields.

Step A: Configure the General settings
1. Click the menu icon > Security > Applications. The Applications List page appears.
2. Click Add. The Select an Application Template page appears.
3. Do one of the following:
● Select SAML Cloud Integrations from the search drop-down list and scroll to find the application you want to add to IDaaS.
- or -
● In the Search bar, enter a search option to filter for the application you want to add to IDaaS.
4. Click Generic SAML Application. The Add Generic SAML General page appears.
5. Configure the App Settings.
a. Enter a Name for the application.
b. Enter a Description.
6. Configure the SAML Settings.
a. If you have a metadata file from your Service Provider, use the Upload Metadata XML file option to auto-populate the following fields, if available in the file:
– Default Assertion Consumer Service URL
– Alternative Assertion Consumer URLs
– Service Provider Entity ID (Issuer)
– Single Logout Service URL
– SAML Signing Certificate
– SAML NameID Encoding Format
– SAML Signature Algorithm
To import the metadata file:
i) Click the upload icon and browse to select the file. The Metadata Configuration dialog box appears.
ii) If required, click Merge with existing values to merge new values with existing values for Alternative Assertion Consumer Service URLs and SAML attribute names.
iii) Click Save.
b. If you do not have a metadata file, enter the following:
i) Enter the Default Assertion Consumer Service URL for the SAML application.
ii) Enter the Service Provider Entity ID (Issuer) that is used by Identity as a Service to identify the SAML service provider.
iii) If your SAML service provider supports SAML logout, set the Single Logout Service URL to the value supplied by your SAML service provider. Otherwise, leave it blank.
c. Enter the SAML Max Authentication Age (seconds), the maximum time that may elapse since the user's last authentication before a new login attempt requires the user to reauthenticate. This applies to both SP-initiated and IdP-initiated login. Set this field to -1 to disable this feature.
d. From the SAML NameID Attribute drop-down list, select the user attribute that will be used to uniquely identify a user to both Identity as a Service and your SAML application. Choose an attribute whose value never changes for a user; attributes such as email address or display name can change and would then break the user mapping at the service provider.
e. Select the SAML NameID Encoding Format from the drop-down list.
Options include:
– KERBEROS
– WINDOWS_DOMAIN_QUALIFIED_NAME
f. From the SAML Signing Certificate drop-down list, do one of the following:
– Select an existing certificate from the drop-down list.
-OR-
– Click Create Certificate to create a new signing certificate.
Attention: If you are replacing the SAML Signing Certificate of an existing SAML application, you must update it both here and at the SAML service provider, and the two updates must be made at the same time. As soon as one side is changed, the other side rejects the signatures until it is updated too, so any SAML authentication during that window fails. Plan the rotation for a maintenance window and confirm the new certificate's fingerprint at the service provider before cutting over.
7. Add SAML Attributes.
a. Under SAML Attributes, click Add. The SAML Attributes dialog box appears.
b. Enter a Name that clearly indicates the purpose of the attribute, including whether its value carries user groups, authenticators, or organizations. For example, if the attribute value contains user groups, the name could be User Groups.
c. From the drop-down list, select the Name Format for the attribute.
d. Click Add next to Value(s).
Note: You can further filter and parse the attributes by appending the following actions to the value:
.filter(regex filter expression).matcher(regex matcher expression).replace(regex replacement).end()
Attention: This is an advanced setting and requires regex expertise.
Example:
Filter any IDaaS groups that start with AWS-, and return the group names after AWS- and before -xxx:
[Groups].filter(^AWS-(.*)$).matcher(^AWS-(.*)-(.*)$).replace($1).end()
Convert custom userid values of the form domain\userid into userid@domain.com (the backslash separating domain and userid must be escaped in the matcher):
<Custom Userid>.filter().matcher(^(.*)\\(.*)$).replace($2@$1.com).end()
e. In the Values field do the following, as required:
i) Type < and select the user attribute to include every time the user authenticates to the application.
ii) Type [ and select from the following, as required.
● [Authenticators] to include a user's authenticators every time the user authenticates to the application.
● [Group Attributes] to include a user's group attributes every time the user authenticates to the application.
● [Groups] to include a user's groups every time the user authenticates to the application.
● [Organizations] to include a list of the user's organizations every time the user authenticates to the application.
● [Role] to include a list of the user's role every time the user authenticates to the application.
● [Selected Organization] to include the user's selected organization the next time the user authenticates to the application.
● [Unique Group IDs] to include a user's group ids every time the user authenticates to the application.
● [Unique Organization IDs] to include a list of the user's organization ids every time the user authenticates to the application.
● [Unique Role ID] to include the user's role ID the next time the user authenticates to the application.
● [Unique Selected Organization ID] to include the user's selected organization id the next time the user authenticates to the application.
iii) To add static text, type the text in the Value text box.
f. When you define a value, click the test icon to test it.
g. Optionally, use the Test Regular Expressions section to enter a list of values (one per line) and then click Test to run a test on the expression.
h. Repeat these steps to add additional SAML attributes.
i. Click Add.
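The following is an added example, not IDaaS code, that reimplements the documented .filter(...).matcher(...).replace(...).end() pipeline so you can dry-run an attribute expression against sample values before putting it in the UI. It assumes that an empty filter() keeps every value and that a value which passes the filter but does not match the matcher is dropped; the page does not say what IDaaS does in that case. The group and user names are constructed. IDaaS is a Java product, so stick to regex syntax that Java and Python share when you copy an expression from here into the product.

```python
import re

# Added example: a small reimplementation of the value pipeline documented above,
#   <source>.filter(F).matcher(M).replace(R).end()
# It is not IDaaS code. Assumptions not stated on the page: an empty filter() keeps
# every value, and a value that passes the filter but does not match the matcher is
# dropped.


def parse_pipeline(expr):
    """Split '<source>.filter(F).matcher(M).replace(R).end()' into its four parts.

    Splitting is done on the literal delimiters ').matcher(' and ').replace('
    rather than by balancing parentheses, because F and M are regexes that
    contain parentheses of their own.
    """
    tail = ").end()"
    if not expr.endswith(tail):
        raise ValueError("pipeline must end with .end()")
    body = expr[: -len(tail)]
    source, sep, rest = body.partition(".filter(")
    if not sep:
        raise ValueError("pipeline must contain .filter(")
    filter_re, _, rest = rest.partition(").matcher(")
    matcher_re, _, replacement = rest.partition(").replace(")
    return source, filter_re, matcher_re, replacement


def transform_values(values, filter_re="", matcher_re="", replacement=""):
    """Apply filter -> matcher -> replace to each value and return the survivors."""
    keep = re.compile(filter_re) if filter_re else None
    match = re.compile(matcher_re) if matcher_re else None
    # IDaaS writes capture references as $1, $2 ...; Python's expand() wants \g<1>.
    py_template = re.sub(r"\$(\d+)", r"\\g<\1>", replacement)
    out = []
    for value in values:
        if keep is not None and keep.search(value) is None:
            continue                      # filtered out
        if match is None:
            out.append(value)             # no matcher: pass through unchanged
            continue
        m = match.search(value)
        if m is None:
            continue                      # assumption: non-matching values are dropped
        out.append(m.expand(py_template))
    return out


def apply_pipeline(expr, values):
    """Parse an expression in the page's syntax and run it over a list of values."""
    _source, filter_re, matcher_re, replacement = parse_pipeline(expr)
    return transform_values(values, filter_re, matcher_re, replacement)


# Constructed sample data; the group and user names are made up.
SAMPLE_GROUPS = ["AWS-Admins-prod", "AWS-ReadOnly-dev", "Finance", "AWS-Billing"]
SAMPLE_USERIDS = ["corp\\jdoe", "EU\\asmith"]
GROUP_RULE = "[Groups].filter(^AWS-(.*)$).matcher(^AWS-(.*)-(.*)$).replace($1).end()"
USERID_RULE = r"<Custom Userid>.filter().matcher(^(.*)\\(.*)$).replace($2@$1.com).end()"

if __name__ == "__main__":
    print(apply_pipeline(GROUP_RULE, SAMPLE_GROUPS))     # ['Admins', 'ReadOnly']
    print(apply_pipeline(USERID_RULE, SAMPLE_USERIDS))   # ['jdoe@corp.com', 'asmith@EU.com']
```

Note that "AWS-Billing" passes the filter but has no second hyphen, so the matcher fails and the value disappears from the assertion; when you test an expression in the UI, include such near-miss values in the Test Regular Expressions list so you see which groups would be silently lost.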
8. Click Show Advanced Settings to configure the advanced settings.
If required, configure the following Advanced Settings.
a. Select Enable Organizations and Domain-Based Identity Providers to allow organization information to be returned in SAML attribute values when users log in. When enabled, if users are associated with one or more organizations and one has not yet been requested, users can select their organizations after they authenticate to their application.
Note: When organizations are enabled, the corresponding SAML attributes must also be configured.
b. From the SAML Signature Algorithm drop-down list, select the type of signing algorithm you want Identity as a Service to use to sign the SAML response/assertion. The type of algorithm you select depends on the requirements of the application being configured.
c. Enter the SAML Session Timeout (minutes), the time after which the SAML assertion expires. The maximum is 720 minutes.
d. Optional. Enter the SAML Username Parameter Name, the request parameter that carries the user ID to be authenticated.
The user ID can then be passed as a parameter, for example, Username=jdoe. Alternatively, if the SAML Username Parameter Name is NameID, the NameID element value in the SAML request XML is used to identify the IDaaS user ID.
e. Optional: Select Sign complete SAML response to ensure the message integrity of the SAML response sent to the application during authentication.
f. Optional: Select Encrypt SAML Assertion. When selected, the SAML assertion is also encrypted. If you select this option, do the following:
i) Click the upload icon and browse to upload the encryption certificate file (the service provider's public encryption certificate).
ii) From the Encryption Method for Key drop-down list, select either RSA Version 1.5 or RSA-OAEP. RSA Version 1.5 is the default, but prefer RSA-OAEP unless the service provider cannot accept it: RSA PKCS#1 v1.5 key transport is vulnerable to padding-oracle (Bleichenbacher-style) attacks, and XML Encryption 1.1 recommends against it.
iii) From the Encryption Method for Data drop-down list, select the encryption method used to encrypt data. The options are:
– AES-256 (default)
– AES-128
– AES-192
– Triple DES (legacy; use only if the service provider requires it)
Note: The Subject Domain Name and Certificate Expiry Date values are populated from the certificate once the Encryption Certificate is uploaded.
g. Optional. Select Override SAML Audience to override the audience value that Identity as a Service places in the assertion (by default, the SAML application's issuer value). If you select this option, complete the following:
i) Select or deselect SAML Audience supplied in request; this determines how the Audience value is interpreted:
– If selected, set Audience to the required prefix of the audience value supplied in the SAML authentication request. If the supplied value starts with that prefix, the supplied value is used.
– If deselected, set Audience to the fixed override value to use.
Note: When selecting the Override SAML Audience option, consider the following:
- Set the Audience value to a different value only if the SAML service provider requires it.
- Allow the client to supply the audience only if the client is trusted. If a client can choose the audience value, one SAML application may obtain an assertion whose audience names another SAML application and use it to gain access to that application. Keep the prefix as specific as possible (including any trailing separator) so that only audiences belonging to this service provider can match it.
h. Optional. Add Alternative Assertion Consumer Service URLs, as follows:
i) Click Add.
ii) Enter a Name.
iii) Enter a URL Value.
iv) Select Show in My Profile to display the Alternative Assertion Consumer Service URL on a user's My Profile page.
v) Optional. Add an Application Logo.
vi) Click Add.
vii) Repeat these steps to add more Alternative Assertion Consumer Service URLs.
i. Optional. To add a Relay State, do the following:
i) Under Relay State click Add. The Add Relay State dialog box appears.
ii) Enter a Name for the relay state.
iii) Enter the Value for the relay state. This setting specifies the application or URL that a user is redirected to after successful authentication. For example, https://google.calendar.com.
iv) Select Show in My Profile to display the relay state on the user's My Profile page.
Notes: After you add relay states, you can also enable or disable them on the Add/Edit application page. Click the icon next to the relay state to disable it, or click it again to re-enable it.
Relay states apply to the Default Assertion Consumer Service URL and not to the Alternative Assertion Consumer Service URLs.
v) Optional: Add a Relay State custom logo, as follows:
● Click the icon next to Relay State Logo. The Upload Logo dialog box appears.
● Click the upload icon to select an image file to upload.
● Browse to select your file and click Open. The Upload Logo dialog box reappears showing your selected image.
● If required, resize your image.
● Click OK.
vi) Click Add.
vii) Repeat these steps to add more Relay States.
9. Click Save.
Note: After configuring the General settings, Customization and Resource Rule tabs appear.
10. Proceed to Step B: Configure Customizations.
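The Override SAML Audience note in step 8 warns that a client-chosen audience can let one application obtain an assertion meant for another. The following added example, which is not IDaaS or service-provider code, shows both halves of that control: resolve_audience() applies the documented prefix rule on the identity-provider side, and sp_accepts_assertion() is the check a service provider must run on the AudienceRestriction and validity window so that an assertion minted for application A is useless at application B. The assertion XML, entity IDs and timestamps are constructed, the signature is omitted, and one behaviour is an assumption the page does not state: a requested audience that does not start with the configured prefix is rejected rather than silently replaced.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def resolve_audience(sp_entity_id, override_value=None,
                     supplied_in_request=False, requested=None):
    """IdP side: choose the <Audience> value using the Override SAML Audience rules.

    - Override off: the audience is the service provider's Entity ID.
    - Override on, 'SAML Audience supplied in request' off: a fixed override value.
    - Override on and supplied-in-request on: override_value is a required prefix and
      the request's audience is used only if it starts with that prefix.
    Assumption (not stated on the page): a requested audience outside the prefix is
    rejected, so a hostile client cannot mint an assertion for an unexpected audience.
    """
    if override_value is None:
        return sp_entity_id
    if not supplied_in_request:
        return override_value
    if requested is None or not requested.startswith(override_value):
        raise ValueError(f"requested audience {requested!r} is outside prefix {override_value!r}")
    return requested


def _parse_ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def sp_accepts_assertion(assertion_xml, my_entity_id, now):
    """SP side: accept only if AudienceRestriction names this SP and `now` is inside
    the Conditions window. A real SP verifies the XML signature first; that step is
    omitted here because the sample assertion is unsigned."""
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return False
    audiences = {
        a.text.strip()
        for a in conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)
        if a.text
    }
    if my_entity_id not in audiences:
        return False                      # issued for some other application
    not_before = _parse_ts(conditions.get("NotBefore"))
    not_on_or_after = _parse_ts(conditions.get("NotOnOrAfter"))
    if not_before is not None and now < not_before:
        return False
    if not_on_or_after is not None and now >= not_on_or_after:
        return False                      # expired (NotOnOrAfter is exclusive)
    return True


# Constructed sample assertion for application A; not captured from a real IdP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idaas.example.com/saml/idp</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app-a.example.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

APP_A = "https://app-a.example.com/saml"
APP_B = "https://app-b.example.com/saml"
VALID_TIME = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)
EXPIRED_TIME = datetime(2024, 5, 1, 12, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(sp_accepts_assertion(SAMPLE_ASSERTION, APP_A, VALID_TIME))    # True
    print(sp_accepts_assertion(SAMPLE_ASSERTION, APP_B, VALID_TIME))    # False
    print(sp_accepts_assertion(SAMPLE_ASSERTION, APP_A, EXPIRED_TIME))  # False
```

The prefix match is a plain string prefix, so the trailing separator matters: with the prefix https://app-a.example.com/ a request for https://app-a.example.com.evil.net/ is refused, but with https://app-a.example.com (no slash) it is accepted. Configure the Audience prefix with the separator included.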

Step B: Configure Customizations
1. Click the Customization tab. The Customization page appears.
2. Select Show Default Assertion Consumer URL Service in the My Profile. When selected, the Default Assertion Consumer URL appears in a user's My Profile page in addition to relay states and Alternative Assertion Consumer URLs.
3. Deselect Enable Go Back Button if you do not want users to be able to go back to the application login page to log in.
4. Select Respond Immediately for Unsuccessful Responses to return to the application immediately after a login failure, rather than allowing the user to try again with a different user ID.
5. Optional. Add a custom application logo.
a. Click the icon next to Application Logo. The Upload Logo dialog box appears.
b. Click the upload icon to select an image file to upload.
c. Browse to select your file and click Open. The Upload Logo dialog box displays your selected image.
d. If required, resize your image.
e. Click OK.
6. Select the Authentication Flow that appears to users during login. You must select at least one. For more information on Passkey login, see Manage Passkey/FIDO2 authenticators.
7. Click Save.

Step C: Configure a resource rule
1. Click the Resource Rules tab.
2. Click Add Resource Rule.
3. Follow the instructions in Create and manage resource rules.

Step D: Export the SAML signing certificate
1. Log in to your Identity as a Service administrator account.
2. Click the menu icon > Security > Applications. The Applications List page appears.
3. Under SAML Cloud Integrations, click SAML Signing Certificates. The SAML Signing Certificates page appears.
4. Click the export icon next to the certificate that you want to import into your SAML service provider application. The Export Certificate dialog box appears.
a. Do one of the following. If the certificate is self-signed, only the Certificate option applies; if it was issued by a CA, you can also export the CA certificate or the chain:
– Click Certificate to export only the signing certificate itself. Most service providers need just this, since it is what they use to verify the signature on responses and assertions.
– Click Root CA Certificate to export the CA certificate that issued the signing certificate.
– Click Certificate Chain to export the SAML signing certificate together with its CA certificates.
b. Click Export.

Step E: Set up Identity as a Service as an Identity Provider for your SAML service provider
1. Open your SAML Service Provider application.
2. Copy or import the signing certificate into your application. After importing, confirm that the fingerprint the service provider displays matches the certificate you exported from Identity as a Service, so that you are not trusting a stale or mistaken certificate.
Note: For Service Providers that support it, the metadata file can be uploaded instead of manually filling in all the fields.
3. Complete other required tasks to configure Identity as a Service as an Identity Provider in your custom application.