Integrate a generic SAML application

Configure the General settings

Click > Security > Applications. The Applications List page appears.

Click Add. The Select an Application Template page appears.

Do one of the following:

Select SAML Cloud Integrations from the search drop-down list and scroll to find the application you want to add to IDaaS.

- or -

In the Search bar, enter a search option to filter for the application you want to add to IDaaS.

Click Generic SAML Application. The Add Generic SAML General page appears.

Configure the App Settings.

Enter a Name for the application.

Enter a Description.

Configure the SAML Settings.

If you have a metadata file from your Service Provider, use the Upload Metadata XML file option to auto-populate the following fields, if available in the file:

Default Assertion Consumer Service URL

Alternative Assertion Consumer URLs

Service Provider Entity ID (Issuer)

Single Logout Service URL

SAML Signing Certificate

SAML NameID Encoding Format

SAML Signature Algorithm

To import the Metadata file:

1.  Click and browse to select the file. The Metadata Configuration dialog box appears.
2. If required, click Merge with existing values to merge new values with existing values for Alternative Assertion Consumer Services URLs and SAML attribute names.
3. Click Save.

If you do not have a metadata file, enter the following:

1. Enter the Default Assertion Consumer Service URL for the SAML application.
2. Enter the Service Provider Entity ID (Issuer) that is used by Identity as a Service to identify the SAML service provider.
3. If your SAML service provider supports SAML SP-initiated logout, set the Single Logout Service URL to the value supplied by your SAML service provider. Otherwise, leave it blank.

Note: Identity as a Service performs session logout based on the Authentication Session Lifetime (see Manage General settings). The default value for this setting is 15 minutes. Set this parameter to an appropriate value according to your site security policy. 

Identity as a Service also supports SP-initiated logout (SLO) from a SAML client application. In this case, the SAML application can be configured with a Single Logout URL. When a SAML request is sent, using either the HTTP-Redirect or HTTP-POST SAML binding, Identity as a Service logs out the current user session and the user is redirected to the configured Single Logout URL of the SAML client application using HTTP-POST binding. The binding used in the response is not configurable. 

- SAML SP-initiated logout is not propagated to all other SAML SPs.
- Identity as a Service does not support IDP-initiated SAML logout.

Enter the SAML Max Authentication Age (seconds) to set the maximum amount of time that can elapse before a user is required to reauthenticate during a new login attempt. This applies for both SP-initiated and IDP-initiated login. Set this field to -1 to disable this feature.

From the SAML NameID Attribute drop-down list, select the user attribute that will be used to uniquely identity a user to both Identity as a Service and your SAML application. The attribute should be one that will never change.

Select the SAML NameID Encoding Format from the drop-down list.

Options include:

KERBEROS

PERSISTENT

TRANSIENT

UNSPECIFIED

X509_SUBJECT_NAME

EMAIL

WINDOWS_DOMAIN_QUALIFIED_NAME.

From the SAML Signing Certificate drop-down list, do one of the following:

Select an existing certificate from the drop-down list.

-OR-

Click Create Certificate to create a new signing certificate.

Attention:  If you are updating a previous SAML Signing Certificate for the SAML application, you need to update both here and at the SAML service provider. The certificate update must be made at the same time. Once the change is made to either side, the other side will not be available until it is also updated. Any SAML authentications during this period will result in a failure.

Add SAML Attributes.

Under SAML Attributes, click Add. The SAML Attributes dialog box appears.

Enter a Name that clearly indicates the purpose of the attribute. It should indicate whether the SAML attribute value contains user group, authenticator, or organization. For example, if the attribute value contains user groups the name could be User Groups.

   From the drop-down list, select the Name Format for the attribute. 

Click Add next to Value(s).

Note: You can further filter and parse the attributes by appending the following actions to it:
.filter(regex filter expression).matcher(regex matcher expression).replace(regex replacement).end()

Attention: This is an advanced setting and requires regex expertise.

Example:
Filter any IDaaS groups that start with AWS-, return the group names after AWS- and before -xxx:
[Groups].filter(^AWS-(.*)$).matcher(^AWS-(.*)-(.*)$).replace($1).end()

Convert custom userid values of the form domain\userid into userid@domain.com:
<Custom Userid>.filter().matcher(^(.*)\(.*)$).replace($2@$1.com).end()

In the Values field do the following, as required:

1. Type < and select the user attribute to include every time the user authenticates to the application.
2. Type [ and select from the following, as required:

 [Authenticators] to include a user's authenticators every time the user authenticates to the application.

[Group Attributes] to include a user's group attributes every time the user authenticates to the application.

[Groups] to include a user's groups every time the user authenticates to the application.

[Organizations] to include a list of the user's organizations every time the user authenticates to the application.

[Role] to include a list of the user's role every time the user authenticates to the application.

[Selected Organization] to include the user's selected organization the next time the user authenticates to the application.

[Unique Group IDs] to include a user's group ids every time the user authenticates to the application.

[Unique Organization IDs] to include a list of the user's organization ids every time the user authenticates to the application.

 [Unique Role ID] to include the user's role ID the next time the user authenticates to the application.

 [Unique Selected Organization ID] to include the user's selected organization id the next time the user authenticates to the application.

3. To add static text, type the text in the Value text box.

When you define a value, click to test it.

Optionally, use the Test Regular Expressions section to enter a list of values (one per line) and then click Test to run a test on the expression.

Repeat these steps to add additional SAML attributes.

Repeat these steps to add additional SAML attributes.

Click Add.

Click Show Advanced Settings to configure the advanced settings.

If required, configure the following Advanced Settings.

Select Enable Organizations and Domain-Based Identity Providers to allow organization information to be returned in SAML attribute values when users log in. When enabled, if users are associated with one or more organizations and one has not yet been requested, users can select their organizations after they authenticate to their application.

Note: When organizations are enabled, the corresponding SAML attributes must also be configured.

From the SAML Signature Algorithm drop-down list, select the type of signing algorithm you want Identity as a Service to use to sign the SAML response/assertion. The type of algorithm you select depends on the requirements of the application being configured.

Enter the SAML Session Timeout (minutes) to the time when the SAML Assertion times out. The maximum is 720 minutes.

Optional. Enter the SAML Username Parameter Name used to identify the user ID being requested for authentication.

The user ID can then be passed as a parameter, for example, Username=jdoe. Alternately, if the SAML username is NameID, the SAML Request XML NameID element value is used to the identity the IDaaS userID.

Optional: Select Sign complete SAML response to ensure the message integrity of the SAML response sent to the application during authentication.

Optional: Select Encrypt SAML Assertion. When selected the SAML Assertion is also encrypted. If you select this option, do the following:

1. Click and browse to upload the encryption certificate file.
2. From the Encryption Method for Key drop-down list, select either RSA Version 1.5 or RSA-OAEP. RSA Version 1.5 is the default.
3. From the Encryption Method for Data drop-down list, select the encryption method used to encrypt data. The options are:

AES-256 (default)

AES-128

AES-192

Triple DES

Note: The Subject Domain Name and Certificate Expiry Date values are populated with values from the certificate once the Encryption Certificate is uploaded.

Optional. Select Override SAML Audience to override the SAML application issuer value. If you select this option, complete the following:

1. Select SAML Audience supplied in request to determine the purpose of the following audience value:

If enabled, set the Audience value to the required prefix of the SAML authentication request audience parameter value. If it matches the supplied value, the supplied value is used.

If deselected, set the Audience value to the override value to use.

Note: When selecting the Override SAML Audience option, consider the following:

- Set the Audience value to a different value only if it is required by the SAML Service Provider.
- Configure the SAML application to allow the client to override the audience only if the client is trusted. If the client specifies the audience value, it may allow one SAML application to specify the SAML audience of another SAML application and allow access to the other applications.

Optional. Add Alternative Assertion Consumer Service URLs, as follows:

Click Add.

Enter a Name.

Enter a URL Value.

Select Show in My Profile to display the Alternative Consumer Service URL in a user's My profile page.

Optional. Add an Application Logo.

Click Add.

Repeat these steps to add more Alternative Assertion Consumer Service URLs.

Optional. To add a Relay State, do the following:

Under Relay State click Add. The Add Relay State dialog box appears.

Enter a Name for the relay state.

Enter the Value for the relay state. This setting specifies the application or URL that a user is redirected to after successful authentication. For example, https://google.calendar.com.

Select Show in My Profile to display the relay state on the user's My Profile page.

Notes:  After you add relay states, you can also enable or disable them on the Add/Edit application page. Click next to the relay state to disable it or click   to re-enable it.

Relay states apply to the Default Assertion Consumer Service URLs and not the Alternative Consumer Service URLs.

Optional: Add a Relay State custom logo, as follows:

1. Click next to Relay State Logo. The Upload Logo dialog box appears.
2. Click to select an image file to upload.
3. Browse to select your file and click Open. The Upload Logo dialog box reappears showing your selected image.
4. If required, resize your image.
5. Click OK.
6. Click Add.

Repeat these steps to add more Relay States.

Click Save.

Note: After configuring the General settings, Customization and Resource Rule tabs appear.

Proceed to Step B: Configure Customizations.

Click the Customization tab. The Customization page appears.

Select Show Default Assertion Consumer URL Service in the My Profile. When selected, the Default Assertion Consumer URL appears in a user's My Profile page in addition to relay states and Alternative Assertion Consumer URLs.

Deselect Enable Go Back Button if you do not want users to be able to go back to the application login page to log in.

Select Respond Immediately for Unsuccessful Responses to return to the application immediately after a login failure, rather than allow user to try again with a different userID.

Optional. Add a custom application logo.

Click next to Application Logo. The Upload Logo dialog box appears.

Click  to select an image file to upload.

Browse to select your file and click Open. The Upload Logo dialog box displays your selected image.

If required, resize your image.

Click OK.

Select the Authentication Flow that appears to users during login. You must select at least one. For more information on Passkey login, see Manage Passkey/FIDO2 authenticators.

Click Save.