Air is a tool that is used to manage creative assets. It automates the way teams collect, approve, and share creative content. See https://help.air.inc/en/ for more information.
Note: This guide was tested using Identity as a Service 5.35 and Air 3.0. Other versions of Air may require integration and configuration steps that differ from those documented in this procedure. For newer versions of Air, this integration guide may be used as an initial approach for integrating Air. In the event of other issues, contact support@entrust.com for assistance.
Before you begin, open two browser windows: one for Air and one for IDaaS.
1. Open a Web browser and go to https://help.air.inc/en/articles/7051227-configuring-saml-sso.
2. Scroll to the section, SAML app configuration variables.
3. Copy the following values from the table into a text editor, such as Notepad:
● Assertion Consumer Service (ACS) URL
● Entity ID
4. Scroll to the section, Additional SAML attributes, and copy the following values to the text file:
● The user's first name value:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
● The user's last name value:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
● The user's email value:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Add Air application to Identity as a Service
1. Log into your Identity as a Service administrator account.
2. Click > Security > Applications. The Applications List page appears.
3. Click Add. The Select an Application Template page appears.
4. Do one of the following:
● Select SAML Cloud Integrations from the search drop-down list and scroll to find the application you want to add to IDaaS.
- or -
● In the Search bar, enter a search option to filter for the application you want to add to IDaaS.
5. Click Air. The Add Air page appears.
6. Enter an Application Name.
7. Enter an Application Description.
8. Optional. Add a custom application logo.
a. Click next to Application Logo. The Upload Logo dialog box appears.
b. Click to select an image file to upload.
c. Browse to select your file and click Open. The Upload Logo dialog box reappears showing your selected image.
d. If required, resize your image.
e. Click OK.
9. Select the Authentication Flow that appears to users during login.
10. Click Next. The General page appears.
11. In the Default Assertion Consumer URL field, enter the Assertion Consumer Service (ACS) URL you copied in Step 1: Copy the ACS URL, Entity ID, and SAML attribute values from AIR. It should be:
https://auth.air.inc/saml2/idpresponse
12. In the Service Provider Entity ID (Issuer) field, enter the Entity ID you copied in Step 1: Copy the ACS URL, Entity ID, and SAML attribute values from AIR. It should be:
urn:amazon:cognito:sp:us-east-1_EbSzy11nS
13. Set the SAML Session Timeout to the time after which the SAML Assertion times out. The maximum is 720 minutes.
14. Enter the Max Authentication Age (seconds) to set the maximum amount of time that can elapse before a user is required to reauthenticate during a new login attempt. This applies for both SP-initiated and IDP-initiated login. Set this field to -1 to disable this feature.
15. From the SAML Name ID Attribute drop-down list, select User ID.
16. From the SAML NameID Encoding Format drop-down list, select Unspecified.
17. For SAML Response Signature Algorithm, select the signing algorithm you want Identity as a Service to use to sign the SAML response/assertion. The type of algorithm you select depends on the requirements of the application being configured.
18. Select the SAML Signing Certificate from the drop-down list.
19. Optional: Select Sign complete SAML response to ensure the message integrity of the SAML response sent to the application during authentication.
20. From the SAML Response Signature Algorithm drop-down list, select SHA256.
21. Select Sign Complete SAML Response.
22. Optional: Select Respond Immediately for Unsuccessful Responses to return to the application immediately after a login failure, rather than allowing the user to try again with a different user ID.
23. Deselect Enable Go Back Button if you do not want users to be able to go back to the Air login page to log in.
24. Add SAML Attributes. These are the Additional SAML attributes you copied in Step 1: Copy the ACS URL, Entity ID, and SAML attribute values from AIR.
Note: Confirm that the attributes provided match the ones you copied in Step 1: Copy the ACS URL, Entity ID, and SAML attribute values from AIR.
Add a First Name attribute
a. Under SAML Attributes, click Add. The SAML Attributes dialog box appears.
b. In the Name field enter the user's first name value you copied in Step 1: Copy the ACS URL, Entity ID, and SAML attribute values from AIR.
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
c. In the Values field type < and select <First Name> from the drop-down list.
d. Click Add.
Add a Last Name attribute as follows:
a. Under SAML Attributes, click Add. The SAML Attributes dialog box appears.
b. In the Name field enter the user's last name value you copied in Step 1: Copy the ACS URL, Entity ID, and SAML attribute values from AIR.
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
c. In the Values field type < and select <Last Name> from the drop-down list.
d. Click Add.
Add an Email SAML attribute as follows:
a. Under SAML Attributes, click Add. The SAML Attributes dialog box appears.
b. In the Name field enter:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
c. In the Values field type < and select <Email> from the drop-down list.
d. Click Add.
25. Click Submit.
1. In Identity as a Service, click > Security > Applications. The Applications List page appears.
2. Click next to the Air Inc. application you are integrating with Identity as a Service and select SAML IDP Metadata. The SAML Application Metadata dialog box appears.
3. Select the certificate to include in the SAML IDP Metadata file from the drop-down list.
4. If applicable, select the domain to include in the SAML IDP Metadata file from the drop-down list.
5. Enter the Lifetime, in days, for the SAML IDP Metadata file. The value must be between 2 and 730.
6. Copy the Public Endpoint to paste into Air.
7. Paste the Public Endpoint into a text file, such as Notepad. You need this value in the next step.
1. In a Web browser, go to https://app.air.inc/login?redirect=%2Fhome and log in to your Air account as an administrator.
2. Click Settings & Members.
3. Click Security & Identity.
4. Scroll to SAML metadata URL.
5. In the SAML metadata URL field, paste the Public Endpoint you copied in Step 4: Copy the Public Endpoint from Identity as a Service.
6. Toggle on Enable SAML SSO.
7. Optional. Toggle on Enforce SAML SSO to only allow workspace members with an approved email domain to use SAML SSO to log in.
Testing Service Provider Login
1. Open a Web browser and enter the URL for your Air account.
2. On the login page, click SSO Login. You are redirected to Identity as a Service.
3. Respond to the second-factor authentication challenge. If you respond successfully, you are logged in to Air.
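The following is an added example, not part of the Entrust or Air documentation: a Python check that compares a decoded SAML response, captured during the test login, against the ACS URL, Entity ID, attribute names, and response-level SHA256 signature configured in this guide. The function name `check_response` and the sample response are constructed for illustration, and the sample deliberately omits the email attribute.

```python
import xml.etree.ElementTree as ET

# Values taken from this guide
ACS_URL = "https://auth.air.inc/saml2/idpresponse"
ENTITY_ID = "urn:amazon:cognito:sp:us-east-1_EbSzy11nS"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED = {CLAIMS + n for n in ("givenname", "surname", "emailaddress")}
NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_response(xml_text):
    """List mismatches with the guide's settings (a lint, not signature verification)."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not the Air ACS URL")
    audiences = {(e.text or "").strip() for e in root.findall(".//a:Audience", NS)}
    if ENTITY_ID not in audiences:
        problems.append("Audience does not contain the Air Entity ID")
    names = {e.get("Name") for e in root.findall(".//a:Attribute", NS)}
    problems += ["missing attribute " + n for n in sorted(REQUIRED - names)]
    # "Sign Complete SAML Response" puts a Signature directly under Response
    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        problems.append("Response element is not signed")
    elif not method.get("Algorithm", "").endswith("sha256"):
        problems.append("signature algorithm is not SHA-256 based")
    return problems

# Constructed, truncated sample response: the email attribute is left out
SAMPLE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Destination="{ACS_URL}">
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod
   Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
 <saml:Assertion>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="{CLAIMS}givenname"/>
   <saml:Attribute Name="{CLAIMS}surname"/>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE))
```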