Airlock IAM as SAML service provider (SP)

In order to receive user context data in SAML assertions from a SAML IDP, the Airlock IAM SP must be configured as follows:

SAML SP settings

  1. Basic Settings
  2. Go to:
    Loginapp >> SAML Settings >> SAML SP Settings
  3. In Attributes to Import as Context Data, create the needed SAML Attribute Import to add user context data from the SAML assertion.
  4. Configure User ID, Roles, Audit Token, Language, and Auth Token ID as needed.
  5. IAM will import context data and other attributes from the SAML assertion.
  1. Legacy Settings
  2. To continue to use the legacy method for importing user context data from SAML assertions via an attribute map, use this configuration:

  3. Enable Import SAML Attributes (attributeMap)
  4. IAM will import context data from the SAML assertion

This configures tells the SAML SP facility in the login application so that additional attributes are read from assertions and that they should be added to the authenticated user's context data container.

Extended SAML metadata configuration

This configuration is only required for context data import with the Legacy Settings.

It is strongly recommended to use the Basic Settings.

The attributes to be read from assertions must be listed in the extended SAML metadata of the service provider (e.g. sp-extended.xml) as in the example below.

Where can I find the SP's extended metadata file?

The extended SP metadata file is specified in the global SAML SP settings' entity configuration.

81028185.png

Open the file and add the context data attributes to the attributeSet tag as in the following example. The syntax is  <Assertion Attribute Name>=<Context Data Name or special identifier>

sp.extended.xml

    ...
    <Attribute name="attributeMap">
           <Value>GIVENNAME=givenname</Value>
           <Value>SURNAME=surname</Value>
           <Value>USERNAME=USER_ID</Value>
           <Value>ROLES=GRANTED_ROLES</Value>
    </Attribute>
    ...

In the above example, the attributes GIVENNAME and SURNAME are read from the SAML assertion received from the IDP and are stored in the authenticated user's context data container in the attributes givenname and surname.

If the username or the roles shall be taken from the attributes, the special identifiers USER_ID and GRANTED_ROLES need to be configured as above (the left-hand side must match the name of the attribute in the assertion).
In addition, this feature must be enabled in the Saml Sp Config:

81028186.png