This article explains how to configure the SAML IDP.
It requires the SAML directory and the key store information as explained in Prerequisites to setup IAM as SAML IDP.
The IDP configuration consists of the following parts:
Part | Purpose |
---|---|
Key store files | The key store and password files are used to securely store the key pairs used by the IDP to sign and encrypt SAML messages. |
Metadata file | The SAML metadata file contains information about the IDP in a standardized XML format. It is made available to the service providers. |
Extended metadata file | The extended SAML metadata file contains additional information in an XML file. It is not shared with the service providers. |
Other SAML settings | Other SAML settings are part of the IAM configuration and can be edited using the Config Editor. |
The key store is accompanied by two password files: the key store password file (e.g. .keystorepass) and the private key password file (e.g. .privatekeypass).
For security reasons, it may make sense to put the password files in a folder outside the Airlock IAM installation (e.g. /etc/airlock/saml/ or alike) so the passwords are not part of any Airlock IAM instance backup.
If doing so, remember the folder when configuring the SAML IDP in the Config Editor (see below) and remember the passwords for later recovery or re-installation.
The IDP metadata file (usually idp.xml) contains all standardized information about the IDP. It contains public keys, SAML endpoints (URLs), supported SAML bindings, and encryption/signing preferences.
It may be given to any trusted service provider that wants to connect to the IDP.
The transfer of the idp.xml to the SP must be authentic, i.e., the SP must be sure the file belongs to the actual and trusted IDP.
The following XML template file may be used as starting point. Adjust the following values in the template:
- entityID: can be chosen freely but it must be unique among all parties taking part in the single sign-on (IDP and all SPs). Often, the public URL of the IDP is used as its entityID. In our examples, we use the entity ID https://iam.host.com/auth/saml/.
- Certificate placeholder (MIIFyjCCBLKg ... k49stQ==): replace it with the certificate of the configured key store. The same certificate may be used for both signing and encryption, though for production environments it is recommended to use two different certificates.
- https://iam.host.com/auth/: replace it with the URL of your Loginapp as seen from the browser. This is usually the entry path of the IAM mapping on the Airlock Gateway (e.g. https://my.host.com/auth/).
- ArtifactResolutionService (attribute Location): it specifies the URL called by the service provider (SP) in order to exchange artifacts for SAML assertions. Thus it is called directly by the SP and not by the user's web browser.
- SingleSignOnService tag at the bottom of the file. The Artifact-Binding is denoted by HTTP-Redirect.
Note that the idp.xml file must comply with the XML schema as specified in http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf.
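As an added example (not part of this documentation or of the Airlock IAM product), the following Python script checks a constructed idp.xml against the points above: an entityID is present, there is a KeyDescriptor for both signing and encryption, the two certificates differ as recommended for production, and every ArtifactResolutionService and SingleSignOnService Location lies under the Loginapp URL. The element names come from the SAML 2.0 metadata schema; the sample file, its placeholder certificate values and the endpoint paths are constructed for this example.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed sample idp.xml. Certificate values are placeholders, not real keys;
# it deliberately reuses one certificate and mixes two host names to trigger findings.
SAMPLE_IDP_XML = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://iam.host.com/auth/saml/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>SIGNING-CERT-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>SIGNING-CERT-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://iam.host.com/auth/saml/ArtifactResolver/metaAlias/iamIdp" index="0"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://my.host.com/auth/saml/SSORedirect/metaAlias/iamIdp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text: str, loginapp_url: str) -> list[str]:
    """Return a list of findings for an idp.xml; an empty list means all checks passed."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor" or not root.get("entityID"):
        findings.append("missing EntityDescriptor or entityID attribute")
    # Collect the certificate text per KeyDescriptor use (whitespace stripped for comparison).
    certs = {}
    for kd in root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
        certs[kd.get("use")] = "".join(cert.split())
    for use in ("signing", "encryption"):
        if not certs.get(use):
            findings.append(f"no KeyDescriptor with use={use}")
    if certs.get("signing") and certs.get("signing") == certs.get("encryption"):
        findings.append("signing and encryption certificates are identical (use two for production)")
    # Every endpoint the SPs will call must sit under the Loginapp URL seen from the browser.
    for tag in ("ArtifactResolutionService", "SingleSignOnService"):
        for ep in root.iterfind(f"md:IDPSSODescriptor/md:{tag}", NS):
            loc = ep.get("Location", "")
            if not loc.startswith(loginapp_url):
                findings.append(f"{tag} Location {loc} is outside Loginapp URL {loginapp_url}")
    return findings
```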
The extended metadata file (usually idp-extended.xml) contains IAM-specific information and must not be given to the service provider unless the service provider is an Airlock IAM as well.
The following XML template file may be used as starting point. Adjust the following values in the template:
- hosted attribute in the element EntityConfig: must be 1 or true.
- metaAlias attribute in the element IDPSSOConfig: must be a short identifying string that is suitable to be a part of a URL (e.g. /iamIdp). It is part of all SAML endpoint URLs (see IDP metadata file above). If it is changed, make sure to change the idp.xml and provide it to all SPs.
- KeyDescriptor element with attribute use=signing.
- KeyDescriptor element with attribute use=encryption.
- assertionEffectiveTime: defines how long assertions issued by the IDP are valid. Review the values and change them if required. Make sure to provide a reasonably high value for assertionNotBeforeTimeSkew so SPs accept the assertions even if their clocks are not exactly synchronized with the IDP's clock.

To complete the IDP configuration, open the IAM Config Editor and perform the following steps:
- Entity ID: value https://iam.host.com/auth/saml/
- IDP metadata file: instances/auth/saml/idp.xml
- Extended IDP metadata file: instances/auth/saml/idp-extended.xml
This is sufficient for the SAML IDP to work. All advanced configuration options are covered in separate articles or described in the Config Editor.
The federation settings affect both the IDP and the SPs and are configured in a separate plugin:
- Key store file: instances/auth/saml/saml-keystore.jks
- Key store password file: instances/auth/saml/.keystorepass
- Private key password file: instances/auth/saml/.privatekeypass
Activate the configuration to make the changes effective.
Make sure to use an up-to-date Airlock Gateway mapping template file (IAM 7.6 or newer) and activate the SAML allow rule.
If any of the SAML metadata files are changed, a restart of the IAM instance may be necessary.
To configure the SPs, proceed with Adding SAML SPs to the IDP configuration for the Loginapp REST API.