Defining Options for a SAML 2.0 Service Provider

You can use Access Manager as an identity provider for several service providers.You can configure a specific authentication contract that is required for a service provider. If you have configured more than one authentication contract for a service provider, the contract with minimum level is selected.

When providing authentication to a service provider, Identity Server ensures that the user is authenticated by the required contract. When a user is not authenticated or when a user is authenticated, but the authenticated contracts do not satisfy the required contracts, user is prompted to authenticate with the required contract. This is called step up authentication.

If no required contract is configured, then the default contract is executed.

NOTE:For SAML 2.0, this step up authentication is supported for Intersite Transfer Service (for both identity provider initiated and service provider initiated requests). For Liberty, it works only for identity provider initiated requests.

Perform the following steps to define options for a SAML 2.0 service provider:

  1. Click Devices > Identity Servers > Servers > Edit > SAML 2.0 > Service Provider > Options.

  2. Select OIOSAML Compliance to make the service provider OIOSAML compliant.

    The OIOSAML attribute set is automatically populated with the required attributes to send with authentication after selecting this option.

  3. Select the required step up authentication contracts from Available contracts and move them to Selected contracts. This is to provide the step up authentication for the service provider.

    NOTE:Only the contract that is listed first in Selected contracts list will be executed. This is applicable only for SAML 2.0.

  4. Click New.

    The following table lists the available properties:

    Property Type

    Description

    SAML ASSERTION INCLUDE MILLISECS

    Select true to get SAML responses for this service provider including the timestamp in millisecond in IssueInstant.

    SAML2 AVOID AUDIENCE RESTRICTION

    Select true to avoid sending the audience restriction information with assertion to this service provider.

    SAML2 AVOID AUTHNCONTEXT CLASS REFERENCE

    Set this to true to exclude AuthnContextClassRef as part of the SAML 2.0 assertion response for this service provider.

    SAML2 AVOID AUTHNCONTEXT DECLARATION REFERENCE

    Set this to true to exclude AuthnContextDeclRef as part of the SAML 2.0 assertion response for this service provider.

    SAML2 AVOID CONSENT

    Select true to not include Consent as part of the SAML 2.0 request.

    SAML2 AVOID SIGN AND VALIDATE ASSERTIONS TRUSTED PROVIDERS

    If you select true, the cluster will sign SAML 2.0 POST responses (excluding the assertion) for this provider.

    SAML2 AVOID SPNAMEQUALIFIER

    Select true to not include SPNAMEQUALIFIER in NAMEIDENTIFER in the assertion.

    SAML2 AVOID SPNAMEQUALIFIER TO

    Select true to send SPNAMEQUALIFIER in NAMEIDENTIFER with the assertion.

    SAML2 NAMEID ATTRIBUTE NAME

    Specify the LDAP attribute name that will be sent in the name identifier in a SAML response for this service provider.

    SAML2 POST DEFLATE TRUSTEDPROVIDERS

    If you select true, the cluster will send deflated post messages to this provider.

    SAML2 POST SIGN RESPONSE TRUSTEDPROVIDERS

    If you select true, the identity provider will sign the entire SAML 2.0 response for this service provider.

    SAML2 REQUEST IGNORE AUTHCONTEXT

    If you select true, the identity provider ignores any specific authentication available in a SAML request from this service provider.

    SAML2 SHOW SHARED ATTRIBUTE NAMES

    If you select true, the attributes shared with the SAML 2 service provider are displayed on the user portal page.

    SAML2 SIGN METHODDIGEST SHA256

    If you select true, assertion will use the SHA 256 algorithm as a hashing algorithm for this service provider.

    SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST

    This property helps in identifying the contract that Identity Server can use for authenticating users for a specific service provider.This option is useful when Identity Server acts as a local identity provider and mediates communication between a trusted identity provider (any remote identity provider) and a trusted service provider.

    For example, a service provider sends an authentication request (authnrequest) to a remote identity provider. The request contains the AuthnContextClassRef attribute. The local identity provider (Identity Server) performs the following actions:

    1. Verifies the value of AuthnContextClassRef in the service provider’s SAML request.

    2. Identifies if the value matches with the SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST of any of the configured identity providers in Identity Server.

    3. When a match is found for a configured remote identity provider and it requires Identity Server to redirect the request, then Identity Server (acting as a service provider for the remote identity provider) sends the request to that trusted remote identity provider.

    Example: If authnrequest includes the following details:

    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>

    Identity Server verifies all the configured identity providers. If any of the configured identity providers in Identity Server has the value of SAML2 CUSTOM AUTHNCONTEXT CLASS REF LIST as classes:Password, the request is redirected to that identity provider. Therefore, the authentication happens using the remote identity provider.

    OTHER

    Specify Property Name and Value if you want to configure any other property for this service provider.

    IGNORE_ACS_METADATA_CHECK

    If the Assertion Consumer Service URL is configured in an unsigned request, the authentication fails. To prevent this scenario, configure this option to true as follows:

    Click Other and specify the following details:

    Property Name: IGNORE_ACS_METADATA_CHECK

    Property Value: true

  5. Click OK > Apply.