SAML Single Sign-On at IdeaScale
Security Assertion Markup Language (SAML) is one of IdeaScale’s several offerings for web browser Single Sign-On (SSO). An IdeaScale Enterprise level license is required to use this feature. SAML is an XML-based open standard for exchanging authentication and authorization data between security domains. Two parties are generally involved in the exchange: the Identity Provider (IdP), which produces assertions, and the Service Provider (SP), which consumes them.
IdeaScale SP Metadata
The SP metadata has to be installed in the IdP configuration. The method for configuring the IdP varies between IdP software. The IdeaScale SP metadata can be accessed from
http://your-community.ideascale.com/a/saml/metadata
Some IdPs ask you to enter the metadata as XML and some ask you to enter each field individually. All required fields are present in the metadata XML. The fields present in the metadata XML are:
- NameIDFormat accepted in preference order
- AssertionConsumerService URL and Bindings
- SingleLogoutService URL and Bindings
- Signing and Encryption Certificate in X.509 format; this certificate should be added to the IdP trust store
SAML Settings
To set up SAML in Single Sign-On Settings you will have to provide the following information:
- Single-Signon Type: SAML 2.0
- SAML IdP Entity ID: provide the Entity ID from the IdP metadata. It is available in the IdP metadata XML as the entityID attribute of the EntityDescriptor tag. For details read on.
- SAML IdP Metadata: the IdP metadata is provided by the IdP software. Generally it can be accessed from a well-known URL for the IdP software or in the IdP software's admin/configuration section.
- SSO Login URL: automatically set by the IdeaScale system; need not be specified.
- SSO Logout URL: automatically set by the IdeaScale system; need not be specified.
A valid IdP metadata is expected to provide the following information in XML:
a. EntityID: a unique entity ID for the IdP, generally the base URL for the IdP software
b. IDPSSODescriptor: this must support urn:oasis:names:tc:SAML:2.0:protocol
c. Signing and Encryption certificate in X.509 format. This certificate will be used to trust SAML messages originating from the IdP software.
d. NameIDFormat list. The preferred NameID supported by IdeaScale is emailAddress (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress). IdeaScale also supports any persistent NameID that does not change between logins.
e. SingleSignOnService URL and Bindings; either or both of HTTP-POST and HTTP-Redirect must be present.
f. SingleLogoutService URL and Bindings; both HTTP-POST and HTTP-Redirect Bindings are supported.
If a valid IdP metadata XML is not provided, the Single Sign-On service will not operate correctly. The SingleLogoutService is optional.
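Before pasting an IdP's metadata into the settings above, requirements a to e can be checked mechanically. The following Python is an added example, not IdeaScale's own code: it parses a metadata document with the standard library, reports which required items are missing, and returns the entityID that goes into the "SAML IdP Entity ID" field. The sample metadata at the bottom is constructed for the run; idp.example.test and the certificate text are placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2_PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def check_idp_metadata(xml_text):
    """Return (entityID, problems); empty problems means items a-e are present."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return None, ["root element is not md:EntityDescriptor"]
    problems = []
    entity_id = root.get("entityID")  # value for the 'SAML IdP Entity ID' field
    if not entity_id:
        problems.append("EntityDescriptor has no entityID attribute")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return entity_id, problems + ["no IDPSSODescriptor element"]
    if SAML2_PROTO not in idp.get("protocolSupportEnumeration", "").split():
        problems.append("IDPSSODescriptor does not list the SAML 2.0 protocol")
    # The signing certificate is what incoming IdP messages are trusted against;
    # a KeyDescriptor with no 'use' attribute is valid for signing as well.
    signing = [k for k in idp.findall(f"{{{MD}}}KeyDescriptor")
               if k.get("use", "signing") == "signing"
               and k.find(f".//{{{DS}}}X509Certificate") is not None]
    if not signing:
        problems.append("no signing X509Certificate in IDPSSODescriptor")
    formats = {(e.text or "").strip() for e in idp.findall(f"{{{MD}}}NameIDFormat")}
    if not formats & {EMAIL_FMT, PERSISTENT_FMT}:
        problems.append("neither emailAddress nor persistent NameIDFormat listed")
    bindings = {s.get("Binding") for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    if not bindings & {POST, REDIRECT}:
        problems.append("SingleSignOnService has neither HTTP-POST nor HTTP-Redirect")
    return entity_id, problems

# Constructed minimal metadata for a stand-alone run (not a real IdP).
SAMPLE = """<EntityDescriptor entityID="https://idp.example.test" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/sso"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""
```

Run it against the metadata downloaded from your IdP; any entry in the returned list is a field IdeaScale will not be able to use.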
A sample IdP metadata XML is given here for reference (the base64 certificate contents are omitted):

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="http://idp.ssocircle.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>(base64-encoded certificate omitted)</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>(base64-encoded certificate omitted)</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
        <xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">128</xenc:KeySize>
      </EncryptionMethod>
    </KeyDescriptor>
    <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.ssocircle.com:443/sso/ArtifactResolver/metaAlias/ssocircle"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/ssocircle" ResponseLocation="https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/ssocircle"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.ssocircle.com:443/sso/IDPSloPost/metaAlias/ssocircle" ResponseLocation="https://idp.ssocircle.com:443/sso/IDPSloPost/metaAlias/ssocircle"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.ssocircle.com:443/sso/IDPSloSoap/metaAlias/ssocircle"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.ssocircle.com:443/sso/IDPMniRedirect/metaAlias/ssocircle" ResponseLocation="https://idp.ssocircle.com:443/sso/IDPMniRedirect/metaAlias/ssocircle"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.ssocircle.com:443/sso/IDPMniPOST/metaAlias/ssocircle" ResponseLocation="https://idp.ssocircle.com:443/sso/IDPMniPOST/metaAlias/ssocircle"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.ssocircle.com:443/sso/IDPMniSoap/metaAlias/ssocircle"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/ssocircle"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.ssocircle.com:443/sso/SSOPOST/metaAlias/ssocircle"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.ssocircle.com:443/sso/SSOSoap/metaAlias/ssocircle"/>
    <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.ssocircle.com:443/sso/NIMSoap/metaAlias/ssocircle"/>
  </IDPSSODescriptor>
</EntityDescriptor>
```
UserID mapping
IdeaScale uses the email address or any persistent NameID to map users from another security domain to IdeaScale communities. It is preferred that the email address is also passed along with the NameID if the NameID format is not emailAddress. The email address can be passed in two ways:
1. Use the email address as the NameID; this works best.
2. Add an AttributeStatement to the SAML Response with Name/FriendlyName “mail”. The AttributeStatement should follow the AuthnStatement. Here is an XML snippet as an example:
```xml
<saml:AttributeStatement>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="mail">
    <saml:AttributeValue xsi:type="xs:string">user@domain.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
```
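The two options above decide which value in an assertion can be mapped to an IdeaScale email. The following Python is an added example, not IdeaScale's code: it reads a SAML assertion and applies that rule, taking the NameID itself when its Format is emailAddress and otherwise the "mail" attribute (matched on Name or FriendlyName). It assumes the response's signature has already been verified against the IdP's metadata certificate before any attribute is trusted; the assertion text is constructed for the run.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def mapping_identity(assertion_xml):
    """Return (name_id, email) from an already signature-verified assertion.

    email is the NameID when its Format is emailAddress, otherwise the first
    value of the 'mail' attribute, or None when neither is present."""
    a = ET.fromstring(assertion_xml)
    nid = a.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if nid is None or not (nid.text or "").strip():
        raise ValueError("assertion carries no NameID; user cannot be mapped")
    name_id = nid.text.strip()
    if nid.get("Format") == EMAIL_FMT:
        return name_id, name_id          # option 1: NameID is the email
    for attr in a.iter(f"{{{SAML}}}Attribute"):   # option 2: 'mail' attribute
        if "mail" in (attr.get("Name"), attr.get("FriendlyName")):
            val = attr.find(f"{{{SAML}}}AttributeValue")
            if val is not None and (val.text or "").strip():
                return name_id, val.text.strip()
    return name_id, None  # persistent NameID only; no email to map on

# Constructed assertion with a persistent NameID plus a 'mail' attribute
# following the AuthnStatement, as the text above describes.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">8f3c-user</saml:NameID>
 </saml:Subject>
 <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"/>
 <saml:AttributeStatement>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="mail">
   <saml:AttributeValue>user@domain.com</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
```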
Other Attributes
The other attribute IdeaScale supports is “displayName”. This attribute is only used when a SAML authentication response contains an email address that does not map to any existing member in IdeaScale. A new member account will be created and the “displayName” attribute will be used as the Full Name of the member.
Certificate & Trust
IdeaScale uses its own certificate for signing and encrypting SAML messages. For incoming SAML messages from the IdP, the system checks the signing certificate provided in the IdP metadata XML in the community settings and uses it as the trusted certificate.