Security Assertion Markup Language (SAML) is one of the options IdeaScale offers for web browser Single Sign-On (SSO). SAML is an XML-based open standard for exchanging authentication and authorization data between security domains. Two parties exchange the authentication information: the Identity Provider (IdP), which produces assertions, and the Service Provider (SP), which consumes them. IdeaScale acts as the SP and uses SP-initiated SSO: the login flow starts at IdeaScale, which redirects the user to the IdP.
 
Location: Community Settings --> Security --> Single Signon Settings

  1. Enable the setting and click 'Add New'

  2. Select SAML 2.0

  3. On IdeaScale you will need to plug in the below data:

Display Name – a label that identifies this SSO configuration; it can be anything (example: My company's SAML SSO)

SAML IdP Entity ID – the unique identifier of your IdP, usually a URL. In SAML metadata the entityID identifies an entity that provides SAML-based services (such as a SAML authority, requester, or responder) or that participates in SAML profiles (such as a service provider supporting the browser SSO profile). Copy it from the entityID attribute of the EntityDescriptor element in the IdP metadata XML.

SAML IdP Metadata – paste your IdP's metadata XML here. It is usually published at a well-known URL by the IdP software or available in the IdP's admin/configuration section.

Pro tip – the key thing is the Entity ID: the value you enter must match the entityID attribute of the uploaded IdP metadata exactly (same scheme, host, path and trailing slash), because the Issuer of the IdP's responses is compared against it.

We recommend enabling the debugger; it is a useful tool for catching SSO issues. SSO debug output typically includes the decoded SAML messages, so treat it as sensitive and turn it off once the integration is working.

Ensure you enable the 'enabled' toggle

  4. On your IdP you will need to register IdeaScale's SP metadata, which can be found by clicking the link under Type (see screenshot below). More information regarding IdeaScale's metadata can be found below.
       a) The IdP will also need to release a NameID for each user (see UserID mapping below).

SAML General Settings: 

  1. IdP Login URL – your SSO login page, to which users will be redirected
  2. Logout Success URL – your SSO logout page, to which users will be redirected after logging out
  3. SSO Change Password URL – your SSO's change password page
  4. Change Password via popup (enable) – show a popup to help users change their password
  5. Blacklisted Email Domains – email domains that users are not allowed to log in with (example: gmail.com)

Shibboleth
Shibboleth supports the standard SAML 2.0 protocol, and IdeaScale's SAML support is built on SAML 2.0. Shibboleth IdP metadata may also advertise Shibboleth-specific (pre-SAML 2.0) protocols; remove those references from the IdP metadata XML, leaving SAML 2.0 protocol support, before uploading it to IdeaScale, otherwise IdeaScale's SAML support will not work with the Shibboleth IdP.
 
IdeaScale SP Metadata
The SP metadata has to be registered in the IdP configuration. How this is done varies between IdP products. The IdeaScale SP metadata can be accessed from
http://your-community.ideascale.com/a/saml/metadata
Some IdPs ask you to upload the metadata as XML and some ask you to enter each field individually. All required fields are present in the metadata XML. The fields present in the metadata XML are:

  1. NameIDFormat accepted, in preference order
  2. AssertionConsumerService URL and Bindings
  3. SingleLogoutService URL and Bindings
  4. Signing and Encryption Certificate in X.509 format. This certificate should be added to the IdP trust store; it is what the IdP uses to verify IdeaScale's signed messages and to encrypt assertions for IdeaScale.

A valid IdP metadata XML is expected to provide the following information:
    a. EntityID: a unique entity ID for the IdP, generally the base URL of the IdP software
    b. IDPSSODescriptor: this must support urn:oasis:names:tc:SAML:2.0:protocol
    c. Signing and Encryption certificate in X.509 format. This certificate is used to trust SAML messages originating from the IdP software.
    d. NameIDFormat list. The preferred NameID format supported by IdeaScale is emailAddress (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress). IdeaScale also supports any persistent NameID that does not change between logins.
    e. SingleSignOnService URL and Bindings; either or both of HTTP-POST and HTTP-Redirect must be present.
    f. SingleLogoutService URL and Bindings; both HTTP-POST and HTTP-Redirect Bindings are supported.
If a valid IdP metadata XML is not provided, the Single Sign-On service will not operate correctly. The SingleLogoutService is optional.
 
A sample IdP metadata XML is given here for reference:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="http://idp.ssocircle.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
MIICjDCCAXSgAwIBAgIFAJRvxcMwDQYJKoZIhvcNAQEEBQAwLjELMAkGA1UEBhMC
REUxEjAQBgNVBAoTCVNTT0NpcmNsZTELMAkGA1UEAxMCQ0EwHhcNMTEwNTE3MTk1
NzIxWhcNMTYwODE3MTk1NzIxWjBLMQswCQYDVQQGEwJERTESMBAGA1UEChMJU1NP
Q2lyY2xlMQwwCgYDVQQLEwNpZHAxGjAYBgNVBAMTEWlkcC5zc29jaXJjbGUuY29t
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbzDRkudC/aC2gMqRVVaLdPJJE
wpFB4o71fR5bnNd2ocnnNzJ/W9CoCargzKx+EJ4Nm3vWmX/IZRCFvrvy9C78fP1c
mt6Sa091K9luaMAyWn7oC8h/YBXH7rB42tdvWLY4Kl9VJy6UCclvasyrfKx+SR4K
U6zCsM622Kvp5wW67QIDAQABoxgwFjAUBglghkgBhvhCAQEBAf8EBAMCBHAwDQYJ
KoZIhvcNAQEEBQADggEBAJ0heua7mFO3QszdGu1NblGaTDXtf6Txte0zpYIt+8YU
cza2SaZXXvCLb9DvGxW1TJWaZpPGpHz5tLXJbdYQn7xTAnL4yQOKN6uNqUA/aTVg
yyUJkWZt2giwEsWUvG0UBMSPS1tp2pV2c6/olIcbdYU6ZecUz6N24sSS7itEBC6n
wCVBoHOL8u6MsfxMLDzJIPBI68UZjz3IMKTDUDv6U9DtYmXLc8iMVZBncYJn9NgN
i3ghl9fYPpHcc6QbXeDUjhdzXXUqG+hB6FabGqdTdkIZwoi4gNpyr3kacKRVWJss
DgakeL2MoDNqJyQ0fXC6Ze3f79CKy/WjeU5FLwDZR0Q=
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
MIICjDCCAXSgAwIBAgIFAJRvxcMwDQYJKoZIhvcNAQEEBQAwLjELMAkGA1UEBhMC
REUxEjAQBgNVBAoTCVNTT0NpcmNsZTELMAkGA1UEAxMCQ0EwHhcNMTEwNTE3MTk1
NzIxWhcNMTYwODE3MTk1NzIxWjBLMQswCQYDVQQGEwJERTESMBAGA1UEChMJU1NP
Q2lyY2xlMQwwCgYDVQQLEwNpZHAxGjAYBgNVBAMTEWlkcC5zc29jaXJjbGUuY29t
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbzDRkudC/aC2gMqRVVaLdPJJE
wpFB4o71fR5bnNd2ocnnNzJ/W9CoCargzKx+EJ4Nm3vWmX/IZRCFvrvy9C78fP1c
mt6Sa091K9luaMAyWn7oC8h/YBXH7rB42tdvWLY4Kl9VJy6UCclvasyrfKx+SR4K
U6zCsM622Kvp5wW67QIDAQABoxgwFjAUBglghkgBhvhCAQEBAf8EBAMCBHAwDQYJ
KoZIhvcNAQEEBQADggEBAJ0heua7mFO3QszdGu1NblGaTDXtf6Txte0zpYIt+8YU
cza2SaZXXvCLb9DvGxW1TJWaZpPGpHz5tLXJbdYQn7xTAnL4yQOKN6uNqUA/aTVg
yyUJkWZt2giwEsWUvG0UBMSPS1tp2pV2c6/olIcbdYU6ZecUz6N24sSS7itEBC6n
wCVBoHOL8u6MsfxMLDzJIPBI68UZjz3IMKTDUDv6U9DtYmXLc8iMVZBncYJn9NgN
i3ghl9fYPpHcc6QbXeDUjhdzXXUqG+hB6FabGqdTdkIZwoi4gNpyr3kacKRVWJss
DgakeL2MoDNqJyQ0fXC6Ze3f79CKy/WjeU5FLwDZR0Q=
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
        <xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">128</xenc:KeySize>
      </EncryptionMethod>
    </KeyDescriptor>
    <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.ssocircle.com:443/sso/ArtifactResolver/metaAlias/ssocircle"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/ssocircle" ResponseLocation="https://idp.ssocircle.com:443/sso/IDPSloRedirect/metaAlias/ssocircle"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.ssocircle.com:443/sso/IDPSloPost/metaAlias/ssocircle" ResponseLocation="https://idp.ssocircle.com:443/sso/IDPSloPost/metaAlias/ssocircle"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.ssocircle.com:443/sso/IDPSloSoap/metaAlias/ssocircle"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.ssocircle.com:443/sso/IDPMniRedirect/metaAlias/ssocircle" ResponseLocation="https://idp.ssocircle.com:443/sso/IDPMniRedirect/metaAlias/ssocircle"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.ssocircle.com:443/sso/IDPMniPOST/metaAlias/ssocircle" ResponseLocation="https://idp.ssocircle.com:443/sso/IDPMniPOST/metaAlias/ssocircle"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.ssocircle.com:443/sso/IDPMniSoap/metaAlias/ssocircle"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/ssocircle"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.ssocircle.com:443/sso/SSOPOST/metaAlias/ssocircle"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.ssocircle.com:443/sso/SSOSoap/metaAlias/ssocircle"/>
    <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.ssocircle.com:443/sso/NIMSoap/metaAlias/ssocircle"/>
  </IDPSSODescriptor>
</EntityDescriptor>
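Before pasting IdP metadata into the community settings it is worth checking it against the requirements listed above, since a mismatched entityID, a missing SAML 2.0 protocol entry or an expired signing certificate are the usual reasons an SSO setup fails. The following script is an added example written for this page; it is not IdeaScale's code and does not reflect how IdeaScale validates metadata internally. It checks the entityID against the configured value, the IDPSSODescriptor protocol list, the presence and validity period of the signing certificate, the NameIDFormat list and the SingleSignOnService bindings. The sample input is a constructed, trimmed copy of the SSOCircle metadata above (same certificate); the minimal DER walk only extracts the certificate's validity dates and is not a full X.509 parser.

```python
# Added example, not IdeaScale code: checks an IdP metadata XML against the
# requirements listed above (entityID, SAML 2.0 IDPSSODescriptor, signing
# certificate, NameIDFormat, SSO bindings). Minimal DER walk, not a full X.509 parser.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
WEB_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}
USABLE_NAMEIDS = {"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
                  "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"}

def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_validity(der):
    """Return (notBefore, notAfter) of a DER X.509 certificate as aware datetimes."""
    _, pos, _ = der_tlv(der, 0)            # Certificate SEQUENCE
    _, pos, _ = der_tlv(der, pos)          # TBSCertificate SEQUENCE
    tag, _, end = der_tlv(der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                     # serialNumber, signature, issuer
        _, _, pos = der_tlv(der, pos)
    _, pos, _ = der_tlv(der, pos)          # Validity SEQUENCE
    times = []
    for _ in range(2):                     # notBefore, notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
        tag, start, end = der_tlv(der, pos)
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
        times.append(datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc))
        pos = end
    return times[0], times[1]

def validate_idp_metadata(xml_text, expected_entity_id, as_of=None):
    """Return a list of problems (empty means usable). as_of: 'YYYY-MM-DD', or None for today."""
    now = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc) if as_of else datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("entityID") != expected_entity_id:     # the 'pro tip': the IDs must match exactly
        problems.append(f"entityID {root.get('entityID')!r} != configured {expected_entity_id!r}")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        return problems + ["no IDPSSODescriptor"]
    if SAML2_PROTOCOL not in idp.get("protocolSupportEnumeration", "").split():
        problems.append("IDPSSODescriptor does not advertise " + SAML2_PROTOCOL)
    # A KeyDescriptor without a use attribute is valid for both signing and encryption.
    certs = [c.text for k in idp.findall(MD + "KeyDescriptor") if k.get("use", "signing") == "signing"
             for c in k.iter(DS + "X509Certificate") if c.text]
    if not certs:
        problems.append("no signing X509Certificate")
    for b64 in certs:
        try:
            not_before, not_after = cert_validity(base64.b64decode(b64))
        except (ValueError, IndexError):
            problems.append("signing certificate is not a base64-encoded DER certificate")
            continue
        if not not_before <= now <= not_after:
            problems.append(f"signing certificate not valid on {now:%Y-%m-%d} "
                            f"(valid {not_before:%Y-%m-%d} to {not_after:%Y-%m-%d})")
    if not USABLE_NAMEIDS & {f.text for f in idp.findall(MD + "NameIDFormat")}:
        problems.append("neither emailAddress nor persistent NameIDFormat advertised")
    if not WEB_BINDINGS & {s.get("Binding") for s in idp.findall(MD + "SingleSignOnService")}:
        problems.append("no SingleSignOnService with HTTP-POST or HTTP-Redirect binding")
    return problems

# Constructed sample: a trimmed copy of the page's SSOCircle metadata (same certificate).
SAMPLE_IDP_METADATA = """<EntityDescriptor entityID="http://idp.ssocircle.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>
MIICjDCCAXSgAwIBAgIFAJRvxcMwDQYJKoZIhvcNAQEEBQAwLjELMAkGA1UEBhMC
REUxEjAQBgNVBAoTCVNTT0NpcmNsZTELMAkGA1UEAxMCQ0EwHhcNMTEwNTE3MTk1
NzIxWhcNMTYwODE3MTk1NzIxWjBLMQswCQYDVQQGEwJERTESMBAGA1UEChMJU1NP
Q2lyY2xlMQwwCgYDVQQLEwNpZHAxGjAYBgNVBAMTEWlkcC5zc29jaXJjbGUuY29t
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbzDRkudC/aC2gMqRVVaLdPJJE
wpFB4o71fR5bnNd2ocnnNzJ/W9CoCargzKx+EJ4Nm3vWmX/IZRCFvrvy9C78fP1c
mt6Sa091K9luaMAyWn7oC8h/YBXH7rB42tdvWLY4Kl9VJy6UCclvasyrfKx+SR4K
U6zCsM622Kvp5wW67QIDAQABoxgwFjAUBglghkgBhvhCAQEBAf8EBAMCBHAwDQYJ
KoZIhvcNAQEEBQADggEBAJ0heua7mFO3QszdGu1NblGaTDXtf6Txte0zpYIt+8YU
cza2SaZXXvCLb9DvGxW1TJWaZpPGpHz5tLXJbdYQn7xTAnL4yQOKN6uNqUA/aTVg
yyUJkWZt2giwEsWUvG0UBMSPS1tp2pV2c6/olIcbdYU6ZecUz6N24sSS7itEBC6n
wCVBoHOL8u6MsfxMLDzJIPBI68UZjz3IMKTDUDv6U9DtYmXLc8iMVZBncYJn9NgN
i3ghl9fYPpHcc6QbXeDUjhdzXXUqG+hB6FabGqdTdkIZwoi4gNpyr3kacKRVWJss
DgakeL2MoDNqJyQ0fXC6Ze3f79CKy/WjeU5FLwDZR0Q=
</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.ssocircle.com:443/sso/SSOPOST/metaAlias/ssocircle"/>
</IDPSSODescriptor></EntityDescriptor>"""
```

Calling validate_idp_metadata(SAMPLE_IDP_METADATA, "http://idp.ssocircle.com") today reports that the sample certificate was only valid from 2011-05-17 to 2016-08-17, which is exactly the kind of silent breakage to look for when SSO stops working: the IdP rotates its signing certificate, and the copy of its metadata stored in the community settings still carries the old one. Passing "https://idp.ssocircle.com/" as the expected entity ID shows the entityID mismatch from the pro tip above.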
 
UserID mapping
IdeaScale uses the email address, or any persistent NameID, to map users from another security domain to IdeaScale communities. If the NameID format is not emailAddress, it is preferred that the email address is also passed along with the NameID. The email address can be passed in two ways:
1. Use the email address as the NameID; this works best.
2. Add an AttributeStatement to the SAML Response containing an Attribute whose Name or FriendlyName is "mail". The AttributeStatement should follow the AuthnStatement. Here is an XML snippet as an example:
 
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                         xmlns:xs="http://www.w3.org/2001/XMLSchema"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                  Name="mail">
    <saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
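The mapping rules above (emailAddress NameID preferred, otherwise a persistent NameID with a "mail" attribute, transient NameIDs unusable) and the Blacklisted Email Domains setting from the general settings section can be expressed as one resolver. The code below is an added example written for this page, not IdeaScale's code, and the sample assertion is constructed for illustration (unsigned, with invented IDs and addresses). It assumes the assertion's signature has already been verified against the certificate from the IdP metadata; it performs no signature checking itself, and must never be run on an unverified assertion.

```python
# Added example, not IdeaScale code: resolves the login identity from a SAML
# assertion following the mapping rules above (emailAddress NameID preferred,
# otherwise a persistent NameID plus a "mail" attribute) and applies the
# Blacklisted Email Domains setting. Assumes the assertion's signature was
# already verified; nothing here checks signatures.
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

def resolve_identity(assertion_xml, blacklisted_domains=()):
    """Return {"name_id": ..., "email": ...}; raise ValueError if no stable, allowed identity exists."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(f"./{SAML}Subject/{SAML}NameID")
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    value = name_id.text.strip()
    fmt = name_id.get("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    if fmt == FMT_TRANSIENT:
        raise ValueError("transient NameID changes on every login and cannot map to a user")
    if fmt == FMT_EMAIL:
        email = value
    else:
        # Persistent (or unspecified) NameID: the email must travel in a "mail" attribute,
        # matched on either Name or FriendlyName.
        emails = [v.text.strip() for a in root.iter(SAML + "Attribute")
                  if "mail" in (a.get("Name"), a.get("FriendlyName"))
                  for v in a.findall(SAML + "AttributeValue") if v.text and v.text.strip()]
        if not emails:
            raise ValueError(f"NameID format {fmt} requires a 'mail' attribute carrying the email address")
        email = emails[0]
    domain = email.rsplit("@", 1)[-1].lower()
    if "@" not in email or domain in {d.lower() for d in blacklisted_domains}:
        raise ValueError(f"email {email!r} is not an allowed login address")
    return {"name_id": value, "email": email}

# Constructed sample assertion (unsigned, invented IDs and addresses, for illustration only).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://idp.ssocircle.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">a1b2c3d4</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="mail">
      <saml:AttributeValue xsi:type="xs:string">alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

resolve_identity(SAMPLE_ASSERTION) returns the persistent NameID a1b2c3d4 paired with alice@example.com taken from the mail attribute; the same assertion with an emailAddress NameID needs no attribute at all, and a transient NameID, a missing mail attribute, or a blacklisted domain each fail closed with a ValueError rather than creating or matching a user.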
 
Certificate & Trust
IdeaScale uses its own certificate for signing and encrypting SAML messages; it is published in the SP metadata described above. For incoming SAML messages from the IdP, the system takes the signing certificate from the IdP metadata XML stored in the community settings and uses it as the trusted certificate. Consequently, when the IdP rotates its signing certificate, the updated IdP metadata must be uploaded in the community settings, or signed messages from the IdP will no longer be trusted.
