Create a Single Sign-On application
To create a Custom Single Sign-On application:
- Log in as admin to the Specops Authentication Web.
- Click Single Sign-On.
- Click Add new.
- Select Application Template: Custom.
- Select Application Protocol: SAML.
- Click Next.
- Under General Settings, type an application name and optionally a description for the application.
- Under Configuration Source, select one of the following:
- Select Metadata URL to load the configuration from a Metadata URL provided by your service provider. This is the recommended option. Unlike Metadata URL under Manual, which imports and saves the metadata once, this option loads the configuration from the URL each time a user signs in with Specops SSO.
- Select Manual to either import and save the metadata once or configure the values manually.
- Under Metadata Import, select one of the following sources to provide the metadata to import. Then click Load metadata:
- Metadata URL - enter a metadata URL provided by your service provider.
- Metadata file (.xml) - upload a metadata file.
- XML input - paste the metadata content into the field.
- To configure the values manually, continue to the next step.
- For Entity ID, enter the unique identifier used to identify the service provider.
- For Assertion Consumer Service (ACS) URL, enter the URL where the authentication response will be posted to the service provider.
- For SP Single Logout (SLO) URL, enter the Service Provider URL where Specops Authentication (IdP) should post logout responses, if the service provider supports single logout. Note that SLO requests must be signed. Continue to the next step and consider the SLO and Signing Validation Rules.
- Under Request Signing Scope, do the following:
- For Signing Scope, select which incoming SP requests must be signed:
- None
- Authentication requests only
- Logout request
- Authentication and logout requests
- For Signing Certificate(s), enter the Service Provider public X.509 certificate (PEM or Base64) used to verify signed requests.
- Under Name ID, select a Name ID AD attribute that will be mapped to the NameId, and a Name ID Claim Format.
Warning
"Name ID" needs to be mapped to an AD attribute that is immutable and uniquely identifies the user. Never map "Name ID" to, for example, the "EmailAddress" attribute since this could allow a malicious user to gain access to another user's account. The "Name ID" is mapped to "objectGUID" as default.
- Under Standard Claim Mapping, optionally click Add Mapping to add the claims that should be sent to the service provider during authentication.
- Claim: Select a name from the list of predefined names or select Custom... to enter a custom name.
- AD Attribute or Custom Value: Select a value from the list of Active Directory attributes or select Custom... to enter a custom name. If an AD attribute is selected, the claim will be populated from the user during authentication. If Custom is selected, a fixed value is used.
- Click Next: Group Claim Mapping.
Note
The standard claims added in Standard Claim Mapping are always sent to the service provider. The group claims entered in Group Claim Mapping are additional claims added to the SAML assertion for users who are members of the selected AD groups.
This configuration does not control which users can access the application. Access to the application is controlled through Policy Configuration which means that users in the selected groups must also be included in a policy to access the application.
- Under Add new group claims, optionally add claims for security groups. Enter the name of a group in Active Directory and click Add.
- Enter one or more claims and claim values for the group and click Save.
- Continue to Configure the Authentication Policy.
SLO and Signing Validation Rules
When configuring SP Single Logout (SLO) URL and Request Signing Scope, consider the following rules:
- If SP Single Logout (SLO) URL is configured, a Signing Certificate(s) value is required.
- If Signing Scope is set to:
  - Logout request or Authentication and logout requests: both Signing Certificate(s) and SP Single Logout (SLO) URL values are required.
  - Authentication requests only: a Signing Certificate(s) value is required and SP Single Logout (SLO) URL must be empty. Logout endpoints are not supported for the application and the logout URL is not published in metadata.
- For Signing Certificate(s), the added certificate must be a valid Base64-encoded X.509 certificate with an RSA public key.
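As an added example (not Specops code), the Python below reads a constructed SP metadata document for the values the Manual configuration asks for (Entity ID, ACS URL, SLO URL, signing certificate) and then applies the SLO and Signing Validation Rules above to them. The certificate value is a Base64 placeholder, so the check only covers its encoding, not that it is an X.509 certificate with an RSA key.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 SP metadata
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample SP metadata; entity ID, URLs and the certificate value are placeholders
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>UExBQ0VIT0xERVI=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def parse_sp_metadata(xml_text):
    """Pull the values the Manual page asks for: Entity ID, ACS URL, SLO URL, signing cert."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = sp.find("md:AssertionConsumerService", NS)
    slo = sp.find("md:SingleLogoutService", NS)
    cert = sp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"),
            "acs_url": acs.get("Location") if acs is not None else None,
            "slo_url": slo.get("Location") if slo is not None else None,
            "signing_cert": cert.text.strip() if cert is not None and cert.text else None}

def validation_errors(config, signing_scope):
    """Apply the SLO and Signing Validation Rules to a parsed config and a chosen Signing Scope."""
    cert, slo, errors = config.get("signing_cert"), config.get("slo_url"), []
    try:
        base64.b64decode(cert or "", validate=True)  # encoding only, not X.509/RSA content
    except ValueError:
        errors.append("Signing Certificate(s) is not valid Base64")
    if slo and not cert:
        errors.append("SP Single Logout (SLO) URL requires Signing Certificate(s)")
    if signing_scope in ("Logout request", "Authentication and logout requests") and not (cert and slo):
        errors.append(f"{signing_scope} requires both Signing Certificate(s) and SLO URL")
    elif signing_scope == "Authentication requests only":
        if not cert:
            errors.append("Authentication requests only requires Signing Certificate(s)")
        if slo:
            errors.append("Authentication requests only requires SLO URL to be empty")
    return errors
```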