Configuring the SAML Authentication Scheme

SAML SSO is enabled by adding a SAML Authentication Scheme to the station. The scheme must be configured for a particular IdP (Identity Provider). You will need to obtain several configuration metadata from your IdP and use them in configuring the scheme. You will also need to provide the IdP with your station’s SP metadata. These SAML metadata are used to share configuration information between the IdP and the SP (for more details refer to the Prerequisites section in this topic.). XML files define the metadata. Once the SAML authentication scheme is properly configured, the station is able to exchange SAML authentication messages with the IdP.

You have the saml palette open.
You have already obtained the necessary IdP configuration metadata that the IdP requires for authentication. Typically, the IdP SAML Server administrator provides these values. The configuration metadata, which may be provided in an XML file, are as follows:
- HTTP-Redirect URL (corresponds to IdP Host URL, IdP Host Port, and IdP Login Path properties)
- IdP Cert
Since SAML is an open standard, a number of third-party SAML Servers are available (i.e. OpenAM, Salesforce, etc.).
You have provided the IdP SAML server administrator with an XML file containing your station’s SP metadata and SAML public certificate. The SP metadata typically include the SP “Entity ID” and the “Assertion Consumer Service”. The IdP needs these metadata to uniquely identify the SP and validate the messages sent by the station.

The Entity ID is a unique name that you choose as an SP, usually a URL. For example, the Entity ID typically is something like this: https://controller.domain.com:portNumber/saml, where you would use your controller’s hostname. A port number is required. The “Assertion Consumer Service” would be another URL, for example: https://controller.domain.com:portNumber/saml/assertionConsumerService, again using your controller’s hostname. Once you have generated your SP metadata, save it in XML format and share the file with the IdP SAML server administrator.
You have already created an Alternate Default Prototype for SAML authentication using the UserPrototype component in the baja palette. This UserPrototype is required for SAML authentication.

In the Nav tree, expand the station’s Config > Services > AuthenticationService node and drag the SAMLAuthenticationScheme component from the saml palette onto the AuthenticationSchemes folder.
In the Name window, enter a name (or use the default text) and click OK.
Expand AuthenticationSchemes and double-click on the SAMLAuthenticationScheme to open a Property Sheet view.

Shown here is an example of the SAML Authentication Scheme configured for the third-party OpenAM Idp.
Enter values for the following properties:
On completion, click Save.
1. For Login Button Text enter the preferred text label for the SSO login button that appears on theLogin window.
2. For IdP Host URL enter the host of your Identity Provider (obtained from IdP admin).
3. For IdP Host Port enter the port number of your Identity Provider (obtained from IdP admin).
4. For IdP Login Path enter the location on the Identity Provider to which you must navigate to trigger the SAML authentication (obtained from IdP admin).
5. For IdP Cert enter the certificate used to encrypt messages sent to the IdP, and to validate messages signed by the IdP (obtained from IdP admin).
6. For SAML Server Cert enter the certificate used by the station to sign the messages being sent back to the IdP, and decrypt messages sent by the IdP.
  Note: For the IdP to read and validate the messages sent by the station, the certificate with its public key must be provided to the IdP SAML server administrator as well.