Configuring SAML-based SSO with another Identity Provider

 Show all Hide all

You can configure SAML 2.0-based Single Sign-on with a Softadmin® system as Service Provider and many SAML 2.0 compatible servers as Identity Provider.

What Softadmin® needs

Service Provider Metadata Url

The Softadmin® system gets all the information about the Identity Provider that it needs by reading a SAML metadata file that Identity Provider publishes. Set the system setting SingleSignOnSamlMetadataUrl to the location of this metadata.

If the IdP does not publish metadata then you can trick Softadmin® by creating your own metadata file by hand and serving it from any location. This will, however, require you to update the metadata file each time the IdP rotates its signing certificates.

A stored procedure to receive assertions

Set SingleSignOnLoginProcedure to the name of the stored procedure that will extract user attributes from the SAML Assertion. Exactly how this assertion looks will depend on the Identity Provider. If the IdP administrator can not provide you with a sample then you best bet is to start with a procedure that simply logs the received assertion, configure a SAML integration to capture an assertion and then write the rest of the procedure based on the logged XML.

Name ID format

The format the Softadmin® system wants to receive usernames in. You can usually leave this as unspecified, but if the Identity Provider demands that another format is used then you can use the system setting SingleSignOnSamlNameIdFormat to change the format that the Softadmin® system will request.

What the Identity Provider needs

The Identity Provider will require some subset of the following information.

Service Provider metadata URL

The Softadmin® system publishes metadata describing it at /saml/sp (for example https://softadmin.example.com/saml/sp).

Service Provider identity

The value assigned to the system setting SingleSignOnSamldentity.

Assertion consumer service

The location the Softadmin® system receives SAML assertions at. It is located at /LoginPostback.aspx (for example https://softadmin.example.com/LoginPostback.aspx).

Binding used to receive assertions

urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

Name ID format

urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified unless the system setting SingleSignOnSamlNameIdFormat has been changed (see above).

Does Softadmin® sign its SAML Requests?

No.