{{content/}}

When adding a //SAML 2.0// identity provider (e.g. //Shibboleth 2.0//), the parameters listed below can be configured.

{{info}}Please note that generating an XML metadata file from the settings made here, which could then be imported by the identity provider, will only be possible in a future version of {{formcycle/}}.

If such an XML configuration file is absolutely necessary for the identity provider, it must be created manually from the settings made in {{formcycle/}}. The structure and the required information of such an XML file are usually documented by the identity provider. Alternatively, there are free online services that can assist in generating a suitable XML configuration file from the corresponding information; only public values (entity ID, callback URL, certificate) belong in such a file, the private key must never be entered into such a service. Please note that it is not possible to download a standard keystore that was generated in {{formcycle/}} or to access its public key. If the public key is required for the configuration of the identity provider, a new JKS keystore with a suitable key pair must be created outside of {{formcycle/}}; its public key (certificate) can then be extracted and transferred to the XML configuration file. Further information about such keystores can be found in the submenu [[Manage keystore>>||anchor="keystore"]].{{/info}}

== Base settings ==

{{figure image="saml_base_settings_en.png" clear="h1"}}Basic settings for the configuration of the SAML 2.0 identity provider.{{/figure}}

=== Name ===

Name of the identity provider in {{formcycle/}}.

=== Different name on form login button ===

If a form has been configured to offer several authentication options, a dialog is displayed when the form is opened in which an authentication type has to be selected. The text shown on the button for this identity provider can be configured here.

If nothing is entered here, the name entered under //Name// is used.

=== Alias for callback URL (UUID) ===

Unique identifier that is part of the callback URL to which the identity provider returns to {{formcycle/}}. This value is generated automatically, but can be changed if necessary. If it is changed after the identity provider has been set up, the callback URL registered at the identity provider has to be updated as well.

=== Callback URL ===

The URL to which the identity provider returns after authentication (in SAML terms, the assertion consumer service URL) is shown here and can be copied to the clipboard by clicking the copy icon to the right of the URL. This is the URL that has to be registered at the identity provider.

== Initially visible buttons ==

Below the base settings there are initially three buttons whose functions are intended to help with the configuration of the SAML 2.0 identity provider.

=== Send email to provider ===

Opens the e-mail program set up on the system with a pre-formulated request for the information required to configure the identity provider in {{formcycle/}}.

=== Help ===

Opens this help page in the browser.

=== Add configuration ===

Once the required information has been provided by the identity provider, the area for configuring the identity provider can be opened by clicking this button. The area //Configuration// described below then opens.

{{figure image="saml_configuration_en.png" clear="h2"}}Configuration options for a SAML 2.0 identity provider.{{/figure}}
== Configuration ==

* **Upload configuration**: Pressing this button opens a file selection dialog in which the configuration file (metadata XML) supplied by the identity provider can be selected. Confirming the selection uploads the file. Use only a file obtained from the identity provider over a trusted channel: it contains the certificate with which the identity provider's signatures are verified, so a tampered file would let a different party issue logins.

* **//FileName.xml//**: After a configuration file has been uploaded and the configuration has been saved, the file can be downloaded here. The download is started by clicking on the file name or the {{ficon name="download-circle-outline"/}} symbol.

=== Mapping to user attributes ===

Clicking //Mapping to user attributes// shows the configuration fields for mapping individual attributes. SAML attributes can be configured for the following data. In each case, the value of the //Name// attribute of the corresponding //saml:Attribute// element in the assertion must be specified, exactly as the identity provider sends it (for example an //urn:oid:...// name).

* **Given name (firstname)**: First name of the user
* **Last name (familyName)**: Last name of the user
* **Display name (displayName)**: Display name of the user
* **Username (userName)**: User name of the user
* **Email (mail)**: Email address of the user
* **Language (locale)**: Language of the user
* **Location (location)**: Location of the user
* **Picture url (pictureUrl)**: Picture URL of the user
* **Profile url (profileUrl)**: Profile URL of the user

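The following is an added example (not {{formcycle/}} code) that shows what the mapping above does with an assertion: each configured field is resolved to the //saml:Attribute// whose //Name// matches, and fields without a matching attribute are reported as missing. The mapping values, the OID names (the ones commonly used by Shibboleth, matched on //Name// only, not //FriendlyName//) and the assertion are constructed for the example; the names your identity provider actually releases must be taken from its configuration.

```python
"""Apply the "Mapping to user attributes" to a SAML assertion.

Added example, not FORMCYCLE code. The mapping values and the assertion are
constructed; the OID names are the ones commonly used by Shibboleth IdPs, but
the names your IdP actually sends have to be taken from its attribute release.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Field (as labelled in the configuration) -> Name attribute of the saml:Attribute.
# Matching is on Name only; FriendlyName is ignored (assumption of this example).
ATTRIBUTE_MAPPING = {
    "firstname": "urn:oid:2.5.4.42",                      # givenName
    "familyName": "urn:oid:2.5.4.4",                      # sn
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",   # displayName
    "userName": "urn:oid:0.9.2342.19200300.100.1.1",      # uid
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",          # mail
    "locale": "preferredLanguage",                        # constructed friendly name
}

# Constructed assertion fragment; a real one also carries Conditions and a Signature.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c7a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
      <saml:AttributeValue>Erika</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4" FriendlyName="sn">
      <saml:AttributeValue>Mustermann</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">
      <saml:AttributeValue>emustermann</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>erika@example.org</saml:AttributeValue>
      <saml:AttributeValue>e.mustermann@example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {Name: [values]} for every saml:Attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def map_user(assertion_xml, mapping=ATTRIBUTE_MAPPING):
    """Resolve the configured fields; returns (user, missing_fields)."""
    # Only call this on an assertion whose signature has already been verified;
    # until then every value here is attacker-controlled input.
    attrs = extract_attributes(assertion_xml)
    user, missing = {}, []
    for field, name in mapping.items():
        values = attrs.get(name)
        if not values:
            missing.append(field)
            continue
        user[field] = values[0]  # first value wins for multi-valued attributes
    return user, missing


if __name__ == "__main__":
    print(map_user(SAMPLE_ASSERTION))
```

A field listed as missing (here //displayName// and //locale//) usually means the identity provider does not release that attribute to this service provider, or releases it under a different //Name//; the fix is in the identity provider's attribute release or in the mapping, not in the form.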
{{id name="keystore" /}}
=== Manage keystore ===

Clicking //Manage keystore// shows the settings for the keystore. There are the following two buttons:

* **Create new keystore**: Creates a new keystore with a new key pair. As noted above, neither this keystore nor its public key can be exported from {{formcycle/}}.
* **Update keystore file**: Opens a file selection dialog with which an existing keystore can be selected and uploaded.

After uploading your own keystore, the following input fields also appear:
* **Keystore password**: Password of the keystore
* **Keypair password**: Password of the key pair (the key password given when the key pair was created)

{{info}}Own keystores must be Java keystores of type JKS which contain a 2048-bit RSA key pair. Such a keystore can be generated, for example, with the Java utility program keytool for a certificate lifetime of approximately 10 years (3650 days) using the following command: {{code language="none"}}keytool -genkeypair -alias your-alias -keypass your-password -keystore samlKeystore.jks -storepass your-password -storetype JKS -keyalg RSA -keysize 2048 -validity 3650{{/code}} Replace //your-alias// and //your-password// with your own values; keytool then asks for the distinguished name of the certificate. The store type is given explicitly because Java 9 and newer create PKCS12 keystores by default when it is omitted; newer keytool versions print a warning recommending PKCS12, which can be ignored here since {{formcycle/}} requires JKS. Passwords passed on the command line end up in the shell history; omit the password options to be prompted for them instead. The private key in this keystore is used to sign the requests sent to the identity provider, so the keystore file must be protected like any other private key.{{/info}}

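Since the metadata XML mentioned at the top of this page has to be written by hand, the following added example (not {{formcycle/}} code) assembles a minimal service provider metadata file from the values this page collects: the entity ID from the extended settings, the callback URL from the base settings as assertion consumer service, and the certificate from the keystore created above. Entity ID, callback URL and certificate in the example are constructed placeholders; the real certificate is the PEM block that {{code language="none"}}keytool -exportcert -rfc -alias your-alias -keystore samlKeystore.jks{{/code}} prints for the key pair, and the helper refuses anything that looks like a private key.

```python
"""Build SAML 2.0 service provider metadata by hand from the FORMCYCLE settings.

Added example, not FORMCYCLE code. Entity ID, callback URL and certificate are
constructed placeholders; replace them with the values from your configuration.
"""
import re
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", NS_MD)
ET.register_namespace("ds", NS_DS)

HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholders (assumed values, not taken from a real installation).
SP_ENTITY_ID = "https://forms.example.org/formcycle/saml"
CALLBACK_URL = "https://forms.example.org/formcycle/saml/callback/3f6c2d1e"
# Placeholder PEM with a dummy body, not a real certificate. A real one is what
# "keytool -exportcert -rfc -alias your-alias -keystore samlKeystore.jks" prints.
SAMPLE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBxzCCAXGgAwIBAgIEPLACEHOLDER
Q0VSVElGSUNBVEU=
-----END CERTIFICATE-----"""


def pem_to_base64(pem):
    """Return the bare base64 body of a PEM certificate, refusing private keys."""
    if "PRIVATE KEY" in pem:
        raise ValueError("refusing to embed a private key in metadata")
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return re.sub(r"\s+", "", m.group(1))


def build_sp_metadata(entity_id, acs_url, cert_pem,
                      authn_requests_signed=True, want_assertions_signed=True):
    """Assemble an md:EntityDescriptor for the service provider."""
    ed = ET.Element(f"{{{NS_MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(
        ed, f"{{{NS_MD}}}SPSSODescriptor",
        AuthnRequestsSigned=str(authn_requests_signed).lower(),
        WantAssertionsSigned=str(want_assertions_signed).lower(),
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
    )
    b64 = pem_to_base64(cert_pem)
    # use="signing": the IdP verifies our signed requests with this certificate.
    # use="encryption": the IdP may encrypt assertions to this key (drop if unwanted).
    for use in ("signing", "encryption"):
        kd = ET.SubElement(sp, f"{{{NS_MD}}}KeyDescriptor", use=use)
        ki = ET.SubElement(kd, f"{{{NS_DS}}}KeyInfo")
        x509 = ET.SubElement(ki, f"{{{NS_DS}}}X509Data")
        ET.SubElement(x509, f"{{{NS_DS}}}X509Certificate").text = b64
    ET.SubElement(sp, f"{{{NS_MD}}}NameIDFormat").text = \
        "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
    # The callback URL from the base settings is the assertion consumer service.
    ET.SubElement(sp, f"{{{NS_MD}}}AssertionConsumerService",
                  Binding=HTTP_POST, Location=acs_url, index="0", isDefault="true")
    return ET.tostring(ed, encoding="unicode")


def metadata_summary(metadata_xml):
    """Read back the values an IdP admin would check before importing the file."""
    ns = {"md": NS_MD, "ds": NS_DS}
    root = ET.fromstring(metadata_xml)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", ns)
    certs = root.findall(".//ds:X509Certificate", ns)
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location") if acs is not None else None,
        "acs_binding": acs.get("Binding") if acs is not None else None,
        "certificate": certs[0].text if certs else None,
        "key_descriptors": len(certs),
        "contains_private_key": "PRIVATE KEY" in metadata_xml,
    }


if __name__ == "__main__":
    print(build_sp_metadata(SP_ENTITY_ID, CALLBACK_URL, SAMPLE_CERT_PEM))
```

The //AuthnRequestsSigned// and //WantAssertionsSigned// flags in the generated file should mirror the corresponding extended settings below, otherwise the identity provider and {{formcycle/}} disagree about what has to be signed and logins fail.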
{{figure image="saml_extended_settings_en.png" clear="h2"}}Extended settings for configuring a SAML 2.0 identity provider.{{/figure}}
=== Extended settings ===

Clicking //Extended settings// reveals further parameters for the connection with the identity provider.

==== Service provider entity ID ====

Optional identifier (entity ID) with which {{formcycle/}} identifies itself towards the identity provider. If it is set, it must match the entity ID under which the service provider is registered at the identity provider.

==== Force authentication ====

Specifies whether the user is forced to log in again at the identity provider (//ForceAuthn//) even if a valid session with the identity provider still exists.

==== Passive authentication ====

Specifies whether authentication should be attempted without user interaction (//IsPassive//). The identity provider then must not display a login page; if no session exists, the login fails instead.

==== User name qualifier ====

Specifies whether the authentication request should also send the //NameQualifier//. This is not required by the SAML standard, but some identity providers need it.

==== Authentication request signed ====

Specifies whether the authentication request sent to the identity provider is digitally signed with the key pair from the keystore.

==== Logout request signed ====

Specifies whether the logout request is digitally signed.

==== Wants assertions signed ====

Specifies whether the SAML statements (assertions) are required to be digitally signed by the identity provider.

==== Wants response signed ====

Specifies whether the SAML responses are required to be digitally signed by the identity provider. At least one of //Wants assertions signed// and //Wants response signed// should remain enabled: if neither is required, login data is accepted without a signature check and could be forged by anyone able to post a response to the callback URL.

==== Max. authentication lifetime (seconds) ====

Maximum age of the login at the identity provider (the time elapsed since its //AuthnInstant//) that {{formcycle/}} still accepts. Older logins are rejected and the user has to authenticate again. The default value is {{code language="none"}}3600{{/code}} seconds.

==== Max. clock skew (seconds) ====

Maximum allowed difference between the system clock of the {{fcserver/}} and that of the identity provider when the validity period of assertions is checked. The default value is {{code language="none"}}300{{/code}} seconds. Larger values widen the window in which an assertion is accepted, so the clocks should be synchronised (e.g. via NTP) rather than the skew increased.

==== Assertion consumer service index ====

Specifies the index of the assertion consumer service that is requested in the login request. The default value is {{code language="none"}}-1{{/code}}, which means that no index is sent and the identity provider's default is used.

==== Attribute consumer service index ====

Specifies the index of the attribute consuming service that is requested in the login request. The default value is {{code language="none"}}-1{{/code}}, which means that no index is sent and the identity provider's default is used.

==== Authentication request binding type ====

Specifies the SAML binding (e.g. //HTTP-Redirect// or //HTTP-POST//) with which {{formcycle/}} sends the login request to the identity provider.

==== Response binding type ====

Specifies the SAML binding with which the identity provider sends its response to a login request from {{formcycle/}}.

==== Logout request binding type ====

Specifies the SAML binding with which {{formcycle/}} sends a logout request to the identity provider.

==== Logout response binding type ====

Specifies the SAML binding with which the identity provider responds to a logout request from {{formcycle/}}.

==== Signature canonicalization algorithm ====

Specifies the algorithm used to convert the XML to be signed into a canonical form before the signature is computed. {{code language="none"}}http://www.w3.org/2001/10/xml-exc-c14n#{{/code}} (Exclusive XML Canonicalization) is used by default.

==== Black listed signature signing algorithms ====

Algorithms that are refused for signing. SHA-1 based algorithms such as {{code language="none"}}http://www.w3.org/2000/09/xmldsig#rsa-sha1{{/code}} belong in this list.

==== Signature algorithms ====

Algorithms that are allowed for signing.

==== Signature reference digest methods ====

Specifies the hash algorithms that are allowed for the digests in the signature of the SAML statements (assertions).
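
The following added example (not {{formcycle/}} code) makes the effect of //Max. authentication lifetime//, //Max. clock skew//, the blacklisted signature algorithms and the allowed digest methods visible by applying them as an acceptance policy to a constructed assertion. Whether {{formcycle/}} applies the algorithm lists to the identity provider's signatures or only to its own is not stated on this page; the example treats them as an acceptance policy, which is what a reviewer would want in either case. The assertion, the timestamps and the policy values are constructed for the example, and the signature value in it is a dummy: the code checks the algorithms and timestamps only and does not verify the XML signature itself, which a proper XML-DSig library has to do before any of these values are trusted.

```python
"""Timing and algorithm checks behind the extended settings.

Added example, not FORMCYCLE code. It applies "Max. authentication lifetime",
"Max. clock skew", the signature algorithm blacklist and the allowed digest
methods to a constructed assertion. It does NOT verify the XML signature itself.
"""
import re
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"

# Assumed policy: SHA-1 based signing is refused, only SHA-2 digests are accepted.
BLACKLISTED_SIGNING = {RSA_SHA1, "http://www.w3.org/2000/09/xmldsig#dsa-sha1"}
ALLOWED_DIGESTS = {SHA256, "http://www.w3.org/2001/04/xmldsig-more#sha384",
                   "http://www.w3.org/2001/04/xmlenc#sha512"}


def make_assertion(authn_instant, not_before, not_on_or_after,
                   sig_alg=RSA_SHA256, digest_alg=SHA256):
    """Constructed assertion; SignatureValue and DigestValue are dummies."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_1" Version="2.0" IssueInstant="{authn_instant}">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>
    <ds:SignatureMethod Algorithm="{sig_alg}"/>
    <ds:Reference URI="#_1"><ds:DigestMethod Algorithm="{digest_alg}"/>
      <ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
  <saml:AuthnStatement AuthnInstant="{authn_instant}"/>
</saml:Assertion>"""


def parse_time(value):
    """SAML timestamps are xs:dateTime in UTC; fractional seconds are dropped."""
    value = re.sub(r"\.\d+", "", value)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(assertion_xml, now, max_authn_lifetime=3600, max_clock_skew=300,
                    blacklisted=BLACKLISTED_SIGNING, allowed_digests=ALLOWED_DIGESTS):
    """Return the list of policy violations; an empty list means accepted."""
    root = ET.fromstring(assertion_xml)
    skew = timedelta(seconds=max_clock_skew)
    problems = []

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        # Clock skew widens the validity window in both directions.
        if cond.get("NotBefore") and now + skew < parse_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore)")
        if cond.get("NotOnOrAfter") and now - skew >= parse_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter)")

    authn = root.find("saml:AuthnStatement", NS)
    if authn is None or not authn.get("AuthnInstant"):
        problems.append("no AuthnStatement with AuthnInstant")
    elif now - parse_time(authn.get("AuthnInstant")) > timedelta(seconds=max_authn_lifetime) + skew:
        problems.append("login at the IdP is older than max. authentication lifetime")

    sig = root.find("ds:Signature", NS)
    if sig is None:
        problems.append("assertion is not signed")
    else:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        if alg is None or alg in blacklisted:
            problems.append(f"signature algorithm not acceptable: {alg}")
        for ref in sig.iterfind("ds:SignedInfo/ds:Reference", NS):
            digest = ref.find("ds:DigestMethod", NS)
            dalg = digest.get("Algorithm") if digest is not None else None
            if dalg not in allowed_digests:
                problems.append(f"digest method not allowed: {dalg}")
    return problems


if __name__ == "__main__":
    now = parse_time("2024-05-01T12:10:00Z")
    print(check_assertion(make_assertion("2024-05-01T10:00:00Z", "2024-05-01T12:09:00Z",
                                         "2024-05-01T12:15:00Z"), now))
```

With the defaults, an assertion whose //NotOnOrAfter// lies up to five minutes in the past is still accepted because of the clock skew, while a login whose //AuthnInstant// is more than an hour (plus skew) old is rejected even if the assertion itself is fresh; the former is the reason to keep the skew small, the latter is what forces re-authentication at the identity provider.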
Copyright 2000-2024