Create a new SAML IDP Profile#
A SAML IDP profile must be created and configured before it can be used to respond to SAML authentication requests. It is very simple to set up a SAML IDP profile using the Admin UI, the main requirement being an existing Authentication Service profile to handle user authentication.
Begin by navigating to the Admin UI, selecting “Create Profile,” and choosing the SAML IDP profile type.
The Setup Wizard will guide you through the necessary steps to create the profile, as well as defining and deploying an endpoint for the Single Sign On Service.
Configure a SAML IDP Profile#
The SAML IDP profile configuration is divided in the following sections:
- General: Includes settings to manage relationship with the Authentication Service and other generic profile settings.
- Assertion: Configure profile-wide settings for issuing SAML assertions, like if and how to sign assertions.
- Metadata: Configure how the SAML IDP profile exposes its metadata.
- Request Bindings: Manage which bindings the SAML IDP profile supports for receiving messages.
General Settings#
Authentication Service#
- Authentication Profile Select the Authentication Service profile that the SAML IDP profile will use to authenticate users
- Clock Skew Configure acceptable clock skew between the SAML IDP Profile and the Authentication Service profile.
Other settings#
- Issuer Override By default, the SAML IDP profile uses the profile’s Single Sign On Service URL as issuer. It relies on the Base URL settings for the scheme/host/port path of its value. If this is not suitable, you can override the issuer value here. The issuer value is constructed by combining the Base URL (scheme, host, and optional port) with the deployed SSO endpoint path and the /metadata suffix, unless an Issuer Override is defined, in which case the override value is used instead.
Assertion Settings#
- Time to Live The number of seconds an assertion will be valid. This can be overruled by individual service provider configuration.
- Signing KeyStore The key to sign assertions. If not set, assertions will not be signed.
- Enable Holder of Key binding Enable this to include the Holder of Key binding when issuing an assertion.
When a signing key is set, this key must also contain a certificate with the verification key (and not just a public key). When a signing key is set, both the assertion as well as the response will be signed with that key.
Holder of Key Settings#
The Holder of Key Web Browser SSO profile (HoK) allows the SAML Identity Provider (IdP) to issue SAML assertions that include the Holder of Key subject confirmation method. This method enhances security by binding the SAML assertion to a specific cryptographic key, which the subject (user) must prove possession of when accessing the Service Provider (SP).
When the Holder of Key binding is enabled, the following additional settings are available:
- Require Holder of Key Binding When enabled, the SAML IDP profile will only issue assertions with the Holder of Key subject confirmation method or return an error when no certificate was established to bind the assertion to. When disabled, a Holder of Key subject confirmation will be included when a certificate is available.
- Include X509 Certificate Include the X.509 certificate in the Holder of Key subject confirmation data. This is typically required by Service Providers to validate the key binding.
- Include Subject Name Include the certificate’s Subject Name in the Holder of Key subject confirmation data.
- Include Subject Key Identifier Include the certificate’s Subject Key Identifier in the Holder of Key subject confirmation data. If the certificate did not include this extension, it will be omitted (i.e. it will not be an error).
- Include Issuer Serial Include the certificate’s Issuer and Serial Number in the Holder of Key subject confirmation data.
- Name of Subject Attribute with Client Certificate The name of the attribute in which the client certificate that the assertion should be bound to is stored. It is the responsibility of the Authentication Service (e.g. an authenticator) to establish the client certificate and store it in this attribute.
The Holder of Key feature is described in two specifications, the Holder-of-Key Web Browser SSO Profile and the Holder-of-Key Assertion Profile. The former one describes the behaviour and the latter one describes the data formats.
Metadata Settings#
- Expose Metadata When enabled, the metadata is published at the SSO endpoint with /metadata appended to the path, and it can be used by SAML Service Providers to discover the SAML IDP Service and to configure their interactions with it.
For example, if the Curity instance is hosted at https://idp.example.com, and the SSO endpoint is deployed at /idp/sso, then the metadata (when enabled) is published at https://idp.example.com/idp/sso/metadata.
Notice that the default EntityId in this case is https://idp.example.com/idp/sso/metadata.
Request Bindings Settings#
SAML request bindings define how a Service Provider (SP) sends an authentication request (AuthnRequest) to the Single Sign-On (SSO) endpoint. The Curity SAML IdP supports the standard SAML 2.0 front-channel bindings. You can enable one or both bindings to meet your interoperability and security requirements.
HTTP-Redirect binding the authentication request is sent to the SSO endpoint through a browser redirect.
HTTP-POST binding the authentication request is submitted to the SSO endpoint using an HTML form.
Request bindings are configured at two levels: the SAML IdP profile and the Service Provider. The profile defines which bindings are permitted for the SSO endpoint (for example, HTTP-Redirect and/or HTTP-POST). Each Service Provider specifies which binding or bindings it will use. A binding configured for a Service Provider must also be enabled in the profile; otherwise, requests using that binding are rejected.