SAML2 Authentication Method

Since: 1.1 (Previous version: 1.0)

The SAML2 (Security Assertion Markup Language v2.0) Authentication method enables the OpenASelect Server to act as a SAML2 compliant Service Provider (SP) for one or more SAML2 Identity Providers (IdP). This authentication method is a so called federated authentication method, which is used to authenticate users at a SAML2 IdP hosted outside the OpenASelect environment.

The Security Assertion Markup Language (SAML), developed by the Security Services Technical Committee of OASIS, is an XML-based framework for communicating user authentication, entitlement, and attribute information. For more information, visit the SAML2 website.
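To make concrete what "acting as a SAML2 Service Provider" means for the receiving side, here is an added illustration (not OpenASelect code, and not the page's own) of the checks an SP must apply to a SAML2 Response before it consumes the assertion: status, issuer, destination, InResponseTo, validity window, audience restriction and the bearer subject confirmation. The SAML Response, the entity IDs (`https://sp.example.org/saml2`, `https://idp.example.org/saml2`), the ACS URL and all timestamps are constructed for the example; XML signature verification is assumed to happen separately before these checks, and the skew allowance is an assumed value.

```python
"""Added example: assertion consumption checks performed by a SAML2 Service
Provider. Not OpenASelect code; the sample response and all identifiers in it
are constructed for illustration. Production code must verify the XML
signature and use a hardened XML parser before applying these checks."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample response (entity IDs, request ID and times are made up).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" InResponseTo="_req1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" Destination="https://sp.example.org/saml2/acs">
  <saml:Issuer>https://idp.example.org/saml2</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.org/saml2</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req1"
            Recipient="https://sp.example.org/saml2/acs"
            NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.org/saml2</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """Parse a SAML xs:dateTime in the UTC ('Z') form used in the sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, sp_entity_id, acs_url, request_id, trusted_idp,
                      now, skew=timedelta(seconds=60)):
    """Return the list of SP-side validation failures; empty means acceptable."""
    errors = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["not a samlp:Response"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("status is not Success")
    if root.get("Destination") not in (None, acs_url):
        errors.append("Destination does not match this ACS URL")
    if root.get("InResponseTo") != request_id:
        errors.append("InResponseTo does not match an outstanding AuthnRequest")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        errors.append("no plaintext Assertion present")
        return errors
    # Both the Response and the Assertion must come from the configured IdP.
    for elem in (root, assertion):
        issuer = elem.find("saml:Issuer", NS)
        local_name = elem.tag.rsplit("}", 1)[-1]
        if issuer is None or (issuer.text or "").strip() != trusted_idp:
            errors.append(f"{local_name} Issuer is not the configured IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        errors.append("assertion has no Conditions")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_saml_time(nb):
            errors.append("assertion not yet valid (NotBefore)")
        if na and now - skew >= parse_saml_time(na):
            errors.append("assertion expired (NotOnOrAfter)")
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if sp_entity_id not in audiences:
            errors.append("AudienceRestriction does not name this SP")
    # Bearer confirmation ties the assertion to this ACS and this request.
    scd = assertion.find(
        f"saml:Subject/saml:SubjectConfirmation[@Method='{BEARER}']/saml:SubjectConfirmationData", NS)
    if scd is None:
        errors.append("no bearer SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            errors.append("bearer Recipient does not match this ACS URL")
        if scd.get("InResponseTo") != request_id:
            errors.append("bearer InResponseTo does not match the AuthnRequest")
        na = scd.get("NotOnOrAfter")
        if na is None or now - skew >= parse_saml_time(na):
            errors.append("bearer confirmation expired or has no NotOnOrAfter")
    return errors


if __name__ == "__main__":
    now = parse_saml_time("2024-01-01T12:01:00Z")
    print(validate_response(SAMPLE_RESPONSE, "https://sp.example.org/saml2",
                            "https://sp.example.org/saml2/acs", "_req1",
                            "https://idp.example.org/saml2", now))
```

Each failed check is reported rather than raising on the first one, which is the shape an SP needs for useful audit logging; a real deployment would additionally keep the assertion ID to reject replays within the validity window.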

Requirements

The SAML2 authentication method requires the SAML2 Profile to be installed.

If you do not want to enable the SAML2 Profile as a full IdP profile, you can enable it with a limited installation instead. This installation should contain the deployment of the SAML2 Profile component with a minimum configuration, that is:

Installation

These instructions require a working OpenASelect Server installation.

  1. Download the latest binary distribution from the download section and extract it to a temporary directory.
  2. Copy the extracted folders and files into the <OpenASelect-Root> directory of your OpenASelect installation.

Alias storage

The SAML2 Profile requires storage of TGT-specific IDP Role aliases.

If the OpenASelect Server runs in a redundant environment (storing TGTs in a JDBC storage), this functionality must be explicitly enabled in the TGT Factory (see: TGT Alias Store configuration). This also requires that the alias_store_idp table (see the SQL script supplied by the release in setup/postgresql/oa_redundant.saml2.postgresql.sql) is available.

Usage

The following steps need to be taken to enable remote SAML2 authentication:

  1. Add the SAML2 authentication method configuration section to the OpenASelect configuration and tailor the values.
  2. Configure the ResponseEndpoint as a profile in the SAML IdP Profile.
  3. Restart the application server. (The introduction of new libraries forces a full restart.)