Configuring SAML 2.0 Authentication for Web Login

When configuring web login, you can configure authentication through an external SAML Identity Provider.

To set up the SAML 2.0 authentication for web login:

  1. In Workbench in Project Explorer, expand your project > Security > Global Settings and go to the Web Login tab.
  2. In the Authentication section in Type, select SAML 2.0, and then complete the additional settings specific to this type.

    Setting

    Description

    Assertion Consumer Service (ACS)

    Informational only; the value may be required when setting up the external SAML Identity Provider.

    SP metadata URL

    Informational only. You can download a SAML metadata document from this URL after enabling web login and saving the Global Settings changes. This document will very likely be required when setting up the external SAML Identity Provider.

    SP Entity ID

    The value is required when setting up the external SAML Identity Provider.

    IdP metadata document

    Saves the metadata XML from the external IdP. Click one of the links on the left to download the document from a URL or load it from a file.

    Security currently does not support loading the metadata from a URL dynamically.

    The metadata XML file can be one of the following:

    • Empty—The SAML login will not work, but the SAML protocol in the server will be partially set up to at least produce the SP metadata document on the SP metadata URL above.

    • A SAML document with a single Identity Provider specified (most common)—The metadata XML contains an <EntityDescriptor> element at the root level.

    • A Federated SAML document that contains a single Identity Provider—The metadata XML contains an <EntitiesDescriptor> element at the root level, which contains a single child <EntityDescriptor> element.

    Force authentication

    (Optional) Sets ForceAuthn on the authentication request, instructing the SAML Identity Provider to re-authenticate the user even if an IdP session already exists.

    Include the WantAssertionsSigned attribute in metadata

    Makes the IdP require signed authentication requests by adding a WantAuthnRequestsSigned="true" attribute to the SPSSODescriptor element of the metadata generated by the GENESIS Security SAML integration.

    This setting has no effect on the actual signature checking logic.

    Support SAML Authentication Request Signing / Decrypting Assertion

    Select the checkbox when the Include the WantAssertionsSigned attribute in metadata option is selected. GENESIS Security then digitally signs outgoing authentication requests using the certificate defined in the following fields.
    This setting also allows GENESIS Security to decrypt inbound SAML assertions, and is required to participate in SAML Single Logout.

    Select certificate by

    Specifies how to find the signing/decryption certificate in the Windows Certificate Store or in the file system.

    If multiple valid certificates in the Windows Certificate Store match the criteria, only the oldest certificate (the one with the earliest Not After or Valid To date) is used to sign authentication requests, but any of the matching certificates can be used for decryption. This behavior supports certificate rollover.

    When using the file system, an exact file path is specified, and only one certificate can match.

    Certificate identifier

    Enter the value of the parameter specified in Select certificate by (Subject Distinguished Name, Thumbprint, or file path) that identifies the desired certificate(s).

    If the certificate(s) matching the criteria specified by Select certificate by and Certificate identifier change, the new certificate(s) are not reloaded until you restart the FrameWorX server or re-apply the Global Settings dialog.

    Certificate password

    (Optional) Click to select the stored certificate password.

  3. Complete the settings in the SAML Authentication User Mapping section, and then click Apply.

    • Use this SAML claim—Specifies what information from the SAML token to use when mapping to an existing user. These rules apply when Security extracts information from the SAML token and assigns it to individual claims:

      • The <Subject> → <NameID> element gets mapped to claim http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
      • Each value of an <Attribute> element gets mapped to a claim with the same name as the <Attribute> (using the Name attribute of the <Attribute> element). If there are multiple values in the <Attribute> element, only the first one is used.
    • Find existing user by—Select the parameter of the GENESIS user settings to which the claim should be mapped.
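The following is an added example, not GENESIS product code: it checks an IdP metadata document against the three accepted shapes described under IdP metadata document in step 2, and applies the claim-mapping rules from step 3 to a constructed, already signature-verified assertion. Function names and the sample XML are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET  # in production prefer defusedxml to block entity-expansion attacks

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
NAMEID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

def idp_metadata_shape(xml_text):
    """Classify an IdP metadata document into the three shapes the setting accepts."""
    if not xml_text.strip():
        return "empty"  # SAML login will not work, but SP metadata can still be generated
    root = ET.fromstring(xml_text)
    if root.tag == MD + "EntityDescriptor":
        return "single"
    if root.tag == MD + "EntitiesDescriptor":
        entities = [c for c in root if c.tag == MD + "EntityDescriptor"]
        if len(entities) == 1:
            return "federated-single"
        raise ValueError(f"EntitiesDescriptor must contain exactly one EntityDescriptor, found {len(entities)}")
    raise ValueError(f"unsupported root element {root.tag}")

def assertion_to_claims(assertion_xml):
    """Map an (already signature-verified) assertion to claims using the step 3 rules."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    name_id = root.find(f"{SAML}Subject/{SAML}NameID")
    if name_id is not None and name_id.text:
        claims[NAMEID_CLAIM] = name_id.text.strip()  # Subject/NameID -> nameidentifier claim
    for attr in root.iter(SAML + "Attribute"):
        values = [v.text.strip() for v in attr.findall(SAML + "AttributeValue") if v.text]
        if values:
            claims[attr.get("Name")] = values[0]  # only the first value of a multi-valued attribute is used
    return claims

# Constructed sample inputs (hypothetical, not real IdP data).
SINGLE_MD = '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example/"/>'
FEDERATED_MD = ('<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">'
                '<EntityDescriptor entityID="https://idp.example/"/></EntitiesDescriptor>')
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Subject><NameID>alice@example.com</NameID></Subject>
  <AttributeStatement>
    <Attribute Name="groups"><AttributeValue>Operators</AttributeValue><AttributeValue>Viewers</AttributeValue></Attribute>
    <Attribute Name="mail"><AttributeValue>alice@example.com</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""

if __name__ == "__main__":
    print(idp_metadata_shape(SINGLE_MD), idp_metadata_shape(FEDERATED_MD))
    print(assertion_to_claims(SAMPLE_ASSERTION))
```

Note that the "groups" claim receives only "Operators": a second group value is dropped, which matters when Find existing user by is mapped to a multi-valued attribute.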