
SAML2 IDP

Configure Identity Providers that use the SAML (Security Assertion Markup Language) 2.0 Protocol to authenticate and authorize users. TrustBuilder will act as a Service Provider when sending an Authentication Request to the Identity Provider.

You can either configure a Custom SAML IDP manually or upload the SAML IDP metadata (Upload SAML IDP).

Configure a custom SAML IDP

From the admin portal, go to Identity Providers tab > Custom SAML IDP.

Setting

Description

Display Name

The display name of the Identity Provider

If a known name is used (such as Facebook, Google, LinkedIn) the corresponding logo will automatically be provided.

Description

The Identity Provider description

Provisioning Workflow

Select a workflow that will be executed after the Authentication is complete. The workflows can be used, for instance, to provision users in a user database.

Type

"SAML2"

Subject

Primary attribute that is used to identify the Subject

Manage Certificates

You can manage certificates from the Certificates configuration page. You can also add or import certificates from the Identity provider configuration.

  • Context → Defines what the certificate is used for.

    • Key - Signing: Used to sign messages to the IDP

    • Key - Encryption: Used to decrypt the messages (assertions) sent from the IDP

    • Key - TLS: Used to initiate a secure connection (TLS) to the IDP

    • Trust - Signing: Used to verify the signature of messages sent by the IDP

    • Trust - TLS: Used to accept a secure connection (TLS) from the IDP

  • Certificate Alias → The alias of the certificate to use for this context.

  • Used From → Defines from when this certificate may be used. In some cases these periods may overlap for the same context (eg. during a certificate renewal), but in other cases they may never overlap (Key - Signing, Key - TLS).

  • Used Until → Defines until when this certificate may be used.

See Certificates

Entity ID

This uniquely identifies your SAML2 partner. It is provided by the partner if you want to use SAML2.

Authentication Request Signed

This indicates whether to digitally sign the Authentication Request or not. Signing requires a "Key Signing" certificate to be added.

SSO Binding Type

The communication method that is used to transport the messages:

  • Post → enables SAML protocol messages to be transmitted within an HTML form by using base64-encoded content

  • Redirect → enables SAML protocol messages to be transmitted within URL parameters

SSO Post Location

Endpoint of the Identity Provider, where the Authentication Request is sent.

SLO Endpoints

A list of endpoints where the SLO (Single Log-Out) requests can be sent.

  • Binding → the method used to deliver the SLO Request.

    • HTTP Post

    • HTTP Redirect

  • Location → URL of the Endpoint where the log-out request is sent

  • Response Location → URL where the Log-out response is received from the IDP.

SLO Signed

Defines if the SLO (Single Log Out) request to the IDP is signed. This requires a "Key Signing" certificate to be added.

Include X509 Certificate

Includes the complete certificate in the signature.

Include X509 Alias

Includes the signing certificate alias in the signature.

Include PK Name

Includes the public key name in the signature.

Signature Method

Define which algorithm is used to sign the Authentication Request.

Attribute Consuming Services

Attribute Consuming Services define which set(s) of User Attributes are being requested from the Identity Provider.

This information is optional (if there is no Attribute Consuming Services defined: all attributes will be requested), but it's recommended for privacy reasons.

  • Index → The numerical identifier of the Attribute Set. This index is included in the Authentication Request, without having to specify all the attributes.

  • Service Name → The name of the Attribute Consuming Service. If none is provided, the Attribute Set name is applied.

  • Attribute Set → Select the attribute set (containing the attributes to be requested). Note: an attribute can belong to multiple Attribute Sets, and therefore also to multiple AttributeConsumingServices.

  • Default → Once AttributeConsumingServices are defined in the Metadata, the default one is applied if no AttributeConsumingServiceIndex is provided in the Authentication Request.

Post Profile Template

A template form that is used to execute some JavaScript (eg. to log in) before accessing the Identity Provider

Artifact Resolve Location

Optional. In this alternative approach, the Identity Provider makes the assertion available at this URL. TrustBuilder fetches the assertion from this location rather than receiving it via the client's browser.

Audience

The Audience field is provided in an assertion and is verified by TrustBuilder. If the audience matches, then the assertion can be accepted.
If no value is provided, the IDHub Entity ID is used.

Subject Recipient

Needs to correspond to the Subject Recipient in the assertion. If no value is provided, the Subject Recipient is not validated.
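The Audience and Subject Recipient checks described above, as an added example (not TrustBuilder code) run over a constructed assertion; it assumes the XML signature has already been verified with the Trust - Signing certificate, and the endpoint values are placeholders.

```python
from datetime import datetime, timezone
from xml.etree import ElementTree as ET  # production code should use a hardened parser (e.g. defusedxml)

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (signature omitted); all URLs are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.test/acs"
          NotOnOrAfter="2024-01-01T00:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_saml_time(value):
    """SAML dateTime values are UTC ('Z'); fractional seconds are dropped for brevity."""
    return datetime.strptime(value.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, expected_audience, expected_recipient=None, now=None):
    """Return the list of failed checks (empty list = accepted).
    expected_audience mirrors the Audience setting (the product falls back to the IDHub Entity ID);
    expected_recipient mirrors Subject Recipient: None skips that check, as the setting describes."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    failures = []
    audiences = [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        failures.append(f"audience: expected {expected_audience}, got {audiences}")
    cond = root.find("saml:Conditions", NS)
    if cond is not None:  # validity window of the whole assertion
        if cond.get("NotBefore") and now < parse_saml_time(cond.get("NotBefore")):
            failures.append("conditions: not yet valid")
        if cond.get("NotOnOrAfter") and now >= parse_saml_time(cond.get("NotOnOrAfter")):
            failures.append("conditions: expired")
    for scd in root.findall("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS):
        if expected_recipient is not None and scd.get("Recipient") != expected_recipient:
            failures.append(f"recipient: expected {expected_recipient}, got {scd.get('Recipient')}")
        if scd.get("NotOnOrAfter") and now >= parse_saml_time(scd.get("NotOnOrAfter")):
            failures.append("subject confirmation: expired")
    return failures
```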

Assertion Consumer Service Index

This value is filled into the AssertionConsumerServiceIndex attribute of an AuthenticationRequest.

Add extensions to Authentication Request

Add the Extension Elements to an Authentication request.

IDHub Entity ID

The Entity ID that identifies TrustBuilder to the IDP
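An added example (not TrustBuilder code) showing how the request-side settings above map onto an AuthnRequest: the IDHub Entity ID becomes the Issuer, SSO Post Location the Destination, the two index settings become attributes, and the SSO Binding Type decides whether the XML is deflated into URL parameters (Redirect) or base64-encoded into a form field (Post). Entity IDs and URLs are placeholders.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_authn_request(sp_entity_id, sso_post_location, acs_index=None, attr_service_index=None):
    """Unsigned AuthnRequest; arguments mirror the IDHub Entity ID, SSO Post Location and index settings."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,  # xs:ID must not start with a digit
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": sso_post_location,  # the IDP compares this with its own endpoint
    })
    if acs_index is not None:  # "Assertion Consumer Service Index" setting
        req.set("AssertionConsumerServiceIndex", str(acs_index))
    if attr_service_index is not None:  # index of the Attribute Consuming Service to request
        req.set("AttributeConsumingServiceIndex", str(attr_service_index))
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id  # IDHub Entity ID
    return ET.tostring(req, encoding="unicode")

def request_attributes(xml_text):  # root-element attributes, for inspection
    return dict(ET.fromstring(xml_text).attrib)

def encode_for_redirect(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as query parameters."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urlencode(params)

def decode_redirect(query_string):  # what the receiving side does with the query string
    data = base64.b64decode(parse_qs(query_string)["SAMLRequest"][0])
    return zlib.decompress(data, -15).decode("utf-8")

def encode_for_post(xml_text):  # HTTP-POST binding: plain base64 in a hidden SAMLRequest form field
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")

def decode_post(field_value):
    return base64.b64decode(field_value).decode("utf-8")
```

Signing (the Authentication Request Signed setting) is deliberately left out; with the Redirect binding the signature goes into separate query parameters rather than into the XML.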

Upload SAML IDP

From the admin portal, go to Identity Providers tab > Upload SAML IDP.

Setting

Description

Display Name

The display name of the Identity Provider

If a known name is used (such as Facebook, Google, LinkedIn) the corresponding logo will automatically be provided.

Description

The Identity Provider description

Type

"SAML 2 Upload XML"

Subject

Primary user attribute that is used to identify the user.

Manage Certificates

You can manage certificates from the Certificates configuration page. You can also add or import certificates from the Identity provider configuration.

  • Context → Defines what the certificate is used for.

    • Key - Signing: Used to sign messages to the IDP

    • Key - Encryption: Used to decrypt the messages (assertions) sent from the IDP

    • Key - TLS: Used to initiate a secure connection (TLS) to the IDP

    • Trust - Signing: Used to verify the signature of messages sent by the IDP

    • Trust - TLS: Used to accept a secure connection (TLS) from the IDP

  • Certificate Alias → The alias of the certificate to use for this context.

  • Used From → Defines from when this certificate may be used. In some cases these periods may overlap for the same context (eg. during a certificate renewal), but in other cases they may never overlap (Key - Signing, Key - TLS).

  • Used Until → Defines until when this certificate may be used.

See Certificates

Upload SAML 2

Upload an XML file (from PC) that contains the SAML configuration parameters. This is the metadata which is supplied by the Identity Provider.

Click "Upload XML and create IDP" to start the upload. The Identity Provider is created when the upload is complete.
