Connecting SAML-enabled IDP

Instructions on how to connect a SAML-compliant IDP to ACP

Note

You can use the generic SAML-enabled IDP if you cannot find your connector among the templates available in the ACP administrator portal.

Prerequisites

To configure the connector, you need to retrieve metadata from your IDP: at minimum the sign-in URL to which ACP sends the SAMLRequest and the certificate the IDP uses to sign its SAML responses.

Connect IDP

  1. Go to https://localhost:8443/app/default/admin for the ACP administrator portal and log in with your credentials.

    Result

    The administrator portal is displayed.

  2. Make sure you are in the Consumer workspace (selectable from the left sidebar) and select ADD IDENTITIES to add a new connection.

    Result

    The pop-up dialog box shows and lists available predefined IDP templates.

  3. Select the SAML template, enter the name for your new identity provider, and click Next.

    Result

    The Register SAML fill-in form opens with the redirect URL for registering your application.

  4. Fill in Sign in URL (URL where SAMLRequest is sent).

    Example

    https://test-dev-ed.my.salesforce.com/idp/endpoint/HttpPostCopy

    Note

    The HTTP POST binding is supported.

  5. Enter the certificate text into the IDP certificate field, starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.

    Example

    -----BEGIN CERTIFICATE-----
    MIIErDCCA5SgAwIBAgIOAXHuhl04AAAAAC1SH+cwDQYJKoZIhvcNAQELBQAwgZAx
    KDAmBgNVBAMMH1NlbGZTaWduZWRDZXJ0XzA3TWF5MjAyMF8wOTQ1MTUxGDAWBgNV
    BAsMDzAwRDVJMDAwMDAydUpDdDEXMBUGA1UECgwOU2FsZXNmb3JjZS5jb20xFjAU
    BgNVBAcMDVNhbiBGcmFuY2lzY28xCzAJBgNVBAgMAkNBMQwwCgYDVQQGEwNVU0Ew
    HhcNMjAwNTA3MDk0NTE1WhcNMjEwNTA3MDAwMDAwWjCBkDEoMCYGA1UEAwwfU2Vs
    ZlNpZ25lZENlcnRfMDdNYXkyMDIwXzA5NDUxNTEYMBYGA1UECwwPMDBENUkwMDAw
    MDJ1SkN0MRcwFQYDVQQKDA5TYWxlc2ZvcmNlLmNvbTEWMBQGA1UEBwwNU2FuIEZy
    YW5jaXNjbzELMAkGA1UECAwCQ0ExDDAKBgNVBAYTA1VTQTCCASIwDQYJKoZIhvcN
    AQEBBQADggEPADCCAQoCggEBAMzbEd+lV4trjBOVa0uoTReCVIB2UjEoyVPsABVv
    /VTUc/iMXSSLlSQc00ffrqMjlNB4zxMnH3f8/MQsFpGT9A/5To2vCGoY5G8WmfaC
    xIavytLR39tz7sh2LVEb9y9bjjezxdVf1ifr7veQVYneFEDjmyIT122eO8VYmKKG
    mp5Zv3D7BVEjc4LYo42jdNp8tWB7xEOyHRKVFayK+amx+vgdoDxpE52pCuk1hIPS
    rvo4c3YZ3RagnsPa6P6RpTvrqmpnYDpp6iUAeYA8CrH+vPaViA4nP7eHnaGvJmnb
    Q3pvFldOL2nP5wQjaprmSxGpvp0o7UdqFfXcwup2E5ELnUcCAwEAAaOCAQAwgf0w
    HQYDVR0OBBYEFIvbQr9IUw2TwcgQ5Udf4XtLYwGCMA8GA1UdEwEB/wQFMAMBAf8w
    gcoGA1UdIwSBwjCBv4AUi9tCv0hTDZPByBDlR1/he0tjAYKhgZakgZMwgZAxKDAm
    BgNVBAMMH1NlbGZTaWduZWRDZXJ0XzA3TWF5MjAyMF8wOTQ1MTUxGDAWBgNVBAsM
    DzAwRDVJMDAwMDAydUpDdDEXMBUGA1UECgwOU2FsZXNmb3JjZS5jb20xFjAUBgNV
    BAcMDVNhbiBGcmFuY2lzY28xCzAJBgNVBAgMAkNBMQwwCgYDVQQGEwNVU0GCDgFx
    7oZdOAAAAAAtUh/nMA0GCSqGSIb3DQEBCwUAA4IBAQA2D339Ov7lcn7DEhjmE+yS
    HV2Yz0DQO2v8TepjnOLYU3hkwDUI2qQ1D/gOM7OLZlf7TEqftFQAPX4ZBIudT+cd
    zIOTs3CXyV1SBqnvx/nhOf3RsZ4diFkkyEGl/aY1XEKSbKkBLK7zmCxPN0nCpjdT
    qfxFW7ANBSBf5zErYwISXQSt8aGbR0OP5xsbL1BH5IaPQ9RRBTcKizR2MiV17ZYm
    Mmu3L9F1IdAptqGpzB0ztV2j5JQALZqEmOZCQmIXYXDeBYlpZz4F9pZsE5JFJJb3
    7oHi2ldk9AApArf6jMd76gaUCUwJF1GLI9NtQuWm4UVHMZ982SmPHhAPXkSviS0w
    -----END CERTIFICATE-----

  6. To specify Identifier source, first choose between SUBJECT and ATTRIBUTE.

    Note

    • The identifier source is the unique user attribute that you want to use as the user's identifier in ACP, for example the user ID.
    • The IDP sends back a SAMLResponse, a base64-encoded XML document that includes <Subject> and <AttributeStatement> elements.
    • If you choose SUBJECT, you also need to select the Name ID format from the drop-down list (check which format your IDP issues).

      With the subject as the identifier source, the identifier is taken from the <NameID> element of the SAMLResponse <Subject>.

    • If you choose ATTRIBUTE, you need to enter the name of a user attribute into the Identifier attribute field.

      With an attribute as the identifier source, the identifier is taken from the SAMLResponse <AttributeStatement>. Any attribute from <AttributeStatement> can be used for that purpose.

  7. Select Save.

Result

Your new identity provider has been created and listed in the Consumer Identity Providers view.

Values for Entity issuer and Redirect URL have been generated for your IDP. To preview the values, select the new identity provider from the list in the Consumer Identity Providers view and go to the CONFIGURATION tab.

Note

Another name for the redirect URL in the SAML terminology is Assertion Consumer Service (ACS) URL.

Enable the stateful authorization

This step is optional.

To have the user's data cached in ACP and avoid re-authenticating within one user's session, follow the instructions in Enable the stateful authZ in ACP.

Attributes settings

Attributes of your IDP correspond to the contents of the assertion (the XML received from the IDP).

Example

Here’s a SAMLResponse with the <saml:AttributeStatement> tag and attributes issued by IDP:

<saml:AttributeStatement>
         <saml:Attribute Name="userId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">0011I000000fVAf</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">test@cloudentity.com</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">test@cloudentity.com</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute Name="is_portal_user" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">false</saml:AttributeValue>
         </saml:Attribute>
      </saml:AttributeStatement>
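The following Python script is an added example, not ACP's own code, showing how the identifier source chosen in step 6 of Connect IDP maps onto the SAMLResponse above: the base64 form field is decoded, the Destination is checked against the ACS (redirect) URL, and the identifier is taken either from <Subject>/<NameID> (with the configured Name ID format enforced) or from a named attribute in <AttributeStatement>. The response is a constructed sample wrapping the <saml:AttributeStatement> from the page; the issuer, IDs, timestamps, NameID and ACS URL are hypothetical. The sample is unsigned to stay short, so the code does not verify an XML signature; a real response must be signature-checked against the IDP certificate from step 5 before any of these values are trusted.

```python
import base64
import xml.etree.ElementTree as ET

# XML namespaces used by SAML 2.0 responses and assertions.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample (not a real IDP capture): a minimal, unsigned SAMLResponse
# wrapping the <saml:AttributeStatement> from the page plus a <saml:Subject>.
# Issuer, IDs, timestamps and the ACS URL are hypothetical placeholders.
SAMPLE_RESPONSE_XML = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp-1" Version="2.0" IssueInstant="2020-05-07T09:45:15Z"
                Destination="https://localhost:8443/default/default/saml/acs">
  <saml:Issuer>https://test-dev-ed.my.salesforce.com</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_assertion-1" Version="2.0" IssueInstant="2020-05-07T09:45:15Z">
    <saml:Issuer>https://test-dev-ed.my.salesforce.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test@cloudentity.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="userId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>0011I000000fVAf</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>test@cloudentity.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>test@cloudentity.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="is_portal_user" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>false</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def sample_response_b64() -> str:
    """The form-field value an IDP would POST: base64 of the response XML."""
    return base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def decode_response(saml_response_b64: str) -> ET.Element:
    """Base64-decode the SAMLResponse form field and parse it."""
    return ET.fromstring(base64.b64decode(saml_response_b64))


def check_destination(root: ET.Element, acs_url: str) -> bool:
    """Reject a response addressed to any ACS (redirect) URL other than ours."""
    dest = root.get("Destination")
    if dest != acs_url:
        raise ValueError(f"Destination {dest!r} is not our ACS URL {acs_url!r}")
    return True


def attributes(root: ET.Element) -> dict:
    """Flatten <AttributeStatement> into {Name: value} (a list if multi-valued)."""
    out = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        out[attr.get("Name")] = values[0] if len(values) == 1 else values
    return out


def identifier(root: ET.Element, source: str, name_id_format: str = None,
               attribute_name: str = None) -> str:
    """Pick the user identifier as the SUBJECT / ATTRIBUTE setting describes."""
    if source == "SUBJECT":
        name_id = root.find(".//saml:Subject/saml:NameID", NS)
        if name_id is None or not name_id.text:
            raise ValueError("response has no <Subject>/<NameID>")
        # A missing Format attribute is treated as the 'unspecified' format.
        fmt = name_id.get("Format", UNSPECIFIED)
        if name_id_format and fmt != name_id_format:
            raise ValueError(f"NameID format {fmt!r} != configured {name_id_format!r}")
        return name_id.text
    if source == "ATTRIBUTE":
        attrs = attributes(root)
        if attribute_name not in attrs:
            raise ValueError(f"attribute {attribute_name!r} not in <AttributeStatement>")
        return attrs[attribute_name]
    raise ValueError("identifier source must be SUBJECT or ATTRIBUTE")
```

With SUBJECT and the emailAddress Name ID format the identifier is test@cloudentity.com; with ATTRIBUTE and Identifier attribute userId it is 0011I000000fVAf. A Name ID format mismatch or a Destination that is not the configured ACS URL raises instead of silently accepting the assertion; the dictionary returned by attributes() is the set of names you would see when adding attributes and mappings for the IDP.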

Add attributes

To configure attributes for your new IDP, select the identity provider from the list in the Consumer Identity Providers view and go to the ATTRIBUTES tab. Next, select ADD ATTRIBUTE and use the user object as a source.

Map attributes

To map attributes of your IDP to authentication context attributes, select the identity provider from the list in the Consumer Identity Providers view and go to the MAPPINGS tab. Next, select ADD MAPPING and configure the source name and the target name by selecting values from the drop-down lists.

Note

All attributes carried in the SAMLResponse <AttributeStatement> are available for mapping with the user object as their source.

Register SP

  1. Create a service provider (SP) with your identity provider (IDP).

  2. Configure your SP with Entity issuer and Redirect URL generated for your new identity provider in the ACP administrator portal.

    Result

    After the user authenticates, the IDP POSTs the SAMLResponse to the specified redirect URL (the ACS URL).
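To make the two values you copy into the SP registration concrete, here is an added Python example (not ACP's own code) that builds the AuthnRequest an SP sends to the IDP's Sign in URL over the HTTP POST binding: the SP's Entity issuer goes into <saml:Issuer>, the Redirect URL into AssertionConsumerServiceURL, and the Sign in URL from step 4 into Destination. The entity issuer and ACS URL used below are placeholders; the real values are the ones shown on the CONFIGURATION tab. The request ID is generated per request and would be kept server-side so the InResponseTo of the IDP's reply can be matched against it.

```python
import base64
import html
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_authn_request(entity_issuer: str, acs_url: str, sign_in_url: str,
                        name_id_format: str, request_id: str = None,
                        issue_instant: str = None) -> tuple:
    """Return (request_id, xml) for the AuthnRequest the SP sends to the IDP.

    Issuer is the SP's Entity issuer, AssertionConsumerServiceURL its Redirect
    (ACS) URL, Destination the IDP's Sign in URL. Keep request_id server-side
    so InResponseTo on the SAMLResponse can be matched to it.
    """
    # xs:ID values must not start with a digit, hence the leading underscore.
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{html.escape(sign_in_url)}" '
        f'ProtocolBinding="{HTTP_POST}" '
        f'AssertionConsumerServiceURL="{html.escape(acs_url)}">'
        f'<saml:Issuer>{html.escape(entity_issuer)}</saml:Issuer>'
        f'<samlp:NameIDPolicy Format="{name_id_format}" AllowCreate="true"/>'
        '</samlp:AuthnRequest>'
    )
    return request_id, xml


def post_binding_form(sign_in_url: str, authn_request_xml: str, relay_state: str = "") -> str:
    """HTML auto-submit form that POSTs the base64 SAMLRequest to the Sign in URL."""
    saml_request = base64.b64encode(authn_request_xml.encode()).decode()
    return (
        '<form method="post" action="' + html.escape(sign_in_url) + '">'
        '<input type="hidden" name="SAMLRequest" value="' + saml_request + '"/>'
        '<input type="hidden" name="RelayState" value="' + html.escape(relay_state) + '"/>'
        '<noscript><button type="submit">Continue</button></noscript>'
        '</form><script>document.forms[0].submit()</script>'
    )


def describe_authn_request(xml: str) -> dict:
    """Parse the request back to see exactly what the IDP will receive."""
    root = ET.fromstring(xml)
    ns = {"samlp": SAMLP, "saml": SAML}
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "binding": root.get("ProtocolBinding"),
        "issuer": root.find("saml:Issuer", ns).text,
        "name_id_format": root.find("samlp:NameIDPolicy", ns).get("Format"),
    }


def saml_request_from_form(form_html: str) -> str:
    """Extract and decode the SAMLRequest field, as the IDP side would."""
    marker = 'name="SAMLRequest" value="'
    start = form_html.index(marker) + len(marker)
    end = form_html.index('"', start)
    return base64.b64decode(form_html[start:end]).decode()
```

If the IDP rejects the request, compare the dictionary from describe_authn_request() with what is registered on the IDP side: the Issuer must equal the entity ID the SP was registered with, and the AssertionConsumerServiceURL must be the exact Redirect URL, otherwise a correctly configured IDP refuses to post the assertion anywhere else.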

User’s test

Purpose

Test your new IDP as a user

Prerequisite

Your provider is configured as a user-authentication method by your administrator.

Test

  1. Go to https://localhost:8443/default/default/demo and select LOG IN TO DEMO APP.

  2. Select your configured IDP (if you have multiple ones) and, next, authenticate in IDP.

Result

ACP displays the consent page that lists the data scopes to be shared with the application. When you proceed to the application (ALLOW ACCESS), the PII data coming from the IDP is delivered through the access token and the ID token generated by ACP.

Read more

For information on granting and managing ACP consents, see ACP OAuth consents.

Developer’s test

Purpose

Test your new IDP as a developer

Prerequisite

Your provider is configured as a developer-authentication method by your administrator. To register your IDP for the developer, follow instructions in Connect IDP, this time selecting the Developer workspace in step 2.

Test

  1. Go to https://localhost:8443/app/default/developer to access the ACP developer portal.

  2. Log in to your account by entering your login credentials and selecting LOG IN.

Result

You are logged in to the ACP developer portal with the newly-configured IDP.