Difference between revisions of "SAMLConfiguration"
Thewikiadmin (talk | contribs)
Latest revision as of 12:23, 4 October 2020
This configuration section lets the administrator set up a variety of service providers from within the same instance of Orbital Lite STS. In a Production instance, the STS redirects authorized users based on the target "Service" parameter submitted. Each configuration can differ in these major elements:
- Service and IdP Endpoints
- Signing and Encryption Certificates
- SAML Specification Version
Service
This is the label assigned to the entry. When the legacy application specifies a target service, its "Service" parameter must match this label (the comparison is not case-sensitive).
AssertingParty
This is the string that will be included in the SAML payload as the issuer. It lets the receiving Service Provider perform a quick check that the assertion comes from an authorized Identity Provider before it checks the other aspects of the SAML, such as expiry and the digital signature. Typically, this value is a fully qualified domain name (FQDN) that represents the STS server. A matching issuer is only a cheap early filter: the string is unauthenticated until the signature has been verified, so a mismatch should reject the assertion while a match must not skip any later check.
EncryptSAML
This is set to "true" or "false". If set to true, a public key certificate from your Service Provider must be configured and all of the SAML attributes will be encrypted. The recommended setting is to always encrypt, especially if patient health information is being transmitted. Note that the global setting EncryptSAMLAttributes (https://sts.radiusworks.com/wiki/index.php?title=STSSettings#EncryptSAMLAttributes) overrides this value if it is set to true. If you wish to actually disable encryption, you need to set the global value to "false" as well.
TokenTimeSpan
Represents the time interval (in minutes) that the SAML payload will indicate to the Service Provider as the token's validity window. This is a good way to limit the potential for replay attacks with SAML. The value should allow for network latency and possible clock synchronization issues between the STS and the Service Provider, but it should not be higher than 2 minutes. A short window narrows replay rather than preventing it; the Service Provider should still refuse to accept the same assertion ID twice within the window.
appURL
This is a mandatory parameter. appURL is the entry endpoint for the Service Provider. In most cases this is another Identity Provider that will perform an authentication/authorization check on the user and on the Orbital Lite STS. This value is also placed in the RelayState of the SAML POST.
destinationURL
This is a mandatory parameter. After the initial successful authentication/authorization, the Service Provider redirects the user to this actual destination.
StaticRelayStateParameters
This optional string appends additional attributes to the RelayState. This is useful for profiles that require extra customization. RelayState travels outside the signed assertion, so the receiving side must treat anything appended here as untrusted input rather than as a statement from the STS.
SAMLSpecificationVersion
This optional parameter allows the administrator to control which SAML specification/profile to use. If the value is left blank, the global SAMLSpecificationVersion value (https://sts.radiusworks.com/wiki/index.php?title=STSSettings#SAMLSpecificationVersion) is used.
AudienceRestriction
This optional parameter sets the Audience value placed in the assertion's Conditions element (the AudienceRestriction). It lets the receiving party confirm that the assertion was issued for it and reject assertions that were minted for a different service.
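The following is an added example, not code from Orbital Lite STS or its wiki, showing where the AssertingParty, TokenTimeSpan and AudienceRestriction settings described above end up in a SAML 2.0 assertion and the checks a Service Provider runs against them (issuer, validity window with clock-skew allowance, audience, and a replay cache on the assertion ID). The hostnames, entity IDs, timestamps and the 30-second skew allowance are assumptions made for the example. XML signing is omitted; a real STS signs with the key behind CertificateThumbprint, and the SP must verify that signature before trusting any of the fields checked here.

```python
"""Added example, not code from Orbital Lite STS: where AssertingParty,
TokenTimeSpan and AudienceRestriction land in a SAML 2.0 assertion, and
the checks a Service Provider should run on them. Signing is left out."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

def _tag(name):
    return "{%s}%s" % (SAML_NS, name)

def _ts(dt):
    # SAML timestamps are xsd:dateTime in UTC, e.g. 2020-10-04T12:23:00Z
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_assertion(asserting_party, audience, token_timespan_min, name_id, issued_at):
    """IdP side: AssertingParty -> <Issuer>, TokenTimeSpan (minutes) ->
    Conditions/NotOnOrAfter, AudienceRestriction -> <Audience>."""
    assertion = ET.Element(_tag("Assertion"), {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": _ts(issued_at),
    })
    ET.SubElement(assertion, _tag("Issuer")).text = asserting_party
    subject = ET.SubElement(assertion, _tag("Subject"))
    ET.SubElement(subject, _tag("NameID")).text = name_id
    conditions = ET.SubElement(assertion, _tag("Conditions"), {
        "NotBefore": _ts(issued_at),
        "NotOnOrAfter": _ts(issued_at + timedelta(minutes=token_timespan_min)),
    })
    restriction = ET.SubElement(conditions, _tag("AudienceRestriction"))
    ET.SubElement(restriction, _tag("Audience")).text = audience
    return ET.tostring(assertion, encoding="unicode")

class AssertionRejected(Exception):
    pass

def validate_assertion(xml_text, trusted_issuer, my_entity_id, now, seen_ids,
                       clock_skew=timedelta(seconds=30)):
    """SP side: cheap issuer comparison first (the page's "quick check"),
    then the validity window with a skew allowance, then the audience,
    then a replay cache keyed on the assertion ID. Returns the NameID."""
    ns = {"saml": SAML_NS}
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=ns) != trusted_issuer:
        raise AssertionRejected("untrusted issuer")
    conditions = root.find("saml:Conditions", ns)
    if conditions is None:
        raise AssertionRejected("missing Conditions")
    if now + clock_skew < _parse_ts(conditions.get("NotBefore")):
        raise AssertionRejected("not yet valid")
    if now - clock_skew >= _parse_ts(conditions.get("NotOnOrAfter")):
        raise AssertionRejected("expired")
    # This SP insists on being named: an assertion without an audience
    # restriction is rejected rather than assumed to be for us.
    audiences = [a.text for a in conditions.findall(
        "saml:AudienceRestriction/saml:Audience", ns)]
    if my_entity_id not in audiences:
        raise AssertionRejected("audience mismatch")
    assertion_id = root.get("ID")
    if assertion_id in seen_ids:
        raise AssertionRejected("replayed assertion ID")
    seen_ids.add(assertion_id)   # keep IDs for at least TokenTimeSpan + skew
    return root.findtext("saml:Subject/saml:NameID", namespaces=ns)

def demo():
    """Run one assertion through the SP checks under the conditions the page
    warns about. All names and times are constructed for this example."""
    sts = "sts.example.internal"          # assumed AssertingParty value
    sp = "https://sp.example.com/saml"     # assumed AudienceRestriction value
    issued = datetime(2020, 10, 4, 12, 23, tzinfo=timezone.utc)
    xml = build_assertion(sts, sp, 2, "jdoe", issued)   # TokenTimeSpan = 2

    def outcome(**overrides):
        args = dict(xml_text=xml, trusted_issuer=sts, my_entity_id=sp,
                    now=issued + timedelta(seconds=20), seen_ids=set())
        args.update(overrides)
        try:
            return "accepted:" + validate_assertion(**args)
        except AssertionRejected as exc:
            return "rejected:" + str(exc)

    seen = set()
    return {
        "fresh": outcome(seen_ids=seen),
        "replay": outcome(seen_ids=seen),
        "sp_clock_20s_behind": outcome(now=issued - timedelta(seconds=20)),
        "after_timespan": outcome(now=issued + timedelta(minutes=3)),
        "wrong_issuer": outcome(trusted_issuer="other.example.internal"),
        "wrong_audience": outcome(my_entity_id="https://other.example.com/saml"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The skew allowance on the SP side is what makes a 2-minute TokenTimeSpan workable across servers whose clocks are a few seconds apart; the replay cache is what closes the gap the short window leaves open.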
CertificateThumbprint
This value is the thumbprint that identifies, in the Windows Server certificate store, the certificate whose private key will be used to sign the SAML assertion. The administrator should make sure that the IIS (network) account has read access to the key, and that the key is marked as exportable, otherwise the application cannot get the private key. Because an exportable key can be copied off the server by any account that can read it, keep the key's ACL limited to the application pool identity and administrators.
To obtain the thumbprint of a certificate, please follow these steps:
- Open the Windows Server certificate store using the management console.
- Double-click the certificate. A new window appears with additional information for the certificate; click on “Details” and find the element labeled “Thumbprint”.
- Click on the item and select the data displayed in the window. The data can be imported with or without spaces, and is case insensitive. Watch for an invisible leading character that the dialog sometimes copies along with the hex digits; if the thumbprint is not found after pasting, retype the first characters. On the server itself, Get-ChildItem Cert:\LocalMachine\My in PowerShell lists the same thumbprints without the clipboard step.
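As an added example (not part of the wiki page or the Orbital Lite STS code), the following shows how a thumbprint pasted from the certificate dialog can be normalised before it is compared with the SHA-1 thumbprint computed from a certificate's DER bytes, covering the spaces, mixed case and invisible leading character mentioned above. The DER bytes used in demo() are a constructed stand-in, not a real certificate; real code would read the .cer or .pfx file or the store entry.

```python
"""Added example, not code from Orbital Lite STS: normalise a thumbprint
pasted from the certificate dialog and compare it with the thumbprint
computed from a certificate's DER bytes."""
import hashlib
import re

# The Details view copies the hex with a space between byte pairs and, on
# some Windows builds, an invisible left-to-right mark (U+200E) in front of
# the first digit; both have to go before the value can be compared.
_NOISE = re.compile(r"[\s\u200e\u200f\ufeff]")

def normalize_thumbprint(text):
    """Return the 40 upper-case hex digits, or raise ValueError if what is
    left after cleaning is not a SHA-1 thumbprint."""
    cleaned = _NOISE.sub("", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("not a 40-hex-digit SHA-1 thumbprint: %r" % text)
    return cleaned

def thumbprint_of_der(der_bytes):
    # The thumbprint Windows displays is the SHA-1 of the DER-encoded certificate.
    return hashlib.sha1(der_bytes).hexdigest().upper()

def thumbprint_matches(configured, der_bytes):
    """True if the configured value names this certificate."""
    return normalize_thumbprint(configured) == thumbprint_of_der(der_bytes)

def demo():
    # Constructed stand-in for a certificate's DER bytes (not a real cert).
    der = b"constructed DER stand-in, not a real certificate"
    expected = thumbprint_of_der(der)
    spaced = " ".join(expected[i:i + 2] for i in range(0, 40, 2)).lower()
    pasted = "\u200e" + spaced            # what the clipboard often carries
    try:
        normalize_thumbprint(spaced[:20])  # a truncated paste must match nothing
        truncated_rejected = False
    except ValueError:
        truncated_rejected = True
    return {
        "normalized": normalize_thumbprint(pasted),
        "expected": expected,
        "matches": thumbprint_matches(pasted, der),
        "truncated_rejected": truncated_rejected,
    }

if __name__ == "__main__":
    print(demo())
```

Rejecting anything that does not clean up to exactly 40 hex digits is deliberate: a silently truncated or mangled thumbprint would otherwise fail only at runtime, when the STS cannot find a signing certificate.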
CertificatePath and CertificatePassword
If the Windows Server certificate store cannot be used, a file location may be used instead and a PFX file loaded from disk. The IIS (network) account would need read permission to the certificate file.
CertificatePath
This is the physical path where the certificate (including the private key) is stored.
CertificatePassword
This is the password that the application uses to access the private key in the PFX file. The configuration file holding it should be protected at least as tightly as the PFX itself.
EncryptionCertificateThumbprint
The target Service Provider should provide a certificate containing the public key used to encrypt the SAML attributes. Specify here the thumbprint of that certificate as stored in the Windows Certificate Store.
EncryptionCertificatePath
As an alternative to EncryptionCertificateThumbprint, the file location of the CER file can be provided in this attribute.
SPML
SPML Service Attributes give the STS solution the information about the SPML endpoint that can be used to update an external user registry:
SPMLService
This provides the target URL of the SPML Service.
SPMLAction
This is the SOAP request parameter used to invoke the SPML service.
SPMLAuthentication
The type of authentication used by the SPML service; it can be set to “none”, “username” or “certificate”.
SPMLCertificateThumbprint
Used when SPMLAuthentication is set to “certificate”; this identifies, by thumbprint, the certificate in the Windows Certificate Store whose private key will be used to authenticate.
SPMLCertificatePath
Used when SPMLAuthentication is set to “certificate”; this provides the file location of the PFX certificate file that contains the private key.
SPMLCertificatePassword
Used to unlock the PFX file specified in SPMLCertificatePath.
SPMLUsername
The username sent to the SPML service when SPMLAuthentication is set to “username”.
SPMLPassword
The password associated with SPMLUsername.
SPMLDomain
The domain associated with the username specified in SPMLUsername.