SAMLConfiguration

From
Revision as of 13:00, 4 October 2020 by Thewikiadmin (talk | contribs) (Created page with "This configuration section permits the administrator to set up a varierty of service providers from within the same instance of Orbital Lite STS. In a Production instance, the...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

This configuration section permits the administrator to set up a varierty of service providers from within the same instance of Orbital Lite STS. In a Production instance, the STS could re-direct the authorized users based on the target "Service" parameter submitted.   Each configuration can differ in these major elements:

  • Service and IdP Endpoints
  • Signing and Encryption Certificates
  • SAML Specification Version

 

Service

This is the label assigned to the entry.  When specifying a target service from the legacy application, the "Service" label must match the entry (not case-sensitive).  

AssertingParty

This is the string that will be inclused as part of the SAML payload.  This allows the receiving Service Provider to perform a quick check if this is coming from an authorized Identity Provider before typically checking for other aspects of the SAML such as expiry, digital signature, etc. Typically, this value would be a FQD that represents the STS server.  

EncryptSAML

This is set to "true" or "false".  If set to true, a public key certificate from your Service Provided must be configured and the SAML attributes will all be encrypted.  The recommended setting is to always encrypt, especially is patient health information is being transmitted. Note that the global setting EncryptSAMLAttributes will override this value if it's set to true.  If you wish to actually disable encryption, you need to set the global value to "false" as well.

TokenTimeSpan

Represents the time interval (in minutes) that the SAML payload will indicate to the Service Provider that the token is valid.  This a good way to control the potential risk in replay attacks with SAML.  The value should reflect any network latency and potential clock synchronization issues.  This value should not be higher than 2 minutes.  

appURL

This is a mandatory parameter. appURL is the entry endpoint for the Service Provider.  This is in most cases another Identity Provider that will do an authentication/authorization check on the user and the Orbital Lite STS.  This value will also be placed in the RelayState for the SAML POST.  

destinationURL

This is a mandatory parameter.  After the initial successful authentication/authorization, the Service Provider will re-direct the user to the actual destination.  

StaticRelayStateParameters

This optional string appends some additional attributes to the RelayState.  This is useful for profiles that require additional customization.  

SAMLSpecificationVersion

This optional parameter allows the administrator to control which SAML specification/profile to use.  If the value is left blank, then the global SAMLSpecificationVersion value will be used.  

AudienceRestriction

This optional parameter allows the administrator to state the AudienceRestriction value in the SAML subject header.  This permits the IdP to perform additional authorization checks.