SAMLConfiguration

Revision as of 13:23, 4 October 2020 by Thewikiadmin (talk | contribs)

This configuration section permits the administrator to set up a variety of service providers from within the same instance of Orbital Lite STS. In a Production instance, the STS could redirect authorized users based on the target "Service" parameter submitted. Each configuration can differ in these major elements:

  • Service and IdP Endpoints
  • Signing and Encryption Certificates
  • SAML Specification Version


Service

This is the label assigned to the entry.  When specifying a target service from the legacy application, the "Service" label must match the entry (not case-sensitive).  

AssertingParty

This is the string that will be included as part of the SAML payload. It allows the receiving Service Provider to perform a quick check of whether the payload is coming from an authorized Identity Provider before checking the other aspects of the SAML such as expiry, digital signature, etc. Typically, this value would be a FQDN that represents the STS server.

EncryptSAML

This is set to "true" or "false". If set to true, a public key certificate from your Service Provider must be configured and the SAML attributes will all be encrypted. The recommended setting is to always encrypt, especially if patient health information is being transmitted. Note that the global setting EncryptSAMLAttributes will override this value if it is set to true. If you wish to actually disable encryption, you need to set the global value to "false" as well.

TokenTimeSpan

Represents the time interval (in minutes) that the SAML payload will indicate to the Service Provider that the token is valid. This is a good way to control the potential risk of replay attacks with SAML. The value should reflect any network latency and potential clock synchronization issues. This value should not be higher than 2 minutes.

appURL

This is a mandatory parameter. appURL is the entry endpoint for the Service Provider.  This is in most cases another Identity Provider that will do an authentication/authorization check on the user and the Orbital Lite STS.  This value will also be placed in the RelayState for the SAML POST.  

destinationURL

This is a mandatory parameter.  After the initial successful authentication/authorization, the Service Provider will re-direct the user to the actual destination.  

StaticRelayStateParameters

This optional string appends some additional attributes to the RelayState.  This is useful for profiles that require additional customization.  

SAMLSpecificationVersion

This optional parameter allows the administrator to control which SAML specification/profile to use.  If the value is left blank, then the global SAMLSpecificationVersion value will be used.  

AudienceRestriction

This optional parameter allows the administrator to state the AudienceRestriction value in the SAML subject header.  This permits the IdP to perform additional authorization checks.              
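The three values above (AssertingParty, TokenTimeSpan and AudienceRestriction) end up as the Issuer, the Conditions validity window and the Audience of the assertion. The following added example (not code from Orbital Lite STS) shows the IdP side building those elements and the Service Provider side checking them with a small clock-skew tolerance and the 2-minute ceiling recommended for TokenTimeSpan; the assertion skeleton, hostnames and skew value are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed, minimal assertion skeleton: unsigned and unencrypted, so it only
# carries the elements this example checks (a real STS payload has more).
TEMPLATE = (
    '<saml:Assertion xmlns:saml="{ns}">'
    "<saml:Issuer>{issuer}</saml:Issuer>"
    '<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">'
    "<saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience>"
    "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
)

def utc(text):
    """Parse a SAML UTC timestamp such as 2020-10-04T13:23:00Z."""
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)

def issue_assertion(asserting_party, audience, issued_at, token_time_span_minutes):
    """IdP side: AssertingParty -> Issuer, AudienceRestriction -> Audience,
    TokenTimeSpan -> length of the NotBefore/NotOnOrAfter window."""
    not_on_or_after = issued_at + timedelta(minutes=token_time_span_minutes)
    return TEMPLATE.format(ns=NS["saml"], issuer=asserting_party, aud=audience,
                           nb=issued_at.strftime(TIME_FMT),
                           na=not_on_or_after.strftime(TIME_FMT))

def check_assertion(xml_text, expected_issuer, expected_audience, now,
                    skew_seconds=30, max_window_minutes=2):
    """SP side: return the list of failed checks (empty list means accept).
    skew_seconds absorbs clock drift between IdP and SP; max_window_minutes
    rejects tokens whose validity window exceeds the recommended ceiling."""
    root = ET.fromstring(xml_text)
    failures = []
    if root.findtext("saml:Issuer", default="", namespaces=NS).strip() != expected_issuer:
        failures.append("issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return failures + ["conditions-missing"]
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        failures.append("audience")
    not_before, not_after = utc(cond.get("NotBefore")), utc(cond.get("NotOnOrAfter"))
    skew = timedelta(seconds=skew_seconds)
    if now + skew < not_before:
        failures.append("not-yet-valid")
    if now - skew >= not_after:          # NotOnOrAfter is exclusive
        failures.append("expired")
    if not_after - not_before > timedelta(minutes=max_window_minutes):
        failures.append("window-too-long")
    return failures
```

The real payload is also signed and (per EncryptSAML) encrypted; these checks belong after signature verification, not instead of it.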

CertificateThumbprint

This value represents a unique signature that identifies the certificate in the Windows Server certificate store which will be used for signing. The administrator should make sure that the IIS (network) account has read access to the key, and that the key is marked as exportable; otherwise the application cannot get the private key.

To obtain the thumbprint of a certificate, please follow these steps:

  • Open Windows Server certificate store using the management console
  • Double-click on the certificate. A new window will appear with additional information for the certificate, at which point click on “Details”. You should find an element labeled “Thumbprint”.
  • Click on the item and select the data displayed in the window. The data can be imported with or without spaces, and is case insensitive.

CertificatePath and CertificatePassword 

If the Windows Server certificate store cannot be used, then a physical location may be used and a PFX file may be invoked. The IIS (network) account would need read permissions to the certificate.


CertificatePath

This would describe the physical path where the certificate (including the private key) is stored.


CertificatePassword

This is the password that the application will be using to access the private key.

EncryptionCertificateThumbprint

The target Service Provider should be providing a certificate that contains the public key in order to encrypt the SAML attributes. The thumbprint as stored in the Windows Certificate Store should be specified here. 

EncryptionCertificatePath

As an alternative to EncryptionCertificateThumbprint, the file location of the CER file can be provided in this attribute.

SPML

SPML Service Attributes provide the STS solution information about the SPML endpoint that can be used to update an external user registry:

SPMLService

This provides the target URL of the SPML Service.

SPMLAction

This is the SOAP request parameter used to invoke the SPML service.

SPMLAuthentication

The type of authentication used by the SPML service; it can be set to “none”, “username” or “certificate”.

SPMLCertificateThumbprint 

Used when the SPMLAuthentication is set to “certificate”, this provides the thumbprint of the certificate, stored in the Windows Certificate store, whose private key will be used to authenticate.

SPMLCertificatePath

Used when the SPMLAuthentication is set to “certificate”, this provides the file location of the PFX certificate file which contains the private key.

SPMLCertificatePassword

Used to unlock the PFX file specified in SPMLCertificatePath.

SPMLUsername

The username sent to the SPML service when the SPMLAuthentication is set to “username”.

SPMLPassword

The password associated with SPMLUsername.

SPMLDomain

The domain associated with the username specified in SPMLUsername.