Configure Advanced Settings for a SAML Connection
Advanced configuration settings for a connection between a SAML-enabled web application and SecurID are optional. Complete these settings only if you are adding a connection to a SAML application with a non-standard configuration.
Before you begin
You must be a Super Admin for the Cloud Administration Console to perform this task.
This topic assumes you have configured the minimum required settings on the Connection Profile page in the wizard to add a SAML connection, as described in Add a SAML Application.
On the Connection Profile page of the wizard, scroll to the bottom and click Show Advanced Configuration.
In the Attribute Extension section, specify one or more NameID attributes. Each extended attribute can either map to a single identity source/attribute pair, or, with attribute hunting, map to multiple identity source/attribute pairs.
- Select Identity Source to specify an Attribute Name that maps to a selected Identity Source and Property (attribute) pair.
- Select Constant to specify an Attribute Name and Property (attribute) pair to map to the specified attribute.
Enter the name of the extended attribute.
Select an identity source.
If you have selected Identity Source in Attribute Source, select an attribute from the list in the Property field. Only the attributes that were selected in the Policies column on the Users > Identity Source > User Attributes page are available for the SAML application configuration.
If you have selected Constant in Attribute Source, enter the value in Property field manually.
To map multiple identity source/attribute pairs to the extended attribute named in the Attribute Name column, do the following:
Click the pencil icon.
In the Attribute Hunting Details dialog box, select an Identity Source and Property (attribute) pair to map to the specified attribute.
To map additional identity source and property pairs to the attribute, click ADD.
To specify a constant attribute name and add multiple values to the specified attribute:
Click the pencil icon.
In the Constant dialog box, select an Attribute Name and Property (attribute value) pair to map to the specified attribute.
To add multiple values to the specified attribute, click ADD.
Note: Any special character in a constant value is automatically escaped with a backslash (\) in the Property of that constant attribute in the Attribute Extension section. The escaping keeps the value in valid JSON format.
In the NameID Modification section, specify options to modify the name identifier to use the format that the service provider expects. Select all that apply.
Change the NameID string to all Upper case or all Lower case letters.
Enter a prefix for the NameID.
Enter a suffix for the NameID.
Enter a regular expression to delete the matching characters from the NameID. For example, if the NameID is an email address such as jdoe@example.com, the regular expression @(.*)$ removes the @ character and the domain name, leaving jdoe.
Enter user attributes to append their values to the NameID.
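The NameID Modification options above are easier to reason about when you can run them against a sample identifier and see what the SP will receive. The following Python example is added here and is not SecurID product code; it applies the options in the order the page lists them, and the product's real evaluation order and the separator placed between appended attribute values are assumptions (the separator defaults to nothing).

```python
import re
from typing import Iterable, Mapping, Optional

# Added example, not SecurID product code. It applies the NameID Modification
# options described above in the order the page lists them (case change,
# prefix, suffix, regex deletion, appended attributes). The product's real
# evaluation order and the separator placed between appended values are not
# stated on the page; both are assumptions made here.


def modify_name_id(
    name_id: str,
    case: Optional[str] = None,          # "upper", "lower" or None (unchanged)
    prefix: str = "",
    suffix: str = "",
    delete_regex: Optional[str] = None,  # characters matching this are deleted
    append_attrs: Iterable[str] = (),    # user attribute names whose values are appended
    user: Optional[Mapping[str, str]] = None,
    separator: str = "",                 # assumption: joins the appended values
) -> str:
    """Return the NameID the SP would receive after the selected modifications."""
    if case == "upper":
        name_id = name_id.upper()
    elif case == "lower":
        name_id = name_id.lower()
    elif case is not None:
        raise ValueError(f"unknown case option: {case!r}")

    name_id = f"{prefix}{name_id}{suffix}"

    if delete_regex:
        try:
            pattern = re.compile(delete_regex)
        except re.error as exc:
            raise ValueError(f"invalid deletion regex {delete_regex!r}: {exc}") from exc
        name_id = pattern.sub("", name_id)

    user = user or {}
    for attr in append_attrs:
        value = user.get(attr)
        if value is None:
            # A missing attribute would silently change the identifier the SP
            # receives, so treat it as a configuration error rather than skip it.
            raise KeyError(f"user attribute {attr!r} has no value")
        name_id = f"{name_id}{separator}{value}"

    if not name_id:
        # Worth checking: an over-broad regex can delete the whole identifier.
        raise ValueError("NameID modifications produced an empty identifier")
    return name_id


# Constructed sample user record (not real directory data).
SAMPLE_USER = {"employeeId": "12345", "department": "Finance"}

if __name__ == "__main__":
    # Email address reduced to its local part, as in the page's example.
    print(modify_name_id("jdoe@example.com", delete_regex=r"@(.*)$"))
    # All options combined: CORP\JDOE|12345
    print(modify_name_id("jdoe@example.com", case="upper", prefix="CORP\\",
                         delete_regex=r"@(.*)$", append_attrs=["employeeId"],
                         user=SAMPLE_USER, separator="|"))
```

Because the regex step runs after the prefix and suffix are applied, a deletion pattern that matches characters you put in the prefix or suffix will strip them too; test the combined configuration against a real-looking identifier before publishing it.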
Specify Uncommon SAML Response Formatting Options to include in the outgoing SAML response.
- For Sign Outgoing Assertion, select one of the following options for signing the SAML response:
Entire SAML response (default)
Assertion within response
- Select the hash code algorithms:
Signature Algorithm – The algorithm used to sign the outgoing assertion.
Digest Algorithm – The digest (hash) algorithm used while signing the outgoing assertion.
- Select Encrypt Assertion to encrypt the SAML assertion with the SP's public key held on the IdP, so that only the private key loaded in the SSO settings on the SP can decrypt it.
- Select the encryption parameters requested by the SP for the Encryption Algorithm and the Encryption Key Transport.
- Select Send encoded URL in outgoing assertion to specify that the identity router URL-encodes the Relay State in the SAML response that the SP receives.
- Select Send PasswordProtectedTransport as AuthnContextClassRef in the SAML response if you want the identity provider to send AuthnContextClassRef in the SAML response as PasswordProtectedTransport. This indicates that the password exchange must use a secure transport method. When unselected, AuthnContextClassRef is sent as Password.
- Select For multivalued attributes, send each value in a separate attributeValue element if you want each value of a multivalued attribute sent in its own attributeValue element. When unselected, the values are sent in one element, separated by commas.
- Select Include Issuer NameID Format to override the default format of the SAML Issuer Entity ID, and then select one of the following formatting options:
X.509 Subject Name
Windows Domain Qualified Name
Kerberos Principal Name
This step completes the optional, advanced Connection Profile settings for the SAML configuration. Do one of the following:
- If you have completed all required steps in the configuration wizard as described in Add a SAML Application, perform the remaining steps in this procedure.
- If you have not completed the required User Access or Portal Display pages of the wizard, return to step 10 in Add a SAML Application, and complete the steps in that topic.
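Several of the settings in this procedure change the shape of the assertion the SP receives: attribute hunting across identity source/property pairs and constant values in the Attribute Extension section (including the backslash escaping that keeps constants valid JSON), the multivalued-attribute option, and the AuthnContextClassRef choice. The following Python example is added here and is not SecurID product code; it models those settings with constructed identity sources, users and attribute names so that the resulting AttributeStatement can be inspected. The URNs are the standard SAML 2.0 values.

```python
import json
import xml.etree.ElementTree as ET
from typing import Dict, List, Sequence, Tuple, Union

# Added example, not SecurID product code. It models attribute hunting across
# identity source/property pairs, constant extended attributes, the
# "send each value in a separate attributeValue element" option and the
# AuthnContextClassRef choice. Identity sources, users and attribute names
# below are constructed for the example; the URNs are standard SAML 2.0 values.

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AUTHN_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
AUTHN_PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed identity sources: source name -> user id -> attributes.
IDENTITY_SOURCES: Dict[str, Dict[str, Dict[str, Union[str, List[str]]]]] = {
    "CorpAD": {"jdoe": {"mail": "jdoe@example.com", "department": "Finance"}},
    "HRDB": {"jdoe": {"employeeId": "12345", "groups": ["staff", "finance"]}},
}

# An extension maps an attribute name to either ("identity_source", [(source,
# property), ...]) hunted in order, or ("constant", [value, ...]).
Extension = Tuple[str, Sequence]


def hunt_attribute(user_id: str, pairs: Sequence[Tuple[str, str]]):
    """Attribute hunting: return the value from the first identity source/property
    pair that has a value for this user, or None if none of them does."""
    for source, prop in pairs:
        record = IDENTITY_SOURCES.get(source, {}).get(user_id, {})
        if prop in record:
            return record[prop]
    return None


def resolve_extensions(user_id: str, extensions: Dict[str, Extension]) -> Dict[str, List[str]]:
    """Resolve every extended attribute to a list of string values.

    Hunted attributes that yield nothing are left out of the assertion rather
    than sent empty, so the SP can tell "absent" from "blank"."""
    resolved: Dict[str, List[str]] = {}
    for name, (kind, spec) in extensions.items():
        if kind == "constant":
            resolved[name] = [str(v) for v in spec]
        elif kind == "identity_source":
            value = hunt_attribute(user_id, spec)
            if value is not None:
                resolved[name] = list(value) if isinstance(value, list) else [value]
        else:
            raise ValueError(f"unknown attribute source {kind!r}")
    return resolved


def constant_as_json(values: Sequence[str]) -> str:
    """Serialise constant values as JSON; quotes and backslashes inside a value
    are escaped with a backslash, the escaping the note above describes."""
    return json.dumps(list(values))


def build_attribute_statement(attrs: Dict[str, List[str]], separate_values: bool) -> ET.Element:
    """Build a saml:AttributeStatement. With separate_values=True each value gets
    its own AttributeValue element; otherwise the values are joined with commas."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, values in attrs.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        chunks = values if separate_values else [",".join(values)]
        for chunk in chunks:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = chunk
    return stmt


def attribute_values(stmt: ET.Element, name: str) -> List[str]:
    """Read back the AttributeValue texts of one attribute (for verification)."""
    for attr in stmt.findall(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == name:
            return [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
    return []


def authn_context_class_ref(password_protected_transport: bool) -> str:
    """AuthnContextClassRef placed in the response for the checkbox state."""
    return AUTHN_PPT if password_protected_transport else AUTHN_PASSWORD


# Constructed extension configuration: "email" is hunted in HRDB first, which
# has no mail attribute, so the value comes from CorpAD.
EXTENSIONS: Dict[str, Extension] = {
    "email": ("identity_source", [("HRDB", "mail"), ("CorpAD", "mail")]),
    "memberOf": ("identity_source", [("HRDB", "groups")]),
    "tenant": ("constant", ["acme", "eu-west"]),
}

if __name__ == "__main__":
    attrs = resolve_extensions("jdoe", EXTENSIONS)
    for separate in (True, False):
        stmt = build_attribute_statement(attrs, separate_values=separate)
        print(ET.tostring(stmt, encoding="unicode"))
    print(constant_as_json(['say "hi"', "C:\\path"]))
    print(authn_context_class_ref(True))
```

Running the script shows why the multivalued option matters: with it cleared, a group list arrives as the single string "staff,finance", which an SP that splits on commas will parse correctly but one that expects separate elements will treat as a single group name. Agree the setting with the SP administrator before exporting the metadata.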
When you finish making changes, and no other changes are required on other pages, go to the last page of the wizard and click Save and Finish.
(Optional) To publish this configuration and immediately activate it on the identity router, click Publish Changes.
After saving the SAML application configuration, you can export the IdP metadata from My Applications, and send it to the SP administrator. For instructions on exporting SAML metadata, see Export SAML Metadata From an Application on the Identity Router.