| Settings |
Term |
Description |
|
General
|
Client ID
|
Unique identifier for the Service Provider (SP)
|
|
Redirect URIs
|
Redirect URIs are the valid endpoints to which the identity provider (IdP) will send
the authorization code or tokens after the authentication process is completed.
|
|
Login URL
|
The Login URL is the endpoint where users are directed to authenticate themselves.
This URL typically points to the login page of the identity provider.
|
|
Post Logout URL
|
The Post Logout URL is the endpoint to which users are redirected after they have logged
out of the application. You can add either a + or a – value.
- + value means that the application should dynamically determine the appropriate
URL
from a list of valid redirect URIs.
- – value does not allow any post-logout redirect URIs.
|
|
IdP-Initiated SSO URL Name
|
This URL is the starting point for an IdP-initiated SSO flow. An Identity Provider (IdP)
uses this URL to initiate the SSO process. When a user accesses this URL, the IdP
authenticates the user and then redirects them to the Service Provider (SP) along with a
SAML assertion, which contains the user's authentication details. The URL you will
reference from your browser will
be:{server-root}/realms/{realm}/protocol/saml/clients/{client-url-name}. Leave this
field empty to disable IdP Initiated SSO.
|
|
IdP Initiated SSO Relay State
|
Relay state is an optional parameter used in SAML to pass information between the
Identity Provider (IdP) and the Service Provider (SP) during the SSO process. In
IdP-initiated SSO, the Relay State is often used to direct the user to a specific page
or resource within the service provider's application after authentication. For example,
if a user starts the authentication process from the IdP and a Relay State is included,
once the authentication is successful, the user is redirected to the URL specified in
the Relay State.
|
|
Master SAML Processing URL
|
If configured this will be the primary endpoint on the Service Provider (SP) for
handling the Assertion Consumer Service (ACS) URL (SAML authentication requests) and the
Single Logout Service URL (users are logged out of both the SP and the IdP
simultaneously). If a login request contains a specific Assertion Consumer Service URL,
the SP will use the specified ACS URL for that particular request overriding the Master
SAML Processing URL.
|
|
SAML Capabilities
|
NameID Policy Format
|
Defines the format of the unique identifier that the Identity Provider (IdP) uses to
represent the user (subject) when communicating with the Service Provider
(SP). This format is utilized when no name ID policy is specified in a
request, or when the Force Name ID Format attribute is enabled. There are four
specific ways of representing the user's identity within SAML assertions as
described below:
- Email: Represents the user's email address.
- Username: Flexible format where the specific type of
identifier isn't mandated.
- Persistent: Consistent identifier across sessions.
- Transient: Temporary and unique identifier per session or
assertion.
|
|
Force Name ID Format
|
If a request has a name ID policy, ignore it and use the Admin configured value for the
Name ID Format.
|
|
Force Artifact Binding
|
SAML Artifact Binding method separates the assertion from the message between the IdP
and SP. Instead of directly embedding the SAML assertion within an HTTP POST or Redirect
message, the IdP sends a lightweight token, known as an artifact, to the SP. When
enabled, the responses are returned through the SAML ARTIFACT binding
system.
|
|
Force POST Binding
|
When enabled, it directs the SAML protocol to exclusively use the POST Binding method
for sending assertions even if the original request used the redirect binding.
|
|
Include AuthnStatement
|
When enabled, the SAML login responses include how (password) and when
(timestamp of the login) a user was authenticated and the session expiration. By
default, this must be enabled, otherwise the clients cannot determine the maximum
session length, which can create client sessions that do not expire.
|
|
Include OneTimeUse Condition
|
Specifies whether SAML assertions should contain a OneTimeUse condition, ensuring
assertions are valid for only a single use.
|
|
Optimize REDIRECT Signing Key Lookup
|
Enable this option to optimize the process of signing key retrieval during SAML
assertions transmitted via HTTP REDIRECT binding. This option is only relevant when Sign
Documents is enabled. When signing SAML documents in the REDIRECT binding for an SP
secured by an Identity Provider adapter, the ID of the signing key should be included in
the SAML protocol message within the <Extensions> element. This approach optimizes
signature validation by allowing the validating party to use a single specified key
instead of attempting validation with every known key.
|
|
Signature and Encryption
|
Sign Documents
|
When enabled, the SAML documents are signed using the private key associated with the
IdP (Unifyia platform).
|
|
Sign Assertions
|
When enabled, assertions, which contain information about authentication and user
attributes, are signed by the private key associated with the IdP (Unifyia platform)
and securely embedded within the SAML XML Authentication Response.
|
|
Public Client
|
Confidential clients provide client secrets during the exchange of temporary codes
for tokens. Public clients, on the other hand, do not need to provide client
secrets. Public clients can be secure when HTTPS is strictly enforced and redirect
URIs registered for the client are tightly controlled. HTML5/JavaScript clients are
categorized as public clients because there is no secure method to transmit a client
secret to them.
Enable this option (mandatory) as the Service Providers (SSO
applications) are public clients that have HTTPS strictly enforced for secure
transmission of data. If you disable this option, your redirect URIs will fail.
|
|
Signature Algorithm
|
The algorithm used in signing SAML documents. Preferable to use 256 or higher
algorithms.
|
|
SAML Signature Key Name
|
Signed SAML documents transmitted via POST binding include the identification of the
signing key within the KeyName element. This behavior is configurable through the
SAML Signature Key Name option, which dictates the content of the KeyName. Possible
values are:
KEY_ID: The KeyName contains the key ID. This is the default
setting.
CERT_SUBJECT: The KeyName includes the subject from the certificate
associated with the realm key. This setting is commonly used with Microsoft Active
Directory Federation Services.
NONE: The KeyName hint is entirely omitted from the SAML message.
|
|
Canonicalization Method
|
The Canonicalization Method refers to the process of standardizing the format and
structure of XML data within SAML assertions and messages.
Exclusive Canonicalization: This method processes XML content by
excluding portions of the document that are not referenced in the digital signature.
Inclusive Canonicalization: This method includes all elements and
attributes in the document, regardless of whether they are referenced in the digital
signature.
Inclusive with Comments: This method includes XML comments in the
canonicalized output.
Exclusive without Comments: This method excludes XML comments from
the canonicalized output.
|
|
Logout Settings
|
Front Channel Logout
|
Refers to a mechanism in SAML SSO where a user's logout request is initiated and
communicated directly between the Identity Provider (IdP) and Service Provider (SP)
via the user's web browser (front channel). If disabled, the IdP initiates a
background SAML request to log out of the application.
|
|
Advanced
|
Assertion Consumer Service POST Binding URL
|
Refers to the endpoint on the Service Provider (SP) where SAML authentication
responses (assertions) are sent by the Identity Provider (IdP) during the SAML SSO
process.
|
|
Logout Service Redirect Binding URL
|
Refers to the endpoint used for initiating Single Logout (SLO) requests from the SP
to the IdP using the SAML Redirect Binding.
|
|
Signing Keys Configuration
|
Client Signature Required
|
Enable this option to mandate the signing of the documents coming from a client
application (Service Provider). The Unifyia platform will validate
this signature using the client’s public key or certificate set up in the
Keys tab.
|
|
Certificate
|
Client (Service Provider) certificate for validating JSON Web Token (JWT) issued by the client and
signed with the client's private key.
|
|
Encryption Keys Configuration
|
Encrypt Assertions
|
Enable this option to encrypt the assertions in SAML documents with the IdPs private
key. The AES algorithm uses a key size of 128 bits.
|
|
Certificate
|
Client certificate generated in the Keys tab for encrypting the
assertions.
|