Adding a SAML Application

Create a Security Assertion Markup Language (SAML) application and grant it to users so that your users can single sign-on (SSO) into your SaaS applications that support SAML for SSO.

  1. In the Identity Cloud Service console, click Applications.
  2. Click Add.
  3. In the Add Application window, click SAML Application.
  4. In the App Details and Display Settings sections of the Add SAML Application page, enter a name and description, upload an Application Icon, define an application URL, add App Links, and specify whether you want the SAML App to be listed on the My Apps page. Select the User can request access check box if you want the app to be listed in the Catalog. This option allows end users to request access to the app from their My Apps page by clicking Add and then selecting the app from the Catalog. Don’t forget to activate the application so that users can request access.
    • For applications with lengthy names, the application name appears truncated in the My Apps page. Consider keeping your application names as short as possible.

    • Click Add to add App Links that are associated with the application. The Link window appears. App Links are services such as Mail or Calendar that are offered by applications such as Google or Office 365.

      In the Link window:
      1. In the Name field, enter the App Link name.

      2. In the Link field, enter the URL used to access the application.

      3. Click Upload to upload an icon.

      4. Select Visible if your application supports Identity Provider-supported SSO and you want the application to appear automatically on each user’s My Apps page.

      5. Click Add.

      The App Link information appears in the App Details section of the application page.

      To remove an App Link, select the row, and then click Remove.

      Note:

      There is a delay (a few seconds) between clicking Remove and the App no longer appearing on the My Apps page. App Link deletion (and grants related to those App Links) is asynchronous. Wait a few seconds for the asynchronous task to remove the App and its grants before trying My Apps again.
  5. Click Next to configure SSO details for the SAML application.
  6. In the General section of the SSO Configuration page, define the Entity ID, Assertion Consumer URL, NameID format and value, and upload the signing certificate.
    • When you select the NameID Value, select how you want to identify the user that is logged in, either by the User Name or by the user’s Primary Email address.
    • When you upload the signing certificate that is used to sign the SAML assertion, note that some browsers show file paths prepended with c:\fakepath\. This behavior is a security feature of the browser and does not disrupt the upload process.
  7. Expand Advanced Settings on the SSO Configuration page, and then use the following table to define a more fine-grained SAML configuration.
    • Signed SSO: Select Assertion to indicate that you want the SAML assertion signed. Select Response when you want the SAML authentication response signed.
    • Include Signing Certificate in Signature: Select the check box to include the signing certificate in the signature, for example, when the application requires that the signing certificate is sent along with the assertion.
    • Signature Hashing Algorithm: Select the type of signing algorithm that you want to use to sign the assertion or the response, either SHA-256 or SHA-1. SHA-256 generates a fixed 256-bit hash. SHA-1 generates a 160-bit hash value known as a message digest.
    • Enable Single Logout: Select to configure SAML single logout. Single logout enables a user to log out of all participating sites in a federated session almost simultaneously. This check box is selected by default. Clear it if you do not want to enable single logout.
    • Logout Binding: Select whether the logout request is sent as a REDIRECT (transported using HTTP 302 status-code response messages) or a POST (transported in HTML form-control content, which uses a base-64 format). This list box appears only if you select the Enable Single Logout check box.
    • Single Logout URL: Enter the location (HTTP or HTTPS) where the logout request is sent. This field appears only if you select the Enable Single Logout check box.
    • Logout Response URL: Enter the location (HTTP or HTTPS) where the logout response is sent. This field appears only if you select the Enable Single Logout check box.
    • Encrypt Assertion: Select if you want to encrypt the assertion, and then define the encryption algorithm that you want to use and upload the encryption certificate.
    • Encryption Algorithm: Select the encryption algorithm that you want to use to encrypt the SAML assertion. This list box appears only if you select the Encrypt Assertion check box.
    • Encryption Certificate: Click Upload to upload the encryption certificate that is used to encrypt the SAML assertion. This button appears only if you select the Encrypt Assertion check box.

  8. Expand Attribute Configuration on the SSO Configuration page to add user-specific and group-specific attributes to the SAML assertion. This is useful if your application uses user-specific or group-specific attributes, and you want to send that information as part of the SAML assertion.
  9. Click the plus sign next to User Attributes, and then use the following table to specify the user attribute that you want to include. User information in the attribute statement is a list of attributes. Each attribute has a name and one or more values, and each value carries the value itself and its format.
    • Name: Enter the name of the SAML assertion attribute.
    • Format: Select the format of the SAML assertion attribute: Basic, URI Reference, or Unspecified.
    • User Attribute: Select the user attribute that you want to send as part of the assertion.

  10. Click the plus sign next to Group Attributes, and then use the following table to specify the group attributes that you want to include. Group information in the attribute statement contains one attribute with a list of values. You can filter the group information that you want to send as part of the SAML assertion. For example, an Identity Cloud Service administrator might want to filter groups that are sensitive so that it is not revealed that a user has security administrator group access, but only that the user is part of the Manager group. The administrator would filter the group attributes by the Manager group so that the filter is applied against any group assigned to the user.
    • Name: Enter the name of the SAML assertion attribute.
    • Format: Select the format of the SAML assertion attribute: Basic, URI Reference, or Unspecified.
    • Condition: Select how you want to filter the group memberships that are sent as part of the SAML assertion:
      • Equals: Filters the group memberships to the group that exactly matches what you enter in the Value box.
      • Starts with: Filters the group memberships to any group whose name starts with what you enter in the Value box.
      • All Groups: Select to include all groups.
    • Value: Specify the filter value to use when filtering the group memberships that you want to send as part of the SAML assertion.

  11. To import the Identity Cloud Service signing certificate into your application, click Download Signing Certificate to first download the certificate file in PEM format. This certificate is used by the SAML application to verify that the SAML assertion is valid.
  12. To import the Identity Cloud Service Identity Provider metadata into your application, click Download Identity Provider Metadata to first download the metadata file in XML format. The SAML application needs this information so that it can trust and process the SAML assertion that is generated by Identity Cloud Service as part of the federation process. This information includes, for example, profile and binding support, connection endpoints, and certificate information.
  13. Click Finish. The application is added in a deactivated state. To activate your application, see Activating Applications.
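The group filter from step 10 and the attribute statement it feeds, as an added example that is not Identity Cloud Service code: it applies the Equals, Starts with and All Groups conditions to a user's group list and builds the saml:AttributeStatement with one multi-valued group attribute. The NAME_FORMATS mapping from the console's Format choices to SAML 2.0 NameFormat URIs and the SAMPLE_GROUPS list are assumptions.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML)
# Assumed mapping from the console's Format list box to SAML 2.0 NameFormat URIs.
NAME_FORMATS = {
    "Basic": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
    "URI Reference": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    "Unspecified": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
}
# Constructed sample: the page's scenario, where a user's SecurityAdministrator
# membership must not be revealed to the application.
SAMPLE_GROUPS = ["Manager", "SecurityAdministrator", "ManagerEMEA"]


def filter_groups(groups, condition, value=None):
    """Apply the Condition/Value filter from the Group Attributes table."""
    if condition == "All Groups":
        return list(groups)
    if condition == "Equals":
        return [g for g in groups if g == value]
    if condition == "Starts with":
        return [g for g in groups if g.startswith(value)]
    raise ValueError(f"unknown condition: {condition}")


def build_attribute_statement(user_attrs, group_attr, groups):
    """user_attrs: (name, format, value) tuples; group_attr: dict with name,
    format, condition and value. Returns a saml:AttributeStatement element."""
    stmt = ET.Element(f"{{{SAML}}}AttributeStatement")
    for name, fmt, value in user_attrs:
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute",
                             Name=name, NameFormat=NAME_FORMATS[fmt])
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    # Group information is a single attribute carrying a list of values,
    # and only the memberships that pass the filter are revealed to the app.
    attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=group_attr["name"],
                         NameFormat=NAME_FORMATS[group_attr["format"]])
    for g in filter_groups(groups, group_attr["condition"], group_attr.get("value")):
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = g
    return stmt


def attribute_values(stmt, name):
    """Values carried by the attribute called `name` (empty list if absent)."""
    for attr in stmt.findall(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == name:
            return [v.text for v in attr.findall(f"{{{SAML}}}AttributeValue")]
    return []
```

With condition Equals and value Manager, the groups attribute built from SAMPLE_GROUPS carries only Manager, so the application never learns about the SecurityAdministrator membership; Starts with would also reveal ManagerEMEA.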
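Reading the Identity Provider metadata downloaded in step 12 on the application side, as an added example that is not part of the page or the product: it extracts the entity ID, signing certificate, NameID formats and the SSO and single logout endpoint for each binding, and flags metadata the application should not trust as-is (no signing certificate, endpoints that are not HTTPS). The sample metadata, its entity ID, endpoint URLs and certificate text are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "REDIRECT",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "POST"}
# Constructed sample in the shape of the downloaded metadata file; the entity ID,
# endpoints and certificate text are placeholders, not values from a real tenant.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.com/fed">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/fed/v1/idp/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.com/fed/v1/idp/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/fed/v1/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract entity ID, signing certs, NameID formats and SSO/SLO endpoints per binding."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    info = {"entity_id": root.get("entityID"), "signing_certs": [], "sso": {}, "slo": {},
            "nameid_formats": [n.text for n in idp.findall(f"{{{MD}}}NameIDFormat")]}
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") == "signing":  # a missing "use" means both uses
            info["signing_certs"] += [c.text.strip() for c in kd.iter(f"{{{DS}}}X509Certificate")]
    for tag, key in (("SingleSignOnService", "sso"), ("SingleLogoutService", "slo")):
        for ep in idp.findall(f"{{{MD}}}{tag}"):
            info[key][BINDINGS.get(ep.get("Binding"), ep.get("Binding"))] = ep.get("Location")
    return info


def check_idp_metadata(info):
    """Problems an application operator should resolve before trusting this IdP."""
    problems = []
    if not info["signing_certs"]:
        problems.append("no signing certificate: assertion signatures cannot be verified")
    for key in ("sso", "slo"):
        for binding, url in info[key].items():
            if not url.startswith("https://"):
                problems.append(f"{key} {binding} endpoint is not HTTPS: {url}")
    return problems
```

On the sample, the only finding is the plain-HTTP REDIRECT SSO endpoint; the POST SSO and SLO endpoints and the signing certificate pass.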