Create an SSO Service Provider

Follow the steps in this procedure to create an SSO service provider.

Before you start

Before you can create an SSO service provider, you must add the Single Sign-On Configurations component to the configuration list for the Configuration button. See Create a Navigation Set for the Administrator.

Here's what to do

  1. Click Configuration on the navigation pane.
  2. Double-click Single Sign-On Configurations in your navigation list.
    The Single Sign-On Configurations tree opens with the SAML tab active.
  3. Click New on the ribbon, then select SSO Service Provider.
    The Service Provider editor opens.
  4. Enter field information.

    Service Provider Editor

    Provider Entity ID
      Enter a unique name for the service provider in this field.

    Enabled
      Clear this check box to prevent the service provider from being enabled for single sign-on integrations. When you're ready to use the service provider and its associated service applications, select the check box to enable it.

    Use as Template
      Select this check box to use this service provider's values as your template values. If designated as the template, this service provider's values are used to generate the SAML token when an Add-In requests a SAML token without specifying a service provider ID.

      Only one service provider can be designated as the template.

    Audience Type
      Click the drop-down list to select the type of audience for the service provider. Options include:
      • None: the generated SAML token is valid for all domains and URLs. Because nothing binds the token to one relying party, a token issued for one application can be presented to any other application that trusts this identity provider.
      • Restricted: the generated SAML token is valid only for the specific domains and URLs defined by the token.
      • Custom: the generated SAML token is valid for the domains and URLs defined in the Custom Audience URL field.

      The default value is Restricted.

    Custom Audience URL
      Enter the domains and URLs you want to specify as valid in this field.

      This field displays only when the Audience Type is set to Custom.

    Labels
      Click the arrow next to Labels to expand this section. Enter the name as you want it to display for the service provider in the Label column. You can specify different names for different interfaces and languages.

    SAML Token Parameters
      Click the arrow next to SAML Token Parameters to expand this section and enter the information that configures the SAML assertion.

    Assertion Consumer Service URL
      Enter the URL where the SAML token will be posted. SAML responses and assertions are sent to this location using the HTTP POST binding.

    Assertion Audience Restriction
      Enter the domain for which the SAML assertion is intended, that is, the domain for which it's valid.

    Assertion Validity Duration
      Enter the time, in seconds, for which the SAML assertion is valid. Values can be from 0 to 86,400 (24 hours). A longer window gives a captured assertion more time in which it can be replayed, so keep it as short as the consuming application tolerates.

      The default value is 300 (5 minutes).

    Assertion Validity Start
      Enter the relative offset, in seconds, from the current time at which a generated SAML assertion's validity starts. Values can be from -1800 to +1800. A negative offset allows for clock differences between the identity provider and the service provider.

      The default value is 0.

    Include InResponseTo element in Assertion
      Select this check box to include the InResponseTo element in the SAML assertion. With this element present, the service provider can tie the assertion to the authentication request it sent and reject unsolicited responses.

      The default value is No (unchecked).

    Logout Parameters
      Click the arrow next to Logout Parameters to expand this section.

      The fields in this section configure single logout for external service applications when B2C Service is the identity provider. See Single Logout for SSO Applications.

    Logout URL
      Enter the URL where the identity provider sends the logout request to the service provider.

    Logout Validity Duration (in seconds)
      Enter the number of seconds for which the identity provider's logout request is valid.

    Certificates
      Click the arrow next to Certificates to expand this section.

      The fields in this section configure certificates for single logout for external service applications when B2C Service is the identity provider.

    Do Not Verify Trust Chain for Certificates
      Select this check box to skip verification of the trust chain for the certificates you import. This lets you use self-signed certificates or certificates that don't pass OpenSSL trust chain verification. With the chain unverified, trust rests entirely on the imported certificate itself, so confirm its fingerprint with the service provider out of band before enabling this option.

    Import Certificate
      Click the folder next to the field name to select the location of the certificate you want to use. The certificate displays in the Certificate field.

    Import Alternate Certificate
      Click the folder next to the field name to select the location of an alternate certificate to use when validation fails with the primary certificate. The certificate displays in the Alternate Certificate field.

    Signing Parameters
      Enter the information that configures the signing method in this section.

    Add Certificate to Signature
      Clear this check box to prevent the signing certificate from being added to the SAML response/assertion signature.

    Sign Response
      Clear this check box to prevent the response part of the SAML token from being signed.

    Sign Assertion
      Clear this check box to prevent the assertion part of the SAML token from being signed. Leave at least the assertion signed: a service provider that accepts an unsigned assertion has no way to tell a forged one from a genuine one.

    Sign Method
      Click this drop-down list to select the XML signature method used to sign the SAML token. You can select:
      • RSA + SHA-1
      • RSA + SHA-256
      • RSA + SHA-512

      SHA-1 is deprecated for XML signatures; choose it only for a service provider that cannot accept SHA-256 or SHA-512.

    Sign Digest Method
      Click this drop-down list to select the digest method used in the SAML token signature. You can select:
      • SHA-1
      • SHA-256
      • SHA-512

      The same caveat applies: prefer SHA-256 or SHA-512 over SHA-1.
  5. Click Save.
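The settings above describe the token from the identity provider's side. As an added example that is not part of this page and not B2C Service code, the following Python script shows the checks a relying party runs when the Response arrives at its Assertion Consumer Service URL: the validity window (Assertion Validity Duration and Start), the audience restriction, the InResponseTo binding, and that both the Response and the Assertion are signed with something stronger than SHA-1. The entity IDs, URLs, request ID and the sample Response are constructed placeholders, the 60-second clock-skew tolerance is an assumption rather than a page setting, and the signature values are dummies: cryptographic verification of the XML signature needs an XML-DSig library and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone, timedelta

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# XML Signature URIs behind the editor's Sign Method and Sign Digest Method choices.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
WEAK_ALGORITHMS = {RSA_SHA1, SHA1}  # SHA-1 is deprecated for XML signatures

# Assumed relying-party view of the editor fields: page defaults, a placeholder
# entity ID, and a clock-skew tolerance that is an assumption, not a page setting.
SP_CONFIG = {
    "audience": "https://sp.example.com",   # Assertion Audience Restriction
    "validity_duration": 300,               # Assertion Validity Duration, seconds
    "clock_skew": 60,
    "require_in_response_to": True,         # Include InResponseTo element in Assertion
    "sign_response": True,                  # Sign Response
    "sign_assertion": True,                 # Sign Assertion
}

# Constructed signature fragment; DigestValue and SignatureValue are placeholders.
SIG = ('<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig}"/>'
       '<ds:Reference URI="#{ref}"><ds:DigestMethod Algorithm="{dig}"/>'
       '<ds:DigestValue>x</ds:DigestValue></ds:Reference></ds:SignedInfo>'
       '<ds:SignatureValue>x</ds:SignatureValue></ds:Signature>')


def sample_response(sig_alg=RSA_SHA256, digest_alg=SHA256, audience="https://sp.example.com"):
    """Constructed Response of the shape posted to the Assertion Consumer Service URL."""
    algs = dict(sig=sig_alg, dig=digest_alg)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_resp1" InResponseTo="_req123" Version="2.0"
  IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  {SIG.format(ref='_resp1', **algs)}
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    {SIG.format(ref='_a1', **algs)}
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req123" NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC with a trailing Z (no fractional seconds here)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def signature_problems(element, label):
    """Flag a missing signature, or a SHA-1 signature or digest method, on one element."""
    sig = element.find("ds:Signature", NS)
    if sig is None:
        return [f"{label} is not signed"]
    algs = [m.get("Algorithm", "") for m in sig.iter(f"{{{NS['ds']}}}SignatureMethod")]
    algs += [d.get("Algorithm", "") for d in sig.iter(f"{{{NS['ds']}}}DigestMethod")]
    return [f"{label} uses weak algorithm {a}" for a in algs if a in WEAK_ALGORITHMS]


def check_response(xml_text, config, now, expected_request_id):
    """Return policy violations (empty list = acceptable); now is the SP clock as a SAML timestamp."""
    response = ET.fromstring(xml_text)
    assertion = response.find("saml:Assertion", NS)
    if assertion is None:
        return ["response carries no Assertion"]
    problems = []
    clock = parse_saml_time(now)
    skew = timedelta(seconds=config["clock_skew"])

    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        problems.append("assertion has no bounded validity window")
    else:
        not_before = parse_saml_time(cond.get("NotBefore"))
        not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
        if clock + skew < not_before:
            problems.append("assertion not yet valid")
        if clock - skew >= not_on_or_after:
            problems.append("assertion expired")
        if (not_on_or_after - not_before).total_seconds() > config["validity_duration"]:
            problems.append("validity window longer than configured duration")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if not audiences:  # Audience Type None: nothing binds the token to this provider
            problems.append("no AudienceRestriction")
        elif config["audience"] not in audiences:
            problems.append("audience mismatch")

    if config["require_in_response_to"]:
        data = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        got = data.get("InResponseTo") if data is not None else None
        if got != expected_request_id:
            problems.append("InResponseTo does not match the outstanding request")

    if config["sign_response"]:
        problems += signature_problems(response, "Response")
    if config["sign_assertion"]:
        problems += signature_problems(assertion, "Assertion")
    return problems


if __name__ == "__main__":
    print(check_response(sample_response(), SP_CONFIG, "2024-05-01T12:02:00Z", "_req123"))
    print(check_response(sample_response(RSA_SHA1, SHA1), SP_CONFIG, "2024-05-01T12:06:00Z", "_req123"))
```

Run as is, the first call returns an empty list (the constructed Response satisfies every configured setting at 12:02) and the second returns both "assertion expired" and four weak-algorithm findings, one signature method and one digest method for each of the two signatures. A real consumer runs these checks only after the XML-DSig library has verified the signature bytes against the imported certificate; the order matters, because every value read here (timestamps, audience, InResponseTo) is attacker-controlled until the signature is known to be good.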