Configuring the Identity Provider for the SAML Integration

This section describes the information you need to configure your identity provider (IdP) product for the SAML integration.

Important:

Note the following requirements:

  • IdP services must support SAML 2.0. In particular, the IdP must support the HTTP-Redirect and HTTP-POST bindings, and POST responses containing the SAML authentication assertion must be digitally signed.

  • IdP services must allow custom assertions.

  • SAML assertion encryption is optional but recommended.

  • Make sure you review the best practice guidelines before deploying SAML SSO on your OpenAir account or changing over to a new identity provider (IdP) — See SAML Deployment Best Practice Guidelines.

The following IdP configuration steps are required before SAML authentication assertions can be exchanged between the IdP and the OpenAir service provider (SP). Specific IdP products may require custom configuration — refer to the IdP product documentation for details.

  1. Import the OpenAir service provider (SP) metadata — See OpenAir SAML Metadata.

  2. Configure the assertion attributes required by the OpenAir SP — Either the NameID element or the user_nickname attribute must be included in the SAML assertion. See SAML Assertion Attributes.

  3. Download the IdP metadata XML file — You will need to upload the IdP metadata XML file when configuring OpenAir to work with the IdP service, and again whenever the metadata changes (for example, after the IdP's signing certificate is renewed).
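Before uploading the IdP metadata to OpenAir, it is worth checking that the file actually satisfies the requirements listed above (SAML 2.0 support, HTTP-Redirect and HTTP-POST endpoints, a signing certificate) and that a decoded test response from the IdP carries a signature and a NameID or user_nickname. The script below is an added example written for this page, not OpenAir or IdP vendor code; it uses only the Python standard library, and every XML document in it is constructed sample data (the certificate value is a placeholder, not a real certificate). The function names and the shape of the samples are assumptions of the example.

```python
"""Pre-flight checks on SAML 2.0 IdP metadata and a decoded SAML Response.
Added example: standard library only; all XML below is constructed sample data."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
BINDINGS = {
    "HTTP-Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "HTTP-POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}


def check_idp_metadata(xml_text: str) -> list:
    """Return a list of problems; an empty list means the metadata declares
    SAML 2.0, offers Redirect and POST SSO endpoints, and publishes a signing
    certificate (needed to verify the signed POST responses)."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor" or not root.get("entityID"):
        return ["root element is not an md:EntityDescriptor with an entityID"]
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return ["no md:IDPSSODescriptor (this is not IdP metadata)"]
    if PROTOCOL not in (idp.get("protocolSupportEnumeration") or "").split():
        problems.append("IDPSSODescriptor does not declare SAML 2.0 protocol support")
    offered = {s.get("Binding") for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    for name, uri in BINDINGS.items():
        if uri not in offered:
            problems.append(f"no SingleSignOnService endpoint for {name} binding")
    # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
    certs = [
        kd.findtext(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")
        for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
        if kd.get("use") in (None, "signing")
    ]
    if not any(c and c.strip() for c in certs):
        problems.append("no signing X509Certificate; signed responses cannot be verified")
    return problems


def check_response_identifier(xml_text: str) -> list:
    """Check a decoded (and, if encrypted, already decrypted) SAML Response for
    a signature and for either a NameID or a user_nickname attribute."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find(f".//{{{SAML}}}Assertion")
    if assertion is None:
        return ["no saml:Assertion in response"]
    if root.find(f"{{{DS}}}Signature") is None and assertion.find(f"{{{DS}}}Signature") is None:
        problems.append("neither the Response nor the Assertion carries a ds:Signature")
    name_id = assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    nick = [a.findtext(f"{{{SAML}}}AttributeValue")
            for a in assertion.iter(f"{{{SAML}}}Attribute") if a.get("Name") == "user_nickname"]
    if not (name_id and name_id.strip()) and not any(v and v.strip() for v in nick):
        problems.append("assertion has neither a NameID nor a user_nickname attribute")
    return problems


# Constructed samples (placeholder certificate text, not a real certificate).
GOOD_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.com/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="{PROTOCOL}">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIICplaceholderCertificateBase64==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="{BINDINGS['HTTP-Redirect']}" Location="https://idp.example.com/sso"/>
  <md:SingleSignOnService Binding="{BINDINGS['HTTP-POST']}" Location="https://idp.example.com/sso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

# Only a Redirect endpoint and only an encryption key: two of the requirements are unmet.
BAD_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.com/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="{PROTOCOL}">
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIICplaceholderCertificateBase64==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="{BINDINGS['HTTP-Redirect']}" Location="https://idp.example.com/sso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

GOOD_RESPONSE = f"""<samlp:Response xmlns:samlp="{PROTOCOL}" xmlns:saml="{SAML}" xmlns:ds="{DS}">
 <saml:Assertion><ds:Signature><ds:SignedInfo/></ds:Signature>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="user_nickname">
   <saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""

UNSIGNED_RESPONSE = f"""<samlp:Response xmlns:samlp="{PROTOCOL}" xmlns:saml="{SAML}" xmlns:ds="{DS}">
 <saml:Assertion><saml:AttributeStatement><saml:Attribute Name="email">
   <saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    for label, result in [("good metadata", check_idp_metadata(GOOD_METADATA)),
                          ("bad metadata", check_idp_metadata(BAD_METADATA)),
                          ("good response", check_response_identifier(GOOD_RESPONSE)),
                          ("unsigned response", check_response_identifier(UNSIGNED_RESPONSE))]:
        print(label, "->", result or "OK")
```

To use it on a real file, read the downloaded IdP metadata into a string and pass it to check_idp_metadata; for a response, base64-decode the SAMLResponse form field from a browser capture first. The check only confirms that the pieces are present; it does not verify the signature itself, which is the SP's job at login time.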

OpenAir SAML certificates on sandbox and production environments have a finite lifetime. OpenAir rotates SAML certificates that are about to expire. When OpenAir rotates the SAML certificates you must update the SAML signing and encryption certificates for the OpenAir service provider profile in your identity provider product. See Updating the OpenAir SAML Signing and Encryption Certificates in the Identity Provider Configuration.

This guide includes steps to set up the following identity provider products with OpenAir SAML SSO.

Important:

The third-party product setup steps are given for illustration purposes only. OpenAir does not support specific identity provider products or product versions. Refer to the product documentation for your identity provider for detailed and up-to-date instructions. For additional questions about setting up your identity provider, contact the support service for your identity provider product.

Related Topics: