SAML Service Provider Metadata Configuration without Certificate

For SAML Service Provider Metadata Configuration without Certificate, update the following information in the sp_metadata.xml file:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="$ENTITYID$">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="$CONSUMERSERVICEURL$" index="0"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="$LOGOUTSERVICEURL$"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

  • $ENTITYID$ - OFSAAI URL up to and including the context name.

    For example, http(s)://hostname:port/<context>

  • $CONSUMERSERVICEURL$ - OFSAAI login URL.

    For example, http(s)://hostname:port/<context>/login.jsp

  • $LOGOUTSERVICEURL$ - OFSAAI logout URL.

    For example, http(s)://hostname:port//signoff.jsp

The SAMLRequest generated by OFSAA is unsigned and is sent to the Identity Provider (IdP) using the HTTP Redirect binding. The IdP sends the SAMLResponse back using the HTTP POST binding. The authenticated user can be carried either as one of the attributes in the SAMLResponse (for example, "uid") or in the Subject.

If the user is sent as an attribute, the same attribute name has to be specified as the "SAML User Attribute" in the OFSAA Configuration screen.

If the user is sent in the Subject, the NameID format in the SAML response should be "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".
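The following is an added example, not OFSAA's own code: it fills the three placeholders of the sp_metadata.xml template above, checks the rendered file for the points an IdP relies on (entityID, HTTP-POST consumer service, unspecified NameID format, and the absence of a certificate), and then locates the user in a SAMLResponse either from the configured attribute or from the Subject NameID, as the last three paragraphs describe. Function names, and the hostnames in any sample input, are assumptions for illustration.

```python
# Added example, not OFSAA's own code: render the sp_metadata.xml template from
# this page, check the rendered file, and locate the user in a SAMLResponse.
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Template as given on the page; the three $...$ placeholders are substituted.
SP_TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="$ENTITYID$">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="$CONSUMERSERVICEURL$" index="0"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="$LOGOUTSERVICEURL$"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def render_sp_metadata(entity_id, acs_url, slo_url):
    """Fill the placeholders; values are inserted verbatim, so pass plain URLs."""
    return (SP_TEMPLATE.replace("$ENTITYID$", entity_id)
            .replace("$CONSUMERSERVICEURL$", acs_url)
            .replace("$LOGOUTSERVICEURL$", slo_url))

def check_sp_metadata(xml_text):
    """Parse the rendered file and report the facts the IdP will rely on."""
    root = ET.fromstring(xml_text)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    fmt = root.findtext("md:SPSSODescriptor/md:NameIDFormat", namespaces=NS)
    return {"entity_id": root.get("entityID"),
            "acs_url": acs.get("Location"),
            "acs_is_post": acs.get("Binding") == HTTP_POST,
            "nameid_unspecified": fmt == NAMEID_UNSPECIFIED,
            # No KeyDescriptor means no SP certificate: requests stay unsigned.
            "has_certificate": root.find(".//md:KeyDescriptor", NS) is not None}

def extract_user(response_xml, user_attribute=None):
    """Find the user as the page describes: in the named attribute (the 'SAML
    User Attribute' setting) if given, else in the Subject NameID, which must
    use the unspecified format. Signature validation is assumed done earlier."""
    root = ET.fromstring(response_xml)
    if user_attribute:
        for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == user_attribute:
                return attr.findtext("saml:AttributeValue", namespaces=NS)
        return None
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    # Per the SAML core spec an absent Format attribute means "unspecified".
    if name_id is None or name_id.get("Format", NAMEID_UNSPECIFIED) != NAMEID_UNSPECIFIED:
        return None
    return name_id.text
```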