Access the Application by Using SAML Realm

This section provides information on managing users who can access the application with Identity Provider (IdP or IDP). The IdP acts as the Single Sign-On (SSO) service provider for implementations between the application, Investigation Toolkit, and Enterprise Case Management. This configuration prevents separate login for each application.

An identity provider (IdP) is a service that stores and verifies user identity. IdPs work with single sign-on (SSO) providers to authenticate users. An identity provider (IdP or IDP) stores and manages users' digital identities. An IdP checks user identities via username-password combinations and other factors, or it may simply provide a list of user identities that another service provider (like an SSO) checks.

See the User Groups section for Pre-configured Groups to access the application using SAML Realm.

Note:

You can configure SAML in the following ways:
  • SAML for Authentication and AAI for Authorization
  • SAML for Authentication and SAML for Authorization

    For more information, see the respective sections in the Installation Guide.

To integrate the application with IDP as the SSO provider, follow these steps:
  1. Create the following Group in the IDP system. For more information on creating groups in IDP, see the OFS Admin Console User Guide.
    • Create the new groups with the same name as the pre-configured groups. For more information, see the User Groups section.
  2. Create a SAML application in IDP.
  3. Configure the SAML application. Key configurations in the SAML application is as follows:
    • Entity ID: https://<FQDN of <application name> Linux Server>:7001/<application name>
    • Assertion Consumer URL: http://<FQDN of <application name> Linux Server>:7001/<application name>/home

      Note:

      • If the application Gateway service is enabled, then the value of this port will be the GATEWAY PORT. For example, 7071.
      • Response in SAML response must be signed.
    • Include Signing Certificate in Signature: Enabled
    • Signature hashing algorithm: SHA-256
    • Enable Single Logout: Enabled
    • Logout Binding: POST
    • Single Logout URL (SAML_LOGOUT_URL): http://<FQDN of <application name>>:7001/<application name>/signoff

      Note:

      If the application Gateway service is enabled, then the value of this port will be the GATEWAY PORT. For example, 7071.
    • Logout Response URL: http://<FQDN of <application name>>:7001/<application name>/signoff

      Note:

      If the application Gateway service is enabled, then the value of this port will be the GATEWAY PORT. For example, 7071.
    • Encrypt Assertion: Disabled
    • SAML Attribute Configuration

      Update the SAML attribute configuration as described in the following table.

      Table 6-5 Attribute Configuration

      Name Format Type Value Condition
      ofs_mapped_groups Basic User Attribute Group Member All Groups
      email Basic User Attribute Primary Email -
      username Basic User Attribute Last Name -
  4. Create a user and map the user groups to the respective user based on the user roles.