Configuring Single Sign-On

General Settings

  1. Complete the General settings:

| Field | Notes |
| --- | --- |
| Identity Provider label | Enter a label for the Identity Provider. This label is used on the "Login with..." sign-in button on the login page (image: alternative login button example). The label should be descriptive to your users. |
| Strict | When enabled, more extensive validation is performed on the responses received from the Identity Provider. This is recommended for production environments as it offers a higher level of security. We recommend first configuring the adapter with Strict disabled and testing the sign-in process (and sign-out where supported), as this narrows down the settings that may need correcting if there are any issues. Then enable it and test again. When this setting is enabled, settings within the Security tab control some of the additional checks that are carried out. |
| Debug | Enable debug mode to include "info" level log entries in the control centre logs. |

  2. Click Save before proceeding to the Service Provider tab.

Service Provider Settings

  1. Complete the Service Provider settings:

| Field | Notes |
| --- | --- |
| NameID Format | The constraint used to represent the name identifier. The suggested default value is `unspecified`, which acts as a wildcard, and the NameID can then be set based on the received assertions list. This can be changed if the Identity Provider expects a specific format; the value is shown in the Identity Provider metadata file under `md:NameIDFormat`. |
| X509Cert | The X509 certificate used by the Service Provider for signing and encrypting the SAML assertions. A 2048 bit unencrypted RSA private key and the corresponding X509 certificate must be provided. |
| Private key | The private key used by the Service Provider for signing and encrypting the SAML assertions. A 2048 bit unencrypted RSA private key and the corresponding X509 certificate must be provided. |
| Entity ID | Optionally specify a custom value for the EntityID. By default this is set to the metadata URL. Some Identity Providers require this to be overridden with a specific value, which can be entered here. |

  2. Click Save before proceeding to the Identity Provider tab.

Identity Provider Settings

  1. Complete the Identity Provider settings:

| Field | Notes |
| --- | --- |
| Entity ID | Mandatory. The URL that uniquely identifies the Identity Provider application. This value is provided by your Identity Provider and is usually found in the EntityDescriptor tag of the metadata. |
| Single Sign-On URL | Mandatory. The URL the initial authentication request is sent to. This is usually found in the SingleSignOnService tag; only the HTTP-Redirect binding is currently supported. |
| Bypass Login Page | If enabled, users are redirected directly to the Identity Provider (IdP) for authentication instead of seeing the Jadu Connect login page. If they are already signed in at the IdP, they will not need to re-enter their credentials and are logged into Jadu Connect automatically. |
| Account URL | Optional. If set, any "change details" links within the application direct the user to the provided URL. |
| X509Cert | Mandatory. The Identity Provider's X509 certificate, usually found in the X509Certificate tag of the metadata. |

  2. Click Save before proceeding to the Security Settings tab.

Security Settings

  1. Complete the Security Settings:

| Field | Notes |
| --- | --- |
| NameID Encrypted | Indicates whether the Identity Provider expects the NameID in the logout request to be encrypted. We recommend leaving this disabled during testing and enabling it once the login/logout flow works, so that a misconfiguration of this field can be ruled out. |
| Authn Requests Signed | Indicates whether the samlp:AuthnRequest messages sent by this Service Provider should be signed. We recommend enabling this, although some Identity Providers do not support it. |
| Logout Response Signed | Indicates whether the samlp:LogoutResponse message sent by this Service Provider should be signed. We recommend leaving this disabled during testing and enabling it once the login/logout flow works, so that a misconfiguration of this field can be ruled out. |
| Logout Requests Signed | Indicates whether the samlp:LogoutRequest message sent by this Service Provider should be signed. We recommend leaving this disabled during testing and enabling it once the login/logout flow works, so that a misconfiguration of this field can be ruled out. |
| Require Password based Auth | Enabling this tells the Identity Provider that the admin must be authenticated with a password rather than another method the Identity Provider supports (e.g. a one-time code). Disabling this sends the required authentication method as "unspecified", meaning the Identity Provider is free to use any method for authentication. |
| Require Signed Messages | If enabled, the admin adapter checks that all message tags in the SAML response are signed. If they are not, the admin is not signed in and, if Debug is enabled, an error is logged. This setting only has an effect when the Strict option is enabled in the General tab. |
| Require Encrypted Assertions | If enabled, the admin adapter checks that all assertions are encrypted. If they are not, the admin is not signed in and, if Debug is enabled, an error is logged. When this setting is enabled, the Service Provider metadata file contains the X509Cert used for the encryption process. |
| Require Signed Assertions | If enabled, the admin adapter checks that all assertion tags are signed. If they are not, the admin is not signed in and, if Debug is enabled, an error is logged. When this setting is enabled, the Service Provider metadata file includes the property `WantAssertionsSigned="true"` on the md:SPSSODescriptor tag. |
| Require encrypted NameID | If enabled, the admin adapter checks that the NameID value is encrypted in the SAML Response. If it is not, the admin is not signed in and, if Debug is enabled, an error is logged. This setting only has an effect when the Strict option is enabled in the General tab; if Strict mode is disabled this check is never performed. |
| XML Validation | If enabled, the admin adapter validates the XML sent by the Identity Provider. This setting only has an effect when the Strict option is enabled in the General tab. |
| Relaxed Destination Validation | If enabled, the admin adapter does not validate the Destination attribute in the Response sent by the Identity Provider. This setting only has an effect when the Strict option is enabled in the General tab; if Strict mode is disabled the destination is never validated. |
| Sign Service Provider Metadata | Indicates whether the Service Provider should sign the metadata (ds:SignedInfo). |
| Lowercase Url Encoding | ADFS URL-encodes SAML data as lowercase, whereas the integration uses uppercase by default. Enable this setting for ADFS compatibility on signature verification. |
| Signature Algorithm | The signature algorithm used for the signing process. Defaults to rsa-sha256, but can be changed if the Identity Provider expects a different algorithm. |
| Digest Algorithm | The digest algorithm used for the digest process. Defaults to sha256, but can be changed if the Identity Provider expects a different algorithm. |

Warning: Jadu Connect SAML integration does not support SHA1 signature or digest algorithms. SHA1 is the default on Azure AD B2C, so ensure your signature algorithm is set to SHA256 or better at the Identity Provider.

  2. Click Save before proceeding to the Matching Attributes tab.
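Several of the Security settings above describe checks the admin adapter performs on the SAML Response when Strict is enabled: signed message tags, encrypted or signed assertions, an encrypted NameID, the Destination attribute, and the SHA1 restriction from the warning. The script below is an added example, not Jadu Connect's own code, that runs the structural side of those checks over a constructed response so you can see which settings a given IdP response would fail. It inspects the XML shape only (signature elements present, algorithm URIs, Destination value) and does not verify signatures cryptographically; that requires an XML-DSig library. The ACS URL, setting names and sample response are assumptions, and the signature values are placeholders.

```python
"""Structural checks on a SAML Response, mirroring the Security tab settings.

Added example (not Jadu Connect's own code). Each check looks only at the
shape of the XML: signature elements present, assertions and NameID
encrypted, Destination matching the ACS URL, and no SHA1 algorithms. It does
not verify signatures cryptographically; that needs an XML-DSig library.
The sample response is constructed and its signature values are placeholders.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ACS_URL = "https://connect.example.test/saml/acs"  # assumed Service Provider ACS URL


@dataclass
class SecuritySettings:
    """Subset of the Security tab; field names follow the table above."""
    strict: bool = True
    require_signed_messages: bool = True
    require_encrypted_assertions: bool = False
    require_signed_assertions: bool = True
    require_encrypted_nameid: bool = False
    relaxed_destination_validation: bool = False


SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" Destination="https://connect.example.test/saml/acs">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#_resp1">
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    </ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_a1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      </ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>admin@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""


def check_response(xml_text: str, settings: SecuritySettings, acs_url: str = ACS_URL) -> list:
    """Return the list of policy failures; an empty list means the response passes."""
    if not settings.strict:
        return []  # none of these checks run unless Strict is enabled in the General tab
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    problems = []
    if not settings.relaxed_destination_validation and root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} does not match {acs_url!r}")
    if settings.require_signed_messages and root.find("ds:Signature", NS) is None:
        problems.append("Response message is not signed")
    plain = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    if not plain and not encrypted:
        problems.append("Response carries no assertion")
    if settings.require_encrypted_assertions and plain:
        problems.append(f"{len(plain)} assertion(s) are not encrypted")
    for assertion in plain:  # encrypted assertions can only be inspected after decryption
        aid = assertion.get("ID")
        if settings.require_signed_assertions and assertion.find("ds:Signature", NS) is None:
            problems.append(f"Assertion {aid} is not signed")
        subject = assertion.find("saml:Subject", NS)
        if (settings.require_encrypted_nameid and subject is not None
                and subject.find("saml:EncryptedID", NS) is None):
            problems.append(f"Assertion {aid} carries a plaintext NameID")
    # SHA1 signature or digest algorithms are not supported by the integration at all.
    for tag in ("SignatureMethod", "DigestMethod"):
        for node in root.iter(f"{{{NS['ds']}}}{tag}"):
            alg = node.get("Algorithm", "")
            if "sha1" in alg.lower():
                problems.append(f"{tag} uses unsupported algorithm {alg}")
    return problems


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, SecuritySettings()) or "response passes")
```

With the defaults the sample passes; switching on Require Encrypted Assertions or Require encrypted NameID fails it because the assertion and NameID are plaintext, and a response signed with rsa-sha1 or addressed to a different Destination is reported regardless of the other settings. Run the IdP's real response through the same checks (with Debug enabled, the adapter logs the equivalent error) before enabling Strict in production.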

Matching Attributes Settings

  1. Complete the Matching Attributes settings:

| Field | Notes |
| --- | --- |
| User email attribute | The SAML attribute which holds the email address for the admin. |
| First name attribute | The SAML attribute which holds the first name for the admin. |
| Last name attribute | The SAML attribute which holds the last name for the admin. |
| User Type | The user type assigned to newly created users after login. |
| Group | The group assigned to newly created users after login. |
| Role | The role assigned to newly created users after login. |

New User Permissions

The user type, group and role set here determine what new users signing in using SAML can do within Connect. Take a least permissive approach and validate users before assigning them elevated permissions.

  2. Click Save to complete the SAML Admin Authentication setup.
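The Matching Attributes tab ties three SAML attribute names to the admin record and fixes the user type, group and role every SAML-created user starts with. The script below is an added example, not Jadu Connect's own code, showing how those settings are applied to an assertion: the configured attribute names are looked up in the AttributeStatement, the email is required and normalised so the same account matches on later logins, and the least-privilege defaults are attached. The claim URIs are the ones ADFS and Azure AD issue for email, given name and surname; the default user type, group and role values and the sample assertion are assumptions.

```python
"""Build a new admin record from a SAML assertion's attributes.

Added example (not Jadu Connect's own code). The attribute names mirror the
Matching Attributes tab, using the ADFS / Azure AD claim URIs; the default
user type, group and role are assumed least-privilege values. The assertion
below is constructed.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Matching Attributes settings (claim names as issued by ADFS / Azure AD).
MATCHING_ATTRIBUTES = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
}
# Assumed least-privilege defaults; elevated permissions are granted only after review.
NEW_USER_DEFAULTS = {"user_type": "Standard", "group": "SAML new users", "role": "Read only"}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>Ada.Lovelace@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Ada</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Lovelace</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def saml_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs


def build_new_user(assertion_xml: str, matching=MATCHING_ATTRIBUTES,
                   defaults=NEW_USER_DEFAULTS) -> dict:
    """Map the configured attributes onto a new user; the email attribute is required."""
    attrs = saml_attributes(assertion_xml)
    emails = attrs.get(matching["email"], [])
    if len(emails) != 1 or "@" not in emails[0]:
        raise ValueError(f"expected exactly one email value in {matching['email']!r}, got {emails}")
    user = {
        "email": emails[0].lower(),  # normalised so the same account matches on later logins
        "first_name": " ".join(attrs.get(matching["first_name"], [])),
        "last_name": " ".join(attrs.get(matching["last_name"], [])),
    }
    user.update(defaults)  # user type, group and role from the Matching Attributes tab
    return user


if __name__ == "__main__":
    print(build_new_user(SAMPLE_ASSERTION))
```

The attribute names must match the IdP's claim names exactly; if the email attribute is absent or carries more than one value the user is not created, which is the safer failure when the value is what later logins are matched on.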