Generic | SAML

1. Display name

Choose a name for your identity provider. This is the user-facing name, so choose a name your users will recognize. This value can be changed later.

 

2. Redirect Mode

Select how the user will be redirected to the identity provider. You may configure more redirect modes after completing the setup.

 

3. Prepare IDP

Copy the Reply URL add it to the corresponding field in your identity provider. This is typically done when you create a new “Client” application / Relying Party on the Identity Provider. The name of this field can vary, but it is typically also named callback URL, redirect URI or Assertion Consumer Service (ACS) URL. It must often also be pasted into the Entity ID field. This is the URL your identity provider will redirect the user back to after the user has authenticated with their credentials.

 

4. Metadata

SAML metadata is an XML document that gives the necessary information about the Identity Provider’s configuration, so that Kantega SSO as the relying party can establish trust with the Indentity Provider. Kantega SSO supports three different ways to obtain the SAML metadata from an Identity Provider:

 

4.1. Published document on Metadata URL

Copy the “App Federation Metadata Url” field from the IDP and paste into Metadata XML file published online (URL)

4.2. Upload metadata XML file

Download the metadata document from the Identity Provider and upload it by browsing the file

4.3. Paste metadata XML

Lastly, just copy the raw XML document and paste it.

 

Any one of these three options will give the necessary XML document to establish trust between Kantega SSO and the IDP.

 

5. Redirect URL

The redirect URL that Kantega SSO needs to redirect the user to the correct location (the SAML 2.0 login page) on the Identity Provider. This value is usually retrieved from the metadata document in the previous step:

 


If this is not retrieved from the metadata, the SAML 2.0 login endpoint is usually on the format https://idp.example.org/SAML2/SSO/Redirect.

6. Certificate

The SAML siginng certificate is usually imported from the metadata document in step 3. If this is not imported automatically, you will need to upload a PEM (Base64) encoded X.509 certificate

 

7. Summary

Check that all the values look good.

 

Login test

Test that logging in with your Identity Provider works as expected. This will help identify if there are any issues with the configuration. Follow the steps to perform the login test, and then analyze the results on the test results page.