General settings for a SAML identity provider
Access Management uses the following settings to define identity providers that use the SAML authentication protocol:
- Key
-
A unique identifier for the IdP. The key is case sensitive and not editable once you save the new identity provider.
Optionally, you can include the key together with the user name from the identity provider to form a name that is specific to this provider. This may be useful when supporting multiple providers where user names could be duplicated. For more information, refer to the description of Separator.
- Name
-
A name for the IdP. This name appears on the user sign-in screen to represent the IdP as an authentication option. The name must be unique within Access Management.
- Description
-
Text that describes the IdP and its use. This description is visible only in Access Management.
- Icon URL
-
The URL of an icon that represents the IdP.
This icon will appear along with the IdP's name on the user sign-in screen as well as in the Access Management user interface. If you do not provide an icon, Access Management will use a generic IdP icon.
- Provider type
-
The type of IdP, which in this case must be SAML.
- Redirect URL
-
The URL that the external IdP will use as the destination for all users following successful user authentication.
Access Management automatically generates the Redirect URL after you create and save a new IdP. In the external IdP, you must add this URL to the list of redirect URLs for the application you have registered for Access Management.
- Post-logout redirect URL
-
The URL that the external IdP will use as the destination for all users following user logout from the application.
Access Management automatically generates the Post-logout redirect URL after you create and save a new IdP. In the external IdP, you must add this URL to the logout redirect URLs for the application you have registered for Access Management.
- Issuer name
-
A URI that identifies the external SAML provider that will issue SAML requests to Access Management.
- Service provider name
-
The name of the SAML service provider that receives and accepts authentication assertions.
If you chose to set a specific Audience when registering the Access Management application in the external SAML provider, then you must use the value of the Audience in this field as the value for the Service provider name. For example:
spn:291b2fc7-847d-4082-aa42-a90ea4b180bf
- Single sign-on service URL
-
The URL where Access Management will redirect users for authentication using SAML single sign-on.
- Single logout service URL
-
The URL where Access Management will redirect users after they log out using SAML single logout.
- Certificates
-
The X.509 certificate that the SAML provider uses to sign SAML tokens.
You can define multiple certificates. For each certificate, select Add new and paste the certificate into the field as text.
When using Azure, certificates are contained in the following file:
https://login.microsoftonline.com/TENANT_ID/federationmetadata/2007-06/federationmetadata.xml
Where TENANT_ID is the tenant ID assigned to Access Management when you register it with Azure.
- Separator
-
A character that Access Management includes as part of the user name.
User names in Access Management are in the following format:
KEY<SEPARATOR>USERNAME
Where:
KEY is the unique identifier assigned to the external IdP (when it is created).
<SEPARATOR> is the character defined in this property, which is typically a colon (:) or other special character.
USERNAME is the name of the user as it comes directly from the external IdP.
Example:
azure:testuser
- Username Claim
-
The claim in the external IdP that Access Management will use as the User Subject when creating a user, instead of the user name.
- Full name claim
-
The claim in the external IdP that Access Management will use as the Name when creating a user.
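Several of the settings above (Issuer name, Single sign-on service URL, Single logout service URL, Certificates) are published by the IdP in its SAML metadata, for example the Azure federationmetadata.xml document named under Certificates. The following added example, which is not Access Management code, reads those values from such a document and wraps each signing certificate in PEM armor ready to paste; the sample metadata, tenant ID and certificate body are constructed placeholders.

```python
import textwrap
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata documents such as federationmetadata.xml.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample, not a real tenant's metadata; the certificate body is a placeholder.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT_ID_PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>MIIC0DCCAbigAwIBAgIQ PLACEHOLDER
        BASE64BODY==</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def to_pem(b64_body: str) -> str:
    """Wrap the raw base64 body of an X509Certificate element in PEM armor (64 chars per line)."""
    body = "".join(b64_body.split())  # metadata often wraps the body across several lines
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64)) + "\n-----END CERTIFICATE-----\n"

def idp_settings_from_metadata(xml_text: str) -> dict:
    """Extract Issuer name, SSO/SLO URLs and signing certificates (PEM) from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor document")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata does not describe a SAML identity provider")
    def redirect_location(service: str):
        # Pick the HTTP-Redirect endpoint; other bindings may be listed for the same service.
        for svc in idp.findall("md:" + service, NS):
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
        return None
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no "use" attribute means signing and encryption
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append(to_pem(c.text or ""))
    return {"issuer_name": root.get("entityID"), "certificates": certs,
            "single_sign_on_service_url": redirect_location("SingleSignOnService"),
            "single_logout_service_url": redirect_location("SingleLogoutService")}
```

Paste each entry of `certificates` into its own Certificates field; a metadata document can list more than one signing certificate during key rollover, and all of them should be configured so that assertions signed with either key validate.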