...
SAML Profile | Binding | Endpoint |
---|---|---|
Web Single Sign-on | HTTP-POST, HTTP-Artifact | scheme://server:port/contextPath/saml/SSO |
Single Logout | HTTP-POST, HTTP-Redirect | scheme://server:port/contextPath/saml/SingleLogout |
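The endpoint column above is built from the SP Entity Base URL (scheme, server, port and context path) plus a fixed path per profile. The following added example, written for this page and not taken from Universal Controller itself, validates a candidate base URL against those requirements and derives the two endpoints; the path constants come from the table, while the function names and the sample URLs are assumptions made for the example. Pinning the base URL explicitly, rather than letting it default to values taken from the first request, keeps the endpoints published in SP metadata independent of whatever host and port an incoming request happened to carry.

```python
from urllib.parse import urlsplit, urlunsplit

# Per-profile paths relative to the context path, as listed in the table above.
SAML_ENDPOINT_PATHS = {
    "Web Single Sign-on": "/saml/SSO",           # HTTP-POST, HTTP-Artifact
    "Single Logout": "/saml/SingleLogout",       # HTTP-POST, HTTP-Redirect
}


def validate_sp_base_url(base_url: str) -> str:
    """Return the normalized base URL, or raise ValueError.

    The page requires protocol, server, port and context path, so each of
    those is checked explicitly; query, fragment and userinfo are rejected
    because they make no sense in a base URL and would leak into endpoints.
    """
    parts = urlsplit(base_url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    if not parts.hostname:
        raise ValueError("server (host) is required")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo is not allowed in the base URL")
    if parts.port is None:              # raises ValueError itself on a non-numeric port
        raise ValueError("port must be given explicitly")
    if not parts.path or parts.path == "/":
        raise ValueError("context path is required")
    if parts.query or parts.fragment:
        raise ValueError("query string and fragment are not allowed")
    # Normalize by dropping a trailing slash so joining with the fixed paths is unambiguous.
    return urlunsplit((parts.scheme, parts.netloc, parts.path.rstrip("/"), "", ""))


def is_valid_sp_base_url(base_url: str) -> bool:
    """Boolean wrapper around validate_sp_base_url for configuration checks."""
    try:
        validate_sp_base_url(base_url)
        return True
    except ValueError:
        return False


def saml_endpoints(base_url: str) -> dict:
    """Map each SAML profile from the table to its absolute endpoint URL."""
    base = validate_sp_base_url(base_url)
    return {profile: base + path for profile, path in SAML_ENDPOINT_PATHS.items()}


if __name__ == "__main__":
    # Constructed sample base URL; the host, port and context path are placeholders.
    for profile, url in saml_endpoints("https://uc.example.com:8443/uc").items():
        print(f"{profile}: {url}")
```

With the constructed base URL above, the Web Single Sign-on endpoint resolves to `https://uc.example.com:8443/uc/saml/SSO`; a URL without an explicit port or context path is rejected before any endpoint is produced.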
...
| Note |
|---|
| Starting with Java 1.8.0_162, JCE unlimited policy is enabled by default. You no longer need to install the policy file in the JRE or set the security property crypto.policy. |
Debugging
The uc.saml.log.level property can be set in uc.properties to enable debug logging for the SAML framework. As a best practice, however, uc.saml.log.level should remain at INFO under normal operation.
...
An administrator can turn on/off and configure SAML Single Sign-On through the user interface.
| Note |
|---|
| Each Universal Controller cluster node maintains its own Single Sign-On Settings configuration, associated by Node Id. Therefore, you must complete the Single Sign-On Settings configuration for each deployed cluster node, including the Active node and any Passive nodes. The Identity Provider Metadata File and KeyStore File, by default located under ${catalina.base}/conf/saml/, must be accessible to each cluster node. |
Step | Action |
---|---|
Step 1 | From the Administration navigation pane, select Configuration > Single Sign-On Settings. The Single Sign-On Settings page displays. |
Step 2 | Enter / select your Single Sign-On Settings, using the field descriptions below as a guide. |
Step 3 | Click the button. |
...
Field Name | Description |
---|---|
Details | This section contains detailed information on the Single Sign-On settings. |
SAML Single Sign-On | If enabled, turns on SAML Single Sign-On. |
User Provisioning | If enabled, turns on the provisioning of users through SAML assertion attributes. |
SP Entity ID | Read-only; unique identifier of the Universal Controller Service Provider. |
SP Entity ID Subdomain | Customize the SP Entity ID with a unique subdomain. |
SP Entity Base URL | Base URL to construct SAML endpoints from; must be a URL with protocol, server, port, and context path. If one is not specified, it defaults to values from the initial request in this format: |
Identity Provider Metadata Source | Specifies the Identity Provider Metadata Source: File or URL. |
Identity Provider Metadata File | If Identity Provider Metadata Source = File; Identity Provider metadata file location. |
Identity Provider Metadata URL | If Identity Provider Metadata Source = URL; Identity Provider metadata URL location. |
 | Link to download the Service Provider metadata for the Universal Controller node. |
Key Management | |
KeyStore File | Keystore file location. |
KeyStore Password | Password used to protect the integrity of the keystore. Default is ucsaml. |
Private Key Alias | Alias of the private key (with either a self-signed or a CA-signed certificate) used to digitally sign SAML messages. Default is ucsaml. |
Private Key Password | Password used to protect the integrity of the private key. Default is ucsaml. See SAML KeyStore. |
 | If User Provisioning is enabled; this section allows you to configure a mapping between user fields and attributes from the attribute statement of a SAML assertion. It is displayed only when User Provisioning is enabled. See User Attribute Mapping for more details. |
First Name | Name of an attribute, of type |
Middle Name | Name of an attribute, of type |
Last Name | Name of an attribute, of type |
 | Name of an attribute, of type |
Active | Name of an attribute, of type |
Groups | Name of a multi-valued attribute, of type |
Title | Name of an attribute, of type |
Department | Name of an attribute, of type |
Manager | Name of an attribute, of type |
Business Phone | Name of an attribute, of type |
Mobile Phone | Name of an attribute, of type |
Home Phone | Name of an attribute, of type |
Buttons | This section identifies the buttons displayed above and below the Single Sign-On Settings that let you perform various actions. |
Update | |
Refresh | Refreshes any dynamic data displayed in the Single Sign-On Settings. |
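The user attribute mapping rows above pair each user field with the Name of an attribute in the assertion's AttributeStatement, with Groups being the one multi-valued field. The following added example, written for this page and not part of Universal Controller, shows what that mapping does in practice: it parses a constructed SAML assertion, collects attributes by Name, and fills the user fields, rejecting a single-valued field that arrives with several values. The attribute names in ATTRIBUTE_MAPPING and the sample assertion are assumptions for the example, and the code assumes the assertion's signature has already been verified by the SAML framework before any provisioning is attempted.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed mapping from user fields (rows of the table above) to attribute Names
# the Identity Provider emits. The attribute names are constructed for this example.
ATTRIBUTE_MAPPING = {
    "First Name": "givenName",
    "Middle Name": "middleName",
    "Last Name": "sn",
    "Active": "accountEnabled",
    "Groups": "memberOf",
    "Title": "title",
    "Department": "department",
    "Manager": "manager",
}
MULTI_VALUED_FIELDS = {"Groups"}   # Groups is the only multi-valued field in the table

# Constructed sample assertion (signature omitted; see the assumption in the lead-in).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="accountEnabled"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Operators</saml:AttributeValue>
      <saml:AttributeValue>Developers</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="title"><saml:AttributeValue>Scheduler Admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict:
    """Collect every AttributeValue under the AttributeStatement, keyed by attribute Name."""
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        raise ValueError("root element is not a SAML 2.0 Assertion")
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        if not name:
            continue
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def map_user_fields(attrs: dict, mapping: dict = ATTRIBUTE_MAPPING) -> dict:
    """Fill each configured user field from the attribute carrying the mapped Name."""
    user = {}
    for field, attr_name in mapping.items():
        values = attrs.get(attr_name, [])
        if field in MULTI_VALUED_FIELDS:
            user[field] = sorted(set(values))          # multi-valued: keep every value, deduplicated
        elif len(values) > 1:
            raise ValueError(f"{field}: attribute {attr_name} is single-valued but carried {len(values)} values")
        elif field == "Active":
            user[field] = values[0].lower() == "true" if values else None
        else:
            user[field] = values[0] if values else None  # absent attribute leaves the field unset
    return user


def provision_user(assertion_xml: str) -> dict:
    """Parse an (already verified) assertion and return the mapped user record."""
    return map_user_fields(extract_attributes(assertion_xml))


if __name__ == "__main__":
    for field, value in provision_user(SAMPLE_ASSERTION).items():
        print(f"{field}: {value!r}")
```

Fields whose mapped attribute is absent from the assertion stay unset rather than being defaulted, so a missing Active attribute does not silently enable or disable an account; an attribute configured for a single-valued field that arrives with several values is treated as a mapping error instead of picking one value arbitrarily.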
...