Generic SAML 2.0 integration
If your identity provider is not listed as one of the pre-configured ones in iconik then you can add a generic SAML 2.0 provider. This should work with any SAML 2.0 compatible Identity Provider which supports the required feature set.
Requirements
- The Identity Provider has to support SAML 2.0. We do not currently support other authentication protocols such as OAuth or OpenID Connect.
- The Identity Provider has to sign both the response and the list of assertions.
- iconik does not currently sign the request so the Identity Provider must not require this.
Configuration
When configuring a Generic IdP you can either upload the Metadata XML for the Identity Provider and have iconik automatically populate the form or enter the required values manually.
- Name - This is only used for display purposes in the Admin View of iconik.
- EntityID - The SAML EntityID of the Identity Provider. Each IdP has a uniqe EntityID which usually has the form of a url.
- Single Sign-On URL - This is the URL where the IdP listens to incoming requests. iconik uses the HTTP-POST method when issuing sign-on requests so make sure to use the correct URL for you IdP
- Single Logout URL - This is an optional URL where the IdP listens to Single Logout requests. When a user who has logged in via SAML selects logout in the iconik GUI their iconik session is terminated and they are redirected to this Logout URL at which point the IdP may log them out from their iconik session or it may log the user out from all services, depending on the IdP configuration. The Logout URL has to support the HTTP-Redirect method.
- Certificate - This is a base64 representation of the public half of the signing certificate used by the IdP to sign responses. iconik uses this certificate to validate that requests originate from the IdP and will disallow authentication attempts with invalid signatures.
Attributes
iconik can consume attributes sent by the Identity Provider. The only
required attribute is NameID
which has to be in the
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
format and
has to contain the email address of the user as this is the username
format iconik uses.
In addition to NameID
iconik can also consume the following attributes:
- first_name - The user's first name. If this is not set the first name will be set to the username part of the email address from NameID
- last_name - The user's last name. Optional.
- groups - A list of group names which the user is a member of. If any of these groups exist in iconik the user will be added to those groups. The user will be removed from any group the user has been added to via SAML which no longer is in this list.