Configuring remote applications
This document provides step-by-step instructions for connecting applications (Service Providers, SPs) to Secfense IdP using the SAML protocol. The SAML integration gives control over identity verification to Secfense IdP and ensures secure Single Sign-On (SSO) functionality, allowing users to authenticate via the IdP and access various SPs without re-entering credentials.
Service Provider (SP) part
The Service Provider section defines the settings of the application that will consume Secfense IdP responses.
Automatic configuration
If the remote application provides a metadata file, use it to configure the SP part automatically. Give the application a name, upload the metadata file, and save the configuration.
Manual configuration
Input the following required information from the SP:
- Entity ID: A unique identifier for the SP (found in the SP's SAML configuration).
- Assertion Consumer Service: The SP's endpoint (or endpoints) where the IdP will send SAML assertions (usually provided by the SP).
- Sign Assertions: By default the entire SAML Response is signed by the IdP. When this option is enabled, each assertion will be signed individually.
- Require signed Authn Request: When this option is enabled, it ensures that the authentication request comes from a legitimate SP, preventing unauthorized requests from being processed.
- Single Logout Services: The endpoint on the IdP where SPs will send a logout request if the user logs out from the SP side.
- Relay State: An optional parameter used to maintain the state or context of the user session across the Service Provider (SP) and Identity Provider (IdP). It allows the SP to pass additional information to the IdP (such as the URL the user was trying to access) and receive it back once authentication is complete. This is particularly useful for redirecting users back to a specific resource or page after successful authentication.
- Name ID attribute: Used to uniquely identify the user between the Identity Provider (IdP) and the Service Provider (SP). The NameID typically represents a unique identifier such as an email address, username, or unique user ID, and it is included in the assertion sent from the IdP to the SP after authentication.
- SAML Attributes: Additional pieces of user information that are passed from the Identity Provider (IdP) to the Service Provider (SP) within the SAML assertion. These attributes provide details about the authenticated user.
Identity Provider (IdP) part
The Identity Provider section contains all the information the SP needs to start talking to Secfense IdP.
Automatic configuration
If the remote application supports IdP metadata import, download the IdP metadata and upload it on the SP side.
Manual configuration
Configure the SP with the following IdP information:
- Entity ID: A unique identifier for the IdP, used by the SP to recognize and trust the IdP.
- SSO Post: The IdP endpoint for receiving authentication requests via HTTP POST and sending SAML responses back to the SP.
- SSO Redirect: The endpoint for receiving authentication requests via HTTP Redirect, typically used for URL-encoded requests.
- SLO Post: The endpoint for handling logout requests via HTTP POST, ensuring the user logs out from all connected SPs.
- SLO Redirect: The endpoint for handling logout requests via HTTP Redirect, enabling logout through a browser redirect.
- IdP Certificate: The public certificate used by the IdP to sign SAML messages, ensuring message integrity and trust.
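The fields listed in both the Service Provider and the Identity Provider sections above are exactly what a SAML 2.0 metadata document carries, which is why the automatic configuration paths work. The following added example (written for this page, not Secfense code, and not a description of how the product parses metadata) pulls those fields out of an SP metadata file and an IdP metadata file using only the Python standard library, and adds one check an IdP operator wants before trusting an SP's metadata: that every Assertion Consumer Service and logout endpoint is served over HTTPS. The two metadata documents are constructed samples with placeholder hostnames and a placeholder certificate value.

```python
"""Extract SP and IdP SAML settings from metadata. Added example, not Secfense code.
Both metadata documents below are constructed samples (placeholder hosts and cert).
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def _endpoints(role, tag):
    """[(binding, location), ...] for every <tag> element under a role descriptor."""
    return [(e.get("Binding"), e.get("Location")) for e in role.findall(tag, NS)]


def _signing_certs(role):
    """Base64 X.509 certificates from KeyDescriptors usable for signing."""
    certs = []
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # use="encryption" keys cannot verify signatures
        for c in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join(c.text.split()))
    return certs


def parse_metadata(xml_text):
    """Map an SP or IdP EntityDescriptor onto the fields named in the two sections.
    For metadata from an untrusted source, parse with defusedxml instead of ET."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    info = {"entity_id": root.get("entityID")}
    sp = root.find("md:SPSSODescriptor", NS)
    idp = root.find("md:IDPSSODescriptor", NS)
    if sp is not None:
        info["role"] = "SP"
        # These flags correspond to "Require signed Authn Request" and "Sign Assertions".
        info["authn_requests_signed"] = sp.get("AuthnRequestsSigned") in ("true", "1")
        info["want_assertions_signed"] = sp.get("WantAssertionsSigned") in ("true", "1")
        info["acs"] = _endpoints(sp, "md:AssertionConsumerService")
        info["slo"] = _endpoints(sp, "md:SingleLogoutService")
        info["nameid_formats"] = [e.text.strip() for e in sp.findall("md:NameIDFormat", NS)]
    elif idp is not None:
        info["role"] = "IdP"
        info["sso"] = _endpoints(idp, "md:SingleSignOnService")  # SSO Post / SSO Redirect
        info["slo"] = _endpoints(idp, "md:SingleLogoutService")  # SLO Post / SLO Redirect
        info["signing_certs"] = _signing_certs(idp)               # IdP Certificate
    else:
        raise ValueError("no SP or IdP role descriptor in metadata")
    return info


def non_https_endpoints(info):
    """Endpoints an IdP should refuse: assertions or logout messages over plain HTTP."""
    return [loc for key in ("acs", "slo", "sso")
            for _b, loc in info.get(key, []) if not loc.lower().startswith("https://")]


SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.example.test/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://app.example.test/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.test/saml/acs" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://legacy.example.test/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/slo/post"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/slo/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for doc in (SP_METADATA, IDP_METADATA):
        parsed = parse_metadata(doc)
        print(parsed["role"], parsed["entity_id"], "non-https:", non_https_endpoints(parsed))
```

Running the block prints the role, entity ID and any plain-HTTP endpoints for each sample; the SP sample deliberately includes a second, plain-HTTP Assertion Consumer Service so the check has something to flag. The `AuthnRequestsSigned` and `WantAssertionsSigned` attributes are what an IdP reads to decide the "Require signed Authn Request" and "Sign Assertions" settings, and the `KeyDescriptor` certificate is the value an SP stores as the IdP Certificate.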