SAML Properties
Users of Onegini UMA can authenticate via a SAML Identity Provider instead of basic authentication. The application must be started with the Spring
profile saml to replace basic authentication with SAML. This can be done via the argument -Dspring.profiles.active=saml.
SAML properties
The following properties must be configured:
| Property | Default | Example | Description |
|---|---|---|---|
| saml.sp.spEntityId | com:onegini:idp:ccc | Unique entity Id for this application as SAML SP | |
| saml.sp.spEntityBaseUrl | http://localhost:7522 | Public Base URL for this application as SAML SP | |
| saml.sp.maxAuthenticationAgeInSeconds | 7200 | Maximum time between users authentication and processing of the AuthNResponse message | |
| saml.sp.clockSkewInSeconds | 60 | Maximum allowed time difference between the server of the SAML SP and the SAML IdP |
Strictly one of these properties needs to be set:
| Property | Default | Example | Description |
|---|---|---|---|
| saml.sp.idpMetadata.file | /tmp/metadata.txt | Location on the file system for the metadata of the SAML IdP | |
| saml.sp.idpMetadata.base64 | Base64 encoded text with metadata for the SAML IdP |
Authority mapping
Onegini UMA can restrict access to users based on the values of an attribute in the SAML authentication response. The name of this attribute and the mapping between the values and the functionality in Onegini UMA is configurable.
| Property | Default | Example | Description |
|---|---|---|---|
| saml.sp.authorities.fullAccessGranted | false | true or false | If true, all authenticated users have full access to Onegini UMA. The properties below will be ignored then. |
| saml.sp.authorities.attributeName | urn:oid:1.3.6.1.4.1.5923.1.5.1.1 | SAML attribute that contains roles for authorization. It matches on the Name attribute and ignores NameFormat and Friendly-Name. |
|
| saml.sp.authorities.usersAll[] * | customer_service | Value of the role that gives access to managing users. | |
| saml.sp.authorities.agentsRead[] * | employees_supervisor | Value of the role that gives access to supervise agents. | |
| saml.sp.authorities.statisticsRead[] * | system_admin | Value of the role that gives access to see application statistics. |
* this is a multivalue property. Increase the count between the [] for each individual value.
Example:
saml.sp.fullAccessGranted=false
saml.sp.attributeName=urn:oid:1.3.6.1.4.1.5923.1.5.1.1
saml.sp.authorities.usersAll[0]=CustomerSupport
saml.sp.authorities.usersAll[1]=Supervisor
saml.sp.authorities.usersAll[2]=SysAdmin
saml.sp.authorities.agentsRead[0]=Supervisor
saml.sp.authorities.agentsRead[1]=SysAdmin
saml.sp.authorities.statisticsRead[0]=SysAdmin