SAML Properties
Users of Onegini UMA can authenticate via a SAML Identity Provider instead of basic authentication. The application must be started with the Spring
profile saml to replace basic authentication with SAML. This can be done via the environment variable SPRING_PROFILES_ACTIVE=saml.
SAML properties
The following properties must be configured:
| Property | Default | Example | Description |
|---|---|---|---|
| SAML_SP_ENABLED | false | true | Enables SAML capabilities |
| SAML_SP_SP_ENTITY_ID | com:onegini:idp:uma | Unique entity Id for this application as SAML SP | |
| SAML_SP_SP_ENTITY_BASE_URL | http://localhost:7522 | Public Base URL for this application as SAML SP | |
| SAML_SP_MAX_AUTHENTICATION_AGE_IN_SECONDS | 7200 | Maximum time between user's authentication and processing of the AuthNResponse message | |
| SAML_SP_CLOCK_SKEW_IN_SECONDS | 60 | Maximum allowed time difference between the server of the SAML SP and the SAML IdP |
Strictly one of these properties needs to be set:
| Property | Default | Example | Description |
|---|---|---|---|
| SAML_SP_IDP_METADATA_FILE | /tmp/metadata.txt | Location on the file system for the metadata of the SAML IdP | |
| SAML_SP_IDP_METADATA_BASE64 | Base64 encoded text with metadata for the SAML IdP |
Onegini UMA can auto generate a SAML certificate or use predefined one. The following environment variables are required to configure a certificate.
| Property | Default | Example | Description |
|---|---|---|---|
| SAML_SP_SIGNING_KEY_STORE_PASSWORD | password | Key store password | |
| SAML_SP_SIGNING_PRIVATE_KEY | MIIEpQIBAAKCAQEAuLmNPSanYb0wJl/f+yU... | Private key in Base64 | |
| SAML_SP_SIGNING_CERTIFICATE | MIIDmDCCAoACCQC1yJJAA/4CcDANBgkq... | Certificate in Base64 |
Authority mapping
Onegini UMA can restrict access to users based on the values of an attribute in the SAML authentication response. The name of this attribute and the mapping between the values and the functionality in Onegini UMA is configurable.
| Property | Default | Example | Description |
|---|---|---|---|
| SAML_SP_FULL_ACCESS_GRANTED | false | true or false | If true, all authenticated users have full access to Onegini UMA. The properties below will be ignored then. |
| SAML_SP_ATTRIBUTE_NAME | urn:oid:1.3.6.1.4.1.5923.1.5.1.1 | SAML attribute that contains roles for authorization. It matches on the Name attribute and ignores NameFormat and Friendly-Name. |
|
| SAML_SP_AUTHORITIES_USERS_ALL * | customer_service | Value of the role that gives access to managing users. | |
| SAML_SP_AUTHORITIES_AGENTS_READ * | employees_supervisor | Value of the role that gives access to supervise agents. | |
| SAML_SP_AUTHORITIES_STATISTICS_READ * | system_admin | Value of the role that gives access to see application statistics. |
* this is a multivalue property. Separate values with a comma.
Example:
SAML_SP_FULL_ACCESS_GRANTED=false
SAML_SP_ATTRIBUTE_NAME=urn:oid:1.3.6.1.4.1.5923.1.5.1.1
SAML_SP_AUTHORITIES_USERS_ALL=CustomerSupport,Supervisor,SysAdmin
SAML_SP_AUTHORITIES_AGENTS_READ=Supervisor,SysAdmin
SAML_SP_AUTHORITIES_STATISTICS_READ=SysAdmin