Configure SAML Authentication for Web Application
Preconditions
Make your web application accessible via nevisProxy as explained in Protecting a Web Application.
Supported IDPs
You can integrate a third-party IDP or set up your own IDP as described in Setup a SAML Identity Provider.
You need the following information about your IDP:
- IDP Issuer
- IDP Signer certificate
- Single-Sign-On URL
Quickstart
Authentication via SAML (Web Browser SSO) requires:
- a SAML Service Provider (SP)
- integration of the SP with an IDP
The basic steps are:
- Assign a SAML SP Realm pattern to your web application.
- Enter a value for the Issuer (the entity ID of your SP). The value is arbitrary, but the IDP must know it: inform the operator of the IDP about the value you have chosen, as the IDP uses it to identify your SP.
- Assign a SAML IDP Connector pattern.
- Configure the SAML IDP Connector pattern:
- Enter the Issuer (entity ID) of the IDP. The correct value is the entityID attribute in the metadata of the IDP, or the saml:Issuer element of a base64-decoded SAML Response received from that IDP. The value must match exactly.
- Enter the Single Sign-On URL of the IDP. For SP-initiated authentication the SP sends an AuthnRequest message to this URL.
- Assign a pattern for SAML Signer Trust Store.
Using automatic key management for the SAML Signer Trust Store is discouraged, as nevisAdmin does not yet offer a user interface for certificate management. Additional trusted certificates, such as the signer certificate of the IDP, have to be uploaded into this trust store via the REST API. See Managing Key Material for Inventory for instructions on how to do this.
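The Quickstart steps above tell you to read the Issuer and Single Sign-On URL out of the IDP metadata or out of a base64-decoded SAML Response. The following Python script is an added example, not code from nevisAdmin or this documentation, that does exactly that: it decodes a SAMLResponse form value, extracts the Response-level saml:Issuer, the Destination and the asserted AuthnContextClassRef values, reads entityID and the SingleSignOnService endpoints from IDP metadata, and checks that the two Issuer values agree byte for byte. The sample Response, the sample metadata and all hostnames are constructed placeholders. The script verifies no signature; trust in the IDP is established by nevisAuth through the SAML Signer Trust Store, and this script only helps you find configuration values.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by Response, Assertion and metadata documents.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed sample: a minimal, unsigned Response as an IDP would POST it in
# the SAMLResponse form field (HTTP-POST binding: plain base64, no DEFLATE).
# Not captured from any real IDP; all hostnames are placeholders.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://sp.example.com/SAML2/ACS">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:nevis:level:1</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

# Constructed sample IDP metadata for the same placeholder IDP.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_saml_response(saml_response_b64):
    """Decode a SAMLResponse form value and return the fields needed to
    configure the SAML IDP Connector. No signature verification is done."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    return {
        # Response-level Issuer: the value for the connector's Issuer property.
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        # Destination must equal the SP's AssertionConsumerService URL.
        "destination": root.get("Destination"),
        "status": status.get("Value") if status is not None else None,
        # Class refs the IDP actually asserted; compare with what was requested.
        "authn_context_class_refs": [
            e.text.strip() for e in root.iterfind(".//saml:AuthnContextClassRef", NS)
        ],
    }


def inspect_idp_metadata(metadata_xml):
    """Read entityID and the SingleSignOnService endpoints (by binding)."""
    root = ET.fromstring(metadata_xml)
    sso = {
        e.get("Binding"): e.get("Location")
        for e in root.iterfind("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    }
    return {"entity_id": root.get("entityID"), "sso_urls": sso}


def issuer_matches(response_info, metadata_info):
    """Entity IDs are compared as exact strings: a trailing slash or a case
    difference is a mismatch and will be rejected as an unknown issuer."""
    return response_info["issuer"] == metadata_info["entity_id"]
```

Feed a real SAMLResponse value into inspect_saml_response only after you have obtained it yourself from the browser; for documents from untrusted sources, parse with defusedxml instead of xml.etree. A Response transported by the HTTP-Redirect binding would additionally be DEFLATE-compressed, which this script does not handle, but Responses are normally posted.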
Session Upgrade
For SP-initiated authentication the SP sends an AuthnRequest to the IDP. The AuthnRequest contains the following element:
<samlp:RequestedAuthnContext>
  <saml:AuthnContextClassRef>urn:nevis:level:1</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
You can assign an Authorization Policy to an application to demand a higher authentication level.
When the session is not yet at this level, the SP sends an additional AuthnRequest to the IDP, with the AuthnContextClassRef raised to the required level.
The RequestedAuthnContext defines the minimum authentication level required for the application.
Customize AuthnContext
The value urn:nevis:level:1 is Nevis-specific and not a standard AuthnContext class. A third-party IDP that does not know this value may not be able to satisfy the request, which leads to issues during integration.
You can remove the RequestedAuthnContext element or replace its value in the SAML IDP Connector pattern by setting Custom Properties. Check the property help for details.
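The session upgrade and the AuthnContext customization above are two sides of the same AuthnRequest. The following Python code is an added example, not code from nevisAuth or this documentation, that shows both: it decides whether the session level satisfies the level demanded by the Authorization Policy and, if not, builds the additional AuthnRequest with the RequestedAuthnContext raised to that level, either with the Nevis-specific class ref, with a replacement class ref for IDPs that do not understand it, or with the element removed. The SP issuer, SSO URL and ACS URL are placeholders; the function names and the integer level model are my own.

```python
import datetime
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NEVIS_LEVEL_PREFIX = "urn:nevis:level:"
# Standard class ref commonly accepted by third-party IDPs (SAML 2.0 authn context spec).
PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def nevis_level(class_ref):
    """Map 'urn:nevis:level:N' to the integer N, or None for any other class ref."""
    if class_ref is not None and class_ref.startswith(NEVIS_LEVEL_PREFIX):
        return int(class_ref[len(NEVIS_LEVEL_PREFIX):])
    return None


def needs_step_up(session_level, required_level):
    """True when the session is below the level the Authorization Policy demands.
    No session at all (None) counts as level 0."""
    return (session_level or 0) < required_level


def build_authn_request(sp_issuer, sso_url, acs_url, authn_context_class_ref,
                        request_id=None, issue_instant=None):
    """Serialize an SP-initiated AuthnRequest. authn_context_class_ref=None
    omits RequestedAuthnContext entirely (the 'remove' option)."""
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": request_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant or now,
        "Destination": sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, "{%s}Issuer" % SAML).text = sp_issuer
    if authn_context_class_ref is not None:
        # No Comparison attribute, matching the element shown in the text. Per
        # SAML 2.0 core the default is "exact", so an IDP that does not know
        # urn:nevis:level:N has no way to satisfy this request as-is.
        rac = ET.SubElement(req, "{%s}RequestedAuthnContext" % SAMLP)
        ET.SubElement(rac, "{%s}AuthnContextClassRef" % SAML).text = authn_context_class_ref
    return ET.tostring(req, encoding="unicode")


def step_up_request(session_level, required_level, sp_issuer, sso_url, acs_url,
                    class_ref_override=None, omit_authn_context=False, **kw):
    """Return the additional AuthnRequest for a session upgrade, or None when
    the session already satisfies the policy. class_ref_override replaces the
    Nevis-specific value; omit_authn_context drops the element (Custom Properties)."""
    if not needs_step_up(session_level, required_level):
        return None
    if omit_authn_context:
        class_ref = None
    elif class_ref_override is not None:
        class_ref = class_ref_override
    else:
        class_ref = NEVIS_LEVEL_PREFIX + str(required_level)
    return build_authn_request(sp_issuer, sso_url, acs_url, class_ref, **kw)


def requested_class_ref(authn_request_xml):
    """Parse an AuthnRequest back and return its AuthnContextClassRef, or None."""
    root = ET.fromstring(authn_request_xml)
    return root.findtext("samlp:RequestedAuthnContext/saml:AuthnContextClassRef",
                         default=None, namespaces={"samlp": SAMLP, "saml": SAML})
```

The generated XML is unsigned; in a deployment the AuthnRequest is signed with the SP signer key and sent to the Single Sign-On URL via the configured binding. When you replace the class ref for a third-party IDP, compare the AuthnContextClassRef the IDP asserts in its Response against the level your policy intended, because the IDP, not the SP, decides what a standard class ref means.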
Integrating multiple IDPs
You can assign multiple SAML IDP Connector patterns to a single SAML SP Realm.
When authentication is requested, the IDP is selected by evaluating a nevisAuth expression for each assigned IDP connector.
The expression is set via the property Selection Expression, which can be found in the Advanced Settings tab of the SAML IDP Connector pattern.
The expression must evaluate to true for exactly one IDP; if it is true for none or for several, no unambiguous IDP can be chosen.
Selection of the IDP by the user is not yet supported.
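The "exactly one IDP" rule is the part that is easy to get wrong when a second connector is added. The following Python code is an added example, not code from nevisAuth or this documentation: it evaluates one selection predicate per connector against a request context and fails when zero or more than one connector matches. The predicates are plain Python callables standing in for nevisAuth Selection Expressions (the expression syntax itself is not reproduced here), and the connector table, the email-domain routing rule and the hostnames are constructed placeholders.

```python
class IdpSelectionError(Exception):
    """Raised when the selection expressions do not single out exactly one IDP."""


# Constructed connector table. Each "select" callable stands in for the
# Selection Expression of one SAML IDP Connector: it receives the request
# context (here a plain dict) and returns a bool.
IDP_CONNECTORS = {
    "corp-idp": {
        "issuer": "https://idp.corp.example/metadata",
        "select": lambda ctx: ctx.get("email", "").lower().endswith("@corp.example"),
    },
    "partner-idp": {
        "issuer": "https://idp.partner.example/metadata",
        "select": lambda ctx: ctx.get("email", "").lower().endswith("@partner.example"),
    },
}


def select_idp(connectors, ctx):
    """Evaluate every connector's expression and succeed only on exactly one match."""
    matches = [name for name, c in connectors.items() if bool(c["select"](ctx))]
    if not matches:
        raise IdpSelectionError("no IDP matched the request context")
    if len(matches) > 1:
        raise IdpSelectionError("ambiguous IDP selection: %s" % ", ".join(matches))
    return matches[0]


def safe_select_idp(connectors, ctx):
    """Variant returning None instead of raising, for logging or pre-checks."""
    try:
        return select_idp(connectors, ctx)
    except IdpSelectionError:
        return None
```

Whatever the request context contains at selection time (an email address typed by the user, a hostname, a cookie) is unauthenticated input. Selection only routes the user to an IDP; the identity is established by the SAML Response the selected IDP returns, whose Issuer and signature nevisAuth checks against that connector's configuration.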