Version: 4.5.x LTS

Set up a SAML Identity Provider

Preconditions

You need a Realm pattern which defines the process for initial authentication.

See Configuring LDAP Login for Web Application for an example configuration.

Realm Patterns

You can use any Realm pattern for nevisAuth. The Authentication Realm is the most high-level and convenient pattern.

You can reuse an existing Realm pattern for your IDP. The SAML IDP pattern just exposes the Realm as an authentication service via nevisProxy.

To use the IDP you have to integrate at least one SP. You need the following information about the SP:

  • Signer certificate
  • SP Issuer
  • Assertion Consumer Service URL (used for IDP-initiated authentication only)

Quickstart

Provide an authentication service:

  1. Expose the Realm by assigning a SAML IDP pattern.

  2. Configure the SAML IDP pattern (see screenshot):

     • Set a Frontend Path or use the default.
     • Enter a value for the SAML Issuer. The SP may need this information to validate SAML responses. Some SPs require the Issuer to be a URL which points to the IDP.
     • Assign the Virtual Host where the Frontend Path shall be made accessible.
     • Define the Default Signer by assigning a key store provider pattern.

  3. Assign a SAML SP Connector pattern to the SAML IDP pattern.

  4. Configure the SAML SP Connector pattern:

     • Enter the SP Issuer.
     • Establish SP Signer Trust by assigning a trust store provider pattern.

Key Management

For test setups and in case the SP is defined in the same nevisAdmin 4 project you can use automatic key management.

  • Assign an Automatic Trust Store pattern to SP Signer Trust
  • Link the Automatic Trust Store with the Automatic Key Store used by the SP via Trusted Key Stores

For production setups use either the nevisKeybox Store or PEM Trust Store / PEM Key Store provider patterns.

IDP-initiated Authentication

The SP URL on the SAML SP Connector pattern is required for IDP-initiated authentication.

IDP-initiated authentication will be supported in a future release.

Integrating multiple SPs

Configure and assign one SAML SP Connector pattern for each SP that you want to integrate.

Implementation Notes

For each SAML SP Connector, a dedicated IdentityProviderState AuthState is added to the esauth4.xml of nevisAuth.

The correct IdentityProviderState is selected based on the Issuer of the incoming AuthnRequest.
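The following added example (not nevisAuth code) illustrates the dispatch described above: the Issuer of an incoming AuthnRequest is extracted and used to pick the SP connector that holds that SP's signer trust and Assertion Consumer Service URL, with requests from unregistered or missing Issuers rejected. Connector names, URLs and the sample request are constructed for illustration.

```python
"""Select the SP connector for an AuthnRequest based on its Issuer (illustrative)."""
from dataclasses import dataclass
from typing import Optional
import xml.etree.ElementTree as ET  # for production parsing prefer defusedxml

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


@dataclass(frozen=True)
class SpConnector:
    issuer: str                # SP Issuer (entityID) entered on the connector
    signer_trust: str          # trust store holding the SP signer certificate
    acs_url: Optional[str]     # SP URL; only needed for IDP-initiated flows


# Hypothetical connectors, one per integrated SP (constructed values).
CONNECTORS = {c.issuer: c for c in (
    SpConnector("https://sp-one.example/saml", "sp-one-trust", "https://sp-one.example/acs"),
    SpConnector("https://sp-two.example/saml", "sp-two-trust", None),
)}


def extract_issuer(authn_request_xml: str) -> str:
    """Return the Issuer of a SAML 2.0 AuthnRequest, or raise if absent."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest carries no Issuer")
    return issuer.text.strip()


def select_connector(authn_request_xml: str) -> SpConnector:
    """Route the request to the connector registered for its Issuer."""
    issuer = extract_issuer(authn_request_xml)
    try:
        return CONNECTORS[issuer]
    except KeyError:
        # Unknown SP: no connector means no trust anchor, so refuse the request.
        raise LookupError(f"no SAML SP Connector for Issuer {issuer!r}") from None


# Constructed sample AuthnRequest (not a captured message).
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp-one.example/saml</saml:Issuer>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    print(select_connector(SAMPLE_REQUEST))
```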