Working with SAML

IBM Aspera Faspex supports Security Assertion Markup Language (SAML) 2.0, an open, XML-based standard that allows secure web domains to exchange user authentication and authorization data. With the SAML model, you can configure the Faspex web application as a SAML "online service provider" (SP) that contacts a separate online "identity provider" (IdP) to authenticate users who will use Faspex to access secure content.

With SAML enabled and configured, a user logging into Faspex is redirected to the IdP sign-on URL. If the user has already signed in with the IdP, the IdP sends a SAML assertion back to Faspex. The user is now logged into Faspex.

When SAML is enabled, Faspex creates a user account based on the information provided by a SAML response, and therefore the Faspex user account does not need to be created manually. However, any changes to the account that are made on the DS server are not picked up by SAML.

These instructions assume you are already familiar with SAML and already have an identity provider (IdP) -- either third-party or internal -- that meets the following requirements:

can be configured to use an HTTP POST binding
can be connected to the same directory service being used by Faspex (however, SAML and DS cannot be used together)
will not be configured to use pseudonyms
can be configured to return assertions to the SP (Faspex) that include the entire contents of the signing certificate

Note: SAML and directory services should not be enabled together. Although there is a directory service behind a SAML IdP, Faspex users will not have access to it. If Faspex is being set up to use SAML, the following is recommended: (1) directory service sync should be disabled; and (2) existing directory service users should first be removed from the Faspex system.

Setting up an Identity Provider

Please refer to Configuring Your Identity Provider (IdP) for information on setting up an identity provider for Faspex.

Enabling SAML Authentication in Faspex

Please refer to Configuring SAML for instructions on how to enable SAML authentication in Faspex.

Setting Up Custom SAML Fields

Please refer to Setting Up Custom SAML Fields for instructions on how to set up custom SAML fields in Faspex.

Creating SAML Groups

Please refer to Creating SAML Groups for instructions on how to set up SAML groups in Faspex.

User Accounts Being Provisioned by SAML Just-In-Time (JIT) Provisioning

Please refer to User Accounts Being Provisioned by SAML Just-In-Time (JIT) Provisioning for information on SAML Just-In-Time (JIT) Provisioning for Faspex.

Note: Faspex provides a mechanism for administrators to bypass the SAML login and log in using a local username and password. This allows administrators to log in and correct server settings, including a misconfigured SAML setup. To bypass the SAML login and sign in with the regular login, add local=true to the end of the login URL. For example:

https://server_ip/login?local=true