Configuring Your Identity Provider (IdP)

IdP Requirements

To use SAML with Faspex, you must already have an identity provider (IdP) that meets the following requirements:

  • Supports SAML 2.0.
  • Can use an HTTP POST binding.
  • Can connect to the same directory service that Faspex uses.
  • Is not configured to use pseudonyms.
  • Can return assertions to Faspex that include the entire contents of the signing certificate.
  • If prompted, is set to sign the SAML response. (Signing the SAML assertion is optional.)

IdP Metadata Formats

You must configure the following formats to set up your IdP to work with Faspex:

Tag             Format
NameID Format   Faspex supports the following formats:
                  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
                  • urn:oasis:names:tc:SAML:1.1:nameid-format:transient
                  • urn:oasis:names:tc:SAML:1.1:nameid-format:persistent
                  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Entity ID       https://faspex_ip/aspera/faspex/auth/saml/metadata/saml_id
Binding         urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Callback URL    https://faspex_ip/aspera/faspex/auth/saml/callback?id=saml_id

If the IdP can read SAML XML metadata for a service provider, you can upload a saved XML metadata file to configure the IdP. You can retrieve the XML metadata for an existing Faspex server by going to https://server_ip/aspera/faspex/auth/saml/metadata/saml_id and saving the output as an XML file.

Note: The saml_id specifies the SAML configuration. For example, in the case of multiple SAML configurations, the first configuration is associated with the SAML ID "1", the next configuration "2", and so on.

SAML Assertion Requirements

Faspex expects the assertion from an IdP to contain the following elements:

Default Attribute        Faspex User Field   Required
NameID / SAML_SUBJECT    Username            Yes, with the format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
email                    Email address       Yes
given_name               First name          Yes
surname                  Last name           Optional
member_of                SAML group          Necessary for SAML groups

Tip: You can configure the Faspex user fields to map to different attributes in the Faspex SAML configuration settings.
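
The following pre-flight check is an added example, not part of Faspex or its documentation. It inspects a decoded SAML response captured from a test login and reports where it departs from the IdP and assertion requirements above. The sample response, the check_response name, and the default attribute names without remapping are assumptions. It checks structure only and does not verify the signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# NameID formats exactly as listed on this page.
NAMEID_FORMATS = {"urn:oasis:names:tc:SAML:1.1:nameid-format:" + s
                  for s in ("unspecified", "transient", "persistent", "emailAddress")}
REQUIRED_ATTRS = ("email", "given_name")  # surname is optional, member_of only for groups

# Constructed sample: decoded response from a hypothetical IdP, signature contents elided.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
 <saml:Assertion>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
   <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text):
    """Return a list of problems; an empty list means the structure matches the page."""
    root = ET.fromstring(xml_text)
    problems = []
    sig = root.find("ds:Signature", NS)  # direct child: the response itself is signed
    if sig is None:
        problems.append("response is not signed")
    elif not sig.findtext(".//ds:X509Certificate", "", NS).strip():
        problems.append("signature does not carry the signing certificate")
    nameid = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if nameid is None or not (nameid.text or "").strip():
        problems.append("NameID missing")
    elif nameid.get("Format") not in NAMEID_FORMATS:
        problems.append("unsupported NameID format: %s" % nameid.get("Format"))
    attrs = {}
    for a in root.iterfind("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = a.findtext("saml:AttributeValue", "", NS).strip()
    problems += ["required attribute missing or empty: " + n
                 for n in REQUIRED_ATTRS if not attrs.get(n)]
    return problems

if __name__ == "__main__":
    for problem in check_response(SAMPLE):
        print("FAIL:", problem)
```

If the attribute mapping has been changed in the Faspex SAML configuration settings, adjust REQUIRED_ATTRS to the mapped names before running the check.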