IBM Aspera Shares on Demand supports Security Assertion Markup Language (SAML) 2.0,
an XML-based standard that allows secure web domains to exchange user authentication and
authorization data. With the SAML model, you can configure Shares as a SAML online
service provider (SP) that contacts a separate online identity provider
(IdP) to authenticate users. Authenticated users can then use Shares to access
secure content.
With SAML enabled, Shares redirects a user who opens the login page to the IdP sign-on URL. The user
signs in at the IdP, and the IdP posts a SAML response containing an assertion back to Shares; Shares
validates the response and grants the user access. When a SAML user logs in to Shares for the first
time, Shares automatically creates a new user account from the information in the SAML response. Changes
made later to that account in the directory service behind the IdP are not automatically picked up by Shares.
For more information about user provisioning for SAML users, see User Accounts Provisioned by Just-In-Time (JIT) Provisioning.
IdP Requirements
To use SAML with Shares, you must already have an identity provider (IdP) that meets the
following requirements:
- Supports SAML 2.0.
- Able to use the HTTP POST binding to return responses to Shares.
- Able to connect to the same directory service that Shares uses.
- Not configured to use pseudonyms (the NameID must identify the actual user).
- Can return responses to Shares whose signature includes the entire signing
certificate (the full X.509 certificate, not only a key identifier or fingerprint).
- Configured to sign the SAML response. (Signing the SAML assertion as well is
optional.)
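The following script is an added example, not IBM Aspera Shares code, that pre-checks a SAML response captured from the IdP against the structural requirements listed above: the response arrives through the HTTP POST binding as a base64-encoded SAMLResponse form field, the Response element itself carries a signature, that signature embeds the whole signing certificate, and the subject NameID is not a pseudonym. It does not verify the XML signature cryptographically (a signature-aware library such as python3-saml does that); it only catches the configuration mistakes the requirements describe. Treating the SAML "transient" and "persistent" NameID formats as pseudonyms is an assumption made here, and the sample responses are constructed for the example.

```python
"""Structural pre-flight check of a SAML 2.0 Response against the Shares IdP
requirements. Added example; not IBM Aspera Shares code. The XML signature is
NOT verified cryptographically here."""
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumption: "pseudonyms" means NameIDs that carry only an opaque identifier.
PSEUDONYM_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"


def encode_post_binding(xml_text):
    """Encode Response XML the way the HTTP POST binding carries it (SAMLResponse field)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_post_binding(saml_response_field):
    """Decode the base64 SAMLResponse form field delivered by the HTTP POST binding."""
    try:
        return base64.b64decode(saml_response_field, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("SAMLResponse is not base64-encoded XML: %s" % exc)


def check_saml_response(xml_text):
    """Return a list of problems; an empty list means the response passes."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]

    # The Response element itself must be signed; assertion signing is optional.
    sig = root.find("ds:Signature", NS)
    if sig is None:
        problems.append("Response element is not signed")
    else:
        cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        cert_b64 = "".join((cert.text or "").split()) if cert is not None else ""
        if not cert_b64:
            problems.append("signature does not embed the signing certificate")
        else:
            try:
                base64.b64decode(cert_b64, validate=True)
            except binascii.Error:
                problems.append("embedded certificate is not valid base64")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("Response carries no plaintext saml:Assertion")
        return problems
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("Assertion has no Subject NameID")
    elif name_id.get("Format", "") in PSEUDONYM_FORMATS:
        problems.append("NameID uses a pseudonymous format: %s" % name_id.get("Format"))
    return problems


def build_sample_response(signed=True, with_cert=True, name_id_format=EMAIL_FORMAT):
    """Constructed sample Response; signature value and certificate are dummies."""
    fake_cert = base64.b64encode(b"constructed-certificate-bytes").decode("ascii")
    key_info = (
        "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo>" % fake_cert
    ) if with_cert else ""
    signature = (
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        "<ds:SignatureValue>ZHVtbXk=</ds:SignatureValue>%s</ds:Signature>" % key_info
    ) if signed else ""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        '%s<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
        '<saml:NameID Format="%s">alice@example.com</saml:NameID>'
        "</saml:Subject></saml:Assertion></samlp:Response>" % (signature, name_id_format)
    )


if __name__ == "__main__":
    field = encode_post_binding(build_sample_response())
    print("good response:", check_saml_response(decode_post_binding(field)))
    print("unsigned:", check_saml_response(build_sample_response(signed=False)))
    print("no cert:", check_saml_response(build_sample_response(with_cert=False)))
```

To check a real IdP, capture the SAMLResponse form field from the browser's POST to Shares and pass it through decode_post_binding before check_saml_response; a non-empty problem list points at the IdP setting to fix before enabling SAML in Shares.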
Configure the SAML IdP
Before configuring SAML in Shares, make sure you
configure your IdP to send a correct SAML response to Shares. For more information, see
Configure Your Identity Provider (IdP).
SAML and Directory Services
SAML and directory services should not be
enabled together. Although a directory service sits behind the SAML IdP, Shares does not query it
directly: user information reaches Shares only through the SAML response. When configuring SAML with
Shares, the following is recommended:
- Disable directory service sync.
- Remove existing directory service users from the system.
Bypassing the Default SAML IdP
Shares provides a mechanism for users to
bypass the SAML redirect and log in using a local Shares username and password. This allows
admins to correct server settings, including a misconfigured SAML setup, without logging in
through SAML. To bypass the SAML login, add
login?local=true to the end of the Shares
URL. For example:
https://198.51.100.48/login?local=true
Because this local login path stays reachable while SAML is enabled, local accounts remain a second
way into Shares and should be limited to the administrators who need them and protected with strong passwords.