IdP Requirements
To use SAML with Shares, you must already have an identity
provider (IdP) that meets the following requirements:
- Supports SAML 2.0.
- Able to use an HTTP POST Binding.
- Able to connect to the same directory service that Shares uses.
- Not configured to use pseudonyms.
- Can return assertions to Shares that include the entire contents of the signing certificate.
- If prompted, set to sign the SAML response. (Signing the SAML assertion is optional.)
IdP Metadata Formats
You must configure the following formats to set up your IdP to work with Shares:

| Tag | Format |
|---|---|
| NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
| Entity ID | https://shares_ip/auth/saml/metadata/ |
| Binding | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST |
| Callback URL | https://shares_ip/auth/saml/callback |

| Tag | Format |
|---|---|
| Entity ID | https://server_name_or_ip/aspera/console/auth/saml/metadata |
| ACS | https://server_name_or_ip/aspera/console/auth/saml/callback |
| Base URL | https://server_name_or_ip/aspera/console |
If the IdP is capable of reading SAML XML metadata for a service provider, you can upload a saved XML metadata file to configure the IdP. You can retrieve the XML metadata for an existing Shares instance by going to https://server_ip/auth/saml/metadata and saving the page as an XML file.
SAML Assertion Requirements
Shares expects the assertion from an IdP to contain the following elements:

| Default Attribute | Shares User Field | Required |
|---|---|---|
| NameID / SAML_SUBJECT / id | Username | Yes, with the format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
| email | Email address | Yes |
| given_name | First name | YesOptional |
| surname | Last name | Optional |
| member_of | SAML group | Necessary for SAML groups |
Tip: All attributes other than NameID, SAML_SUBJECT, or id can also use the urn:oasis:names:tc:SAML:2.0:attrname-format:basic format.
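As an added example, not part of the Shares documentation, the Python script below checks a captured SAML response against the requirements listed on this page before you troubleshoot a failing login: the Response element is signed and carries the full signing certificate, the NameID uses the 1.1 unspecified format, the email attribute is present, and member_of is flagged when absent. The embedded response, its certificate and its signature value are constructed placeholders; the script checks structure only and does not verify the signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Constructed sample response: certificate and signature values are placeholders, so only
# structure is checked here; the signature itself is not cryptographically verified.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://shares_ip/auth/saml/callback">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>MIIC...PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Assertion>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="given_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="member_of"><saml:AttributeValue>shares-users</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text):
    """Return (errors, warnings) for a SAML response checked against the Shares requirements."""
    root = ET.fromstring(xml_text)
    errors, warnings = [], []
    # The Response element itself must be signed; signing the Assertion is optional.
    sig = root.find("ds:Signature", NS)
    if sig is None:
        errors.append("Response is not signed")
    # Shares needs the entire signing certificate inside the response.
    elif not sig.findtext(".//ds:X509Certificate", default="", namespaces=NS).strip():
        errors.append("signing certificate missing from Signature/KeyInfo")
    # NameID maps to Username and must use the SAML 1.1 'unspecified' format.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        errors.append("NameID missing (mapped to Username)")
    elif name_id.get("Format") != NAMEID_UNSPECIFIED:
        errors.append("NameID Format must be " + NAMEID_UNSPECIFIED)
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    if not any(attrs.get("email", [])):
        errors.append("email attribute missing (mapped to Email address)")
    # given_name and surname are listed as optional; member_of is only needed for SAML groups.
    if not any(attrs.get("member_of", [])):
        warnings.append("member_of absent, so no SAML group will be mapped")
    return errors, warnings
```

To check a real response, decode the Base64 SAMLResponse form field from the browser's POST to the callback URL and pass the XML text to check_response.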