SAML and APOD / SOD

IBM Aspera Application Platform / Server On Demand (APOD / SOD) supports Security Assertion Markup Language (SAML) 2.0, an XML-based standard that allows secure web domains to exchange user authentication and authorization data. With the SAML model, you can configure APOD / SOD as a SAML online service provider (SP) that contacts a separate online identity provider (IdP) to authenticate users. Authenticated users can then use APOD / SOD to access secure content.

With SAML enabled, APOD / SOD redirects a user to the IdP sign-on URL. The user signs in with the IdP and the IdP sends a SAML assertion back to APOD / SOD, which grants the user access to APOD / SOD. When a SAML user logs in to APOD / SOD for the first time, APOD / SOD automatically creates a new user account from the information in the SAML response. Changes made later to that user in the directory service (DS) behind the IdP are not automatically picked up by APOD / SOD. For more information about user provisioning for SAML users, see User Accounts Provisioned by Just-In-Time (JIT) Provisioning.

IdP Requirements

To use SAML with APOD / SOD, you must already have an identity provider (IdP) that meets the following requirements:

  • Supports SAML 2.0
  • Able to use an HTTP POST Binding.
  • Able to connect to the same directory service that APOD / SOD uses.
  • Not configured to use pseudonyms.
  • Can return assertions to APOD / SOD that include the entire contents of the signing certificate.
  • If prompted, set to sign the SAML response. (Signing the SAML assertion is optional.)
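The following is an added example, not IBM Aspera code, showing the checks a service provider should run on an IdP response before trusting it. It decodes the base64 SAMLResponse form field that the HTTP POST binding delivers and verifies the points from the list above: the Response is signed, the signature carries the full signing certificate, the subject is not a transient pseudonym, and the assertion is unexpired and addressed to this SP. Cryptographic verification of the XML signature itself is deliberately left out (it needs a library such as signxml or python3-saml); the sample response, the entity IDs and the placeholder signature and certificate values are constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
CERT_PATH = "ds:KeyInfo/ds:X509Data/ds:X509Certificate"

# Hypothetical SP entity ID and a fixed "now" so the example is deterministic.
SP_ENTITY_ID = "https://aspera.example.com/saml/metadata"
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def _saml_time(value):
    # SAML timestamps are UTC ISO 8601 with a trailing Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(b64_response, expected_audience, now=None):
    """Return a list of problems; an empty list means the pre-checks passed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["top-level element is not samlp:Response"]

    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no saml:Assertion in response")
        return problems

    # The IdP must sign the Response; signing the Assertion is optional.
    resp_sig = root.find("ds:Signature", NS)
    if resp_sig is None:
        problems.append("Response element is not signed")
    # Any signature present must embed the whole signing certificate.
    for sig in (resp_sig, assertion.find("ds:Signature", NS)):
        if sig is not None and sig.find(CERT_PATH, NS) is None:
            problems.append("Signature lacks an embedded X509Certificate")

    # A transient NameID is a per-session pseudonym; JIT provisioning needs a stable identifier.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("assertion has no NameID")
    elif name_id.get("Format") == TRANSIENT:
        problems.append("NameID is a transient pseudonym")

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions")
        return problems
    if cond.get("NotBefore") and now < _saml_time(cond.get("NotBefore")):
        problems.append("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= _saml_time(cond.get("NotOnOrAfter")):
        problems.append("assertion has expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("assertion is not addressed to this SP (%s)" % expected_audience)
    return problems


def build_response(signed=True, with_cert=True,
                   name_format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified",
                   expires="2024-05-01T12:05:00Z"):
    """Constructed sample response; signature and certificate values are placeholders."""
    cert = "<ds:X509Data><ds:X509Certificate>MIIB...placeholder</ds:X509Certificate></ds:X509Data>" if with_cert else ""
    sig = ("<ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue>"
           f"<ds:KeyInfo>{cert}</ds:KeyInfo></ds:Signature>") if signed else ""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'xmlns:ds="{NS["ds"]}" ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">'
           "<saml:Issuer>https://idp.example.com/metadata</saml:Issuer>" + sig +
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">'
           "<saml:Issuer>https://idp.example.com/metadata</saml:Issuer>"
           f'<saml:Subject><saml:NameID Format="{name_format}">jdoe@example.com</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="{expires}">'
           f"<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>"
           "</saml:Conditions></saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print(check_saml_response(build_response(), SP_ENTITY_ID, NOW))
    print(check_saml_response(build_response(signed=False, with_cert=False), SP_ENTITY_ID, NOW))
```

Run against a real IdP by replacing build_response() with the SAMLResponse value from the POST body; a non-empty list points at which of the requirements above the IdP configuration is missing, which is usually quicker to read than a generic SAML login failure.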

Configure the SAML IdP

Before configuring SAML in APOD / SOD, make sure you configure your IdP to send a correct SAML response to APOD / SOD. For more information, see Configuring Your Identity Provider (IdP).

For instructions on configuring SAML in APOD / SOD, see Configuring SAML.

Note: APOD / SOD users with SAML accounts are affected by APOD / SOD session timeouts configured on the User Security page (Admin > Security > User Security). After session timeout, SAML users are redirected to the local login page. To log in again, click Log in using SAML Identity Provider.

SAML and Directory Services

APOD / SOD supports the use of both SAML and directory services. If you configure both for APOD / SOD, ensure they use different Active Directory domains. Aspera advises against configuring LDAP directly in APOD / SOD when the SAML IdP already acts as a frontend for the same Active Directory domain.

Bypassing the Default SAML IdP

APOD / SOD provides a mechanism for users to bypass the SAML redirect and log in with a local username and password. This allows admins to correct server settings, including a misconfigured SAML setup, without logging in through SAML. Because this path never touches the IdP, local accounts (the admin account in particular) remain a valid way in regardless of IdP policy, so keep their passwords strong and limit who holds them.

To bypass the SAML login, append ?local=true to the login URL. For example:

https://198.51.100.48/login?local=true