Configuring SAML

Aspera®Shares™ supports Security Assertion Markup Language (SAML) 2.0, an open, XML-based standard that enables secure web domains to exchange user authentication and authorization data. With SAML, you can configure the Aspera Shares web application as a SAML online service provider (OSP) that contacts a separate online identity provider (IdP) to authenticate users who will use Aspera Shares to access secure content.

With SAML enabled and configured, a user logging into Aspera Shares is redirected to the IdP's sign-on URL. If the user has already signed in with the IdP, the IdP sends a SAML assertion back to Aspera Shares, and the user is then logged into Aspera Shares.

Note: If SAML is enabled, accessing links in emails that were sent from Shares 1.5 or earlier sends users to the SAML login page instead of the local user login page.
Note: When SAML is enabled, Aspera Shares creates a user account based on the information provided in the SAML response, so you do not need to create the Aspera Shares user account manually. However, SAML does not register any changes to the account made on the DS server.

These instructions assume that you have an IdP that meets the following requirements:

Note: Do not enable SAML and DS together. Although a DS exists behind a SAML IdP, Aspera Shares users do have access to it. If Aspera Shares is being set up to use SAML, Aspera recommends the following:
  • Disable DS sync.
  • Remove existing DS users from the Aspera Shares system.
Note: If you log in as a SAML user, you are automatically added as a Shares user.
  1. In Aspera Shares™, navigate to Admin > Directories.
  2. For the SAML IdP entry, click Edit.
    The Detail tab appears with the following form:

    [Figure: SAML IdP Detail tab form]

  3. Select the check box Log in using a SAML Identity Provider.
  4. In the text box IdP Single Sign-On URL, type the SAML entry-point address provided by the IdP.
  5. In the following fields, enter either the IdP Certificate Fingerprint or the IdP Certificate.
  6. Click Save to keep your changes, or click Cancel to cancel your changes.

    A Shares administrator can bypass the SAML login and sign in with the regular login form by adding the local=true parameter to the login URL, for example:

    https://10.0.176.30/login?local=true
  7. Set up an identity provider and provide the following information:
    Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    Entity ID:      https://www.our-shares-server.com/aspera/shares/auth/saml/metadata
    Binding:        urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    Callback URL:   https://www.our-shares-server.com/aspera/shares/auth/saml/callback

    You can retrieve this data directly from the service provider metadata URL (auth/saml/metadata) if the IdP is capable of reading SAML XML metadata for a service provider.

    Aspera Shares expects assertion messages from an IdP to contain the following elements:

    Element       Format
    SAML_SUBJECT  urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    email         urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    given_name    urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    id            urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    surname       urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    Note: Aspera Shares users with SAML accounts may appear to be unaffected by session timeouts. Because a session cookie is still active on the IdP server, such users are logged in again automatically without seeing the login page.
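    As an added example (not part of the Aspera documentation or the Shares product), the following Python script checks a captured SAML Response against the service-provider values and required assertion elements listed above: Destination must be the Callback URL, the Audience must be the Entity ID, the NameID must use the unspecified format, and the email, given_name, id and surname attributes must be present and non-empty. It assumes the attribute names are carried in the Name attribute of each saml:Attribute element and deliberately does not verify the XML signature, which the SP's SAML library does against the IdP certificate; the sample response is constructed.

```python
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Service-provider values from the configuration table above.
ENTITY_ID = "https://www.our-shares-server.com/aspera/shares/auth/saml/metadata"
CALLBACK_URL = "https://www.our-shares-server.com/aspera/shares/auth/saml/callback"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
REQUIRED_ATTRS = ("email", "given_name", "id", "surname")

def check_response(xml_text):
    """Return the list of mismatches between a SAML Response and what Shares expects
    (empty list = looks usable). Signature checking is left to the SP's SAML library."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != CALLBACK_URL:
        problems.append("Destination is not the Shares callback URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing SAML_SUBJECT (NameID)")
    elif name_id.get("Format") != NAMEID_FORMAT:
        problems.append("NameID Format is not the unspecified format")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if ENTITY_ID not in audiences:
        problems.append("Audience does not include the Shares entity ID")
    # Assumption: attribute names are carried in the Name attribute of saml:Attribute.
    values = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
              for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if not any(v.strip() for v in values.get(name, [])):
            problems.append("missing attribute " + name)
    return problems

# Constructed sample response (unsigned, illustration only) matching the table above.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://www.our-shares-server.com/aspera/shares/auth/saml/callback">
  <saml:Assertion><saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject><saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://www.our-shares-server.com/aspera/shares/auth/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="given_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="id"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
```

Running check_response(SAMPLE_RESPONSE) returns an empty list; feed it a response captured from your own IdP (for example from the browser's developer tools, base64-decoded) to see which expected element is missing when Shares fails to create the user.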