Configuring Your Identity Provider (IdP)

IdP Requirements

The following instructions for configuring SAML for IBM Aspera Shares assume that you have an IdP that supports the SAML 2.0 HTTP-POST binding and that can be configured with the service provider (SP) settings below.

Configure your IdP with the following values for Shares (replace www.our-shares-server.com with the host name of your Shares server):

Setting          Value
Name ID Format   urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Entity ID        https://www.our-shares-server.com/aspera/shares/auth/saml/metadata
Binding          urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Callback URL     https://www.our-shares-server.com/aspera/shares/auth/saml/callback

If your IdP can import SAML XML metadata for a service provider, you can retrieve these values directly from the Shares metadata endpoint, https://www.our-shares-server.com/aspera/shares/auth/saml/metadata (the Entity ID above). Importing the metadata avoids transcription errors in the Entity ID and callback URL, which must match exactly for the IdP to deliver assertions to Shares.

Assertion Message Elements

Shares expects the assertion in each SAML response from the IdP to contain the following elements. SAML_SUBJECT is the NameID in the assertion's Subject; the remaining four are SAML attributes that must be present and non-empty with exactly these names:

Element       Required?   Format
SAML_SUBJECT  yes         urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
email         yes         urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
given_name    yes         urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
id            yes         urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
surname       yes         urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

Note: Shares users with SAML accounts can appear to be unaffected by the Shares session timeout. When the Shares session expires, the user is sent back to the IdP; if the user's session cookie on the IdP is still valid, the IdP re-authenticates the user automatically and no login page is shown. A Shares session timeout therefore does not by itself force the user to re-enter credentials. If re-authentication is required, the IdP session lifetime must be shortened, or the user must also sign out of the IdP.
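The following script is an added example, not IBM's or Shares' own code. It shows how to check an assertion captured from your IdP (for example from the HTTP-POST to the callback URL, base64-decoded) against both tables above: the Name ID format, the four required attributes, and, as standard SAML checks that go slightly beyond the page, that the response's Destination is the Shares callback URL and the assertion's Audience is the Shares Entity ID. The SAML response embedded in the script is a constructed sample; the IdP issuer URL in it is a placeholder. The script does not verify the XML signature.

```python
"""Check a SAML 2.0 response for the elements IBM Aspera Shares expects.

Added example (not IBM's code). The sample response below is constructed
for this script; replace it with a base64-decoded SAMLResponse captured
from your IdP. Signature verification is out of scope here.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Service provider values from the Shares configuration table.
ENTITY_ID = "https://www.our-shares-server.com/aspera/shares/auth/saml/metadata"
CALLBACK_URL = "https://www.our-shares-server.com/aspera/shares/auth/saml/callback"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
REQUIRED_ATTRIBUTES = ("email", "given_name", "id", "surname")


def check_response(xml_text):
    """Return a list of problems found; an empty list means the response passes."""
    problems = []
    root = ET.fromstring(xml_text)

    # Destination must be the Shares callback URL (standard SAML check).
    if root.get("Destination") != CALLBACK_URL:
        problems.append(f"Destination is {root.get('Destination')!r}, expected the callback URL")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element in the response"]

    # SAML_SUBJECT: the NameID with the unspecified format.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("no NameID (SAML_SUBJECT) in the assertion")
    elif name_id.get("Format") != NAMEID_FORMAT:
        problems.append(f"NameID Format is {name_id.get('Format')!r}, expected {NAMEID_FORMAT!r}")

    # Audience must be the Shares Entity ID (standard SAML check).
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != ENTITY_ID:
        problems.append("Audience does not match the Shares Entity ID")

    # Collect attributes by name, keeping only non-empty values.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    for name in REQUIRED_ATTRIBUTES:
        if not attrs.get(name):
            problems.append(f"required attribute {name!r} is missing or empty")
    return problems


# Constructed sample of a conforming response (placeholder IdP issuer URL).
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://www.our-shares-server.com/aspera/shares/auth/saml/callback">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://www.our-shares-server.com/aspera/shares/auth/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="given_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="id"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same response with two common IdP misconfigurations: an emailAddress
# NameID format and the surname released under the LDAP name "sn".
BAD_RESPONSE = (GOOD_RESPONSE
                .replace("nameid-format:unspecified", "nameid-format:emailAddress")
                .replace('Name="surname"', 'Name="sn"'))

if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_response(xml_text) or "OK")
```

Run the script against a decoded response from your own IdP; every reported problem corresponds to one row of the tables above or to a Destination/Audience mismatch with the configured Entity ID and callback URL.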