Configuring Your Identity Provider (IdP)
IdP Requirements
To use SAML with Shares, you must already have an identity provider (IdP) that meets the following requirements:
- Supports SAML 2.0
- Able to use an HTTP POST Binding.
- Able to connect to the same directory service that Shares uses.
- Not configured to use pseudonyms.
- Can return assertions to Shares that include the entire contents of the signing certificate.
- If prompted, set to sign the SAML response. (Signing the SAML assertion is optional.)
IdP Metadata Formats
You must configure the following formats to set up your IdP to work with Shares:
| Tag | Format |
|---|---|
| NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
| Entity ID | https://shares_ip/auth/saml/provider_id/metadata/ |
| Binding | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST |
| Callback URL | https://shares_ip/auth/saml/callback |
If the IdP can read SAML XML metadata for a service provider, you can upload a saved XML metadata file to configure the IdP. You can retrieve the XML metadata for an existing Shares installation by going to the SAML configurations in the application (System Administration > Authentication > SAML Configurations), selecting a configuration, clicking the Metadata button (https://server_ip/auth/saml/metadata), and saving the XML as an XML file.
SAML Assertion Requirements
Shares expects assertions from an IdP to contain the following elements:
| Default Attribute | Shares User Field | Required |
|---|---|---|
| id | N/A | Yes |
| NameID / SAML_SUBJECT | Username | Yes, with the format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
| | Email address | Yes |
| given_name | First name | Yes |
| surname | Last name | Optional |
| member_of | SAML group | Necessary for SAML groups |
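The following script is an added example (not part of Shares or its documentation) that checks a SAML Response against the requirements listed above: the Response is signed with the full signing certificate embedded, the NameID uses the unspecified format, and the required attributes from the table are present. The sample response is constructed for illustration; the page does not name the e-mail attribute, so that attribute is not checked.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Attribute names from the assertion table; the page does not name the e-mail attribute, so it is not checked.
REQUIRED_ATTRS = ("id", "given_name")

# Constructed sample response for illustration (not captured from a real IdP).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://shares_ip/auth/saml/callback">
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...placeholder</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Assertion>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="id"><saml:AttributeValue>1001</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="given_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="member_of"><saml:AttributeValue>shares-admins</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text):
    """Return the list of documented requirements the response fails (empty = all met).
    This checks structure only; the XML signature must still be cryptographically verified."""
    root = ET.fromstring(xml_text)
    problems = []
    # Shares needs the Response itself signed, with the full signing certificate embedded.
    sig = root.find("ds:Signature", NS)
    if sig is None:
        problems.append("Response is not signed")
    elif sig.find(".//ds:X509Certificate", NS) is None:
        problems.append("Signature does not embed the X509Certificate")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("missing NameID")
    elif name_id.get("Format") != NAMEID_FORMAT:
        problems.append(f"NameID Format is {name_id.get('Format')!r}, expected unspecified")
    present = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if name not in present:
            problems.append(f"missing attribute {name}")
    return problems
```

Run `check_response()` on a Response captured from your IdP's test login before enabling SAML in Shares; an empty list means the structural requirements on this page are met, while any entry names the IdP setting to revisit.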