Configuring Your Identity Provider (IdP)

IdP Requirements

The following instructions to configure SAML for IBM Aspera Shares assume that you have an IdP that meets the following requirements:

Configure your Identity Provider with the following values so that it works with Shares:

Name ID Format   urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Entity ID        https://shares.example.com/auth/saml/metadata
Binding          urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Callback URL     https://shares.example.com/auth/saml/callback

If your IdP can import SAML service-provider metadata, you can retrieve these values directly from https://shares.example.com/auth/saml/metadata (the Entity ID URL above) instead of entering them by hand.

Assertion Message Elements

Shares expects assertion messages from an IdP to contain the following elements:

Element        Required?                  Format
SAML_SUBJECT   Yes                        urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
email          Yes                        urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
given_name     Yes                        urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
id             Yes                        urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
surname        Yes                        urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
NameID         Yes                        urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
member_of      Necessary for SAML groups  urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

Note: Shares users with SAML accounts are affected by the Shares session timeouts configured on the User Security page (Admin > Security > User Security). After a session timeout, SAML users are redirected to the local login page. To log in again, click Log in using SAML Identity Provider.
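As an added example (not IBM's or Shares' own code), the following Python check takes a test assertion exported from your IdP and reports which of the elements in the table above are missing or carry the wrong NameID format, so you can fix the IdP attribute mapping before switching sign-on over. It assumes that SAML_SUBJECT and NameID both refer to Subject/NameID, and it is a conformance check only: it does not verify the assertion's XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}          # SAML 2.0 assertion namespace
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"  # format Shares expects
REQUIRED_ATTRS = ("email", "given_name", "id", "surname")      # always required by Shares
GROUP_ATTR = "member_of"                                       # required only for SAML groups

def check_shares_assertion(xml_text, require_groups=False):
    """Return the list of conformance problems (empty when every element Shares expects is present).
    Assumes SAML_SUBJECT and NameID both refer to Subject/NameID. Presence check only: no signature verification."""
    root = ET.fromstring(xml_text)
    assertion = (root if root.tag == "{%s}Assertion" % NS["saml"]
                 else root.find(".//saml:Assertion", NS))   # assertion may be wrapped in a Response
    if assertion is None:
        return ["no saml:Assertion element found"]
    problems = []
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing or empty Subject/NameID")
    elif name_id.get("Format", NAMEID_UNSPECIFIED) != NAMEID_UNSPECIFIED:  # absent Format means unspecified
        problems.append("NameID Format is %s, expected %s" % (name_id.get("Format"), NAMEID_UNSPECIFIED))
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                                   if v.text and v.text.strip()]
    wanted = REQUIRED_ATTRS + ((GROUP_ATTR,) if require_groups else ())
    for name in wanted:
        if not attrs.get(name):   # absent, or present with no non-empty value
            problems.append("missing or empty attribute %s" % name)
    return problems

# Constructed sample (unsigned, illustration only); idp.example.com is a placeholder.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="given_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="id"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_shares_assertion(SAMPLE_ASSERTION))                       # []
    print(check_shares_assertion(SAMPLE_ASSERTION, require_groups=True))  # ['missing or empty attribute member_of']
```

Run it against a real assertion captured from your IdP's test login (for example, the decoded SAMLResponse from a browser developer-tools capture) rather than the constructed sample, and pass require_groups=True if you intend to use SAML groups.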