IdP Requirements
To use SAML with Shares, you must already have an identity provider (IdP) that meets the following requirements:
- Supports SAML 2.0
- Able to use an HTTP POST Binding.
- Able to connect to the same directory service that Shares uses.
- Not configured to use pseudonyms.
- Can return assertions to Shares that include the entire contents of the signing certificate.
- If prompted, set to sign the SAML response. (Signing the SAML assertion is optional.)
IdP Metadata Formats
You must configure the following formats to set up your IdP to work with Shares:
| Tag | Format |
| --- | --- |
| NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
| Entity ID | https://shares_ip/auth/saml/metadata/ |
| Binding | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST |
| Callback URL | https://shares_ip/auth/saml/callback |
If the IdP is capable of reading SAML XML metadata for a service provider, you can upload a saved XML metadata file to configure the IdP. You can retrieve the XML metadata for an existing Shares by going to https://shares_ip/auth/saml/metadata/ and saving the XML file.
SAML Assertion Requirements
Shares expects the assertion from an IdP to contain the following elements:
| Default Attribute | Shares User Field | Required |
| --- | --- | --- |
| NameID | Username | Yes |
| email | Email address | Yes |
| given_name | First name | Yes |
| surname | Last name | Optional |
| member_of | SAML group | Necessary for SAML groups |
The NameID attribute requires the urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified format. All other attributes can also use the urn:oasis:names:tc:SAML:2.0:attrname-format:basic format.
Note: Some IdPs may refer to the NameID attribute as SAML_SUBJECT.
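The following script is an added example, not part of the Shares documentation or product, that checks a decoded SAML response against the requirements above before you point a new IdP at Shares: the response element is signed, its Destination is the Shares callback URL, the NameID carries the unspecified format, and every required attribute is present and non-empty. The sample response is constructed for illustration; it does not validate the signature itself, which the service provider does at login.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
CALLBACK_URL = "https://shares_ip/auth/saml/callback"
# Attribute name -> required, as listed in the assertion requirements table above
REQUIRED = {"email": True, "given_name": True, "surname": False, "member_of": False}

def check_response(xml_text):
    """Return a list of problems; an empty list means the response meets the requirements."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.find("ds:Signature", NS) is None:  # the Response itself must be signed
        problems.append("Response is not signed")
    if root.get("Destination") != CALLBACK_URL:
        problems.append("Destination does not match the Shares callback URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    elif name_id.get("Format") != NAMEID_FORMAT:
        problems.append("NameID Format is %r, expected %r" % (name_id.get("Format"), NAMEID_FORMAT))
    found = {}  # attribute name -> list of non-empty values
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        found[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
    for name, required in REQUIRED.items():
        if required and not found.get(name):
            problems.append("required attribute %r missing or empty" % name)
    return problems

# Constructed sample response, not a capture from any real IdP
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://shares_ip/auth/saml/callback">
  <ds:Signature><ds:SignedInfo/></ds:Signature>
  <saml:Assertion><saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject><saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="given_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="member_of"><saml:AttributeValue>shares-users</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE) or "response meets the Shares requirements")
```

The sample omits the optional surname attribute, so it passes; an IdP that mislabels email, uses a different NameID format, or leaves the response unsigned is reported with a specific reason.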
Note: Shares users with SAML accounts are affected by Shares session timeouts configured on the User Security page (Admin > Security > User Security). After session timeout, SAML users are redirected to the local login page. To log in again, click Log in using SAML Identity Provider.