Configuring Your Identity Provider (IdP)

IdP Requirements

The following instructions to configure SAML for IBM Aspera Faspex assume that you have an IdP that meets the following requirements:

Supports SAML 2.0
Able to use an HTTP POST binding.
Able to connect to the same directory service being used by Faspex.
Not configured to use pseudonyms.
Can return assertions to Faspex that include the entire contents of the signing certificate.
If prompted, set to sign the SAML response. (Signing the SAML assertion is optional.)

You must set the following information to set up your Identity Provider to work with Faspex:

Name ID Format	urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Entity ID	https://faspex.example.com/aspera/faspex/auth/saml/metadata
Binding	urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Callback URL	https://faspex.example.com/aspera/faspex/auth/saml/callback

You can retrieve this data directly from auth/saml/metadata if the IdP is capable of reading SAML XML metadata for a service provider.

Assertion Message Elements

Faspex expects assertion messages from an IdP to contain the following elements:

Element	Required?	Format
SAML_SUBJECT	Yes	`urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`
email	Yes	`urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`
given_name	Yes	`urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`
id	Yes	`urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`
surname	Yes	`urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`
NameID	Yes	`urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`
member_of	Necessary for SAML groups	`urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`

Note: Faspex users with SAML accounts may appear to be unaffected by session timeouts. Because a session cookie is still active on the IdP server, users are logged in again automatically without the login page.