Configuring Your Identity Provider (IdP)

IdP Requirements

The following instructions to configure SAML for IBM Aspera Faspex on Demand assume that you have an IdP that meets the following requirements:

Supports SAML 2.0
Able to use an HTTP POST binding.
Able to connect to the same directory service being used by Faspex on Demand.
Not configured to use pseudonyms.
Can return assertions to Faspex on Demand that include the entire contents of the signing certificate.
If prompted, set to sign the SAML response. (Signing the SAML assertion is optional.)

You must set the following information to set up your Identity Provider to work with Faspex on Demand:

Name ID Format	`urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`
Entity ID	`https://www.our-faspex-server.com/aspera/faspex/auth/saml/metadata`
Binding	`urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST`
Callback URL	`https://www.our-faspex-server.com/aspera/faspex/auth/saml/callback`

You can retrieve this data directly from auth/saml/metadata if the IdP is capable of reading SAML XML metadata for a service provider.

Assertion Message Elements

Faspex on Demand expects assertion messages from an IdP to contain the following elements:

Element	Required?	Format
SAML_SUBJECT	yes	`urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`
email	yes	`urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`
given_name	yes	`urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`
id	yes	`urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`
surname	yes	`urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`

Note: Faspex on Demand users with SAML accounts may appear to be unaffected by session timeouts. Because a session cookie is still active on the IdP server, users are logged in again automatically without the login page.