Configuring Your Identity Provider (IdP)

IdP Requirements

To use SAML with Orchestrator, you must already have an identity provider (IdP) that meets the following requirements:

Supports SAML 2.0
Able to use an HTTP POST Binding.
Able to connect to the same directory service that Orchestrator uses.
Not configured to use pseudonyms.
Can return assertions to Orchestrator that include the entire contents of the signing certificate.
If prompted, set to sign the SAML response. (Signing the SAML assertion is optional.)

IdP Metadata Formats

You must configure formats to set up your IdP to work with Orchestrator:

If the IdP is capable of reading SAML XML metadata for a service provider, you can upload a saved XML metadata file to configure the IdP. You can retrieve the XML metadata for an existing Orchestrator by going to and saving the XML as an XML file.

SAML Assertion Requirements

Orchestrator: expects assertion from an IdP to contain the following elements:

Default Attribute	Orchestrator User Field	Required
`NameID` / `SAML_SUBJECT`	Username	Yes, with the format: `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`
`email`	Email address	Yes
`given_name`	First name
`surname`	Last name	Optional
`member_of`	SAML group	Necessary for SAML groups