Connect to your identity provider using SAML 2.0

SAML 2.0 is a widely used industry standard protocol for federated authentication. See the Security Assertion Markup Language (SAML) V2.0 Technical Overview for a more in-depth overview.

In this scenario the CHG IdentityProvider acts as the Service Provider (SP) and your identity provider acts as the Identity Provider (IdP).

Configuration

Required from the CHG IdentityProvider

  • Single sign on URL (or Application callback URL)
    The location to which the SAML assertion is sent via the HTTP POST or REDIRECT binding. This is often referred to as the SAML Assertion Consumer Service (ACS) URL.

Required to create a federation

  • Domain name
    The domain part of the users' email addresses, used to associate user names with your federation.
  • SAML meta data
    • Issuer Id
    • IdP EntityId
    • Login URL and binding
      URL used for the login and its binding (POST or REDIRECT).
    • Certificate
      Base64-encoded X.509 certificate of the identity provider.
    • SP EntityId
      A unique identifier that defines the intended audience of the SAML assertion. It can be provided separately or via the metadata XML.

Additional attributes

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier required
    Contains the unique identifier of the user at the federated login provider. It is used to link the CHG-MERIDIAN-specific identity to the identity at the external IdentityProvider.
    Accepted alternatives:
    • sub
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress required
    Contains the email address of the user.
    Accepted alternatives:
    • urn:oid:0.9.2342.19200300.100.1.3
    • email
    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier (only if it contains a valid email address)
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Contains the user's preferred username. If none is provided, the user's email address is used as fallback.
    Accepted alternatives:
    • preferred_username
    • name
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    Contains the user's given name.
    Accepted alternatives:
    • given_name
    • FirstName
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    Contains the user's family name.
    Accepted alternatives:
    • family_name
    • LastName
  • nickname
    Can be used as fallback for the name that is displayed for the user. It is used only if the name claim is empty and neither a given name nor a family name can be found.
  • generic other attributes
    If the external identity provider sends attributes other than the ones listed above, the CHG IdentityProvider forwards them to authenticated client applications but does not store them. Keep such attributes to a minimum: large attribute sets can exceed limits of the protocols involved (for example HTTP header sizes), and every forwarded attribute distributes the user's information to further systems unnecessarily.
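The claim names, accepted alternatives and fallback rules above amount to a small resolution algorithm. The following Python is an added example that encodes them as a reference; it is not code from the CHG IdentityProvider. It assumes a SAML library has already verified the assertion signature and delivered the attributes as a mapping from attribute name to a list of string values; the email syntax check is a deliberate simplification, and the final fallback of the display name to the username is an assumption the page does not state. The sample attribute sets are constructed.

```python
"""Resolve a user profile from the attributes of a verified SAML assertion.

Added example encoding the claim table above (not the product's own code).
Input: {attribute_name: [value, ...]} as returned by a typical SAML parser.
"""
import re

CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
NAMEID = CLAIMS + "nameidentifier"
EMAIL = CLAIMS + "emailaddress"
NAME = CLAIMS + "name"
GIVEN = CLAIMS + "givenname"
SURNAME = CLAIMS + "surname"

# Accepted attribute names per field, in order of preference (from the table above).
ALTERNATIVES = {
    "subject": [NAMEID, "sub"],
    "email": [EMAIL, "urn:oid:0.9.2342.19200300.100.1.3", "email"],
    "username": [NAME, "preferred_username", "name"],
    "given_name": [GIVEN, "given_name", "FirstName"],
    "family_name": [SURNAME, "family_name", "LastName"],
    "nickname": ["nickname"],
}

# Simplified syntax check (assumption): one "@", non-empty local part and dotted domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _first(attrs, names):
    """Return the first non-blank value found under the accepted names, else None."""
    for name in names:
        for value in attrs.get(name, []):
            if value and value.strip():
                return value.strip()
    return None


def resolve_profile(attrs):
    """Map SAML attributes to profile fields, applying the documented fallbacks.

    Raises ValueError when a required claim cannot be resolved.
    """
    raw = {field: _first(attrs, names) for field, names in ALTERNATIVES.items()}

    # nameidentifier is required; "sub" is its only accepted alternative.
    subject = raw["subject"]
    if subject is None:
        raise ValueError("missing required claim: nameidentifier")

    # emailaddress is required; nameidentifier counts only if it is a valid email.
    email = raw["email"]
    if email is None and EMAIL_RE.match(subject):
        email = subject
    if email is None or not EMAIL_RE.match(email):
        raise ValueError("missing required claim: emailaddress")

    # The name claim falls back to the email address.
    username = raw["username"] or email

    # Display name: name claim, else given/family name, else nickname.
    if raw["username"]:
        display_name = raw["username"]
    elif raw["given_name"] or raw["family_name"]:
        display_name = " ".join(p for p in (raw["given_name"], raw["family_name"]) if p)
    else:
        display_name = raw["nickname"] or username  # last resort is an assumption

    # Anything outside the table is forwarded to client applications, not stored.
    known = {n for names in ALTERNATIVES.values() for n in names}
    forwarded = {k: v for k, v in attrs.items() if k not in known}

    return {
        "subject": subject,
        "email": email,
        "username": username,
        "display_name": display_name,
        "given_name": raw["given_name"],
        "family_name": raw["family_name"],
        "forwarded_not_stored": forwarded,
    }


def rejection_reason(attrs):
    """Return the error message if attrs cannot be resolved, otherwise None."""
    try:
        resolve_profile(attrs)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample: alternatives only, plus one attribute outside the table.
SAMPLE_ATTRIBUTES = {
    "sub": ["4f2c1a"],
    "email": ["jane.doe@example.com"],
    "given_name": ["Jane"],
    "LastName": ["Doe"],
    "department": ["Finance"],
}

if __name__ == "__main__":
    print(resolve_profile(SAMPLE_ATTRIBUTES))
    print(rejection_reason({NAMEID: ["4f2c1a"]}))
```

Running the block on the constructed sample yields `display_name` "Jane Doe" assembled from the given and family name, `username` falling back to the email address, and `department` listed under `forwarded_not_stored`; an assertion carrying only a non-email nameidentifier is rejected for the missing email claim.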