Home / Configuring SSO Connections / saml/ / Current: Registering SAML Apps
...
Style | ||
---|---|---|
| ||
EmpowerID supports SAML-based identity transactions, allowing you to federate EmpowerID with any third-party
...
service providers that use SAML to exchange identity data
...
. EmpowerID provides templates for a number of popular service providers, to include ADP, Box, Google, Salesforce and more. Each template is pre-configured with the information required by that specific service provider. In situations where a template does not exist for a service provider, the Default template provides a starting point. This topic demonstrates using this template.
To register a SAML application in EmpowerID
...
icon | false |
---|---|
title | Related Content |
...
- In the Navigation Sidebar, expand Applications and click Manage Applications.
From the Actions pane of the Application Management page, click the Create Application action.
This opens the Application Details form for the new application. This form contains various tabs and fields for registering the SAML application.Info In the following image, the Navigation Sidebar has been collapsed to conserve screen real estate.
- From the General tab of the Application Details form, do the following:
- Enter a name Name, display name Display Name and description Description for the application in the Name, Display Name and Description fields, respectively. The Name must be the one word.
- Allow Access Requests - — Specify whether to allow access requests. When this option is selected, the application appears in the IT Shop, allowing users to request or claim an account in the application.
- Allow Request Account - — Specify whether to allow users to request an account in the application. When this option is selected and Allow Access Requests is selected, users can request an account in the application.
- Allow Claim Account - — Specify whether to give users the ability to claim an account they have in the application. When this option is selected, users can claim their accounts and gain instant access after passing the requisite identity proofs.
- Login Is Email Address - — Specify whether the login for the application is an email address. This setting is necessary for passing the appropriate identity assertion to the application when logging in from EmpowerID.
- Make me the Application Owner - — Specify whether you are the owner of the application. Application owners have the ability to manage the application and approve or deny access requests.
- Configure Advanced Claim and Request Account Options - — Select this option and then provide the appropriate advanced configuration information if you have custom pages and workflows configured in EmpowerID for processing access requests as well as for managing any accounts linked to the application's (internal to EmpowerID) account directory.
- Click Leave the rest of the fields in the General tab as is and click the Single Sign-On tab and from .
- From the Single Sign-On Connection Type drop-down, select SAML.
- Select the Create a New SAML Connection checkbox.
- In the SAML Connection Information section that appears, do the following:
Select the template for your application from the SAML Application Template drop-down.
For example, if your SAML application configures your corporate Salesforce account for SSO with EmpowerID, select Salesforce SSO Connection Settings. This populates the SAML Connection Information section with the base information necessary for federating Salesforce.Info If you are configuring an application for SSO with EmpowerID and the application does not appear in the SAML Application Template drop-down, select Default SSO Connection Settings.
- Type a display name for the SAML Connection in the Display Name field.
- Select the appropriate certificate to sign the SAML assertions sent to the application from the Certificate drop-down.
- Edit the Assertion Consumer URL field as needed. This value is supplied by the service provider.
Default SSO Connection Settings template. This template provides a generic starting point for configuring SAML SSO connections for service providers.
Info You should see the Display Name field update to the name you gave the application earlier.
- Enter a Description in the Description field.
- Select the appropriate SAML Submission Method from the SAML Submission Method drop-down. In this example, HTTPPost is the selected method.
- Select the appropriate SAML Name Identifier Format from the SAML Name Identifier Format drop-down. In this example, Unspecified is the selected format.
- Enter the Assertion Consumer URL in the Assertion Consumer URL field. This value is supplied by the service provider. In this example, the value is https://sso.empoweriam.com/ABeansSaml/saml.acs.aspx.
- Edit the Initiating URL field, replacing <ServiceProviderName> with the name you gave to the application in the General section of the form.
- In the Single Logout Configuration section of the form, enter the Logout URL and Logout SAML Protocol provided by the service provider. If Single Logout is not supported by the service provider then leave these fields empty.
- In the Certificates section, select Enable Response Signature and then select the appropriate Signing Certificate.
On the Users tab, either create a new account directory for the application, or select an existing account directory from which to add accounts for the application. In this example, a new account directory is created.
Info If you create a new account directory, EmpowerID creates a special type of account store internal to EmpowerID, known as a "tracking-only" account store.
A tracking-only account store is a container within EmpowerID that stores user and group records for SSO or attestation without making a connection to the external directory of the application. This is helpful because it creates a one-to-one correlation between the account store and the application, and the SSO connection for the application. This example creates a new account directory.
- Optionally, add a group to the application by doing the following:
- Click the Groups tab and then click the Add Button (+) in the Groups grid. In the Group Information dialog that appears, search for the group you want to add to the application and then click the tile for that group.
- Click Add and repeat step b for any other groups. Optionally, define click the Extension tab and add extension attributes as needed.
Optionally, click the IP Ranges tab and define ranges of IP addresses that are allowed to access the application as needed. This lets you secure access to the application based on the location of the user.
For example, you can choose to deny access to users logging in from home, but allow them access from the internal network. Expand the drop-down box to see how.Rw ui expands macro Rw ui expand macro title To add IP address ranges - In the Assigned IP Ranges grid, click the IP Address Ranges tab and then click the Add Button (+).
In the Basic Information dialog that appears, if necessary, select Create a New IP Address Range and fill in the information for it. Otherwise, in the Select Existing IP Address Range field, enter the name of an existing IP Address Range and click the tile for that range.
See the discussion on IP Address Ranges in the Overview of Application Settings
topic for more details on adding IP Address Ranges to an application. - Click Add and repeat step b for any other IP Address Ranges.
- Click the Add to Cart button.
- Click the My Cart link located at the top of the page and in the Cart dialogue that appears type a reason for creating the application and then click Submit.
To claim an SSO application account
...