Registering SAML Apps
EmpowerID supports SAML-based identity transactions, allowing you to federate EmpowerID with any third-party service providers that use SAML to exchange identity data. EmpowerID provides templates for a number of popular service providers, to include ADP, Box, Google, Salesforce and more. Each template is pre-configured with the information required by that specific service provider. In situations where a template does not exist for a service provider, the Default template provides a starting point. This topic demonstrates using this template.
To register a SAML application in EmpowerID
- In the Navigation Sidebar, expand Applications and click Manage Applications.
From the Actions pane of the Application Management page, click the Create Application action.
This opens the Application Details form for the new application. This form contains various tabs and fields for registering the SAML application.- From the General tab of the Application Details form, do the following:
- Enter a Name, Display Name and Description for the application in the Name, Display Name and Description fields, respectively. The Name must be the one word.
- Allow Access Requests — Specify whether to allow access requests. When this option is selected, the application appears in the IT Shop, allowing users to request or claim an account in the application.
- Allow Request Account — Specify whether to allow users to request an account in the application. When this option is selected and Allow Access Requests is selected, users can request an account in the application.
- Allow Claim Account — Specify whether to give users the ability to claim an account they have in the application. When this option is selected, users can claim their accounts and gain instant access after passing the requisite identity proofs.
- Login Is Email Address — Specify whether the login for the application is an email address. This setting is necessary for passing the appropriate identity assertion to the application when logging in from EmpowerID.
- Make me the Application Owner — Specify whether you are the owner of the application. Application owners have the ability to manage the application and approve or deny access requests.
- Configure Advanced Claim and Request Account Options — Select this option and then provide the appropriate advanced configuration information if you have custom pages and workflows configured in EmpowerID for processing access requests as well as for managing any accounts linked to the application's (internal to EmpowerID) account directory.
- Leave the rest of the fields in the General tab as is and click the Single Sign-On tab.
- From the Single Sign-On Connection Type drop-down, select SAML.
- Select the Create a New SAML Connection checkbox.
- In the SAML Connection Information section that appears, do the following:
Select the Default SSO Connection Settings template. This template provides a generic starting point for configuring SAML SSO connections for service providers.
You should see the Display Name field update to the name you gave the application earlier.
- Enter a Description in the Description field.
- Select the appropriate SAML Submission Method from the SAML Submission Method drop-down. In this example, HTTPPost is the selected method.
- Select the appropriate SAML Name Identifier Format from the SAML Name Identifier Format drop-down. In this example, Unspecified is the selected format.
- Enter the Assertion Consumer URL in the Assertion Consumer URL field. This value is supplied by the service provider. In this example, the value is https://sso.empoweriam.com/ABeansSaml/saml.acs.aspx.
- Edit the Initiating URL field, replacing <ServiceProviderName> with the name you gave to the application in the General section of the form.
- In the Single Logout Configuration section of the form, enter the Logout URL and Logout SAML Protocol provided by the service provider. If Single Logout is not supported by the service provider then leave these fields empty.
- In the Certificates section, select Enable Response Signature and then select the appropriate Signing Certificate.
On the Users tab, either create a new account directory for the application, or select an existing account directory from which to add accounts for the application. In this example, a new account directory is created.
If you create a new account directory, EmpowerID creates a special type of account store internal to EmpowerID, known as a "tracking-only" account store.
A tracking-only account store is a container within EmpowerID that stores user and group records for SSO or attestation without making a connection to the external directory of the application. This is helpful because it creates a one-to-one correlation between the account store and the application, and the SSO connection for the application. This example creates a new account directory.
- Optionally, click the Extension tab and add extension attributes as needed.
Optionally, click the IP Ranges tab and define ranges of IP addresses that are allowed to access the application as needed. This lets you secure access to the application based on the location of the user.
For example, you can choose to deny access to users logging in from home, but allow them access from the internal network. Expand the drop-down box to see how.- Click the Add to Cart button.
- Click the My Cart link located at the top of the page and in the Cart dialogue that appears type a reason for creating the application and then click Submit.