Configuring SAML Protocol
IPI Enterprise Server – SAML Protocol
IPI Enterprise Server supports the SAML 2.0 (Security Assertion Markup Language) standard for user authentication. IPI acts as an Identity Provider (IdP) and enables SSO for any web application acting as a Service Provider (SP) that supports SAML 2.0.
To set up IPI Server as an IdP, follow the steps in the sections below.
When a user logs into an application through SAML, IPI Server (as the IdP) transmits a SAML assertion to the user's browser, which forwards it to the web application (as the SP). IPI Server then authenticates the user.
Because IPI Server supports FIDO2 passwordless authentication, Service Providers (web applications) automatically gain the ability to authenticate users with hardware security keys, Passkeys, and the IPI Authenticator App, without users having to create or enter passwords.
Supported sign-in options:
Username + password (not recommended)
Username + password + second factor (security key: hardware or platform, OTP, mobile authenticator)
Passwordless, Usernameless (without typing login and password)
Configuring IPI Server as an Identity Provider (IdP)
IPI Server (IdP) and Service Providers (SP, i.e., web applications) must exchange public key certificates or metadata.
Go to Parameters → Settings → SAML.
Here you can obtain the data that you need to provide to your Service Provider:
Download metadata
View metadata
Download certificate
Adding SP (Service Provider)
Click Add Service Provider
In the tab that opens, fill in the corresponding fields:
Issuer – the unique SP name (entity ID), which you copy from the SP settings or extract from the metadata file.
Assertion Consumer Service – the login address on the side of the Service Provider. After a successful login through IPI Server, the user is redirected to this address.
Single Logout Service – the address used to log out of the account. When you log out of IPI Server, this URL is opened in turn for every configured web application.
Public x509 Certificate – the public key certificate of the Service Provider.
Some Service Providers provide users with metadata files. In this case, all required fields will be filled in automatically after importing the metadata file.
Otherwise, you can configure settings manually. In this case, the settings depend on the specific Service Provider.
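The following added example (not part of the IPI Server product or its documentation) shows what the metadata import described above does: it pulls the Issuer (entityID), Assertion Consumer Service, Single Logout Service and public X.509 certificate out of an SP metadata document, and refuses metadata whose endpoints are not HTTPS or that carries no certificate. The SP metadata is constructed for illustration; `sp.example.test` and the certificate body are placeholders.

```python
"""Extract SP fields (Issuer, ACS, SLO, X.509 certificate) from SAML 2.0 metadata."""
import xml.etree.ElementTree as ET  # for untrusted metadata, prefer defusedxml (assumption)

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample SP metadata; the host and certificate are placeholders.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIB...placeholder...
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/saml/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Return the fields an IdP needs to register this SP, or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    # Prefer the SP's default ACS endpoint; fall back to the first one listed.
    acs = sp.find("md:AssertionConsumerService[@isDefault='true']", NS)
    if acs is None:
        acs = sp.find("md:AssertionConsumerService", NS)
    if acs is None:
        raise ValueError("metadata has no AssertionConsumerService")
    slo = sp.find("md:SingleLogoutService", NS)
    cert = sp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    fields = {
        "issuer": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
        "slo_url": slo.get("Location") if slo is not None else None,
        "certificate": "".join(cert.text.split()) if cert is not None and cert.text else None,
    }
    # Assertions carry identity; never register an endpoint that would receive them in clear.
    for key in ("acs_url", "slo_url"):
        if fields[key] and not fields[key].startswith("https://"):
            raise ValueError("%s must use https: %s" % (key, fields[key]))
    if fields["certificate"] is None:
        raise ValueError("no X509Certificate in metadata; SP-signed requests cannot be verified")
    return fields
```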
You can import a metadata file from your computer:
Attribute Mapping
When a user authenticates through SAML, IPI Server generates a SAML assertion that contains information about the user (such as their name, email, roles, etc.). Attribute Mapping specifies how these attributes are matched and passed from the IPI Server (IdP) to the SP, and how they are subsequently used by the SP for authorization and access control.
Assertion Attributes
These attributes are provided by the IPI Server (IdP) in a SAML assertion to the Service Provider (SP) during the authentication process. The Service Provider uses these attributes to make authorization decisions and personalize the user's experience within the application.
Attribute names and formats are typically defined and agreed upon by IPI Server (IdP) and the SP during the configuration of the SAML integration. This allows for seamless information exchange between the two entities.
Attribute Mapping and Assertion Attributes can be configured automatically after importing the metadata file.
After filling in and saving all the settings, you can check the integration by logging into the Service Provider. You should be redirected to the IPI Enterprise Server authentication page, where you will need to enter your username (email) and pass the security key verification.
See the following use cases for configuring IPI as an IdP for specific web services:
Here's a list of web applications (SP) where IPI Server can be implemented as an Identity Provider (IdP):
Dropbox Business
While the list provided is not exhaustive, each web service may have its own specific configuration. If you require assistance in integrating your web app with IPI Server using SAML, don't hesitate to contact us. We're here to help.