Configuring SAML Protocol

IPI Enterprise Server – SAML Protocol

IPI Enterprise Server supports the SAML 2.0 (Security Assertion Markup Language) standard for user authentication. IPI acts as an Identity Provider (IdP) and provides SSO to any web application that acts as a Service Provider (SP) and supports SAML 2.0.

To set up IPI Server as an IdP, follow the steps in the sections below.

Thanks to IPI Server's support for FIDO2 passwordless authorization, Service Providers (web applications) gain the ability to authorize users with hardware security keys, Passkeys, and the IPI Authenticator App, eliminating the need to create or enter passwords.

Supported sign-in options:

Configuring IPI Server as an Identity Provider (IdP)

  1. Go to Parameters → Settings → SAML.

  2. Here you can get the data that you have to provide to your Service Provider:

  • Download metadata

  • View metadata

  • Download certificate

Adding SP (Service Provider)

  1. Click Add Service Provider.

  2. In the opened tab, fill in the corresponding fields:

Issuer – the unique SP name; copy it from the SP settings or extract it from the SP metadata file.

Assertion Consumer Service – the login address on the service provider side. After a successful login through IPI Server, the user is redirected to this address.

Single Logout Service – the address used to log out of the account. When you sign out of IPI Server, this URL is called in turn for every connected web application.

Public x509 Certificate – the public key certificate of the service provider.

  3. Attribute Mapping

When a user authenticates through SAML, IPI Server generates a SAML assertion that contains information about the user (such as their name, email, roles, etc.). Attribute Mapping specifies how these attributes are matched and passed from the IPI Server (IdP) to the SP, and how they are subsequently used by the SP for authorization and access control.

  4. Assertion Attributes

These attributes are provided by the IPI Server (IdP) in a SAML assertion to the Service Provider (SP) during the authentication process. The Service Provider uses these attributes to make authorization decisions and personalize the user's experience within the application.

Attribute names and formats are typically defined and agreed upon by IPI Server (IdP) and the SP during the configuration of the SAML integration. This allows for seamless information exchange between the two entities.

After filling in and saving all the settings, you can check the integration by logging into the service provider. You should be redirected to the IPI Enterprise Server (IES) authentication page, where you will need to enter your username (email) and pass the security key verification.

See the following use cases for configuring IPI as an IdP for web services:

Here's a list of web applications (SP) where IPI Server can be implemented as an Identity Provider (IdP):
