Configuring SAML Protocol

IPI Enterprise Server – SAML Protocol

Introduction of SAML protocol for Single Sign On

IPI Enterprise Server supports SAML 2.0 (Security Assertion Markup Language) for secure user authentication, acting as an Identity Provider (IdP) for single sign-on (SSO) across web applications (Service Providers, SP) that support SAML 2.0. By setting up IPI Server as an IdP, organizations can simplify login processes for users across integrated web applications.

Key Features

With IPI Server’s support for FIDO2 passwordless authorization, service providers gain the ability to authenticate users through:

Hardware security keys (e.g., IPI Key, YubiKey, etc.)
Passkeys (e.g., smartphones, laptops)
IPI Authenticator App

Username + password (not recommended)
Username + password + second factor (security key: hardware or platform, OTP, mobile authenticator)
Passwordless
- Username + Security key (hardware or platform)
Passwordless, User nameless (without typing login and password)
- Security key (hardware or platform)
- Mobile authenticator

Steps to Configure IPI Server as an Identity Provider (IdP)

1. Set Up IPI Server as an IdP

1. Access SAML Configuration:

In the IPI Server dashboard, navigate to Parameters → Settings → SAML.

2. Download or Create .pfx Certificate

The .pfx certificate contains both the public certificate and private key. You can:
- Download an existing certificate: Select the certificate, enter the password, and download.

Create a new self-signed certificate: Click Create and Download, enter the password, and download.

A certificate with the .pfxextension is a file that contains both the public certificate and its private key, as well as the complete certificate chain up to the root Certificate Authority (CA). The file is usually password-protected and used for authentication, encryption, and establishing secure connections

3. Download or View IdP Components

Identity Provider Public Certificate (.cer): Contains only the public key and is used for server authentication and data encryption.
Identity Provider Metadata: Provides essential IdP details required for interaction with SPs.

Identity Provider public certificate is a certificate with the .cer (or .crt) extension is a file that contains only the public key and certificate information but does not include the private key. Its primary purpose is to authenticate the server or user and to encrypt data.

.cer files are used to secure connections, such as HTTPS for websites, client and server authentication in networks, and in various corporate applications.

Identity Provider (IdP) metadata is a file or set of data that provides essential information about your IdP to enable proper interaction with Service Providers (SP) in a SAML (Security Assertion Markup Language) context.

Some Service Providers provide users with metadata files. In this case, all required fields will be filled in automatically after importing the metadata file.

Otherwise, you can configure settings manually. In this case, the settings depend on the specific Service Provider.

2. Add Service Provider (SP)

1. Configure Settings on the Service Provider Side (SP)

Here’s an example for Google Workspace:
- Go to admin.google.com.
- Navigate to Menu → Security → Authentication → SSO with third-party IdP.
- Under Third-party SSO profiles, click Add SAML profile.
- Enter a profile name (e.g., "IPI Server (IdP)").
- Paste values from IPI Server:
  - Issuer / IdP Entity ID (e.g., https:// <your ipi server name>) (1)
  - Login URL (e.g., https:// <your ipi server name>/saml/login) (2)
  - Logout URL (e.g., https:// <your ipi server name>/saml/logout) (3)
  - Upload the Identity Provider public certificate (.cer) file (4).

2. Add Service Provider in IPI Server (IdP)

In IPI Server, click Add Service Provider and enter the SP values:
- Name (e.g., ⁣Google Workspace-SAML)
- Issuer / SP Entity ID (e.g., https://accounts.google.com/samlrp/unique-id) (1)
- ACS URL (e.g., ⁣https://accounts.google.com/samlrp/unique-id/acs) (2)
- Click Add

3. Advanced Service Provider Settings

Single Logout Service: SP endpoint for terminating sessions during logout. Obtain this URL from the SP settings.
Name ID Format: Set based on SP requirements (Email, x509, etc.).
Enable Request Signature Validation: Adds security by validating incoming SAML requests.
Assertion Attributes: Configure attribute mappings to transfer necessary user details to the SP.

Some use cases for how to configure IPI as IdP on web services:

List of web applications (SP) where IPI Server can be implemented as an Identity Provider (IdP):

While the list provided is not exhaustive, each web service may have its own specific configuration. If you require assistance in integrating your web app with IPI Server using SAML, don't hesitate to contact us. We're here to help.

PreviousUser settings NextConfiguration OIDC (OpenID Connect)

Last updated 1 month ago

hashtagIntroduction of SAML protocol for Single Sign On

hashtagKey Features

hashtagSupported Sign-in Options

hashtagSteps to Configure IPI Server as an Identity Provider (IdP)

hashtag1. Set Up IPI Server as an IdP

hashtag1. Access SAML Configuration:

hashtag2. Download or Create .pfx Certificate

hashtag3. Download or View IdP Components

hashtag2. Add Service Provider (SP)

hashtag1. Configure Settings on the Service Provider Side (SP)

hashtag2. Add Service Provider in IPI Server (IdP)

hashtag3. Advanced Service Provider Settings

hashtagSome use cases for how to configure IPI as IdP on web services:

hashtagList of web applications (SP) where IPI Server can be implemented as an Identity Provider (IdP):