SAML 2.0 SP Configuration

SAML 2.0 Service Provider Configuration Overview

Encompass can be configured to use SAML 2.0 for user authentication. Encompass uses the Shibboleth plugin for Apache.

The SP (Service Provider) side is generally configured and installed during a typical installation. This application note does not describe the installation of the SP itself; rather, it gives an overview of what is required to authorize the Encompass SP.

Basic Setup:

  Apache 2.x + shibboleth packages

  Tomcat 7 + Encompass Application WAR

  Java 7 JVM

General Flow:

Apache is configured as the HTTPS endpoint, and the Shibboleth module handles communication with the Identity Provider (IdP). Assuming the user is authorized by the IdP, Apache reverse-proxies the connection over plain HTTP to the Tomcat server hosting Encompass, placing the agreed-upon user ID in a request header. Encompass then opens an application session for that user ID and the user begins work.

SP Configuration

To configure the Service Provider, a metadata exchange between the SP and the IdP is required. This establishes the trust relationship.

To begin:

1) The IdP generally provides its "metadata" files to the SP. This is done via a simple XML file exchange (email, file share, etc.). These files are usually known as partner-metadata.xml and shibboleth2.xml. Most importantly, this file includes the IdP's public key.

2) The SP processes the metadata together with information about the SP, such as the entityID (the unique identifier for us that the IdP authorizes) and the URL to POST the assertions to. This creates a signed deliverable which needs to be communicated back to the IdP.

3) Encompass is configured to pick up the agreed-upon user ID from the headers.

User ID:

Encompass only requires that a unique identifier be supplied in the HTTP headers; Shibboleth allows you to configure what this ID is. Perception Software recommends using the user's corporate username or email address as the identifier. This identifier is used inside Encompass to reference the user's profile and in logging events.
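The general flow above, step 3 of the SP configuration, and the user ID mapping from this section, as one added example that is not part of this article and not configuration shipped by Encompass or the Shibboleth project: an Apache 2.4 virtual host that terminates HTTPS, hands authentication to mod_shib, and reverse-proxies to Tomcat with the user ID in a request header. The hostname encompass.example.com, the certificate paths, the Tomcat port 8080 and the header name X-Remote-User are assumptions; the shibboleth2.xml side (which chooses the attribute that populates REMOTE_USER) is not shown.

```apache
# Added example, not from the original article. Hostname, certificate paths,
# Tomcat port and header name are assumptions; adjust to the real deployment.
<VirtualHost *:443>
    ServerName encompass.example.com

    # Apache is the HTTPS endpoint; Tomcat only ever sees plain HTTP from here.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/encompass.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/encompass.example.com.key

    # The SP's own endpoints (metadata download, assertion consumer service)
    # are served by mod_shib and must not be proxied to Tomcat. The exclusion
    # has to precede the catch-all ProxyPass below.
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>
    ProxyPass /Shibboleth.sso !

    # Everything else requires a Shibboleth session: a user without one is
    # redirected to the IdP, and only a valid signed assertion brings them back.
    <Location />
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-session

        # Copy the user ID mod_shib derived from the assertion (REMOTE_USER,
        # selected in shibboleth2.xml: corporate username or email address as
        # recommended above) into the header Encompass reads. "set" replaces any
        # header of the same name the client sent, so the value always comes
        # from the SP, never from the browser.
        RequestHeader set X-Remote-User "expr=%{REMOTE_USER}"
    </Location>

    # Reverse proxy to Tomcat on the loopback interface only.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

The header is only trustworthy because nothing but this proxy can reach Tomcat: bind Tomcat's HTTP connector to the loopback address (the `address="127.0.0.1"` attribute on the Connector in server.xml) or firewall port 8080 so that no client can talk to Tomcat directly and present its own header. The `expr=` form of RequestHeader needs Apache 2.4.10 or later.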
