SAML Identity Provider SSO Configuration

Configuring a SAML Single Sign-On (SSO) provider for security and compatibility with Titania Delivery.

Best practices for configuring a SAML identity provider to register Titania Delivery as a service provider.

Signing Requests and Responses

Requiring signed requests is one way the IdP can verify that requests are sent from a trusted relying party. The IdP should be configured to require signed requests, and to send signed responses.

Assertion Consumer Service URL

The Assertion Consumer Service of a SAML relying party is responsible for receiving and processing SAML responses. On the Titania Delivery platform, the assertion consumer service is available at a URL like https://[td-hostname]/portals/saml2/assert. The <AssertionConsumerServiceURL> element of the TD service provider metadata XML file contains the specific value for each TD platform. When registering Titania Delivery as a service provider with your IdP, the configuration will include this URL, which is used to route responses from the IdP to Titania Delivery.

The assertion consumer service URL provided in the SP metadata may be overridden in SAML authentication requests to the IdP. All requests originating from Titania Delivery will include an <AuthnRequest>/@AssertionConsumerServiceURL attribute with a value like https://[td-hostname]/portals/saml2/assert/[registration-id], where [registration-id] is an arbitrary alphanumeric string. The SAML 2.0 Core specification requires IdPs to:

  1. Recognize URLs like this as valid assertion consumer service URLs for this service provider. Different IdPs will have different ways of configuring this. It might be possible to define the valid assertion consumer service URLs using a pattern with a wildcard, such as https://[td-hostname]/portals/saml2/assert/*. In other IdPs, if the requests are signed, they will use the assertion consumer service URL provided in the request.
  2. Return the authorization response to the URL provided in the request (including the registration-id).
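The following is an added example, not Titania's or any IdP's code, of how an IdP-side check could accept the per-request assertion consumer service URL described above without a broad wildcard: it accepts the metadata ACS URL itself, or that URL followed by exactly one alphanumeric registration-id path segment, and rejects anything else. The hostname td.example.com and the constructed AuthnRequest are placeholders.

```python
"""Validate an AuthnRequest's AssertionConsumerServiceURL against SP metadata.

Added example. Assumes the SP metadata ACS URL is
https://td.example.com/portals/saml2/assert (placeholder hostname) and that
requests may append /<registration-id> where the id is alphanumeric.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed stand-in for <AssertionConsumerServiceURL> from the SP metadata.
METADATA_ACS_URL = "https://td.example.com/portals/saml2/assert"

# Registration ids are alphanumeric; anything else (slashes, dots, encodings) is refused.
REGISTRATION_ID = re.compile(r"^[A-Za-z0-9]+$")


def acs_url_allowed(requested, metadata_acs=METADATA_ACS_URL):
    """True if `requested` is the metadata ACS URL, optionally plus /<registration-id>.

    Scheme, host and path are compared as parsed components, so a different host
    that merely contains the expected name, or a query/fragment suffix, does not match.
    """
    want = urlsplit(metadata_acs)
    got = urlsplit(requested)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        return False
    if got.query or got.fragment:
        return False
    if got.path == want.path:
        return True
    prefix = want.path.rstrip("/") + "/"
    if not got.path.startswith(prefix):
        return False
    return bool(REGISTRATION_ID.match(got.path[len(prefix):]))


def acs_from_authn_request(xml_text):
    """Return <samlp:AuthnRequest>/@AssertionConsumerServiceURL, or None if absent."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("AssertionConsumerServiceURL")


# Constructed, minimal AuthnRequest for demonstration (signature omitted).
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}"
    ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    AssertionConsumerServiceURL="{METADATA_ACS_URL}/portal42"/>"""
```

The signature check the page calls for still has to run before this URL check is trusted; this example only decides whether a URL from a verified request is one the IdP may return the response to.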

RelayState

The SAML 2.0 Bindings specification defines a "RelayState" mechanism for preserving state between SAML entities during message exchanges. The specification requires responders to faithfully include any received relay state data in their response. In HTTP POST and redirect protocols, relay state is transmitted as a URL-encoded value of a URL parameter (or form control) named "RelayState".

Authentication requests originating from Titania Delivery will include a "RelayState" URL parameter (or form control) with a value representing the secured portal URL. This value must be returned with the authorization response.

For IdP-initiated authentication, the SAML authorization response sent to the assertion consumer service must include a "RelayState" parameter with the URL-encoded value of the URL of the requested portal.