Configuring SAML Security Profiles

How to set up a Titania Delivery security profile to use an external SAML IdP for portal authentication.
Note: Titania Delivery administrators who are creating SAML security configurations should have a basic understanding of SAML 2.0 as described in the SAML V2.0 Technical Overview. Titania administrators must work with a SAML administrator in their organization who can configure the chosen SAML Identity Provider (IdP) application to register Titania Delivery as a SAML Service Provider (SP), and configure it appropriately. The details of registering service providers with an IdP vary by vendor; consult your IdP's documentation for details on how to register and configure service providers.

Overview

The high-level steps to set up a TD security configuration for a SAML IdP are:

  1. (Titania Administrator) Export the Titania Delivery SAML Service Provider metadata as an XML file. This is the "SP metadata".
  2. (SAML Administrator) Register Titania Delivery with the chosen SAML IdP, using the information in the SP metadata, and additional requirements as specified in SAML Identity Provider SSO Configuration.
  3. (SAML Administrator) Export the "federated metadata" from the IdP, or provide the URL for the federated metadata.
    Note: Alternatively, the required information can be entered manually in the TD security configuration form. See Manual SAML Security Configuration.
  4. (Titania Administrator) Set up the SAML security profile in Titania Delivery, either manually, or by importing the federated metadata.
  5. (Titania Administrator) As needed, associate the SAML security configuration with the portal(s) that will use this IdP for authentication. See Portal Security.

SP Metadata and certificates

The Organizations > Authentication Systems admin page provides persistent links to the following SAML resources, under the SAML 2.0 Identity Providers heading:

Service Provider Metadata
The Entity Descriptor (SP metadata) XML for Titania Delivery, for use in configuring IdPs to accept authentication requests from Titania Delivery. The URL for this metadata is persistent for the Titania Delivery platform, and can be registered with IdP services that support automatic metadata refresh.
SP Signing Certificate
The certificate corresponding to the key that will be used by Titania Delivery when signing authentication requests.
SP Encryption Certificate
The certificate that must be used by Identity Providers when encrypting authentication responses being sent to Titania Delivery.
Important: The keys used by all SAML services generally have expiration dates of 6 months to 1 year, and will be replaced over time. Be sure to consult your Identity Providers and Titania Software to ensure that keys used for SAML authentication remain up-to-date.

Entity ID and IdP-Initiated SSO

If you plan to use IdP-initiated SSO (as described in SAML V2.0 Technical Overview, Section 5.1.1), you should configure your SAML identity provider to send SAML SSO <Response> messages with a form control or URL query parameter named RelayState whose value is the fully-qualified URL of the requested portal. Otherwise, if there are multiple SAML IdP Configurations with the same Entity ID on the TD platform (across all organizations), Titania Delivery may fail to fulfill the request. If the RelayState parameter is not provided, then Titania Delivery will not display a portal page.

If you create SAML IdP Configurations with duplicate Entity IDs, and do not use IdP-initiated SSO, this will not be a problem. Duplicate Entity IDs will typically be created automatically when importing IdP federated metadata from the same provider.

Additional SAML user assertions

SAML IdPs may be configured to include additional assertions (properties) about the user with a successful authentication response. These properties are stored with the portal user object, and are available for use in portal themes and for dynamic content filtering.


SAML user assertions do not need to be registered with Titania Delivery in advance. All such assertions in an authentication response are put into a map object, using the SAML technical name as the key. This map is available as the user.properties property.


Microsoft ADFS IdP requirements

From TD version 4.5.0 onward, the SamlResponseSignature property of the Microsoft ADFS Relying Party Trust for Titania Delivery must be set as described below.

An ADFS administrator must use a PowerShell command to modify the SamlResponseSignature property of any relevant Relying Party Trusts.

Use the following PowerShell command to view the property:

Get-AdfsRelyingPartyTrust -Name [Relying Party Trust Name]
where [Relying Party Trust Name] is the Display Name of the trust. Look for the SamlResponseSignature property in the output; the required value is MessageAndAssertion.

Use the following PowerShell command to set the property:

Set-AdfsRelyingPartyTrust -Name [Relying Party Trust Name] -SamlResponseSignature MessageAndAssertion
where [Relying Party Trust Name] is the Display Name of the trust.
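As an added illustration (not Titania Delivery's own code) of two points above: how the attributes in an Assertion's AttributeStatement become the keys of the user.properties map described under Additional SAML user assertions, and what the MessageAndAssertion signature layout required of ADFS looks like in the SAML Response itself. The constructed sample Response, the attribute names and the string-versus-list value shape are assumptions; the signature check only reports where ds:Signature elements are present and does not verify them.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the constructed sample below.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, minimal Response in MessageAndAssertion layout; signature bodies are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@example.org</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>Subscribers</saml:AttributeValue>
        <saml:AttributeValue>Editors</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def user_properties(response_xml):
    """Map each Attribute's technical Name to its value(s), the shape of user.properties."""
    props = {}
    root = ET.fromstring(response_xml)
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        # Assumption: single-valued attributes become a string, multi-valued ones a list.
        props[attr.get("Name")] = values[0] if len(values) == 1 else values
    return props

def signature_placement(response_xml):
    """Return (message_signed, assertion_signed): whether the Response and its
    Assertion each carry a ds:Signature element. Presence only; this does not
    verify the signatures cryptographically."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    msg = root.find("ds:Signature", NS) is not None
    asrt = assertion is not None and assertion.find("ds:Signature", NS) is not None
    return msg, asrt

def meets_message_and_assertion(response_xml):
    """True only when both signatures are present, the layout ADFS emits with
    SamlResponseSignature set to MessageAndAssertion."""
    return all(signature_placement(response_xml))
```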