Manual SAML Security Configuration

Manually creating a SAML security configuration.

From the Organizations > Authentication Systems page in the TD admin application, click the New... button next to the SAML 2.0 Identity Providers heading. This dialog allows the manual configuration of the Identity Provider settings.

SAML Identity Provider Details Dialog
Name
The display name for the configuration. This is not used in the authentication process, and is simply a label for the configuration.
Organization Name
The Organization Name for the IdP.
Entity ID
The entity ID for the IdP service.
NameID Policy
The NameID policy to specify when making authentication requests with the IdP.
Note: Not all Identity Provider implementations honor the NameID policy specified in authentication requests. It is often the case that the NameID value must be separately configured in the Identity Provider service's configuration settings.
Important: The NameID provided by the IdP is used as the persistent user ID within the portal for purposes of tracking comments made by the user, and assemblies owned by the user. SAML 2.0 allows for transient NameIDs, such that every authentication results in a different value for the same user. While this will work for authentication purposes, Titania Delivery will treat each new session as if it were a new user, and so the ability to manage assemblies and comments from previous sessions will be lost. In general, we strongly recommend using a persistent NameID value, such as e-mail address or other persistent ID.
Display Name Attribute
The attribute that will be included in any authorization response which corresponds to the user's display name.
Single Sign-On (SSO) Endpoint URL
The URL that the IdP service uses to accept authentication requests. This may be found in the federated metadata provided by the IdP, or directly from the IdP configuration.
Request Mode (SSO)
The mode to use when issuing authentication requests to the IdP service. It is recommended to use "HTTP POST".
Single Log Out (SLO) Endpoint URL
The URL that the IdP service uses to accept logout requests. This is typically the same URL as the Single Sign-On Endpoint URL. It may be found in the federated metadata provided by the IdP, or directly from the IdP configuration.
Request Mode (SLO)
The mode to use when issuing logout requests to the IdP service. It is recommended to use "HTTP POST".
Sign Authorization Requests
When checked, authorization requests sent to the IdP will be signed using the key corresponding to Titania Delivery's signing certificate. It is recommended always to sign requests, for greatest security.
X.509 Certificate String
The Base64-encoded string representing the certificate that will be used to verify signed values in authentication responses provided by the IdP. This value is provided in the IdP's federated metadata, or it can be obtained directly from the IdP configuration. It is recommended to configure your IdP to sign responses, for greatest security.
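Several of the fields above (Entity ID, Organization Name, the SSO and SLO endpoints with their request modes, the NameID policy and the X.509 certificate string) can be read straight out of the IdP's federated metadata. The following added example, which is not part of Titania Delivery or this page, parses a constructed sample metadata document with Python's standard library, extracts those values, and flags the caveats the page describes: an IdP that only offers transient NameIDs, a missing signing certificate, a certificate that is not valid Base64, and an SSO endpoint without the recommended HTTP POST binding. The metadata, entity ID, URLs and certificate body are constructed placeholders, not values from any real IdP.

```python
"""Extract SAML IdP dialog values from federation metadata and review them.
Sample metadata below is constructed for this example; the certificate body is a placeholder."""
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          MIIBplaceholderCERTbody
          Continues
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">Example Org</md:OrganizationName>
  </md:Organization>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the values to enter in the SAML Identity Provider Details dialog."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def endpoint(tag):
        # Prefer the HTTP-POST binding (the recommended request mode), else HTTP-Redirect.
        by_binding = {e.get("Binding"): e.get("Location") for e in idp.findall(tag, NS)}
        for binding in (BINDING_POST, BINDING_REDIRECT):
            if binding in by_binding:
                return by_binding[binding], binding
        return None, None

    sso_url, sso_binding = endpoint("md:SingleSignOnService")
    slo_url, slo_binding = endpoint("md:SingleLogoutService")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a KeyDescriptor without 'use' covers signing too
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))  # strip line breaks and indentation
    org = root.find("md:Organization/md:OrganizationName", NS)
    return {
        "entity_id": root.get("entityID"),
        "organization_name": org.text.strip() if org is not None and org.text else None,
        "sso_url": sso_url, "sso_binding": sso_binding,
        "slo_url": slo_url, "slo_binding": slo_binding,
        "nameid_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text],
        "signing_certs": certs,
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
    }


def review_settings(cfg):
    """Warnings for the caveats described on the page: NameID persistence, signing, POST mode."""
    warnings = []
    formats = cfg["nameid_formats"]
    if not any(f in (NAMEID_PERSISTENT, NAMEID_EMAIL) for f in formats):
        warnings.append("IdP advertises no persistent NameID format; each session may become a new user")
    if NAMEID_TRANSIENT in formats:
        warnings.append("IdP offers transient NameIDs; configure the IdP to issue a persistent NameID")
    if not cfg["signing_certs"]:
        warnings.append("no signing certificate in metadata; signed responses cannot be verified")
    for cert in cfg["signing_certs"]:
        try:
            base64.b64decode(cert, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            warnings.append("X.509 certificate string is not valid Base64")
    if cfg["sso_binding"] != BINDING_POST:
        warnings.append("SSO endpoint has no HTTP-POST binding; the recommended request mode is unavailable")
    if cfg["slo_url"] is None:
        warnings.append("no Single Logout endpoint advertised; SLO cannot be configured")
    return warnings


if __name__ == "__main__":
    settings = parse_idp_metadata(SAMPLE_METADATA)
    for key, value in settings.items():
        print(f"{key}: {value}")
    for warning in review_settings(settings):
        print("WARNING:", warning)
```

On the sample, the review reports a single warning: the IdP lists the transient NameID format alongside e-mail address, so the persistent value still has to be enforced on the IdP side, as the note under NameID Policy describes. A real metadata document should be fetched over TLS from the IdP and the extracted certificate compared with the one the IdP administrator supplied out of band before it is pasted into the X.509 Certificate String field.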