Configuring SAML and WS-Federation#

Connection via SAML 1.0/1.1/2.0#

When connecting an application via SAML, you must make the following settings:

  • load the SAML metadata of the application to be connected;

  • make sure that the SAML Profile switch is set to “SAML 2.0 Web SSO Profile”;

  • in the “SAML profile” block, click “Configure”. In the fields that appear, specify:

    • specify whether to sign SAML attributes (SAML Assertions) in Blitz Identity Provider responses;

    • specify whether to encrypt SAML-attributes in Blitz Identity Provider responses;

    • specify whether to encrypt SAML identifiers (SAML NameIds) in Blitz Identity Provider responses;

    • specify whether to include a list of assertions with attributes in Blitz Identity Provider responses;

  • specify which SAML user attributes from the Blitz Identity Provider to pass to the application. SAML attributes must be pre-configured in the “SAML” section of the Management Console (see Configuring SAML attribute).

:size=80%

SAML protocol settings for the application

Connection via WS-Federation#

When connecting an application via WS-Federation, the following settings must be configured:

  • load the metadata of the application to be connected;

  • set the SAML profile switch to “WS-Federation Passive Requestor Profile”;

  • in the “SAML profile” block, click “Configure”. In the fields that appear, specify:

    • specify whether to sign assertions (Assertions) in Blitz Identity Provider responses;

    • specify the lifetime of assertions in the response. ISO 8601 format should be used to specify the duration of the period, e.g. PT5M - 5 minutes;

    • specify whether to include a list of assertions with attributes in Blitz Identity Provider responses;

  • specify which user attributes from the Blitz Identity Provider to pass to the application. Attributes must be pre-configured in the “SAML” section of the Management Console (see Configuring SAML attribute).

:size=80%

WS-Federation protocol settings for the application

Configuring SAML attribute#

The “SAML” section of the Management Console is used to register user SAML attributes with the Blitz Identity Provider.

To add a new SAML-attribute you must:

  1. Click on the “Add a new SAML attribute “ link.

  2. Enter:

    • name of the SAML-attribute (this is what will be displayed when connecting SAML applications);

    • attribute source (all attributes defined in the “Data sources” section are displayed).

  3. Press “Add”. The attribute will be added.

  4. Define attribute encoders. This requires:

    • click on the link “Add Encoder”;

    • choose the type of encoder; it should be noted that the type of encoder depends on the protocol version the service provider (connected application) works with;

    • name of the SAML attribute that will be sent to the service provider (within this encoder type);

    • a short name to be given to the service provider (within this encoder type);

    • name format.

If necessary, multiple encoders of the selected SAML attribute can be defined (each encoder must belong to a different encoder type).

:size=80%

Configuring SAML attribute