How to register the application correctly

Authentication in SAML terminology is the result of the interaction of three parties:

  • the identity provider (IdP), which here is Blitz Identity Provider;

  • the service provider (SP), which is the connected application;

  • the user's web browser (user agent).

The first step when connecting an application is to register it as a service provider in Blitz Identity Provider. To do this, first prepare an XML file with the service provider metadata, or collect the parameter values from which the metadata can be prepared on the Blitz Identity Provider side.

The service provider metadata describes the settings for connecting the application to Blitz Identity Provider (for example, the URLs of the application endpoints and the keys used to verify signatures). Metadata is written in XML.

Attention

Prepare the metadata only after the work on adding SAML support to the application has been completed, since the metadata must reflect the endpoints and keys the application actually uses.

If the application is ready-made software that supports SAML, obtain the metadata as described in the documentation for that software. Such software usually provides a URL from which the metadata can be downloaded.

If the software of the connected application does not offer metadata for download, but its documentation describes the parameters that must be configured to connect the application, you can provide those parameters instead, and the Blitz Identity Provider administrator will prepare the metadata from them.

In this case, you must specify the following parameters:

  1. Service Provider ID (entityID) – specify it only if the application requires a specific entityID. Otherwise, the Blitz Identity Provider administrator assigns the entityID.

  2. Application (service provider) public key certificate – specify it only if the application signs the SAML requests it sends to Blitz Identity Provider.

    Note

    The service provider certificate is different from the TLS certificate of the connected website. This is usually a self-signed certificate with a long validity period.

    Important

    RSA-2048 keys must be used.

    Note

    It is acceptable to use self-signed certificates with a long validity period.

  3. URL for receiving SAML responses from Blitz Identity Provider – the application must provide a handler that receives SAML responses with login results from Blitz Identity Provider. This application setting is usually called Assertion Consumer Service.

  4. URL for receiving a logout request from Blitz Identity Provider – an optional setting. If the application supports single logout, it can provide a single logout handler. This application setting is usually called Single Logout Service Location.

  5. URL for redirecting the user back to the application after a successful logout – an optional setting. If the application supports single logout and can initiate it, it can provide a URL to which the user is returned after logout. This application setting is usually called Single Logout Service Response Location.

  6. The list of attributes to be included in the SAML assertion.

    Available user attributes

    Attribute     Description
    logonname     Username of the user in the domain
    surname       Last name
    firstname     First name
    middlename    Patronymic
    email         Business email address

  7. Whether attributes must be transmitted in encrypted form.

    Note

    Attributes in a SAML message are always signed. Enable attribute encryption when the user should not be able to read the attribute values, since the assertion passes through the user's browser.
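The following is an added example, not Blitz Identity Provider code: it assembles SAML 2.0 service-provider metadata from the seven parameters listed above (for the case where the application cannot export its own metadata) and reads the key fields back out of metadata received from an application, which is the check an administrator makes before registering it. All URLs, the entityID and the certificate value are constructed placeholders.

```python
# Added example, not Blitz Identity Provider code: build SP metadata from the
# parameters above, and summarize the fields an administrator checks in it.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

def build_sp_metadata(entity_id, acs_url, attributes, signing_cert_b64=None,
                      slo_url=None, slo_response_url=None):
    """signing_cert_b64: base64 DER of the SP certificate (only if the SP signs
    its requests); slo_url / slo_response_url: the two optional logout URLs."""
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)  # item 1
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
                       AuthnRequestsSigned="true" if signing_cert_b64 else "false",
                       WantAssertionsSigned="true")  # assertions are always signed
    if signing_cert_b64:  # item 2: certificate the IdP uses to verify request signatures
        kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", use="signing")
        x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = signing_cert_b64
    if slo_url:  # items 4 and 5: Single Logout Service Location / Response Location
        slo = {"Binding": REDIRECT, "Location": slo_url}
        if slo_response_url:
            slo["ResponseLocation"] = slo_response_url
        ET.SubElement(sp, f"{{{MD}}}SingleLogoutService", **slo)
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", Binding=POST,  # item 3
                  Location=acs_url, index="0", isDefault="true")
    acs = ET.SubElement(sp, f"{{{MD}}}AttributeConsumingService", index="0")  # item 6
    lang = "{http://www.w3.org/XML/1998/namespace}lang"  # ServiceName needs xml:lang
    ET.SubElement(acs, f"{{{MD}}}ServiceName", {lang: "en"}).text = entity_id
    for name in attributes:
        ET.SubElement(acs, f"{{{MD}}}RequestedAttribute", Name=name, isRequired="true")
    return ET.tostring(root, encoding="unicode")

def summarize_sp_metadata(xml_text):
    """The fields an administrator checks in metadata obtained from an application."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    return {
        "entityID": root.get("entityID"),
        "signs_requests": sp.get("AuthnRequestsSigned") == "true",
        "acs": [e.get("Location") for e in sp.findall(f"{{{MD}}}AssertionConsumerService")],
        "slo": [(e.get("Location"), e.get("ResponseLocation")) for e in sp.findall(f"{{{MD}}}SingleLogoutService")],
        "attributes": [a.get("Name") for a in sp.iter(f"{{{MD}}}RequestedAttribute")],
    }
```

Item 7 (attribute encryption) is an IdP-side setting and is not expressed in the service-provider metadata built here.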