SAML 2.0

You can establish a connection via SAML with an identity provider so that users are able to log in to Sensedia products using their credentials from that provider. The chosen provider must support the SAML 2.0 standard.

Configuring a connection with SAML 2.0

The configuration of a connection to an identity provider has the following items:

  • Name: name of your SAML provider.

  • Enable IdP sign out flow: for single logout (logging the user out of your IdP as well), select this option and use the information shown in the two fields that will be displayed to configure your IdP:

    • Logout URL and

    • Signing certificate.

  • Callback URL: the URL to which your identity provider must return the user after authentication.

  • SP Entity ID: the ID by which your provider will identify your entity (the service provider). Use this URN in the settings of your identity provider.

  • Metadata URL: the address from which the metadata is retrieved. Check your identity provider's documentation to find the Metadata URL and enter it in this field.

  • Policy: select the access policy to be applied to this access.

If you have policies configured on your identity provider, they will override this one.

Those fields are explained in the video below:

Deactivating or editing a connection with SAML 2.0

Once active, the connection to the identity provider can be updated at any time. To do so, click on any field you wish to edit, make the appropriate changes and click UPDATE.

To disable an active connection, click the DISCONNECT button.

The DISCONNECT button disables access for all users from that integration. To reconnect, follow the steps above (Configuring a connection with SAML 2.0).

The DISCONNECT button does not change your settings in your Identity Provider.

Login and control users

Unlike the Sensedia Platform login process, logging in with username and password remains possible even after SAML 2.0 is configured.

A user will be able to log in to Sensedia products either via SAML or separately, with username and password.

Setting up an API Manager application on your identity provider

To enable a SAML 2.0 connection, an API Manager application must be registered in your identity provider.

Please check your provider's official documentation for help with the necessary settings.

Here is a configuration example.

Example of configuration with Okta

The connection via SAML 2.0 can be made with the IdP of your choice. There are several providers; one of them is Okta. To configure it, follow the steps listed below.

  1. If you don’t already have one, create an Okta account.
    Click https://developer.okta.com/signup/ to access the Okta Developer page.

  2. Create a SAML 2.0 app.
    For that, click Applications > Applications and then click the Create App Integration button, as illustrated in the figure below.
    [Image: okta step1a]

    Then, in the modal screen that will open, select the SAML 2.0 option and click Next.

    [Image: SAML 2.0 option location]

  3. Configure the app by providing the following information: a name for your integration, icon or logo (optional), and visibility options. Then click Next.

  4. On the next screen, fill in the fields:

    • Single sign on URL: Callback URL, which is based on your API Manager address: <MANAGER-URL>/api-manager/api/v3/saml/callback;

    • Audience URI (SP Entity ID): the value entered in this field will be used in the API Manager as the "application ID";

    • Default RelayState: this field is not mandatory;

    • Name ID format: select EmailAddress.

      Further down on the same page, in Attribute Statements (image below), fill in the following fields:

    • Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress;

    • Name format: select Basic;

    • Value: select user.email;
      [Image: okta step4]
      Click NEXT to complete the registration.

  5. On the screen that appears* when you click NEXT, export the metadata by clicking the Identity Provider metadata link (in the sentence "Identity Provider metadata is available if this application supports dynamic configuration"), as shown in the image below.
    (*If the screen does not appear, go back to Applications > Applications and click on the name of the application you just created. On the next screen, click on the Sign On tab. You should see the screen below.)
    [Image: okta step5]
    The screen that opens next will show the metadata content, which can be saved as metadata.xml.
    Take note of the URL. It will be used to configure your API Manager.

  6. Link the Okta user to the created app.
    Click the Assignments tab and then click Assign > Assign to People, as shown in the image below.
    [Image: okta step6]

    On the screen that opens, click Assign, next to your name and email, as shown in the image below.

    [Image: okta step6b]

    On the next screen, click the Save and Go Back button.

The user must be linked to the created app to be able to log in.

After configuring Okta, open your API Manager.

Return to the top of this page for more details on configuring an integration in the API Manager. In summary, under Access Control > Integrations, fill in the fields:

  • Name: name you registered in step 3;

  • SP Entity ID: name entered as Audience URI (SP Entity ID) in step 4;

  • Metadata URL: enter the URL from step 5;

    Click CONNECT.
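Before pasting the Metadata URL from step 5 into the API Manager, it is worth checking that the IdP metadata actually carries what the SP needs: an entityID, an HTTPS single sign-on endpoint, a signing certificate, and the emailAddress NameID format selected in step 4. The following Python script is an added example, not Sensedia or Okta code; its metadata sample is constructed with placeholder values in the shape of the metadata.xml Okta exports.

```python
import xml.etree.ElementTree as ET  # for metadata from an untrusted source, prefer defusedxml.ElementTree
from typing import Any, Dict, List

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like the metadata.xml exported in step 5; every value is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exkPLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER-BASE64...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://dev-PLACEHOLDER.okta.com/app/exkPLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text: str) -> Dict[str, Any]:
    # Extract only the fields the service provider relies on from the IdP EntityDescriptor.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor found; this may be SP metadata rather than IdP metadata")
    sso = idp.find(f"md:SingleSignOnService[@Binding='{HTTP_POST}']", NS)
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    certs = [kd for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use") in (None, "signing")
             and kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None]
    return {
        "entity_id": root.get("entityID"),
        "sso_post_url": None if sso is None else sso.get("Location"),
        "nameid_formats": [e.text.strip() for e in idp.findall("md:NameIDFormat", NS) if e.text],
        "signing_certs": len(certs),
    }

def check_idp_metadata(meta: Dict[str, Any]) -> List[str]:
    # Return the problems found; an empty list means the metadata fits the setup described on this page.
    problems = []
    if not meta["entity_id"]:
        problems.append("missing entityID")
    url = meta["sso_post_url"]
    if not url:
        problems.append("no SingleSignOnService with the HTTP-POST binding")
    elif not str(url).startswith("https://"):
        problems.append(f"SSO URL is not https: {url}")
    if EMAIL_NAMEID not in meta["nameid_formats"]:
        problems.append("IdP does not advertise the emailAddress NameID format selected in step 4")
    if meta["signing_certs"] == 0:
        problems.append("no signing certificate, so assertion signatures cannot be verified")
    return problems
```

Run `check_idp_metadata(parse_idp_metadata(open("metadata.xml").read()))` against the file saved in step 5; the script checks structure only and does not replace the signature verification the SP performs on each assertion.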
