SAML 2.0

You can establish a connection via SAML with an identity provider so that users are able to log in to Sensedia products using their credentials from that provider. The chosen provider must support the SAML 2.0 standard.

It is not possible to generate Client Credentials using federated logins.

Configuring a connection with SAML 2.0

The configuration of a connection to an identity provider has the following items:

  • Name: name of your SAML provider.

  • Enable IdP sign out flow: for single logout (so that the user is also logged out of your IdP), select this option and use the information shown in the two fields that then appear to configure your IdP:

    • Logout URL and

    • Signing certificate.

  • Callback URL: the URL to which your identity provider must return the user after authentication.

  • SP Entity ID: the ID by which your identity provider identifies your entity (the service provider). Use this URN in the settings of your identity provider.

  • Metadata URL: the address from which the identity provider's metadata is fetched. Check your identity provider's documentation to obtain the Metadata URL and enter it in this field.

  • Role: select the role to be applied to this access.

If roles are configured on your identity provider, they override the role selected here.

Those fields are explained in the video below:

Deactivating or editing a connection with SAML 2.0

Once active, the connection to the identity provider can be updated at any time. To do so, click on any field you wish to edit, make the appropriate changes and click UPDATE.

To disable an active connection, click the DISCONNECT button.

The DISCONNECT button will disable the access of all users from that federated login. To reconnect, follow the steps above (Configuring a connection with SAML 2.0).

The DISCONNECT button does not change your settings in your Identity Provider.

Login and control users

Unlike the login process on the Sensedia Platform, login with username and password remains possible even after SAML 2.0 has been configured.

A user will be able to log in to Sensedia products either via SAML or with their Sensedia username and password.

Setting up an API Manager application on your identity provider

To enable a SAML 2.0 connection, an API Manager application must be registered in your identity provider.

See below for configuration examples using Okta and Azure AD.

Please check your provider's official documentation for help with the necessary settings.


Example of configuration with Okta

The connection via SAML 2.0 can be made with the IdP of your choice. There are several providers; Okta is one of them. To configure it, follow the steps listed below.

  1. If you don’t already have one, create an Okta account.
    Click https://developer.okta.com/signup/ to access the Okta Developer page.

  2. Create a SAML 2.0 app.
    For that, click Applications > Applications and then click the Create App Integration button, as illustrated in the figure below.
    okta step1a

    Then, in the modal screen that will open, select the SAML 2.0 option and click Next.

    SAML 2.0 option location

  3. Configure the app by providing the following information: a name for the federated login, icon or logo (optional), and visibility options. Then click Next.

  4. On the next screen, fill in the fields:

    • Single sign on URL: the Callback URL, which is based on your API Manager address: <MANAGER-URL>/api-manager/api/v3/saml/callback;

    • Audience URI (SP Entity ID): the value entered in this field will be used in the API Manager as the "application ID";

    • Default RelayState: this field is not mandatory;

    • Name ID format: select EmailAddress.

      okta step4

      Further down on the same page, in Attribute Statements, fill in the following fields:

      Name    Format    Value
      email   Basic     user.email
      name    Basic     user.firstName

      okta step4a

      Click NEXT to complete the registration.

  5. On the screen that appears* after you click NEXT, export the metadata by clicking the link "Identity Provider metadata is available if this application supports dynamic configuration", as shown in the image below.
    (*If the screen does not appear, go back to Applications > Applications and click on the name of the application you just created. On the next screen, click the Sign On tab. You should see the screen below.)
    okta step5
    The screen that opens next will show the content, which can be saved as metadata.xml.
    Take note of the URL. It will be used to configure your API Manager.

  6. Link the Okta user to the created app.
    Click the Assignments tab and then click Assign > Assign to People, as shown in the image below.
    okta step6

    On the screen that opens, click Assign, next to your name and email, as shown in the image below.

    okta step6b

    On the next screen, click the Save and Go Back button.

The user must be linked to the created app to be able to log in.

After configuring Okta, open your API Manager.

Return to the top of this page for more details on configuring an integration in the API Manager. In summary, under Access Control > Integrations, fill in the fields:

  • Name: name you registered in step 3;

  • SP Entity ID: name entered as Audience URI (SP Entity ID) in step 4;

  • Metadata URL: enter the URL from step 5;

    Click CONNECT.


Example of configuration using Azure AD

To configure Azure AD as an identity provider, follow these steps:

1. Create a Client

  • Access your Microsoft Azure account and click Microsoft Entra ID.
    azure step1 entra id

  • Click Enterprise Applications.
    azure step2 apps

  • If you already have an application created for the API Manager, go to step 2 - Configure SAML.
    Otherwise, click + New application.
    azure step3 create app

  • Click Create your own application.
    azure step4 create own app

  • Provide:

    • The name you want to give your application and

    • The purpose of your application: select "Integrate any other application you don’t find in the gallery".
      azure step5 create own app

  • Click Create.

  • You will see the properties of your application, including its ID and object ID.
    azure step6 app properties

2. Configure SAML

  • After creating the application, still on the Overview screen, click Set up single sign-on.
    azure step7 configure sso

  • Click SAML.
    azure step8 configure saml

  • If configuring for the first time, the Set up Single Sign-On with SAML screen will appear as shown below.
    Click Edit in the "Basic SAML Configuration" section.
    azure step9 edit saml

  • Fill in the fields:

    • Identifier (Entity ID): Provide the SP Entity ID.

    • Reply URL (Assertion Consumer Service URL): Provide the Callback URL.
      azure saml identificator url

      • The Identifier and Reply URL can be obtained in:

        • Access Control Settings > Federated Login
          ac federated login

        • Click on SAML2 and the [CONFIGURE FEDERATED LOGIN] button (the button will be enabled when you click on SAML2)
          ac saml2
          ac saml2 identifier url

  • Click SAVE to save the settings.
    azure step10 save saml

  • Click Edit in the "Attributes & Claims" section.
    azure step11 edit attributes

  • Next to user.givenname and user.surname, click … and then Delete to remove them, then click OK to confirm.
    azure step12 remove attributes

  • After removing user.givenname and user.surname, only the fields email, name, and Unique User Identifier should remain.

  • The Namespace of the fields that remain is pre-filled. Clear this field.
    For example, the Namespace of the email field looks like this:
    azure example email namespace
    and should look like this:
    azure example email namespace clean
    Clear the content of the Namespace field for all three: email, name, and Unique User Identifier.

3. Write down the Metadata URL

  • In the "SAML Certificates" section, copy the contents of the application federation metadata URL field.
    azure step13 metadata url

  • Configure your Sensedia Platform by following the steps below. If necessary, go back to the beginning of this page for more details on configuring an integration in API Manager.

    • Enter Access Control Settings > Federated Login
      ac federated login

    • Click on SAML2 and the [CONFIGURE FEDERATED LOGIN] button (the button will be enabled when you click on SAML2)
      ac saml2

      • Name: enter the same name given when creating the client;

      • Metadata URL: enter the URL just copied from "SAML Certificates";

      • Role: default role that will be assigned to users when they log in via the integration.
        azure step14 metadata role

        Click CREATE.
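Both the Okta steps (attribute statements named email and name, NameID format EmailAddress) and the Azure AD steps (clearing the Namespace of the email, name and Unique User Identifier claims) exist so that the assertion the IdP sends carries its attributes under exactly the names the API Manager looks up. The Python check below, added here as an example and not part of Sensedia's, Okta's or Microsoft's code, parses a SAML assertion and reports which expected attributes are present, whether the NameID is an email address and whether the Audience equals the SP Entity ID. The two assertions are constructed samples (one with the cleared names, one with a namespace prefix left in place) and check_assertion() is a helper name chosen for this example; it inspects attributes only and does not verify the XML signature, which a real service provider must do with the IdP's signing certificate before trusting any of these values.

```python
"""Check that a SAML assertion carries the attributes the federated login
expects: "email" and "name", an emailAddress NameID, and an Audience equal
to the SP Entity ID.

Added example, not Sensedia's, Okta's or Microsoft's code. The assertions
are constructed (and unsigned); check_assertion() is a helper written here."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SP_ENTITY_ID = "urn:sensedia:sp:example"   # placeholder SP Entity ID


def _assertion(attrs):
    """Build a constructed assertion carrying the given (Name, value) attributes."""
    items = "".join(
        f'<saml:Attribute Name="{n}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">'
        f"<saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>"
        for n, v in attrs
    )
    return f"""<saml:Assertion xmlns:saml="{SAML}" ID="_constructed-1" Version="2.0">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{EMAIL_FORMAT}">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>{items}</saml:AttributeStatement>
</saml:Assertion>"""


# Attribute names as they arrive after the Namespace field has been cleared.
ASSERTION_CLEARED = _assertion([("email", "alice@example.test"), ("name", "Alice")])
# The same claims with a namespace prefix left on them (constructed, Azure-style).
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
ASSERTION_NAMESPACED = _assertion(
    [(CLAIMS_NS + "email", "alice@example.test"), (CLAIMS_NS + "name", "Alice")]
)


def check_assertion(xml_text, sp_entity_id, required=("email", "name")):
    """Report NameID, audience match, attributes found and required attributes missing.

    Signature verification is deliberately out of scope here; do it before this check."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML:
        raise ValueError("expected a saml:Assertion root element")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        # Lookup is by the exact Name attribute, so a leftover namespace prefix hides the claim.
        attributes[attr.get("Name")] = values[0] if len(values) == 1 else values
    missing = [n for n in required if n not in attributes]
    name_id_is_email = name_id is not None and name_id.get("Format") == EMAIL_FORMAT
    audience_ok = sp_entity_id in audiences
    return {
        "name_id": name_id.text if name_id is not None else None,
        "name_id_is_email": name_id_is_email,
        "audience_ok": audience_ok,
        "attributes": attributes,
        "missing": missing,
        "ok": not missing and audience_ok and name_id_is_email,
    }


if __name__ == "__main__":
    for label, doc in (("cleared", ASSERTION_CLEARED), ("namespaced", ASSERTION_NAMESPACED)):
        result = check_assertion(doc, SP_ENTITY_ID)
        print(label, "ok" if result["ok"] else "missing: %s" % result["missing"])
```

The namespaced assertion fails the check even though it carries the same values, which is the situation the Azure AD namespace-clearing step avoids; the audience comparison is the assertion-side counterpart of entering the same SP Entity ID on both the IdP and the API Manager.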
