SAML Properties¶
Users of Onegini Customer Service can authenticate via a SAML Identity Provider instead of basic authentication. The application must be started with the Spring profile `saml` to replace basic authentication with SAML. This can be done via the environment variable `SPRING_PROFILES_ACTIVE=saml`.
SAML properties¶
The following properties must be configured:
Property | Default | Example | Description |
---|---|---|---|
SAML_SP_ENABLED | false | true | Enables SAML capabilities |
SAML_SP_SP_ENTITY_ID | com:onegini:idp:uma | | Unique entity ID of this application as SAML SP |
SAML_SP_SP_ENTITY_BASE_URL | http://localhost:7522 | | Public base URL of this application as SAML SP |
SAML_SP_MAX_AUTHENTICATION_AGE_IN_SECONDS | 7200 | | Maximum time, in seconds, between the user's authentication at the IdP and the processing of the SAML response by the SP |
SAML_SP_CLOCK_SKEW_IN_SECONDS | 60 | | Maximum allowed clock difference, in seconds, between the server of the SAML SP and the SAML IdP |
Exactly one of the following two properties must be set:
Property | Default | Example | Description |
---|---|---|---|
SAML_SP_IDP_METADATA_FILE | | /tmp/metadata.txt | Location on the file system of the metadata of the SAML IdP |
SAML_SP_IDP_METADATA_BASE64 | | | Base64 encoded text with the metadata of the SAML IdP |
Onegini Customer Service can auto-generate a SAML signing certificate or use a predefined one. The following environment variables are required to configure a predefined certificate.
Property | Default | Example | Description |
---|---|---|---|
SAML_SP_SIGNING_KEY_STORE_PASSWORD | | password | Key store password |
SAML_SP_SIGNING_PRIVATE_KEY | | MIIEpQIBAAKCAQEAuLmNPSanYb0wJl/f+yU... | Private key in Base64 |
SAML_SP_SIGNING_CERTIFICATE | | MIIDmDCCAoACCQC1yJJAA/4CcDANBgkq... | Certificate in Base64 |
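The two tables above take the IdP metadata and the SP signing material as Base64 text, but do not say how to produce those values from the files you normally have. The script below is an added example, not Onegini's own tooling. It assumes that the key and certificate values are the Base64 of the DER encoding, i.e. the PEM body with its BEGIN/END lines and line breaks removed; that is inferred from the example prefixes on this page (MIIEpQIBAAKCAQEA... is how a DER-encoded 2048-bit PKCS#1 RSA key starts, MIIDmDCCAo... is a DER certificate) and is not stated on the page. The PEM and metadata samples embedded in it are constructed stand-ins (a minimal DER SEQUENCE, not a real key) that only exercise the armor handling; run it on real files via the command line.

```python
"""Added example, not Onegini's own tooling: turn PEM files and an IdP metadata
XML file into the single-line Base64 values used by the SAML_SP_SIGNING_PRIVATE_KEY,
SAML_SP_SIGNING_CERTIFICATE and SAML_SP_IDP_METADATA_BASE64 properties.
Assumption (inferred from the example prefixes on this page, not stated there):
key and certificate values are Base64 of the DER encoding, i.e. the PEM body
with the BEGIN/END lines and line breaks removed."""
import base64
import os
import re
import sys

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# PEM labels of unencrypted private keys and the format they carry.
KEY_LABELS = {
    "RSA PRIVATE KEY": "pkcs1",   # Base64 starts with MIIEpQIBAAKCAQEA for 2048-bit RSA, like the page's example
    "PRIVATE KEY": "pkcs8",       # what current OpenSSL writes by default
}


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in text.
    Rejects encrypted keys (the property takes a raw key) and corrupt Base64."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        if "ENCRYPTED" in label or "Proc-Type:" in body:
            raise ValueError("encrypted private key: decrypt it before configuring the property")
        der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
        if not der or der[0] != 0x30:          # every key/certificate DER starts with a SEQUENCE
            raise ValueError(f"{label} block does not decode to DER")
        blocks.append((label, der))
    return blocks


def single_line_base64(data):
    """Base64 without line breaks, the shape of the example values on this page."""
    return base64.b64encode(data).decode("ascii")


def signing_key_property(pem_text):
    """(kind, value) for SAML_SP_SIGNING_PRIVATE_KEY; kind is 'pkcs1' or 'pkcs8'."""
    for label, der in pem_blocks(pem_text):
        if label in KEY_LABELS:
            return KEY_LABELS[label], single_line_base64(der)
    raise ValueError("no private key block found")


def certificate_property(pem_text):
    """Value for SAML_SP_SIGNING_CERTIFICATE: the first CERTIFICATE block."""
    for label, der in pem_blocks(pem_text):
        if label == "CERTIFICATE":
            return single_line_base64(der)
    raise ValueError("no CERTIFICATE block found")


def metadata_property(metadata_xml):
    """Value for SAML_SP_IDP_METADATA_BASE64: Base64 of the metadata document as-is."""
    return single_line_base64(metadata_xml.encode("utf-8"))


def build_properties(key_pem, cert_pem, metadata_xml):
    """All three property values plus the detected key format."""
    kind, key_value = signing_key_property(key_pem)
    return {
        "SAML_SP_SIGNING_PRIVATE_KEY": key_value,
        "SAML_SP_SIGNING_CERTIFICATE": certificate_property(cert_pem),
        "SAML_SP_IDP_METADATA_BASE64": metadata_property(metadata_xml),
    }, kind


def write_env_file(path, props):
    """KEY=VALUE lines, created with mode 0600 because the file holds a private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as env_file:
        for key, value in props.items():
            env_file.write(f"{key}={value}\n")


# Constructed stand-ins: a minimal DER SEQUENCE wrapped in PEM armor, split over
# two lines to exercise the line-break handling.  Not a real key or certificate.
SAMPLE_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMAMC\nAQA=\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
                   'entityID="https://idp.example.org/metadata"/>')

if __name__ == "__main__":
    if len(sys.argv) == 5:   # usage: script.py key.pem cert.pem idp-metadata.xml out.env
        key_pem, cert_pem, metadata = (open(p, encoding="utf-8").read() for p in sys.argv[1:4])
        props, kind = build_properties(key_pem, cert_pem, metadata)
        write_env_file(sys.argv[4], props)
        print(f"wrote {sys.argv[4]} ({kind} key); the key value itself is deliberately not printed")
    else:
        props, kind = build_properties(SAMPLE_KEY_PEM, SAMPLE_CERT_PEM, SAMPLE_METADATA)
        print(kind, {k: v[:16] + "..." for k, v in props.items()})
```

The key format matters in practice: OpenSSL 3 writes PKCS#8 (`BEGIN PRIVATE KEY`) by default, while the page's example value has the PKCS#1 prefix; `openssl rsa -in key.pem -traditional` writes the PKCS#1 form. Whether the application also accepts PKCS#8 is not stated on this page, which is why the helper reports which format it found. Private keys are never printed, and the environment file is created with owner-only permissions.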
Authority mapping¶
Onegini Customer Service can restrict access to users based on the values of an attribute in the SAML authentication response. The name of this attribute and the mapping between the values and the functionality in Onegini Customer Service is configurable.
Property | Default | Example | Description |
---|---|---|---|
SAML_SP_FULL_ACCESS_GRANTED | false | true or false | If true, every user the IdP authenticates gets full access to Onegini Customer Service and the properties below are ignored; access control is then entirely delegated to the IdP. |
SAML_SP_ATTRIBUTE_NAME | | urn:oid:1.3.6.1.4.1.5923.1.5.1.1 | SAML attribute that contains the roles used for authorization. It is matched on the Name attribute only; NameFormat and FriendlyName are ignored. |
SAML_SP_AUTHORITIES_USERS_ALL * | | customer_service | Value of the role that gives access to managing users. |
SAML_SP_AUTHORITIES_AGENTS_READ * | | employees_supervisor | Value of the role that gives access to supervising agents. |
SAML_SP_AUTHORITIES_STATISTICS_READ * | | system_admin | Value of the role that gives access to the application statistics. |
SAML_SP_AUTHORITIES_anythingElse * | | other_group | Values of the roles that give access via RBAC. |
\* These are multi-value properties. Separate the values with a comma.
Example:

```properties
SAML_SP_FULL_ACCESS_GRANTED=false
SAML_SP_ATTRIBUTE_NAME=urn:oid:1.3.6.1.4.1.5923.1.5.1.1
SAML_SP_AUTHORITIES_USERS_ALL=CustomerSupport,Supervisor,SysAdmin
SAML_SP_AUTHORITIES_AGENTS_READ=Supervisor,SysAdmin
SAML_SP_AUTHORITIES_STATISTICS_READ=SysAdmin
```
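To see what the mapping above actually grants, the following added example (not Onegini's own code) applies these properties to a constructed SAML assertion: it reads the configured attribute by Name only, splits the multi-value properties on commas, and derives the set of granted authorities, including the two failure modes a reviewer should check, a role that arrives in a differently-named attribute (ignored) and `SAML_SP_FULL_ACCESS_GRANTED=true` (everything granted regardless of roles). Function names, the `FULL_ACCESS` sentinel and the exact, case-sensitive role comparison are this example's assumptions; the page does not specify how values are compared.

```python
"""Added example (not Onegini's own code): how the SAML_SP_* authority-mapping
properties on this page turn the roles carried in one SAML attribute into the
access a user gets.  Function names are hypothetical; the assertion is
constructed inline for the example and never leaves this script."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AUTHORITY_PREFIX = "SAML_SP_AUTHORITIES_"
FULL_ACCESS = "*"   # sentinel returned when SAML_SP_FULL_ACCESS_GRANTED=true

# The configuration from the example on this page.
EXAMPLE_CONFIG = {
    "SAML_SP_FULL_ACCESS_GRANTED": "false",
    "SAML_SP_ATTRIBUTE_NAME": "urn:oid:1.3.6.1.4.1.5923.1.5.1.1",
    "SAML_SP_AUTHORITIES_USERS_ALL": "CustomerSupport,Supervisor,SysAdmin",
    "SAML_SP_AUTHORITIES_AGENTS_READ": "Supervisor,SysAdmin",
    "SAML_SP_AUTHORITIES_STATISTICS_READ": "SysAdmin",
}


def parse_authority_map(config):
    """{authority: set of role values} from every SAML_SP_AUTHORITIES_* property.
    The properties are multi-value: values are separated by commas."""
    mapping = {}
    for key, raw in config.items():
        if key.startswith(AUTHORITY_PREFIX):
            authority = key[len(AUTHORITY_PREFIX):]
            mapping[authority] = {v.strip() for v in raw.split(",") if v.strip()}
    return mapping


def build_assertion(attributes):
    """Constructed <saml:Assertion> with an AttributeStatement; attributes is a
    list of (Name, FriendlyName, [values]).  Sample data, not a real IdP response."""
    ET.register_namespace("saml", SAML_NS)
    root = ET.Element(f"{{{SAML_NS}}}Assertion", {"ID": "_example", "Version": "2.0"})
    ET.SubElement(root, f"{{{SAML_NS}}}Issuer").text = "https://idp.example.org/metadata"
    statement = ET.SubElement(root, f"{{{SAML_NS}}}AttributeStatement")
    for name, friendly_name, values in attributes:
        attr = ET.SubElement(statement, f"{{{SAML_NS}}}Attribute", {
            "Name": name,
            "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
            "FriendlyName": friendly_name,
        })
        for value in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")


def attribute_values(assertion_xml, attribute_name):
    """All AttributeValue texts of the Attribute whose Name equals attribute_name.
    As the page states, only Name is compared; NameFormat and FriendlyName are ignored."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == attribute_name:
            for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
                values.append((value.text or "").strip())
    return values


def granted_authorities(config, assertion_xml):
    """Authorities the user gets.  With SAML_SP_FULL_ACCESS_GRANTED=true every
    authenticated user gets everything and the mapping properties are ignored;
    otherwise an authority is granted when any of its configured role values
    appears in the configured attribute (exact, case-sensitive match assumed)."""
    if config.get("SAML_SP_FULL_ACCESS_GRANTED", "false").strip().lower() == "true":
        return {FULL_ACCESS}
    roles = set(attribute_values(assertion_xml, config["SAML_SP_ATTRIBUTE_NAME"]))
    return {authority for authority, values in parse_authority_map(config).items()
            if roles & values}


# Constructed sample: the configured attribute carries Supervisor and Finance;
# a second attribute with the same FriendlyName but a different Name carries
# SysAdmin and must not count.
EXAMPLE_ASSERTION = build_assertion([
    ("urn:oid:1.3.6.1.4.1.5923.1.5.1.1", "isMemberOf", ["Supervisor", "Finance"]),
    ("memberOf", "isMemberOf", ["SysAdmin"]),
])

if __name__ == "__main__":
    print(sorted(granted_authorities(EXAMPLE_CONFIG, EXAMPLE_ASSERTION)))   # ['AGENTS_READ', 'USERS_ALL']
    wide_open = dict(EXAMPLE_CONFIG, SAML_SP_FULL_ACCESS_GRANTED="true")
    print(granted_authorities(wide_open, EXAMPLE_ASSERTION))                 # {'*'}
```

With the page's example configuration, a user whose `urn:oid:1.3.6.1.4.1.5923.1.5.1.1` attribute contains `Supervisor` gets `USERS_ALL` and `AGENTS_READ` but not `STATISTICS_READ`; the `SysAdmin` value in the `memberOf` attribute changes nothing, which is the behaviour to expect when an IdP releases the right group under the wrong attribute Name.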