Create a service provider signing certificate if you plan to use any of the additional functions for SAML authentication described in this topic. For information about how to do this, see Creating and updating the SP signing certificate for SAML authentication.
When you import SAML metadata to the IdP, you can sign it on the BMC Helix SSO server. Signing the metadata provides additional security between the IdP and the service provider (SP).
If you have configured BMC Helix SSO to sign SAML metadata for IdP, you can additionally configure BMC Helix SSO to sign the SAML authentication requests between BMC Helix SSO and the IdP.
If encryption is enabled on the identity provider side, you must configure the BMC Helix SSO server to decrypt the encrypted assertions in SAML responses. To encrypt SAML assertions, the identity provider uses one of the following methods: AES-128, AES-192, or AES-256.
If the identity provider uses the AES-192 or AES-256 encryption method, you must enable Java on the BMC Helix SSO server to decrypt the SAML assertions.
As a BMC Helix SSO administrator, you can configure specific attributes in the SAML IdP to extract information about an authenticated user.
The SAML IdP extracts the information during the user authentication stage. The following attribute types can be extracted: String, Number, and List (presumably of Strings).
On the SAML IdP side (for example, AD FS), the corresponding Claim Rules must be defined to extract the attributes, for example, to extract all groups a user belongs to. The Claim Rule is the following:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);
For other attributes, the Claim Rules are created with the Claim Rule Wizard by using the "Send LDAP Attributes as Claims" rule template and selecting the attributes, for example, Display-Name → Surname, E-Mail-Address → EMail Address, and so on.
To configure the attributes in SAML IdP:
//*[local-name()='AttributeStatement']/*[local-name()='Attribute'][@Name='()='AttributeValue']
10. Save the changes.
Examples of XPath values for attributes:
Groups, XPath = //*[local-name()='AttributeStatement']/*[local-name()='Attribute'][@Name='()='AttributeValue']
Type = StringArray
Email, XPath = string(//*[local-name()='AttributeStatement']/*[local-name()='Attribute'][@Name='
Name, XPath = string(//*[local-name()='AttributeStatement']/*[local-name()='Attribute'][@Name='
Here is an example of how the extracted attributes are stored in the database:
{ "ctx": { "a1aeb5ee-8a83-11ec-a8a3-0242ac120002" : { "full_name": "Gary Stewart", "age" : 40, "enabled": "true", "groups": ["A1", "B2"] } } }
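As an added example that is not BMC's code, the following Python script applies an attribute mapping of the kind described above (a String, a StringArray and a Number attribute) to a constructed sample assertion and builds the attribute dictionary in the shape shown stored under "ctx". The mapping, attribute names and sample values are assumptions; ElementTree's XPath subset has no local-name(), so the {*} namespace wildcard (Python 3.8+) stands in for the local-name() steps of the XPath values above.

```python
"""Added example (not BMC's code): apply a page-style attribute mapping to a SAML assertion."""
import xml.etree.ElementTree as ET

# Constructed sample assertion, not a real IdP response. The 'saml2' prefix is
# arbitrary; the local-name() matching in the page's XPath exists precisely so
# that extraction does not depend on which prefix the IdP happens to emit.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml2:AttributeValue>gary.stewart@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml2:AttributeValue>A1</saml2:AttributeValue>
      <saml2:AttributeValue>B2</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="age"><saml2:AttributeValue>40</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Hypothetical mapping in the shape of the page's examples:
# attribute key -> (Name of the SAML Attribute to read, page type name).
MAPPING = {
    "email": ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "String"),
    "groups": ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "StringArray"),
    "age": ("age", "Number"),
}

def parse_assertion(xml_text):
    # Only ever run extraction on an assertion whose signature has already been verified.
    return ET.fromstring(xml_text)

def attribute_values(root, name):
    """Namespace-agnostic equivalent of the page's XPath
    //*[local-name()='AttributeStatement']/*[local-name()='Attribute'][@Name=name]/*[local-name()='AttributeValue'].
    ElementTree has no local-name(), so the {*} namespace wildcard (Python 3.8+) plays that role."""
    path = f".//{{*}}AttributeStatement/{{*}}Attribute[@Name='{name}']/{{*}}AttributeValue"
    return [(node.text or "").strip() for node in root.iterfind(path)]

def extract(xml_text, mapping):
    """Return the attributes dict in the shape the page shows stored under 'ctx'."""
    root = parse_assertion(xml_text)
    ctx = {}
    for key, (attr_name, kind) in mapping.items():
        values = attribute_values(root, attr_name)
        if kind == "StringArray":      # Groups example: every AttributeValue, as a list
            ctx[key] = values
        elif kind == "Number":         # numeric claim, e.g. "age": 40
            ctx[key] = int(values[0]) if values else None
        else:                          # String: first value, like string(...) in the Email/Name examples
            ctx[key] = values[0] if values else None
    return ctx

if __name__ == "__main__":
    print(extract(SAMPLE_ASSERTION, MAPPING))
```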
Importing configuration from an identity provider and configuring SAML