Importing configuration from an identity provider and configuring SAML
After you have configured the advanced options for SAML authentication, you can import SAML IdP metadata and configure the SAML authentication for a realm on your Remedy Single Sign-On server.
Before you begin
- Obtain the SAML IdP metadata URL, or a metadata file obtained from the IdP, so that you can import it.
To import SAML metadata of the identity provider
- Click Import, and select one of the following options to import SAML metadata:
  - Select Import from URL, and type the URL where the IdP SAML configuration is stored.
  - Select Import from file, and upload the SAML configuration file from a local folder on your computer.
Once you import SAML metadata, most of the fields on the Authentication page get populated with imported values:
| Field | Description |
|---|---|
| IdP Entity ID | Identity provider entity ID obtained from an external identity provider, such as Active Directory Federation Services (AD FS) or Okta. |
| Login URL | Login URL of the identity provider, obtained from an external identity provider such as AD FS or Okta. |
| Logout URL | URL provided by the identity provider to which the user is redirected and automatically logged out by the service provider. If you do not provide a value for this parameter, the value in the Login URL field is used for both the login and the logout endpoint. |
| Logout Response URL | URL provided by the identity provider to which the user is redirected for identity provider initiated logout. |
| IdP Signing Certificate | Signing certificate that Remedy SSO uses to sign requests that are sent to the identity provider. |
| Name ID Format | Name identifier formats that the service provider supports. Name identifiers are the way the service provider and the identity provider refer to a user when communicating with each other. The Name ID Format list is ordered: the first entry has the highest priority in determining the format to use. If the user does not specify a Name ID format when initiating single sign-on, the first entry in this list that the remote identity provider supports is chosen. A persistent identifier is saved to a particular user's data store entry as the value of two attributes; a transient identifier is temporary, and no data is written to the user's persistent data store. Note: To link user accounts from the service provider and the remote identity provider after login, the persistent nameID format must be at the top of the list. |
| Auth Context Compare | Options for the auth context comparison: exact, minimum, maximum, or better. |
| Auth Context | Authentication context that maps the SAMLv2-defined authentication context classes to the authentication level that is set for the user session for the service provider. |
- After you have imported the IdP settings, review the imported configuration fields, and configure the rest of the SAML fields as required:
| Field | Description |
|---|---|
| Federation metadata URL | URL of the identity provider federation metadata. Use this field to enable automatic rollover; such rollovers are more frequent if you use Azure Active Directory as an identity provider. Remedy SSO uses this URL to re-import the identity provider metadata automatically, including an IdP Signing Certificate that might have been updated. |
| HTTP Binding Type | HTTP binding for the service provider initiated logout URL. |
| User ID Attribute | Attribute in the SAML response from which the user ID is retrieved. If the User ID attribute is not specified, the NameID is used as the user ID. |
| Issuer | Issuer details that the SAML authentication request XML uses to inform the IdP of the service provider entity ID for this request. If the value is not specified, the service provider entity ID of the current realm is used by default as the Issuer in the SAML authentication request. |
| Assertion Time Skew | Time offset between Remedy SSO and the identity provider. |
| Assertion Time Format | Time format used by assertions. |
| Sign Request | Option to indicate whether the identity provider requires the authentication request to be signed. |
| Force Authentication | Option to enforce authentication. |
| Enable Single Logout | Option to delete the SAML IdP session on application logout. If an end user logs out from the application, the user is logged out from the SAML IdP as well. |
| Sign Metadata | Option to indicate whether the identity provider requires SAML metadata to be signed. To sign the SAML metadata, select this check box. Additionally, on the General > Advanced tab, specify Signing Key Alias. You might need to sign the SAML metadata to ensure that the security policies of your organization are followed. When you configure a realm for SAML metadata signing, the Remedy SSO server gets the certificate and private key from the keystore alias and signs the metadata with them. |
| Signing Algorithm | You can select the signing algorithm only if you select the Sign Request check box, the Sign Metadata check box, or both. Select one of the following signing algorithms, each combining a hash function and a key type. Select an algorithm supported by your IdP. |
| | Remedy SSO metadata that is configured in the SP Metadata Template field. If any required parameter is missing, the system shows an error message for that parameter. |
| Authentication Request Template | Template used for the SAML authentication request. You can select Default, or you can select Custom and edit the template if required. |
| SP Metadata Template | Service provider metadata template. You can select Default, or you can select Custom and edit the template if required. |
| Bypass for reauth requests | Setting to indicate that SAML must not be used for reauthentication requests in an authentication chain. |
| Use SessionNotOnOrAfter parameter for session time | Option to define where the maximum time of an end user authentication session is configured. By default, the maximum session time is the value set in the Max Session Time field on the General > Basic tab in the Remedy SSO Admin Console. |
| Xpath 1.0 for group retrieval | XPath query for extracting user groups from the SAML assertion. The information about the user groups is stored in the authentication session attributes and is returned by the /token/groups REST API endpoint. |
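Several of the fields above only make sense once you see them applied to an assertion: User ID Attribute (with its NameID fallback), Assertion Time Skew and Assertion Time Format, Use SessionNotOnOrAfter parameter for session time, and Xpath 1.0 for group retrieval. The Python script below is an added example, not Remedy SSO code, that applies those settings to a constructed, unsigned assertion. The attribute name `memberOf`, the timestamps, the identifiers and the 3600-second default session time are constructed; that the session falls back to Max Session Time when the IdP sends no SessionNotOnOrAfter value is an assumption of this example, as is the exact form of XPath query the field accepts (the script adapts an XPath 1.0 query to the subset that Python's ElementTree understands).

```python
"""Added example (not Remedy SSO code): apply the realm's SAML settings to a
constructed SAML assertion and return user ID, validity, session expiry and groups."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DEFAULT_TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # the usual SAML UTC timestamp form
# Group query in XPath 1.0 form; the attribute name 'memberOf' is assumed.
GROUP_XPATH = "//saml:Attribute[@Name='memberOf']/saml:AttributeValue/text()"

# Constructed assertion for illustration only (no signature, placeholder values).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-123</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
  <saml:AuthnStatement AuthnInstant="2024-05-01T12:00:00Z"
      SessionNotOnOrAfter="2024-05-01T20:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>itsm-admins</saml:AttributeValue>
      <saml:AttributeValue>helpdesk</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_time(value, time_format=DEFAULT_TIME_FORMAT):
    """Parse an assertion timestamp using the configured Assertion Time Format."""
    return datetime.strptime(value, time_format).replace(tzinfo=timezone.utc)


def et_path(xpath):
    """Adapt an XPath 1.0 query to ElementTree's subset: a relative './/' instead
    of a leading '//', and no trailing text() step (we read .text instead)."""
    if xpath.endswith("/text()"):
        xpath = xpath[: -len("/text()")]
    if xpath.startswith("//"):
        xpath = "." + xpath
    return xpath


def attribute_values(assertion, name):
    """All AttributeValue texts of the attribute called `name`."""
    path = f".//saml:Attribute[@Name='{name}']/saml:AttributeValue"
    return [v.text.strip() for v in assertion.findall(path, NS) if v.text]


def evaluate_assertion(xml_text, now_text, *, skew_seconds=0, max_session_seconds=3600,
                       use_session_not_on_or_after=False, user_id_attribute=None,
                       group_xpath=GROUP_XPATH, time_format=DEFAULT_TIME_FORMAT):
    assertion = ET.fromstring(xml_text)
    now = parse_time(now_text, time_format)
    skew = timedelta(seconds=skew_seconds)

    # User ID Attribute: take the named attribute, otherwise fall back to NameID.
    if user_id_attribute:
        values = attribute_values(assertion, user_id_attribute)
        user_id = values[0] if values else None
    else:
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        user_id = name_id.text if name_id is not None else None

    # Assertion Time Skew: widen the Conditions window by the configured offset.
    cond = assertion.find("saml:Conditions", NS)
    within_conditions = False
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        not_before = parse_time(cond.get("NotBefore"), time_format) - skew
        not_on_or_after = parse_time(cond.get("NotOnOrAfter"), time_format) + skew
        within_conditions = not_before <= now < not_on_or_after

    # Session time: Max Session Time by default; the SessionNotOnOrAfter value
    # when the option is enabled and the IdP sent one (the fallback is assumed).
    expires = now + timedelta(seconds=max_session_seconds)
    if use_session_not_on_or_after:
        stmt = assertion.find("saml:AuthnStatement", NS)
        value = stmt.get("SessionNotOnOrAfter") if stmt is not None else None
        if value:
            expires = parse_time(value, time_format)

    # Xpath 1.0 for group retrieval: the values later served by /token/groups.
    groups = [g.text.strip() for g in assertion.findall(et_path(group_xpath), NS) if g.text]

    return {
        "user_id": user_id,
        "within_conditions": within_conditions,
        "session_expires": expires.strftime(time_format),
        "groups": groups,
    }


if __name__ == "__main__":
    print(evaluate_assertion(SAMPLE_ASSERTION, "2024-05-01T12:03:00Z", skew_seconds=60))
```

Two settings deserve attention when you run this against your own values. A large Assertion Time Skew widens the window in which a captured assertion is still accepted, so keep it to what clock drift between Remedy SSO and the IdP actually requires. And with Use SessionNotOnOrAfter enabled, the IdP decides the session length, so check what your IdP sends in SessionNotOnOrAfter before relying on it instead of Max Session Time.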
- Click Save.
After you have configured a realm for SAML authentication, you must obtain the URL of the SAML metadata file.
- In the left navigation panel of the Edit Realm page, click Authentication.
- Click View Metadata.
The metadata file opens in the browser.
- Copy the URL displayed in the browser window, and save it to a text editor.
The URL might look as follows:
You will need this URL when you configure the IdP for SAML authentication.
Watch this video (3:53) on how to configure SAML in Remedy SSO. This video covers the SAML configurations that are performed from the Remedy SSO Admin Console.
The following video shows an older version of Remedy SSO. Although there might be minor changes in the user interface, the overall functionality remains the same.