Importing configuration from an identity provider and configuring the SAML authentication
After you have configured the advanced options for SAML authentication, you can import the identity provider (IdP) metadata and configure the SAML authentication for a realm on your Remedy Single Sign-On server.
Before you begin
- The Import from URL or
- The SAML metadata file imported from the IdP.
To import SAML metadata of the identity provider
- Click Import, and select one of the following options to import the SAML metadata:
- Select Import from URL, and type the URL where the IdP SAML configuration is stored.
- Select Import from file, and upload the SAML configuration file from a local folder on your computer.
- Click Import.
After you import SAML metadata, most of the fields on the Authentication page get populated with imported values.
Review the imported configuration fields, and configure the rest of the SAML fields as required:
Field Description Identity Provider Federation metadata URL
URL of the IdP's federation metadata. The URL must go to the valid (not expired) signing certificate of the IdP.
Remedy SSO verifies whether a signing key exists at this URL. If a signing key exists, Remedy SSO uses this information for authentication.
Note: There is a rollover of signing keys at the IdP end. Such rollovers are more frequent if Azure Active Directory is used as an IdP. For Remedy SSO to automatically track the rollovers, you must import SAML metadata of the IdP, and in the Import from URL specify the value used as the federation metadata URL.
IdP Entity ID
Entity ID obtained from an external IdP such as Active Directory Federation Services (AD FS) or Okta.
Login URL obtained from an external IdP such as AD FS or Okta.
URL provided by the IdP to which the user is redirected for SP initiated logout.
If you do not provide any value for this parameter, the value specified in the Login URL field is used both for login and logout.
Logout Response URL URL provided by the IdP to which the user is redirected for IdP initiated logout. HTTP Binding Type
HTTP binding for the SP initiated logout URL.
IdP Signing Certificate
Used by Remedy SSO to decrypt requests.
User ID Attribute Used to retrieve the user ID from the specified attribute in the SAML response. If it is not specified, the NameID will be used as the user ID. NameID Format
Name identifier formats supported by a service provider. Service providers use name identifiers to pass information about users.
In this field, enter the NameID Format values. The first value in the list has the highest priority in determining the Name ID format to use.
If a user does not specify a Name ID when initiating single sign-on, the first value specified in the NameID Format list is chosen and supported by the remote IdP.
A persistent identifier is saved to a particular user's data store entry as a two-attributes value.
A transient identifier is temporary and no data will be written to the user's persistent data store.
Note: For linking user accounts from the service provider and the remote IdP together, after logging in, the persistent NameID format must be at the top of the list.
Auth Context Compare Options (exact, minimum, maximum, better) available for the auth context compare. Auth Context Authentication context that maps the SAML 2.0-defined authentication context classes to the authentication level that is set for the user session for the service provider. Auth Issuer
Issuer details that are used by the SAML authentication request XML to inform the IdP about the entity ID of the service provider for this request.
If the value is not specified, by default, the entity ID of the current realm is used as an Issuer in SAML authentication request.
Assertion Time Skew
Time offset between Remedy SSO and the IdP.
Assertion Time Format Time format used by assertions.
Option to indicate whether the IdP requires authentication request to be signed.
To sign the SAML metadata, select this check box. Additionally, on the General > Advanced tab, and specify the Signing Key Alias.
Force Authentication Option to enforce authentication. Enable Single Logout Option to delete SAML IdP session on application logout. If an end user logs out from the application, the user is logged out from SAML IdP as well. Sign Metadata
Option to indicate whether the IdP requires SAML metadata to be signed.
You might need to sign the SAML metadata to follow security policies in your organization. When you configure a realm to sign SAML metadata, the Remedy SSO server gets the certificate and private key from keystore's alias and signs the metadata with this key.
Service Provider View Metadata
Remedy SSO metadata that is configured in the SP Metadata Template field. If any required parameter is missing, the system shows an error message for that parameter.
Template Authentication Request Template Template used for SAML authentication request. You can select Default or Custom and edit the template, if required. SP Metadata Template
Service provider metadata template. You can select Default or Custom and edit the template, if required. After upgrade, the SP metadata template is not updated. To be able to use new functionality after upgrade, you must manually update the metadata template. For more information about updating the metadata template after upgrading, see Upgrading.
Bypass for reauth requests Indicates that SAML must not be used for reauthentication requests in an authentication chain.
- Click Save.
After you have configured a realm for SAML authentication, you must obtain the link of the SAML metadata file.
- In the left navigation panel of the Edit Realm page, click Authentication.
- Click View Metadata.
The metadata file opens in the browser.
- Copy the URL displayed in the browser window, and save it to a notepad.
The URL might look as follows:
You will need this URL when you configure the IdP for SAML authentication.
Watch this video (3:53) on how to configure SAML in Remedy SSO. This video covers the SAML configurations that are performed from the Remedy Single Sign-On console.
Where to go from here