This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience. You will not be able to leave comments.

Remote Service Provider (SP) Editor

Services tab

Field

Parameter

Description

Name

Enter a name for the SP or accept the provided SP name. The Name field is pre-populated with a value that reflects the expected SP name.

View SAMLv2 Metadata

Click this option to view the metadata XML for the configured SP. When you click View SAMLv2 Metadata, a new page opens, displaying the metadata.

MetaAlias

The internally generated identifier for the entity. This value is used in the SAMLv2 login URL specified in the agent configuration.

Binding

This option determines how SAML messages are sent and received between the IdP and the SP. HTTP-Redirect and Post are used when a direct connection between the IdP and SP is not possible. The two bindings differ in the method used to exchange the SAMLv2 messages: HTTP Redirect or XHTML Form with Post.

SOAP Basic Authentication

Name
Password
Confirm Password

SOAP Basic authentication can be enabled to protect the SOAP SP endpoints. Any provider accessing these endpoints must provide these user name and password values.

Signing/Encryption tab

Field

Parameter

Description

Sign Messages

Signing Certificate Alias

The alias specifies the certificate that will be used to sign the specified SAML messages. Signing is used to verify that the messages have not been altered in transit and that they originated with the SP.

Authentication Request, Logout Request, Logout Response, Assertions, Manager Name ID Request, Manager Name ID Response, Artifact Response, and Post Response

These parameters are the SAMLv2 messages that are to be signed by the SP or are expected to have been signed by the SP.

Encrypt Elements

Encryption Certificate Alias

The alias specifies the private key that will be used to encrypt the secret key used to encrypt the SAMLv2 messages.

Encryption Algorithm

The encryption algorithm used to encrypt SAMLv2 messages. Select an option, None, 3DES, AES-128, or AES-256, from the drop-down menu.

Assertion, Attribute, Name ID

Select the check boxes if you want to encrypt the Assertion, Attribute, or Name ID parameters instead of using plain text.

Note: When you are using BMC Atrium Single Sign-On as an IdP for SAMLv2 authentication using encryption, you must select the relevant check box: Assertion, Attribute or Name ID. You must use the same encryption for the Local SP as well.

Authentication Request

Field

Parameter

Description

Name ID Formats 

Defines the name identifier formats supported by the service provider. Name identifiers are a way for providers to communicate with each other regarding a user.

The Name ID format list is an ordered list; the first Name ID has the highest priority in determining the Name ID format to use. If the user does not specify a Name ID to use when initiating single sign-on, the first one in this list is chosen and supported by the remote Identity Provider.

A persistent identifier is saved to a particular user's data store entry as the value of two attributes. A transient identifier is temporary and no data will be written to the user's persistent data store.

Note: To link user accounts from the SP and the IdP (Remote Identity Provider) together after logging in, the persistent Name ID format must be at the top of the list.
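The following check is an added example, not code from BMC or from the original page. It audits the XML shown by View SAMLv2 Metadata for the signing, encryption and Name ID order settings described above, assuming that XML follows the standard SAML 2.0 metadata schema; the sample document, entity ID and function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRIPLE_DES = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"

# Constructed, trimmed sample (KeyInfo omitted); not output from a real server.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/sp">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"/>
    <KeyDescriptor use="encryption">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
  </SPSSODescriptor>
</EntityDescriptor>"""


def audit_sp_metadata(xml_text):
    """Return a list of findings for one SP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", MD)
    if sp is None:
        return ["no SPSSODescriptor: not SP metadata"]
    findings = []
    if sp.get("AuthnRequestsSigned", "false").lower() not in ("true", "1"):
        findings.append("authentication requests are not signed")
    if sp.get("WantAssertionsSigned", "false").lower() not in ("true", "1"):
        findings.append("SP does not require signed assertions")
    uses = {kd.get("use") for kd in sp.findall("md:KeyDescriptor", MD)}
    # A KeyDescriptor with no 'use' attribute serves both purposes.
    for use in ("signing", "encryption"):
        if use not in uses and None not in uses:
            findings.append("no %s certificate published" % use)
    algs = [m.get("Algorithm") for m in sp.iterfind(".//md:EncryptionMethod", MD)]
    if TRIPLE_DES in algs:
        findings.append("3DES offered for encryption; prefer AES-128 or AES-256")
    formats = [f.text.strip() for f in sp.findall("md:NameIDFormat", MD) if f.text]
    if PERSISTENT in formats and formats[0] != PERSISTENT:
        findings.append("persistent Name ID format is not first in the list")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_sp_metadata(SAMPLE)))
```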

Assertion Processing

Field

Parameter

Description

Artifact Encoding

The encoding technique used for Assertion Artifacts. The encoding method is determined by the IdP and is usually related to the binding method. From the drop-down menu, select URI or FORM.

Attribute Mapping

SAML Attribute

Atrium SSO Attribute

Attribute Mapping is used to take user attributes (such as email, phone number, etc.) from the external user store and map them to the attributes used within the BMC Atrium Single Sign-On system. To define a mapping, enter the name of the SAML Attribute, select from the drop-down menu the Atrium SSO Attribute that the external attribute will map to, and click Add to put the new mapping into the table.
