Configuring advanced functions for SAML authentication


Depending on the configuration of your identity provider (IdP), you might need to configure advanced functions for SAML authentication on the BMC Helix Single Sign-On server. 

Before you begin

Create a service provider signing certificate if you plan to use any of the additional functions for SAML authentication described in this topic. For information about how to do this, see Creating-and-updating-the-SP-signing-certificate-for-SAML-authentication.

To sign SAML authentication requests

If you have configured BMC Helix SSO to sign SAML metadata for IdP, you can additionally configure BMC Helix SSO to sign the SAML authentication requests between BMC Helix SSO and the IdP.  

  1. On the General > Advanced tab, complete the Keystore File and Keystore Password fields.
  2. On the General > Advanced tab, specify the Signing Key Alias field.
  3. Click Save.
  4. On the Realm > Authentication tab, ensure that the Sign Request check box is selected. 
  5. Click Save.

To sign SAML metadata for IdP

When you import SAML metadata to the IdP, you can sign it on the BMC Helix SSO server. Signing the metadata provides additional assurance between the IdP and the service provider (SP).

  1. On the General > Advanced tab, complete the Keystore File and Keystore Password fields.
  2. On the General > Advanced tab, specify the Signing Key Alias field.
  3. Click Save.
  4. On the Realm > Authentication tab, ensure that the Sign Metadata check box is selected.
  5. Click Save.

To decrypt the encrypted assertions in SAML responses 

If encryption is enabled on the identity provider side, you must configure the BMC Helix SSO server to decrypt the encrypted assertions in SAML responses. To encrypt SAML assertions, the identity provider uses one of the following methods: AES-128, AES-192, or AES-256.

If the identity provider uses the AES-192 or AES-256 encryption method, you must enable Java on the BMC Helix SSO server to decrypt the SAML assertions.

  1. In BMC Helix SSO Admin Console, navigate to General > Advanced > SAML Service Provider.
  2. Enter the Encryption Key Alias parameter. 
  3. Click Save.

To extract information from SAML IdP

As a BMC Helix SSO administrator, you can configure specific attributes in the SAML IdP to extract information about an authenticated user.

The SAML IdP provides the attributes during the user authentication stage. Supported attribute types are String, Number, and List (presumably a list of Strings).

On the SAML IdP side (for example, ADFS), the corresponding Claim Rules must be defined to release the attributes; for example, to extract all groups that a user belongs to, use the following Claim Rule:

Example of the Claim Rule
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);

For other attributes, create the Claim Rules with the Claim Rule Wizard by using the Send LDAP Attributes as Claims rule template and selecting the attributes to send.


The user attributes must be listed in the “User attributes” table on the Authentication tab; for example, Display-Name > Surname, E-Mail-Address > EMail Address, and so on.


To configure the attributes in SAML IdP:

  1. In BMC Helix SSO Admin Console, navigate to the Realm tab, and click Authentication.
  2. From the Authentication drop-down list, select SAML.
  3. Navigate to the User attributes section and click Add. Here, you can specify attributes for extraction.
  4. In the Name field, specify a name for the attribute.
  5. From the Type drop-down list, select the appropriate type of attribute.
  6. In the XPath field, specify the attributes in the following format:

    //*[local-name()='AttributeStatement']/*[local-name()='Attribute'][@Name='<attribute name>']/*[local-name()='AttributeValue']

  7. Save the changes.

Examples of attributes for XPath values:

  • Groups, XPath = //*[local-name()='AttributeStatement']/*[local-name()='Attribute'][@Name='<attribute name>']/*[local-name()='AttributeValue']
    Type = StringArray
  • Email, XPath = string(//*[local-name()='AttributeStatement']/*[local-name()='Attribute'][@Name='
  • Name, XPath = string(//*[local-name()='AttributeStatement']/*[local-name()='Attribute'][@Name='
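As an added illustration (not BMC's code), the following Python applies an attribute configuration like the "User attributes" table above to a constructed SAML response, showing how a String attribute yields a single value and a StringArray attribute yields a list. The attribute Name URIs are hypothetical placeholders, and because ElementTree has no local-name() function, namespace-qualified paths stand in for the page's XPath.

```python
# Added example (not BMC's code): extract SAML attributes the way the
# "User attributes" table describes. The page's XPath uses local-name();
# ElementTree lacks that function, so namespace-qualified paths are used.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample response; the attribute Name URIs are hypothetical.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="{SAML_NS}">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.example.test/claims/role">
        <saml:AttributeValue>A1</saml:AttributeValue>
        <saml:AttributeValue>B2</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.example.test/claims/emailaddress">
        <saml:AttributeValue>gary.stewart@example.test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.example.test/claims/displayname">
        <saml:AttributeValue>Gary Stewart</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Mirrors the admin-console table: stored name -> (SAML attribute Name, Type).
ATTRIBUTE_CONFIG = {
    "groups": ("http://schemas.example.test/claims/role", "StringArray"),
    "email": ("http://schemas.example.test/claims/emailaddress", "String"),
    "full_name": ("http://schemas.example.test/claims/displayname", "String"),
}


def extract_attributes(response_xml: str, config: dict) -> dict:
    """Return {name: value}; StringArray -> list, String -> first value or None."""
    root = ET.fromstring(response_xml)
    path = f".//{{{SAML_NS}}}AttributeStatement/{{{SAML_NS}}}Attribute"
    by_name = {}
    for attr in root.iterfind(path):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        by_name.setdefault(attr.get("Name"), []).extend(values)
    ctx = {}
    for key, (saml_name, kind) in config.items():
        values = by_name.get(saml_name, [])
        if kind == "StringArray":
            ctx[key] = values
        else:
            # string(...) in the page's XPath yields only the first matching value
            ctx[key] = values[0] if values else None
    return ctx
```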

The following is an example of how the extracted attributes are stored in the database:

Example for the XPath attribute configuration
{
 "ctx": {
     "a1aeb5ee-8a83-11ec-a8a3-0242ac120002" : {
        "full_name": "Gary Stewart",
        "age" : 40,
        "enabled": "true",
        "groups": ["A1", "B2"]
     }
 }
}

Where to go from here

Importing-configuration-from-an-identity-provider-and-configuring-SAML
