Settings IdP (outside of Sitevision)
Identity Provider, also called IdP, stores all user account and password information. The IdP's task is to authenticate users and issue a so-called "SAML ticket" that indicates that the user is logged in. Examples of IdP services are ADFS, Portwise, and Mobilityguard.
IdP metadata
Before you begin setting up SAML in SiteVision (SP), you need to have working IdP metadata. Below you will find an example of a working IdP metadata.
SAML ticket
The SAML ticket contains information about the user and is needed for authentication. It is with the help of the SAML ticket that the user is verified and can be assigned membership in Virtual Groups for permissions, in case the groups attribute is used.
The following must be included in the SAML ticket when the user arrives at Sitevision:
- A Subject with a NameID. Its value should be the user's unique identity*.
It is also important that you specify the format of the NameID (its Format attribute).
See the example SAML ticket further below, where the format is set to "persistent".
The GDPR legislation
With the new stricter approach to the storage of personal data, we discourage you from using an identifier that contains information that can be linked to the individual user. This especially applies if you use SiteVision Cloud.
* Remember to choose a unique identifier for the user that does not change. If it changes, a new user will be created on the Website. In cases where you use Social Collaboration, a new empty social user identity will also be created.
To be able to present data about the user, it is our recommendation that you also send the following attributes/claims. Note that the name of the attribute needs to be written exactly as below for Sitevision to map the information correctly.
- givenName = First name
- sn = Last name
- mail = Email address
- title = Title
- mobile = Mobile number
- telephoneNumber = Telephone number
- description = Description
Which attributes are submitted is entirely up to you as a customer to decide. In the example below, we have listed the attributes that are available by default in Sitevision, but there is no limit to which attributes can be included.
Example
Here you can see an example of a working SAML ticket with information from the local directory service. A ticket usually contains more information, but to make it easier to read, we have replaced some parts with dots.
<samlp:Response ID="_8df09hh876-5klh-7ef0-cc88907dss09" .......... >
  ...........
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  ...........
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent">850101-charlie</NameID>
    ..........
  </Subject>
  <AudienceRestriction>
    <Audience>https://www.sitevision.se</Audience>
  </AudienceRestriction>
  ..........
  <AttributeStatement>
    <Attribute Name="givenName">
      <AttributeValue>Charlie</AttributeValue>
    </Attribute>
    <Attribute Name="sn">
      <AttributeValue>Ask</AttributeValue>
    </Attribute>
    <Attribute Name="mail">
      <AttributeValue>charlie.ask@company.se</AttributeValue>
    </Attribute>
    <Attribute Name="title">
      <AttributeValue>Webmaster</AttributeValue>
    </Attribute>
    <Attribute Name="mobile">
      <AttributeValue>07xxxxxxxx</AttributeValue>
    </Attribute>
    <Attribute Name="telephoneNumber">
      <AttributeValue>019xxxxxx</AttributeValue>
    </Attribute>
    <Attribute Name="description">
      <AttributeValue>Temporary account for SAML login</AttributeValue>
    </Attribute>
    <Attribute Name="groups">
      <AttributeValue>Administrator-Sitevision</AttributeValue>
      <AttributeValue>Editor-Sitevision</AttributeValue>
      <AttributeValue>Sitevision-HQ</AttributeValue>
      <AttributeValue>SV-CustomerSuccess</AttributeValue>
    </Attribute>
  </AttributeStatement>
  ..........
</samlp:Response>

The Groups attribute in the SAML ticket
The groups attribute is not mandatory. However, if you want to control permissions on the website per group in the directory service, it is required.
In the groups attribute, you include the groups the user belongs to in the directory service. You then create Virtual Groups in Sitevision with matching names, and link those virtual groups to permission roles on the website pages. Read more under Virtual Groups.
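The following script is an added illustration (not Sitevision's own code) of what a customer can check in a decoded SAML ticket, for instance one captured with a browser SAML tracer: that the status is Success, that the Subject carries a NameID with an explicit Format, that the Audience is the intended site, that the recommended profile attributes named above are present with exactly those names, and which values of the multi-valued groups attribute would match the Virtual Groups configured in Sitevision. The function names, the sample response and all values in it are constructed for this example. It only inspects; it does not verify the XML signature, so it says nothing about whether a ticket should be trusted.

```python
"""Inspect a decoded SAML 2.0 Response and report whether it carries what the
text above asks for: a Success status, a NameID with an explicit Format, an
Audience, the recommended profile attributes and the optional groups attribute.
Added illustration, not Sitevision's own code. It inspects only; it does NOT
verify the XML signature, so never use it to decide whether to accept a ticket."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Attribute names Sitevision maps by default; they are case-sensitive.
PROFILE_ATTRS = ("givenName", "sn", "mail", "title",
                 "mobile", "telephoneNumber", "description")

# Constructed sample response; IDs, audience and attribute values are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-response" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_example-assertion" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-4711</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>https://www.example.se</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Charlie</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="sn"><saml:AttributeValue>Ask</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>charlie.ask@example.se</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="title"><saml:AttributeValue>Webmaster</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mobile"><saml:AttributeValue>07xxxxxxxx</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="telephoneNumber"><saml:AttributeValue>019xxxxxx</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>Administrator-Sitevision</saml:AttributeValue>
        <saml:AttributeValue>Editor-Sitevision</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(xml_text):
    """Pull the fields Sitevision cares about out of a Response document."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        # A multi-valued attribute such as groups yields one entry per AttributeValue.
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "status": status.get("Value") if status is not None else None,
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audiences": [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)],
        "attributes": attributes,
    }


def check_ticket(ticket, expected_audience):
    """Return (errors, warnings): errors block login, warnings only degrade the profile."""
    errors, warnings = [], []
    if ticket["status"] != SUCCESS:
        errors.append(f"status is {ticket['status']!r}, expected Success")
    if not ticket["name_id"]:
        errors.append("Subject has no NameID")
    elif not ticket["name_id_format"]:
        errors.append("NameID has no Format attribute")
    if expected_audience not in ticket["audiences"]:
        errors.append(f"Audience {ticket['audiences']} does not include {expected_audience}")
    for name in PROFILE_ATTRS:
        if name not in ticket["attributes"]:
            warnings.append(f"missing recommended attribute: {name}")
    return errors, warnings


def virtual_group_matches(ticket, virtual_groups):
    """Virtual Groups the user would land in: exact matches between the groups
    attribute values and the names configured in Sitevision (none if no groups)."""
    return sorted(set(ticket["attributes"].get("groups", [])) & set(virtual_groups))


if __name__ == "__main__":
    ticket = parse_response(SAMPLE_RESPONSE)
    errors, warnings = check_ticket(ticket, "https://www.example.se")
    print("NameID:", ticket["name_id"], "format:", ticket["name_id_format"])
    print("errors:", errors)
    print("warnings:", warnings)
    print("virtual groups:", virtual_group_matches(ticket, ["Editor-Sitevision", "Sitevision-HQ"]))
```

Run it against the XML you paste from your own tracer capture instead of SAMPLE_RESPONSE; a ticket that yields errors will not log the user in, while a warning such as a missing description only means that field stays empty on the user's profile.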
Other settings in IdP
- The signing hash algorithm (SHA256 or SHA1) must match the setting in the SAML2 filter on the website.
- Sitevision's encryption certificate is not issued by a public CA and may therefore have to be imported into the IdP's trusted root store.
- The encryption certificate is in the provider metadata, inside the <ds:X509Certificate> tag found within <md:KeyDescriptor use="encryption">.
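Pulling the certificate out of the metadata by hand is error-prone, since whitespace inside the tag or picking the signing descriptor instead of the encryption one both produce a file the IdP rejects. The script below is an added illustration (not Sitevision's code) that reads the metadata, keeps the certificates apart by their use attribute, strips the whitespace and wraps the encryption certificate as PEM ready for import. The metadata fragment, its entityID and the base64 bodies are constructed placeholders, not real certificates.

```python
"""Extract the encryption certificate from SP metadata and wrap it as PEM so it
can be imported into the IdP's trusted store. Added illustration, not
Sitevision's own code; the sample metadata and its certificate bodies are placeholders."""
import textwrap
import xml.etree.ElementTree as ET

MD_NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed metadata fragment; the base64 bodies are placeholders, not real certificates.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://www.example.se">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>U0lHTklOR1BMQUNFSE9MREVS</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        RU5DUllQVElPTlBMQUNFSE9MREVS
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def certificates_by_use(metadata_xml):
    """Map each KeyDescriptor's use ('signing' or 'encryption') to its base64
    certificate body, with any line breaks and indentation removed."""
    root = ET.fromstring(metadata_xml)
    certs = {}
    for kd in root.findall(".//md:KeyDescriptor", MD_NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD_NS)
        if cert is not None and cert.text:
            # A KeyDescriptor without a use attribute serves both purposes.
            certs[kd.get("use", "both")] = "".join(cert.text.split())
    return certs


def to_pem(b64_body):
    """Wrap a bare base64 DER body in PEM armour, 64 characters per line."""
    lines = textwrap.wrap(b64_body, 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def encryption_cert_pem(metadata_xml):
    """PEM text of the encryption certificate, preferring an explicit
    use="encryption" descriptor over a descriptor with no use attribute."""
    certs = certificates_by_use(metadata_xml)
    body = certs.get("encryption") or certs.get("both")
    if body is None:
        raise ValueError("metadata has no encryption KeyDescriptor")
    return to_pem(body)


if __name__ == "__main__":
    # Save the output as sitevision-encryption.pem and import it on the IdP.
    print(encryption_cert_pem(SAMPLE_METADATA))
```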
Using Firefox’s add-on "SAML Tracer" you can easily review a SAML ticket after the user has logged into their IdP. Great for troubleshooting! The equivalent is also available for Chrome in the form of SAML Message Decoder.
The SAML configuration on the IdP side is handled by you as a customer, or by your partner or operating partner if one handles these parts for you. Sitevision Product Support can assist if needed but does not perform the configuration.
help.sitevision.se always refers to the latest version of Sitevision