help.sitevision.se always refers to the latest version of Sitevision
Identity Provider, also called IdP, stores all user account and password information. The IdP's task is to authenticate users and issue a so-called "SAML ticket" that indicates that the user is logged in. Examples of IdP services are ADFS, Portwise, and Mobilityguard.
Before you begin setting up SAML in SiteVision (SP), you need to have working IdP metadata. Below you will find an example of a working IdP metadata.
The SAML ticket contains information about the user and is needed for authentication. It is by using the SAML ticket that the user is authenticated and assigned to a Virtual group for permissions.
The following must be included in the SAML ticket when the user arrives at Sitevision:
- A Subject with name "NameID". The value should be set to the user's unique identity*. It is also important that you specify the format of the information.
See sample of SAML ticket below.
The GDPR legislation
With the new stricter approach to the storage of personal data, we discourage you from using an identifier that contains information that can be linked to the individual user. This especially applies if you use SiteVision Cloud.
* Remember to choose a unique identifier for the user that does not change. If it changes, a new user will be created on the Website. In cases where you use Social Collaboration, a new empty social user identity will also be created.
To be able to present data about the user, it is our recommendation that you also send the following attributes/claims. Note that the name of the attribute needs to be written exactly as below for Sitevision to map the information correctly.
- givenName = First name
- sn = Last name
- mail = mail address
Here you can see an example of a working SAML ticket with information from the local directory service. A ticket usually contains more information, but to make it easier to read, we have replaced some parts with points.
The Groups attribute in the SAML ticket
The groups attribute is not mandatory. However, if you want to permission control the website for different groups in the directory service, this is a must.
In the groups attribute, you include the groups the user belongs to in the directory service. You then create Virtual Groups in Sitevision against which they are matched. The virtual groups are in turn linked to permission roles on the site's pages. Read more about Virtual groups here.
Other settings in IdP
- The hashing algorithm, SHA256/SHA1 must match the setting in the SAML2-filter on the website.
- Sitevision’s encryption certificate is not public and may therefore have to be imported into trusted root.
- The encryption certificate is in the provider metadata inside the tag <ds:X509Certificate> found inside <md:KeyDescriptor use="encryption">
Using Firefox’s add-on "SAML Tracer" you can easily review a SAML ticket after the user has logged into their IdP. Great for troubleshooting! The equivalent is also available for Chrome in the form of SAML Message Decoder.
Help with the configuration of IdP is not included in Sitevision Support.
The page published: