Aurora: Configure SAML for the community
As an Aurora community admin, you can configure authentication for your community and integrate with your SAML IdP.
To configure your SAML settings, go to Admin > Settings > System > Account.
Learn more about Khoros SAML here. For more details regarding individual SAML settings, see About SAML settings.
Set up basic SAML
- Configure your identity provider.
- Retrieve Community Service Provider Metadata XML: /t5/s/<communityID>/auth/saml/metadata
- If the SP metadata is inaccessible, contact Khoros Support and request that the SAML feature be enabled.
- Update the external Identity Provider configuration using the values from the Community SP metadata XML (for example, the SP entity ID and the Assertion Consumer Service URL and binding).
- Go to Admin > Settings > System > Account.
- Scroll down to the SAML section and, under SAML Basics, make sure Enable SSL Authentication is turned on if your SAML setup requires a Secure Sockets Layer (SSL) connection.
- In the IdP Metadata section, in the Metadata XML area, click Edit to paste your IdP metadata XML, provided by your IdP.
- In the Assertion to Profile Mapping section, for each profile field you want to map, enter the name of the attribute in your SAML assertion that carries that value (see Assertion to profile mapping in About SAML settings). A SAML assertion is the XML document the identity provider sends to the service provider with the user's authentication and attribute details. Attribute names are matched case-sensitively, so the name you enter must match the attribute name your IdP sends exactly. With the exception of the SSOID value, which must come from the assertion, user settings can be gathered either directly from assertion attributes sent by your identity provider or captured on the SSO User Registration form.
Note: Adjustments to the SSO registration form currently require manual configuration by Khoros.
- When you have finished your SAML configuration and are ready to test, in the Single Sign On (SSO) section, turn on Use Khoros single sign-on (SSO).
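The two places where a basic setup most often fails are the IdP being configured from the wrong SP values and an attribute name that differs from the IdP's only in case. The following pre-flight script is an added example, not Khoros code: it reads a constructed stand-in for the SP metadata XML and pulls out the values an IdP administrator needs, then checks a constructed sample assertion against the attribute names typed into Assertion to Profile Mapping. The hostnames, the ACS path, the attribute names and the profile field names are assumptions made for the example.

```python
"""Pre-flight checks for the basic SAML setup.

Added example, not Khoros code. It (1) pulls the values an IdP admin needs
out of the community's SP metadata XML and (2) verifies that the attribute
names typed into "Assertion to Profile Mapping" match the IdP's assertion
exactly, because the match is case sensitive. Both XML documents below are
constructed for the example; the hostnames, the ACS path and the attribute
names are assumptions, not values taken from Khoros.
"""
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml instead

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed stand-in for what /t5/s/<communityID>/auth/saml/metadata returns.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://community.example.com/t5/s/mycommunity/auth/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://community.example.com/t5/s/mycommunity/auth/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample assertion as the IdP would send it (signature omitted).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="ssoid"><saml:AttributeValue>7b1d-4c2a</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Profile field -> attribute name, as typed into the admin UI (assumed names).
PROFILE_MAPPING = {
    "ssoid": "ssoid",
    "email": "email",         # IdP actually sends "Email"
    "first_name": "firstName",
    "last_name": "lastName",  # IdP does not send this at all
}


def sp_metadata_summary(xml_text: str) -> dict:
    """Return the SP values an IdP administrator has to enter on their side."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    return {
        "entity_id": root.get("entityID"),
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "name_id_formats": [n.text for n in sp.findall("md:NameIDFormat", NS)],
        "acs": [
            {
                "binding": a.get("Binding").rsplit(":", 1)[-1],  # e.g. HTTP-POST
                "location": a.get("Location"),
                "default": a.get("isDefault") == "true",
            }
            for a in sp.findall("md:AssertionConsumerService", NS)
        ],
    }


def assertion_attributes(xml_text: str) -> dict:
    """Map each attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(xml_text)
    return {
        attr.get("Name"): [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)
    }


def check_profile_mapping(mapping: dict, attrs: dict) -> dict:
    """Status per profile field: 'ok', 'missing', or 'case-mismatch:<name the IdP sends>'."""
    by_lower = {name.lower(): name for name in attrs}
    statuses = {}
    for field, wanted in mapping.items():
        if wanted in attrs:
            statuses[field] = "ok"
        elif wanted.lower() in by_lower:
            statuses[field] = f"case-mismatch:{by_lower[wanted.lower()]}"
        else:
            statuses[field] = "missing"
    return statuses


def safe_to_enable_sso(statuses: dict) -> bool:
    """SSOID must resolve from the assertion; other fields may fall back to the registration form."""
    return statuses.get("ssoid") == "ok"


if __name__ == "__main__":
    print(sp_metadata_summary(SP_METADATA))
    statuses = check_profile_mapping(PROFILE_MAPPING, assertion_attributes(ASSERTION))
    for field, status in statuses.items():
        print(f"{field:12} {status}")
    print("ssoid resolves:", safe_to_enable_sso(statuses))
```

Run against a real assertion captured from your IdP's test login (with the browser's SAML tracer or the IdP's own preview), the case-mismatch status points straight at the field to correct in the admin UI; a missing field is only acceptable if it is one the registration form can collect.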
Set up SP-initiated SAML
To set up SP-initiated SAML flow, you must also set up the basic SAML flow.
Note: The Registration page, Sign-in page, and Sign-out page URLs (in the Single Sign On (SSO) section) must be preceded by your community ID. Contact Khoros Support and request the Community ID.
- Go to Admin > Settings > System > Account.
- In the Single Sign On (SSO) section, below SSO URLs, click Edit.
- In the Registration page field, enter the URL of the default page to which you want to redirect the users when they click the registration link to register to the community.
If you use the (default) SAML POST binding for AuthN requests, then enter
/t5/s/<communityID>/auth/saml/doauth/post
If you use the SAML REDIRECT binding for AuthN requests, then enter
/t5/s/<communityID>/auth/saml/doauth/redirect
- In the Sign-in page field, enter the URL of the default page to which you want to redirect members when they sign in to the community.
If you use the (default) SAML POST binding for AuthN requests, enter
/<communityID>/auth/saml/doauth/post
If you use the SAML REDIRECT binding for AuthN requests, enter
/<communityID>/auth/saml/doauth/redirect
- In the Sign-out page field, enter the URL of the default page to which you want to redirect members when they sign out of the community.
- Click Save.
- Turn on Use Khoros single sign-on (SSO).
Set up IdP-initiated SAML
To set up IdP-initiated SAML flow, you must also set up the basic SAML flow.
If the SAML authentication request for community sign-in should originate from your Identity Provider (an IdP-initiated flow) rather than from the community itself, a slightly different configuration is required.
- Go to Admin > Settings > System > Account.
- In the Single Sign On (SSO) section, below SSO URLs, click Edit.
- In the Registration page and Sign-in page fields, enter the URLs for your Identity Provider’s SAML sign-in/registration services. This is in contrast to SP-initiated configuration, which would specify community-specific SAML authentication services.
- In the Sign-out page field, enter the URL of the default page to which you want to redirect the members when they sign out of the community.
- Click Save.
- When you have finished your SAML configuration and are ready to test, in the Single Sign On (SSO) section, turn on Use Khoros single sign-on (SSO).
Note: The query parameter that carries the community resource URL the user originally requested must be preserved by your Identity Provider and sent back with the SAML Response; otherwise the user cannot be returned to the page where they started the sign-in. The parameter name is configurable with the Return Value Parameter Name setting. Make sure your IdP returns the parameter under exactly the same name it received when the user was directed to it.
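The round trip described in the note, as an added example that is not Khoros code: the community sends the member to the configured Sign-in page with the requested resource in the return parameter, and the page the member lands on is taken from the same parameter when the SAML Response is posted back. The parameter name "referer", the IdP URL, the community hostname and the assumption that the community appends the parameter itself are all assumptions made for the example. The value checks in landing_target are the ones a reviewer would want on any return-URL parameter (it must name a page on the community, not an arbitrary site); the page does not describe how the community itself validates the value.

```python
"""Return-parameter round trip for IdP-initiated sign-in.

Added example, not Khoros code. The parameter name, the IdP URL, the
community hostname and the way the parameter is appended are assumptions.
"""
from typing import Optional
from urllib.parse import urlencode, urlsplit

RETURN_PARAM = "referer"                           # assumed "Return Value Parameter Name"
IDP_SSO_URL = "https://idp.example.com/sso/saml"   # assumed "Sign-in page" value
COMMUNITY_HOST = "community.example.com"           # assumed community hostname


def idp_signin_url(requested_path: str) -> str:
    """URL the member is sent to: the Sign-in page plus the resource they asked for."""
    return f"{IDP_SSO_URL}?{urlencode({RETURN_PARAM: requested_path})}"


def landing_target(posted_form: dict) -> Optional[str]:
    """Decide where to land after the SAML Response arrives.

    Returns the community path to redirect to, or None when the IdP dropped or
    renamed the parameter (the member then lands on the default page) or when
    the value points off-site, which would turn sign-in into an open redirect.
    """
    if "SAMLResponse" not in posted_form:
        return None
    value = posted_form.get(RETURN_PARAM)
    if not value or "\\" in value:        # browsers treat a backslash like a slash
        return None
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:      # absolute URL or protocol-relative //host
        if parts.scheme != "https" or parts.netloc != COMMUNITY_HOST:
            return None
        value = parts.path + (f"?{parts.query}" if parts.query else "")
    if not value.startswith("/") or value.startswith("//"):
        return None
    return value


if __name__ == "__main__":
    wanted = "/t5/s/mycommunity/forums/topic/42"
    print(idp_signin_url(wanted))
    # Constructed POST bodies as the IdP would send them (SAMLResponse shortened).
    good = {"SAMLResponse": "PHNhbWxwOlJlc3BvbnNl...", RETURN_PARAM: wanted}
    renamed = {"SAMLResponse": "PHNhbWxwOlJlc3BvbnNl...", "RelayState": wanted}
    offsite = {"SAMLResponse": "PHNhbWxwOlJlc3BvbnNl...", RETURN_PARAM: "https://evil.example/phish"}
    for name, form in (("good", good), ("renamed", renamed), ("offsite", offsite)):
        print(f"{name:8} -> {landing_target(form)}")
```

The "renamed" case is the failure the note warns about: an IdP that echoes the value under RelayState instead of the configured name leaves the member on the default page rather than the one they asked for.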