About Aurora SAML settings
As an Aurora community admin, you can configure authentication for your community and integrate with your SAML IdP. To follow step-by-step instructions, see Configure SAML for the Aurora community.
The following article describes each SAML setting.
Basic SAML settings
| Setting | Description |
| --- | --- |
| Enable SSL authentication | Turn on this option if the SAML setup requires an SSL connection and uses https for endpoint calls. |
| SSO ID regex | Click Edit to enter a regular expression that extracts the SSO ID as a substring of an attribute value. If no expression is specified, the entire attribute value is used as the SSO ID and no additional logic is applied. |
IdP settings
Your identity provider must provide you with the IdP metadata XML. It should contain the IdP certificate, the entity ID, the sign-in binding and, if used, the sign-out binding.
To configure more than one identity provider, contact Khoros Support.
Assertion to profile mapping
| Assertion mapping | Description |
| --- | --- |
| SSO ID | Enter the SAML Response assertion attribute name that should be mapped to the Community user SSO ID. For example, if the attribute name for the SSO ID is NameID, enter NameID in this field. This mapping is required. |
| Community login | Enter the attribute name for the user’s display name in the community. This mapping is required unless the value is gathered on the Aurora Community user registration page. |
| Email address | Enter the attribute name for the user’s email address. This mapping is required unless the value is gathered on the Community user registration page. |
| First name | Enter the attribute name for the user’s first name. |
| Last name | Enter the attribute name for the user’s surname. |
| Location | Enter the attribute name for the user's location. This maps to the location setting on the community member’s profile page. |
| Time zone | Enter the attribute name for the user's time zone. This maps to the time zone setting in the community member’s profile. |
| Language | Enter the attribute name for the user's language. This maps to the language setting in the community member’s profile. |
| Roles to add attribute | Enter the attribute name holding a comma-separated list of existing community role names. Role names are case sensitive; any roles that do not exist in the community are ignored. The user is added to the matched roles. |
| Roles to remove attribute | Enter the attribute name holding a comma-separated list of existing community role names. Role names are case sensitive; any roles that do not exist in the community are ignored. The user is removed from the matched roles. |
| Dynamic assertion mapping | Enter any custom Aurora community user settings that are not listed in this tab, one key-value pair per line, in the form Community Setting name = SAML Response attribute name. Example: profile.langcode=preferredLanguage |
| Do not set login value from IdP | Turn on this option to stop the SSO parameters from being populated with the login value. Use it when you want to keep the related attribute name in the configuration, but you have enabled the user SSO registration page and collect the login name from that page instead of passing it from the SSO. |
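The mapping rules above (SSO ID regex, case-sensitive role matching, and the dynamic mapping format) applied to a constructed assertion, as an added example that is not Khoros code. The attribute names, regular expression and role names are assumptions, as is the regex handling (first capture group if present, otherwise the whole match).

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample assertion for this example (not a real IdP response).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="groups"><saml:AttributeValue>Moderator,admin,Ghost</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="revoke"><saml:AttributeValue>Guest</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="preferredLanguage"><saml:AttributeValue>fr</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
# Assumed community configuration; attribute names, regex and role names are illustrative.
EXISTING_ROLES = {"Admin", "Moderator", "Guest"}
CONFIG = {
    "sso_id_attr": "NameID",
    "sso_id_regex": r"^([^@]+)@",  # assumption: keep the local part as the SSO ID
    "roles_add_attr": "groups",
    "roles_remove_attr": "revoke",
    "dynamic": "profile.langcode=preferredLanguage",  # one "setting = attribute" per line
}

def attributes(xml):
    """Flatten an assertion into {attribute name: value}; NameID is exposed as 'NameID'."""
    root = ET.fromstring(xml)
    attrs = {"NameID": root.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for a in root.findall(".//saml:Attribute", NS):
        attrs[a.get("Name")] = a.findtext("saml:AttributeValue", namespaces=NS)
    return attrs

def extract_sso_id(value, regex):
    """Whole value when no regex is set; otherwise first capture group (or the whole match)."""
    if not regex:
        return value
    m = re.search(regex, value)
    return (m.group(1) if m.groups() else m.group(0)) if m else None

def match_roles(csv, existing):
    """Case-sensitive match against existing role names; unknown names are ignored."""
    return [r.strip() for r in (csv or "").split(",") if r.strip() in existing]

def map_profile(xml, cfg, existing_roles):
    attrs = attributes(xml)
    profile = {
        "sso_id": extract_sso_id(attrs[cfg["sso_id_attr"]], cfg["sso_id_regex"]),
        "add_roles": match_roles(attrs.get(cfg["roles_add_attr"]), existing_roles),
        "remove_roles": match_roles(attrs.get(cfg["roles_remove_attr"]), existing_roles),
    }
    for setting, attr in (l.split("=", 1) for l in cfg["dynamic"].splitlines() if "=" in l):
        profile[setting.strip()] = attrs.get(attr.strip())  # dynamic assertion mapping
    return profile
```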
SP metadata
The SP Metadata URL is provided here.
Turn on Accept all audiences if you want to bypass the audience URL verification (the check that the assertion was issued for this community). This option is turned off by default.
Sign-in settings
| Setting | Description |
| --- | --- |
| Enable login querystring override | Turn on this option when you want to append login endpoint parameters that are not specified in the IdP metadata. When enabled, the key and value defined in Login querystring parameter are appended to the HTTP POST binding login flow. |
| Login querystring parameter | Click Edit to enter the login querystring parameter that is appended to the request sent to the IdP for an SP-initiated AuthN request. |
| Encode login value | Turn on this option to HTML-encode the login querystring value. |
| Enable register querystring override | Turn on this option to pass additional parameters, other than the ones specified in the IdP metadata, for the member registration flow. |
| Register querystring parameter | If you turn on the Enable register querystring override setting, click Edit to enter the URL query parameter that must be passed when initializing the SAML POST binding (not the redirect binding) login request. |
| Encode register value | Turn on this option to HTML-encode the register querystring value. |
Sign-out settings
| Setting | Description |
| --- | --- |
| Request signed | Turn on this option if you want all the SLO (single logout) requests signed. |
| Response signed | Turn on this option if you want all the SLO (single logout) responses signed. |
| Redirect URL | Click Edit to enter the URL of the page to which you want to redirect members after they sign out. |
Advanced settings
| Setting | Description |
| --- | --- |
| Skip signature check | Do not turn on this option in a community’s production environment. Turn it on only while testing, when you want to skip the response and assertion signature checks. |
| Timeouts | Click Edit to adjust the following timeouts: |
| Only verify response signature | Turn on this option to skip the assertion signature check in cases where the IdP signs the response and not the assertion. |
| Skip assertion IP check | Turn on this option if you have specified an IP address in the SAML assertion and want to bypass the IP address check. If you do not turn on this option, the IP address of the request and the IP address in the assertion are compared. |
| Skip assertion consumer service check | Turn on this option if you want to bypass the check that determines whether the community is the intended recipient of the assertion. |
| Allowed audiences | Click Edit to enter a comma-separated list of hostnames if your community uses more than one hostname and members sign in through different ones. |
| URL encode return value parameter name | Turn on this option to encode the return value parameter name added to requests, to avoid misinterpretation of referrers that contain URL-sensitive characters. |
| Skip instance AuthN check | Turn on this option to skip the time check validation performed on the AuthnInstant attribute of the AuthnStatement within the assertion. This is a workaround for customers that use the AuthnInstant to indicate when the member authenticated to their system (per the SAML specifications), which could be days, weeks, or even months in the past. This does not impact other time validations performed for the SAML Response and the assertion. This will likely be required for any customer using ADFS as an IdP. |
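To make clear what each of the skip options above disables, here is an added example (not Khoros code) that runs the audience, recipient, IP address, validity-window and AuthnInstant checks over a constructed assertion and drops a check when the corresponding flag is set. The setting names, the ACS URL and the eight-hour AuthnInstant threshold are assumptions, and signature checks are not modelled.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed assertion fragment (not a real IdP response) carrying the fields
# that the Advanced settings act on; no signature is included.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:SubjectConfirmation>
  <saml:SubjectConfirmationData Recipient="https://community.example.com/saml/acs"
   Address="203.0.113.10" NotOnOrAfter="2099-01-01T00:00:00Z"/>
 </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>community.example.com</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AuthnStatement AuthnInstant="2020-01-01T08:00:00Z"/>
</saml:Assertion>"""

def ts(value):
    """Parse a SAML UTC timestamp such as 2020-01-01T08:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def failed_checks(xml, settings, request_ip, acs_url, now, max_authn_age=timedelta(hours=8)):
    """Return the names of the checks the assertion fails; each skip flag removes one check."""
    root = ET.fromstring(xml)
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    authn = root.find("saml:AuthnStatement", NS)
    audiences = {a.text for a in root.findall(".//saml:Audience", NS)}
    failures = []
    if not settings["accept_all_audiences"] and not audiences & settings["allowed_audiences"]:
        failures.append("audience")      # Accept all audiences / Allowed audiences
    if not settings["skip_acs_check"] and scd.get("Recipient") != acs_url:
        failures.append("recipient")     # Skip assertion consumer service check
    if not settings["skip_ip_check"] and scd.get("Address") not in (None, request_ip):
        failures.append("address")       # Skip assertion IP check
    if now >= ts(scd.get("NotOnOrAfter")):
        failures.append("expired")       # not affected by the AuthnInstant skip
    if not settings["skip_authn_instant_check"] and now - ts(authn.get("AuthnInstant")) > max_authn_age:
        failures.append("authn_instant")  # Skip instance AuthN check (threshold is an assumption)
    return failures

# Assumed strict configuration: every check enabled, one allowed audience hostname.
STRICT = {"accept_all_audiences": False, "allowed_audiences": {"community.example.com"},
          "skip_acs_check": False, "skip_ip_check": False, "skip_authn_instant_check": False}
```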
Related topics:
- About Security Assertion Markup Language (SAML) Single Sign-On (SSO) in Aurora
- Configure SAML for the Aurora community