Knowledge Base Article

About Aurora SAML settings

As an Aurora community admin, you can configure authentication for your community and integrate with your SAML IdP. To follow step-by-step instructions, see Configure SAML for the Aurora community. 

The following article describes each SAML setting. 

Basic SAML settings

Setting

Description

Enable SSL authentication

Turn on this option if the SAML setup requires an SSL connection and uses https for endpoint calls.

SSO ID regex

Click Edit to enter a regular expression to extract the SSO as a substring of an attribute. By default, the entire attribute value is used as the SSO ID.


If nothing is specified, the entire value is used and no additional logic is applied.

IdP settings

Your identity provider must provide you the IdP metadata XML. This should contain the IdP certificate, the entity ID, the sign-in bindings as well as sign-out binding if used.

To configure more than one identity provider, contact Khoros Support.

Assertion to profile mapping

Assertion mapping

Description

SSO ID

Enter the SAML Response assertion attribute name that should be mapped to the Community user SSO ID.

For example, if the attribute name for the SSO ID is NameID, enter NameID in this field.

This mapping is required.

Community login

Enter the attribute name for the user’s display name in the community. This mapping is required unless the value is gathered on the Aurora Community user registration page.

Email address

Enter the attribute name for the user’s email address. This mapping is required unless the value is gathered on the Community user registration page.

First name

Enter the attribute name for the user’s first name.

Last name

Enter the attribute name for the user’s surname.

Location

Enter the attribute name for the user's location. This maps to the location setting that you specify in the community member’s profile page.

Time zone

Enter the attribute name for the user's time zone. This maps to the time zone setting that you specify in the community member’s profile.

Language

Enter the attribute name for the user's language. This maps to the language setting that you specify in the community member’s profile.

Roles to add attribute

Enter the attribute name holding a  comma-separated list of existing community Role names (any roles that do not exist in the community are ignored). Role names are case sensitive. The user is added to the matched roles. 

Roles to remove attribute

Enter the attribute name holding a  comma-separated list of existing community role names. Role names are case sensitive. The user is removed from the matched roles. Any roles that do not exist in the community are ignored.

Dynamic assertion mapping

Enter any custom Aurora community user settings that are not listed in this tab. This is a newline separated, key-value pair: 

Community Setting name = SAML Response attribute name.

Example: profile.langcode=preferredLanguage

Do not set login value from IdP

Turn on this option to stop the SSO parameters from being populated with the login value.

Use this if you want to track the related attribute name via configuration but you have enabled the user SSO registration page for the user and are collecting the login name from the registration page instead of passing it from the SSO.

SP metadata

The SP Metadata URL is provided here.

Turn on Accept all audiences if you want to bypass the audience URL verification. This option is turned off by default.

Sign-in settings

Setting

Description

Enable login querystring override

Turn on this option when you want to append more login endpoint parameters that are not specified in the IdP metadata. When enabled, the key and value defined in the login querystring key and value are appended to the HTTP POST binding login flow.

Login querystring parameter

Click Edit to enter the login querystring value that is most often passed and appended to the IdP for an SP-initiated AuthN request.

Encode login value

Turn on this option to HTML-encode the login querystring value.

Enable register querystring override

Turn on this option to pass additional parameters other than the ones specified in the IdP metadata for the member registration flow.

Register querystring parameter

If you turn on the Enable register querystring override setting, click Edit to enter the URL query parameter that must be passed when initializing the SAML post binding (not the redirect binding) login request. 

Encode register value

Turn on this option to HTML-encode the register querystring value.

Sign-out settings

Setting

Description

Request signed

Turn on this option if you want all the SLO (single logout) requests signed.

Response signed

Turn on this option if you want all the SLO (single logout) responses signed.

Redirect URL

Click Edit to enter the URL of the page to which you want to redirect members after they sign out.

Advanced settings

Setting

Description

Skip signature check

Do not turn on this option in a community’s production environment. Turn it on only while testing and you want to skip the response and assertion signature check.

Timeouts

Click Edit to adjust the following timeouts:

Response expiration

In seconds, specify how long the SAML Response remains valid from the time it is deemed valid. The default is 60.

Assertion expiration

In seconds, specify the maximum time an assertion is usable after it is created. The default is 3000.

Authentication expiration

In seconds, specify the maximum time a member’s authentication is valid. The default is 7200.

Response valid before

In seconds, specify the maximum time the message is deemed valid before response creation. The default is 10.

Assertion valid before

In seconds, specify the maximum time the assertion is valid after generation. The default is 10.

Authentication valid before

In seconds, specify the maximum time allowed before the member’s authentication. The default is 10.

Don't verify subject element on or after (in ms)

In milliseconds, specify the maximum time that the subject element in assertion is valid.

Only verify response signature

Turn on this option to skip the assertion signature check in cases where the IdP is signing the response and not the assertion.

Skip assertion IP check

Turn on this option if you have specified an IP address in the SAML assertion and want to bypass the IP address check. If you do not turn on this option, the IP address of the request and the IP address in the assertion are compared.

Skip assertion consumer service check

Turn on this option if you want to bypass the check that determines whether the community is the intended recipient of the assertion.

Allowed audiences

Click Edit to enter the list of comma-separated hostnames if you have different hostnames for your community and different members sign in to your community through different hostnames.

URL encode return value parameter name

Turn on this option to encode the return value parameter name added in the requests to avoid misinterpretation of referrers that contain URL-sensitive characters.

Skip instance AuthN check

Turn on this option to skip the time check validation performed on the AuthnInstant attribute of the AuthnStatement within the assertion. This is a workaround for customers that use the AuthnInstant to indicate when the member authenticated to their system (per the SAML specifications), which could be days, weeks, or even months in the past. This does not impact other time validations performed for the SAML Response and the assertion. This will likely be required for any customer using ADFS as an IdP.

 

Related topics:


 

Updated 6 months ago
Version 5.0
No CommentsBe the first to comment