Setting

Description

Enable SSL authentication

Turn on this option if the SAML setup requires an SSL connection and uses https for endpoint calls.

SSO ID regex

Click Edit to enter a regular expression to extract the SSO as a substring of an attribute. By default, the entire attribute value is used as the SSO ID.

If nothing is specified, the entire value is used and no additional logic is applied.

Assertion mapping

Description

SSO ID

Enter the SAML Response assertion attribute name that should be mapped to the Community user SSO ID.

For example, if the attribute name for the SSO ID is NameID, enter NameID in this field.

This mapping is required.

Community login

Enter the attribute name for the user’s display name in the community. This mapping is required unless the value is gathered on the Aurora Community user registration page.

Email address

Enter the attribute name for the user’s email address. This mapping is required unless the value is gathered on the Community user registration page.

First name

Enter the attribute name for the user’s first name.

Last name

Enter the attribute name for the user’s surname.

Location

Enter the attribute name for the user's location. This maps to the location setting that you specify in the community member’s profile page.

Time zone

Enter the attribute name for the user's time zone. This maps to the time zone setting that you specify in the community member’s profile.

Language

Enter the attribute name for the user's language. This maps to the language setting that you specify in the community member’s profile.

Roles to add attribute

Enter the attribute name holding a  comma-separated list of existing community Role names (any roles that do not exist in the community are ignored). Role names are case sensitive. The user is added to the matched roles. 

Roles to remove attribute

Enter the attribute name holding a  comma-separated list of existing community role names. Role names are case sensitive. The user is removed from the matched roles. Any roles that do not exist in the community are ignored.

Dynamic assertion mapping

Enter any custom Aurora community user settings that are not listed in this tab. This is a newline separated, key-value pair: 

Community Setting name = SAML Response attribute name.

Example: profile.langcode=preferredLanguage

Do not set login value from IdP

Turn on this option to stop the SSO parameters from being populated with the login value.

Use this if you want to track the related attribute name via configuration but you have enabled the user SSO registration page for the user and are collecting the login name from the registration page instead of passing it from the SSO.

Setting

Description

Enable login querystring override

Turn on this option when you want to append more login endpoint parameters that are not specified in the IdP metadata. When enabled, the key and value defined in the login querystring key and value are appended to the HTTP POST binding login flow.

Login querystring parameter

Click Edit to enter the login querystring value that is most often passed and appended to the IdP for an SP-initiated AuthN request.

Encode login value

Turn on this option to HTML-encode the login querystring value.

Enable register querystring override

Turn on this option to pass additional parameters other than the ones specified in the IdP metadata for the member registration flow.

Register querystring parameter

If you turn on the Enable register querystring override setting, click Edit to enter the URL query parameter that must be passed when initializing the SAML post binding (not the redirect binding) login request. 

Encode register value

Turn on this option to HTML-encode the register querystring value.

Setting

Description

Request signed

Turn on this option if you want all the SLO (single logout) requests signed.

Response signed

Turn on this option if you want all the SLO (single logout) responses signed.

Redirect URL

Click Edit to enter the URL of the page to which you want to redirect members after they sign out.

Setting

Description

Skip signature check

Do not turn on this option in a community’s production environment. Turn it on only while testing and you want to skip the response and assertion signature check.

Timeouts

Click Edit to adjust the following timeouts:

Only verify response signature

Turn on this option to skip the assertion signature check in cases where the IdP is signing the response and not the assertion.

Skip assertion IP check

Turn on this option if you have specified an IP address in the SAML assertion and want to bypass the IP address check. If you do not turn on this option, the IP address of the request and the IP address in the assertion are compared.

Skip assertion consumer service check

Turn on this option if you want to bypass the check that determines whether the community is the intended recipient of the assertion.

Allowed audiences

Click Edit to enter the list of comma-separated hostnames if you have different hostnames for your community and different members sign in to your community through different hostnames.

URL encode return value parameter name

Turn on this option to encode the return value parameter name added in the requests to avoid misinterpretation of referrers that contain URL-sensitive characters.

Skip instance AuthN check

Turn on this option to skip the time check validation performed on the AuthnInstant attribute of the AuthnStatement within the assertion. This is a workaround for customers that use the AuthnInstant to indicate when the member authenticated to their system (per the SAML specifications), which could be days, weeks, or even months in the past. This does not impact other time validations performed for the SAML Response and the assertion. This will likely be required for any customer using ADFS as an IdP.