Security Assertion Markup Language 2.0 Configuration - FAQ
Find the answers to Frequently Asked Questions (FAQs) about SAML 2.0 Configuration.
- How do I set up the SAML 2.0 Configuration in Reltio Platform?
You can configure SAML 2.0 in the Reltio Console application. After a successful login, click the SSO configuration image and enter details to set up SAML. For more information, see SSO Configuration at a glance.
- What do I need to set up SAML 2.0?
You need the IdP (Identity Provider) metadata file to configure SAML 2.0; this file is exported from the IdP. It is an XML file that follows the SAML metadata specification and contains data about the IdP connection points (SSO endpoints), signing certificates, and so on. A sample is given below:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="http://www.okta.com/exkzyvhwuteLHeTm4356" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAWwoD1TlMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU......</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dev-227046.okta.com/app/reltiodev227046_mysaml_1/exkzyvhwuteLHeTm4356/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://dev-227046.okta.com/app/reltiodev227046_mysaml_1/exkzyvhwuteLHeTm4356/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
- What are the actions to be performed in IdP?
The following actions must be performed in IdP:
- In the IdP, update the Assertion Consumer Service (ACS) URL and EntityId, or import the Service Provider metadata into the IdP.
- Configure a User identifier (for example, the email address) as a SAML attribute. Reltio will receive this parameter as the SAML attribute while processing the SAML response.
- What would a typical SAML assertion response look like?
A sample SAML assertion response is given below:
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="id1250954461717981539332624" IssueInstant="2019-07-25T10:58:14.160Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/Issuer</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">userName</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="2019-07-25T11:03:14.345Z" Recipient="https://reltio-kishorshield.auth.us-east-1.amazoncognito.com/saml2/idpresponse"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2019-07-25T10:53:14.345Z" NotOnOrAfter="2019-07-25T11:03:14.345Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>urn:amazon:cognito:sp:us-east-1_xxxxx</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2019-07-25T10:58:14.160Z">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.email</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
- Who can log in after configuring SAML 2.0? Can users outside IdP log in to SAML 2.0?
After configuring SAML 2.0, all IdP users can log in. No, users outside IdP cannot log in; that is, only authenticated IdP users can log in.
- Can I have different IdP configurations for different tenants?
Yes, you can have different IdP configurations for each tenant. However, note that you can have only one IdP configuration for a tenant.
- Does Reltio support IdP initiated SAML flow?
No, Reltio does not support IdP initiated SAML flow. Currently, it supports only Service Provider (SP) initiated SAML flow.
- What should I do if I face issues after IdP configuration?
If you face any issues after configuring IdP, capture the HAR file and then create a support ticket for further investigation. Note: At the time of login, capture the HAR file in Incognito mode (if you are using Chrome) or in a Private tab (if you are using Firefox).
- Can I import roles from IdP into Reltio?
Yes, you can import roles from IdP into Reltio by specifying an extra SAML attribute. Make sure these roles are valid in the Reltio platform. While importing, IdP will send an additional SAML attribute with the ROLE value. Multiple roles can be imported by separating them using a comma. A sample is given below:
<saml2:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.roles</saml2:AttributeValue>
</saml2:Attribute>
- What do you mean by default roles in Single Sign On Configuration in Console?
Default roles refer to the basic roles required to work in Reltio. A user who is logged into Reltio via IdP will be assigned these roles by default. The permissions specified for these roles apply to the logged-in user. Note: By default, ROLE_API and ROLE_USER are pre-populated in Console. You can add or remove roles at the time of configuration.
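Before the email and roles attributes of an assertion like the sample response above are trusted, the SP has to check the Conditions window, the Audience, the bearer SubjectConfirmation and its Recipient, and only then read the comma-separated roles attribute and merge it with the default roles. The following is an added example (not Reltio's or Amazon Cognito's code) of those checks in the Python standard library; it assumes the XML signature has already been verified against the IdP signing certificate, that VALID_ROLES is the tenant's list of valid roles, and that the merge policy is "defaults plus any requested role that is valid". The assertion text is constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
DEFAULT_ROLES = {"ROLE_API", "ROLE_USER"}            # pre-populated defaults named on this page
VALID_ROLES = DEFAULT_ROLES | {"ROLE_ADMIN_TENANT"}  # assumed list of roles valid in the tenant

# Constructed assertion in the shape of the sample response above (no real IDs or hosts).
SAMPLE_ASSERTION = """<saml2:Assertion ID="id-1" Version="2.0" IssueInstant="2019-07-25T10:58:14.160Z"
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml2:Issuer>http://www.okta.com/Issuer</saml2:Issuer>
 <saml2:Subject><saml2:NameID>alice</saml2:NameID>
  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml2:SubjectConfirmationData NotOnOrAfter="2019-07-25T11:03:14.345Z"
    Recipient="https://sp.example.com/saml2/idpresponse"/></saml2:SubjectConfirmation></saml2:Subject>
 <saml2:Conditions NotBefore="2019-07-25T10:53:14.345Z" NotOnOrAfter="2019-07-25T11:03:14.345Z">
  <saml2:AudienceRestriction><saml2:Audience>urn:example:sp</saml2:Audience></saml2:AudienceRestriction>
 </saml2:Conditions>
 <saml2:AttributeStatement>
  <saml2:Attribute Name="email"><saml2:AttributeValue>alice@example.com</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="roles"><saml2:AttributeValue>ROLE_ADMIN_TENANT, ROLE_BOGUS</saml2:AttributeValue></saml2:Attribute>
 </saml2:AttributeStatement></saml2:Assertion>"""

def _ts(s):  # SAML timestamps are UTC, e.g. 2019-07-25T11:03:14.345Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def _attr(root, name):
    node = root.find("saml2:AttributeStatement/saml2:Attribute[@Name='%s']/saml2:AttributeValue" % name, NS)
    return (node.text or "").strip() if node is not None else ""

def validate_assertion(xml_text, issuer, audience, acs_url, now):
    """Return (email, roles) or raise; call only after the XML signature has been verified."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml2:Issuer", "", NS).strip() != issuer:
        raise ValueError("unexpected Issuer")
    cond = root.find("saml2:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if audience not in [a.text.strip() for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]:
        raise ValueError("assertion not addressed to this SP")
    sc = root.find("saml2:Subject/saml2:SubjectConfirmation", NS)
    scd = sc.find("saml2:SubjectConfirmationData", NS)
    if (sc.get("Method") != "urn:oasis:names:tc:SAML:2.0:cm:bearer" or scd.get("Recipient") != acs_url
            or now >= _ts(scd.get("NotOnOrAfter"))):
        raise ValueError("bearer confirmation does not match this ACS endpoint or has expired")
    email = _attr(root, "email")
    if not email:
        raise ValueError("email attribute missing: user cannot be mapped")
    requested = {r.strip() for r in _attr(root, "roles").split(",") if r.strip()}
    return email, DEFAULT_ROLES | (requested & VALID_ROLES)   # unknown roles are dropped
```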
- Can I configure SSO to enable RDM tenants also?
Yes, you can use the same configuration of the other tenants by adding the RDM tenant ID into the Tenants array in externalProviderConfig. A sample is given below:
"externalProviderConfig": [
  {
    ...
    "tenants": [
      "MDM Tenant ID",   <- this can be turned on through the Console by a customer
      "RDM Tenant ID"    <- this can be added only manually through API
    ],
    ...
  }
]
- What bindings are supported by Reltio's SAML 2.0 based Federation Service?
Reltio supports the POST binding. Reltio uses AWS Cognito as a backbone to support SAML 2.0. So, all bindings supported by AWS Cognito are supported by Reltio. For more information, see Amazon Cognito.
- What is the preferred format for Name ID?
There is no specific format for Name ID. You can use any required format.
- Do requests need to be signed?
This depends on the IdP metadata configuration. In Reltio, both signed and non-signed requests are supported.
- While configuring SSO for Azure AD, I get the following error: “Required String parameter RelayState is not present”. What should I do and how should I proceed?
To configure SSO for Azure AD effectively, follow these steps:
- Log in to the tenant.
- Open your Console application.
- In Console, click SSO Configuration. For more information, see SSO Configuration at a glance.
- Click CONFIGURE SAML. The SAML Configuration page is displayed.
- Enter the Email ID SAML attribute.
- In the IdP Configuration section, upload your IdP SAML Metadata file.
- Click Configure.
- Click DOWNLOAD SP-METADATA XML.
- Upload this file into Azure AD. On successful upload, all attributes are displayed. Note: Make sure that the Email Address attribute is the same as specified during SSO Configuration.
- Log in to your tenant again.
- Enter your login credentials. You will be logged in successfully.