The configuration that makes Authentic 2 a SAML2 service provider is the same as the one that makes it a SAML2 proxy. The only difference is whether Authentic 2 is also configured as a SAML2 identity provider.
Go to http[s]://your.domain.com/authsaml2/metadata
You first need to create a SAML2 identity provider entry from the SAML2 metadata of that identity provider. Then you configure it.
If your identity provider is Authentic 2, the metadata are available at:
http[s]://your.domain.com/idp/saml2/metadata
See Where do I find the Authentic 2 SAML2 metadata? for more information.
You first need to create a new SAML2 identity provider entry. This requires the SAML2 metadata of the identity provider.
Go to
http[s]://your.domain.com/admin/saml/libertyprovider/add/
Fill in the form fields.
The identity provider must be enabled.
See below about configuring the identity provider with policies:
The SAML2 options of the identity provider are configured using IdP options policies. The options themselves are explained in the following section.
For the principle of administration with policies, see the page How global policies are used in Authentic 2 administration.
You may create a regular policy and configure your service provider to use it.
Go to:
http[s]://your.domain.com/admin/saml/idpoptionssppolicy/add/
Configure your policy and save:
Apply the policy to the identity provider:
Example with a policy ‘Default’:
Example with a policy ‘All’:
If no policy is found for the configuration of the SAML2 options of an identity provider, the following error is displayed to users when an SSO request is initiated.
This option applies when an assertion with a persistent nameID is received and the nameID is not recognized as an existing federation.
Two values are possible: “Create new account” and “Account linking by authentication”.
The value “Create new account” makes Authentic 2 create a user account associated to the nameID received.
The value “Account linking by authentication” makes Authentic 2 ask the user to authenticate with an existing account to associate the nameID to this account.
This option applies when an assertion with a transient nameID is received and there isn’t a session opened for the user yet.
Two values are possible: “Open a session” and “Ask authentication”.
The value “Open a session” makes Authentic 2 open a session.
The value “Ask authentication” makes Authentic 2 ask for a user authentication, even when a valid assertion is received. That may make sense, for instance, if the SSO login is used only to receive signed attributes for users that already have accounts.
The Well-Known Location (WKL) means that the entity ID of the provider is a URL at which the provider metadata are hosted.
To refresh the metadata, select the provider in the list of providers, choose ‘Update metadata’ in the action menu, then click ‘Go’.
See the page explaining the sync-metadata script: How to create/import and delete in bulk SAML2 identity and service providers with the sync-metadata script?