Configuration of SAML 2.0 SSO

Learn about the properties that you need to set for configuring SAML 2.0 SSO.

Before configuring Edge Flow Manager (EFM) to use SAML, first set up a SAML client application configuration in your SSO identity provider. For information about how to do this, see SSO identity provider setup.

Before configuring SAML, EFM must already be configured to use TLS. SAML authentication passes the SAML response and the resulting access token to EFM; without TLS these can be intercepted and replayed, so EFM does not allow SAML authentication unless TLS is enabled. For more information on enabling TLS in EFM, see TLS configuration for EFM.

EFM supports both Identity Provider (IdP) initiated and Service Provider (SP) initiated flows.

To enable SAML in EFM, the following properties must be set in the efm.properties file:
efm.security.user.saml.enabled=true
efm.security.user.saml.metadataLocation=https://example.okta.com/app/example/sso/saml/metadata
Where,
  • efm.security.user.saml.enabled

    Set to true to enable SAML authentication.

  • efm.security.user.saml.metadataLocation

    Location of the identity provider metadata (a local file system path or a location hosted by the identity provider), which is used for dynamic configuration.

    Optional parameters for further configuration are as follows:

    efm.security.user.saml.entityId=efmCustomEntityId
    efm.security.user.saml.signingCredentials.privateKeyLocation=/path/to/private.key
    efm.security.user.saml.signingCredentials.privateKeyPassword=password
    efm.security.user.saml.signingCredentials.certificateLocation=/path/to/certificate.crt
    efm.security.user.saml.displayNameAttribute=displayNameAttribute
    Where,
    • efm.security.user.saml.entityId
      The application-defined unique identifier that is the intended audience of the SAML assertion. Set this property when the default Entity ID, which is derived from {baseUrl}, is undesirable.
    • efm.security.user.saml.signingCredentials.privateKeyLocation

      File system location of the private key used to sign SAML requests.

    • efm.security.user.saml.signingCredentials.privateKeyPassword

      Password of the private key.

    • efm.security.user.saml.signingCredentials.certificateLocation

      File system location of the certificate that corresponds to the private key used to sign SAML requests.

    • efm.security.user.saml.displayNameAttribute

      Name of the attribute in the SAML response whose value is used as the display name of the user.

    EFM supports SAML metadata based configuration. SAML metadata is an XML document that contains the information necessary for interacting with SAML-enabled identity providers. To obtain such a metadata file, create a new application integration at your identity provider; for details, see the documentation of your IdP. To configure the application at the IdP, the following EFM specific values are needed:
    • Single sign on URL

      This value is also known as the SAML Assertion Consumer Service (ACS) URL. For a default installation on localhost, it is https://localhost:10090/efm/login/saml2/sso/efmSaml.

    • Audience URI (SP Entity ID)

      By default, this is https://localhost:10090/efm/saml2/serviceProviderMetadata/efmSaml. Note that the host, port, and context path differ depending on your configuration. This value can be overridden with the efm.security.user.saml.entityId property.

    After the IdP configuration is complete, you can obtain the metadata.xml file. Set the location of that metadata file in the efm.security.user.saml.metadataLocation property. The value can be either a local file system path or a location hosted by the identity provider.

    If the identity provider supports signed SAML requests and request signing is enabled, configure the required key and certificate in the efm.security.user.saml.signingCredentials.* properties. The values are file system locations, except privateKeyPassword, which is the password itself.

    Without additional configuration, the display name in EFM is the same as the user name. To show a different display name, configure a SAML attribute at the IdP and set the name of that attribute in the efm.security.user.saml.displayNameAttribute property.
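The property list and the IdP metadata section above imply several cross-checks a practitioner wants to run before restarting EFM: TLS must be on before SAML is enabled, the metadata location must be set (and not fetched over plain HTTP), the signing key and certificate come as a pair, and they are mandatory when the IdP metadata declares WantAuthnRequestsSigned="true". The following script is an added example, not part of EFM or its documentation. It parses an efm.properties fragment and an IdP metadata document and reports inconsistencies. The efm.security.user.saml.* property names are those from this page; efm.server.ssl.enabled is assumed to be the property that enables TLS in EFM, and both sample inputs are constructed.

```python
"""Cross-check an EFM SAML configuration against the IdP metadata it points at.
Added example, not EFM code. efm.server.ssl.enabled is an assumed property name."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
TLS_PROPERTY = "efm.server.ssl.enabled"  # assumption: not stated on this page
SAML = "efm.security.user.saml."


def parse_properties(text):
    """Parse a Java .properties file: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Use whichever separator ('=' or ':') appears first on the line.
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            continue
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def parse_idp_metadata(xml_text):
    """Extract entity ID, HTTP-POST SSO URL, signing certificates and the
    WantAuthnRequestsSigned flag from an IdP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso_post = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                if s.get("Binding") == HTTP_POST]
    # A KeyDescriptor without 'use' is valid for both signing and encryption.
    signing = [k for k in idp.findall("md:KeyDescriptor", NS)
               if k.get("use") in (None, "signing")]
    certs = [c.text.strip() for k in signing for c in k.findall(".//ds:X509Certificate", NS)]
    return {
        "entity_id": root.get("entityID"),
        "sso_post_url": sso_post[0] if sso_post else None,
        "signing_certs": certs,
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
    }


def check_saml_config(props, idp):
    """Return a list of findings; an empty list means the configuration is consistent."""
    findings = []
    if props.get(SAML + "enabled", "false").lower() != "true":
        return ["SAML is not enabled; nothing to check"]
    if props.get(TLS_PROPERTY, "false").lower() != "true":
        findings.append("SAML enabled without TLS: EFM rejects this, and the SAML response "
                        "and access token would travel in the clear")
    loc = props.get(SAML + "metadataLocation", "")
    if not loc:
        findings.append("metadataLocation is missing")
    elif loc.startswith("http://"):
        findings.append("metadataLocation fetched over plain HTTP: the IdP signing "
                        "certificate could be swapped in transit")
    key = props.get(SAML + "signingCredentials.privateKeyLocation")
    cert = props.get(SAML + "signingCredentials.certificateLocation")
    if bool(key) != bool(cert):
        findings.append("signingCredentials needs both privateKeyLocation and certificateLocation")
    if idp["wants_signed_requests"] and not (key and cert):
        findings.append("IdP sets WantAuthnRequestsSigned=true but no signing credentials are configured")
    if not idp["signing_certs"]:
        findings.append("IdP metadata carries no signing certificate: response signatures cannot be verified")
    if not idp["sso_post_url"]:
        findings.append("IdP metadata has no HTTP-POST SingleSignOnService endpoint")
    return findings


# Constructed sample inputs (not from any real deployment).
SAMPLE_PROPERTIES = """
# efm.properties fragment: signing key configured, certificate forgotten
efm.server.ssl.enabled=true
efm.security.user.saml.enabled=true
efm.security.user.saml.metadataLocation=/opt/efm/conf/idp-metadata.xml
efm.security.user.saml.signingCredentials.privateKeyLocation=/opt/efm/conf/saml-sp.key
"""

SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for finding in check_saml_config(parse_properties(SAMPLE_PROPERTIES),
                                     parse_idp_metadata(SAMPLE_IDP_METADATA)):
        print("FINDING:", finding)
```

Run against the constructed sample, the script reports two findings: the certificate half of the signing credential pair is missing, and the IdP demands signed AuthnRequests, so the pair is required rather than optional. Point it at your real efm.properties and the metadata.xml downloaded from the IdP to repeat the check on a live configuration.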