Configuring SAML 2.0 SSO
Learn about the properties that you need to set for configuring SAML 2.0 SSO.
Before configuring Edge Flow Manager to use SAML, you should first set up a SAML client application configuration in your SSO identity provider. For information about how to do this, see SSO identity provider setup.
Before configuring SAML, Edge Flow Manager should already be configured to use TLS. SAML authentication requires passing an access token to Edge Flow Manager, and that token is vulnerable to compromise if TLS is not enabled; therefore Edge Flow Manager does not allow using SAML authentication without TLS enabled. For more information on enabling TLS in Edge Flow Manager, see TLS configuration for Edge Flow Manager.
Edge Flow Manager supports both Identity Provider (IdP) initiated and Service Provider (SP) initiated flows.
Set the following properties in the efm.properties file:

efm.security.user.saml.enabled=true
efm.security.user.saml.metadataLocation=https://example.okta.com/app/example/sso/saml/metadata
efm.security.user.saml.groupAttribute=groups

- efm.security.user.saml.enabled - Set to true to enable SAML authentication.
- efm.security.user.saml.metadataLocation - Identity provider metadata location that is used for dynamic configuration.
- efm.security.user.saml.groupAttribute - The name of the SAML assertion attribute containing the group names the user belongs to.
Optional parameters for further configuration are as follows:
efm.security.user.saml.entityId=efmCustomEntityId
efm.security.user.saml.signingCredentials.privateKeyLocation=/path/to/private.key
efm.security.user.saml.signingCredentials.privateKeyPassword=password
efm.security.user.saml.signingCredentials.certificateLocation=/path/to/certificate.crt
efm.security.user.saml.displayNameAttribute=displayNameAttribute

- efm.security.user.saml.entityId - The application-defined unique identifier that is the intended audience of the SAML assertion. Use this property when the default {baseUrl}-dependent Entity ID is undesirable.
- efm.security.user.saml.signingCredentials.privateKeyLocation - Location of the private key used to sign SAML requests.
- efm.security.user.saml.signingCredentials.privateKeyPassword - Password of that private key.
- efm.security.user.saml.signingCredentials.certificateLocation - Location of the certificate used to sign SAML requests.
- efm.security.user.saml.displayNameAttribute - Name of the attribute in the SAML response that is used to populate the display name of the user.
Edge Flow Manager supports SAML metadata based configuration. SAML metadata is an XML document which contains the information necessary for interacting with SAML-enabled identity providers. To obtain such a metadata file, you need to create a new application integration at your identity provider; for details, see your IdP's documentation. The integration requires the following values:
- Single sign-on URL - This property is also known as the SAML Assertion Consumer Service (ACS) URL. On localhost it is https://localhost:10090/efm/login/saml2/sso/efmSaml.
- Audience URI (SP Entity ID) - By default, this is https://localhost:10090/efm/saml2/serviceProviderMetadata/efmSaml.
After the successful IdP configuration, you can obtain the metadata.xml file. The location of that metadata file should be set in the efm.security.user.saml.metadataLocation property. The value can be either a local file system path or a location hosted by the identity provider.
If the identity provider supports SAML request signing and it is enabled, you can set up the required key and certificate in the efm.security.user.saml.signingCredentials.* properties. The values should be file system locations, except for privateKeyPassword.
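A small pre-flight check for the settings above, added here as an example and not part of Edge Flow Manager or its documentation: it reads the efm.security.user.saml.* keys from a constructed efm.properties fragment, then parses a constructed IdP metadata document and reports when the IdP's IDPSSODescriptor declares WantAuthnRequestsSigned="true" while no signingCredentials.* are configured, or when the metadata would be fetched over plain HTTP. The sample values and hostnames are invented.

```python
import xml.etree.ElementTree as ET

PREFIX = "efm.security.user.saml."
MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SIGNING_KEYS = ("signingCredentials.privateKeyLocation", "signingCredentials.certificateLocation")

# Constructed efm.properties fragment (sample values, not a real deployment)
SAMPLE_PROPS = """
efm.security.user.saml.enabled=true
efm.security.user.saml.metadataLocation=http://idp.example.test/metadata
efm.security.user.saml.groupAttribute=groups
"""

# Constructed IdP metadata: this IdP demands signed AuthnRequests
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_properties(text):
    """Minimal Java .properties reader: one key=value per line, '#'/'!' comments skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_saml_config(props_text, idp_metadata_xml):
    """Return a list of findings for the efm.security.user.saml.* settings (empty means OK)."""
    saml = {k[len(PREFIX):]: v for k, v in parse_properties(props_text).items()
            if k.startswith(PREFIX)}
    findings = []
    if saml.get("enabled") != "true":
        return ["saml.enabled is not 'true'; SAML login is off"]
    location = saml.get("metadataLocation", "")
    if not location:
        findings.append("metadataLocation is required when SAML is enabled")
    elif location.lower().startswith("http://"):
        findings.append("metadataLocation is fetched over plain HTTP; use https or a local file")
    # The IdP states in its metadata whether it requires signed AuthnRequests;
    # if so, both the private key and the certificate must be configured.
    idp = ET.fromstring(idp_metadata_xml).find("md:IDPSSODescriptor", MD_NS)
    wants_signed = idp is not None and idp.get("WantAuthnRequestsSigned", "false").lower() == "true"
    has_signing = all(saml.get(k) for k in SIGNING_KEYS)
    if wants_signed and not has_signing:
        findings.append("IdP metadata sets WantAuthnRequestsSigned but signingCredentials.* are missing")
    return findings
```

Run check_saml_config(SAMPLE_PROPS, SAMPLE_IDP_METADATA) to see the two findings the sample triggers; pass your own file contents to check a real configuration before restarting the service.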
Without additional configuration, the user name is used as the display name in Edge Flow Manager. If you want to provide a different display name, set up a SAML attribute at the IdP and set the name of that SAML attribute in the efm.security.user.saml.displayNameAttribute property.
