SAML 2.0: SAML 2.0 connection settings now support more standard elements found in metadata

SAML 2.0 Authentication Connection


We have added support for a number of new values taken from metadata:

  • Other signing certificates: Contains all the signing certificates found in the Identity Provider's metadata. Safewhere*Identify uses them to verify the signatures on messages that the Identity Provider sends to Identify.
    • Find value: The value of the certificate attribute that Safewhere*Identify searches for, e.g. the subject or the thumbprint.
    • Get certificates button: Lets you select a new certificate.
    • Find type: Which certificate attribute is matched against the find value. The usual choices are the subject distinguished name or the thumbprint. The Authentication Connection uses the first certificate that matches the search criteria. Possible values are FindByThumbprint, FindBySubjectName, FindBySubjectDistinguishedName, FindByIssuerName, FindByIssuerDistinguishedName, FindBySerialNumber, FindByTimeValid, FindByTimeNotYetValid, FindByTimeExpired, FindByTemplateName, FindByApplicationPolicy, FindByCertificatePolicy, FindByExtension, FindByKeyUsage, and FindBySubjectKeyIdentifier. Prefer FindByThumbprint or FindBySubjectDistinguishedName: FindBySubjectName is a case-insensitive substring match on the subject, and the time- and usage-based find types match every certificate in the store that meets the criterion, so either can pick a certificate you did not intend to trust for signature verification.
    • Store location: The certificate store location to use. Possible values are CurrentUser and LocalMachine.
    • Store location name: The certificate store in which the certificate is placed. Possible values are My and TrustedPeople.
    • In store?: A computed field that indicates whether a certificate can be found with the values given for the other signing certificate elements. It is only updated when the page is refreshed, so to check your values, save the connection and confirm that the check mark is ticked.
    • Keyname: The keyname of the certificate.
  • Single logoff service:
    • Binding: The binding Safewhere*Identify uses when exchanging logoff messages with this endpoint. Possible values are urn:oasis:names:tc:SAML:2.0:bindings:SOAP, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST and urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact.
    • Location: The Identity Provider endpoint to which Safewhere*Identify sends logoff requests using the above binding.
    • Response location: The Identity Provider endpoint to which Safewhere*Identify sends responses to logoff requests using the above binding.

Single log off service

  • Artifact resolution services: Contains the list of the Identity Provider's Artifact resolution services, to which Safewhere*Identify sends artifact resolve requests:
    • Location: The URL of the endpoint.
    • Binding: The binding of the endpoint; the SAML 2.0 artifact resolution profile uses the SOAP binding.
    • Index: The index of the endpoint within the list, used to order the list. It also identifies the endpoint in requests: an artifact carries the index of the resolution service that should be used to resolve it.
    • IsDefault: Indicates whether the endpoint is the default endpoint for this Identity Provider.

SAML 2.0 Protocol Connection


We have added new settings to support more values from the metadata:

  • Other signing certificates: Contains the signing certificates found in the Service Provider's metadata. Safewhere*Identify uses them to verify the signatures on messages that the Service Provider sends to Identify.
    • Find value: The value of the certificate attribute that Safewhere*Identify searches for, e.g. the subject or the thumbprint.
    • Get certificates button: Lets you select a new certificate.
    • Find type: Which certificate attribute is matched against the find value. The usual choices are the subject distinguished name or the thumbprint. The Protocol Connection uses the first certificate that matches the search criteria. Possible values are FindByThumbprint, FindBySubjectName, FindBySubjectDistinguishedName, FindByIssuerName, FindByIssuerDistinguishedName, FindBySerialNumber, FindByTimeValid, FindByTimeNotYetValid, FindByTimeExpired, FindByTemplateName, FindByApplicationPolicy, FindByCertificatePolicy, FindByExtension, FindByKeyUsage, and FindBySubjectKeyIdentifier. Prefer FindByThumbprint or FindBySubjectDistinguishedName: FindBySubjectName is a case-insensitive substring match on the subject, and the time- and usage-based find types match every certificate in the store that meets the criterion, so either can pick a certificate you did not intend to trust for signature verification.
    • Store location: The certificate store location to use. Possible values are CurrentUser and LocalMachine.
    • Store location name: The certificate store in which the certificate is placed. Possible values are My and TrustedPeople.
    • In store?: A computed field that indicates whether a certificate can be found with the values given for the other signing certificate elements. It is only updated when the page is refreshed, so to check your values, save the connection and confirm that the check mark is ticked.
    • Keyname: The keyname of the certificate.
  • Other encryption certificates: Contains all the encryption certificates found in the Service Provider's metadata. Safewhere*Identify uses them to encrypt the messages that Identify sends to the Service Provider.
    • Find value: The value of the certificate attribute that Safewhere*Identify searches for, e.g. the subject or the thumbprint.
    • Get certificates button: Lets you select a new certificate.
    • Find type: Which certificate attribute is matched against the find value. The usual choices are the subject distinguished name or the thumbprint. The Protocol Connection uses the first certificate that matches the search criteria. Possible values are FindByThumbprint, FindBySubjectName, FindBySubjectDistinguishedName, FindByIssuerName, FindByIssuerDistinguishedName, FindBySerialNumber, FindByTimeValid, FindByTimeNotYetValid, FindByTimeExpired, FindByTemplateName, FindByApplicationPolicy, FindByCertificatePolicy, FindByExtension, FindByKeyUsage, and FindBySubjectKeyIdentifier. The same caution applies as for signing certificates: a loose match (FindBySubjectName, or a time- or usage-based find type) can encrypt to a certificate other than the one the Service Provider published.
    • Store location: The certificate store location to use. Possible values are CurrentUser and LocalMachine.
    • Store location name: The certificate store in which the certificate is placed. Possible values are My and TrustedPeople.
    • In store?: A computed field that indicates whether a certificate can be found with the values given for the other encryption certificate elements. It is only updated when the page is refreshed, so to check your values, save the connection and confirm that the check mark is ticked.
    • Keyname: The keyname of the certificate.
  • Single logoff service:
    • Binding: The binding Safewhere*Identify uses when exchanging logoff messages with this endpoint. Possible values are urn:oasis:names:tc:SAML:2.0:bindings:SOAP, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST and urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact.
    • Location: The Service Provider endpoint to which Safewhere*Identify sends logoff requests using the above binding.
    • Response location: The Service Provider endpoint to which Safewhere*Identify sends responses to logoff requests using the above binding.

Single log off service

  • Artifact resolution services: Contains the list of the Service Provider's Artifact resolution services that Identify uses to resolve messages from artifacts:
    • Location: The URL of the endpoint.
    • Binding: The binding of the endpoint; the SAML 2.0 artifact resolution profile uses the SOAP binding.
    • Index: The index of the endpoint within the list, used to order the list. It also identifies the endpoint in requests: an artifact carries the index of the resolution service that should be used to resolve it.
    • IsDefault: Indicates whether the endpoint is the default endpoint for this Service Provider.
  • Assertion consumer service: Contains the list of the Service Provider's Assertion consumer services:
    • Location: The URL of the endpoint to which Safewhere*Identify sends sign-on responses.
    • Binding: The binding Safewhere*Identify uses to send sign-on responses to this endpoint of the Service Provider.
    • Index: The index of the endpoint within the list. A Service Provider can name the endpoint the response should go to by this index (AssertionConsumerServiceIndex in the AuthnRequest).
    • IsDefault: Indicates whether the endpoint is the default, used when the request does not name one.
  • Attribute consuming services: Contains the list of the Service Provider's Attribute consuming services:
    • Name: The name of the Attribute consuming service.
    • Index: The index of the service within the list. A Service Provider selects a service by this index (AttributeConsumingServiceIndex in the AuthnRequest).
    • IsDefault: Indicates whether the Attribute consuming service is the default one.

Note: Each Attribute consuming service MUST contain exactly one attribute with the same name as ServiceID

Attribute consuming services
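The settings listed for both connection types map one-to-one onto elements of the other party's SAML 2.0 metadata: KeyDescriptor (signing and encryption certificates), SingleLogoutService (Binding, Location, ResponseLocation), the indexed ArtifactResolutionService and AssertionConsumerService endpoints (index, isDefault) and AttributeConsumingService. The script below, an added example written for this page and not Safewhere*Identify's own code, reads those elements from a metadata document with the Python standard library and computes each certificate's thumbprint the way Windows does (SHA-1 over the DER bytes, upper-case hex), which is the value to enter as Find value with Find type FindByThumbprint. It works on an IDPSSODescriptor (Authentication Connection) as well as the SPSSODescriptor shown. The sample metadata is constructed: the entity ID and URLs are hypothetical and the X509Certificate contents are placeholder bytes, not real certificates.

```python
"""Extract the SAML 2.0 metadata elements behind the connection settings above.
Added example, not Safewhere*Identify code; standard library only. The metadata
is constructed: entity ID and URLs are hypothetical and the X509Certificate
contents are placeholder bytes, not real DER certificates."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Placeholder "DER" blobs; b"abc" gives the well-known SHA-1 test vector.
SIGNING_DER = b"abc"
ENCRYPTION_DER = b"constructed encryption certificate placeholder"

SAMPLE_SP_METADATA = """<md:EntityDescriptor entityID="https://sp.example.test/saml"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {signing}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {encryption}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:ArtifactResolutionService index="0" isDefault="true"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://sp.example.test/saml/ars"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://sp.example.test/saml/slo" ResponseLocation="https://sp.example.test/saml/slo/response"/>
    <md:AssertionConsumerService index="0" isDefault="true"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.test/saml/acs"/>
    <md:AssertionConsumerService index="1"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sp.example.test/saml/acs-artifact"/>
    <md:AttributeConsumingService index="1" isDefault="true">
      <md:ServiceName xml:lang="en">Portal</md:ServiceName>
      <md:RequestedAttribute Name="ServiceID"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""".format(signing=base64.b64encode(SIGNING_DER).decode(),
                                 encryption=base64.b64encode(ENCRYPTION_DER).decode())

def _descriptor(root):
    """Role descriptor: IdP for an Authentication Connection, SP for a Protocol Connection."""
    for tag in ("md:IDPSSODescriptor", "md:SPSSODescriptor"):
        found = root.find(tag, NS)
        if found is not None:
            return found
    raise ValueError("metadata has neither IDPSSODescriptor nor SPSSODescriptor")

def thumbprint(der: bytes) -> str:
    """Windows-style thumbprint: SHA-1 over DER, upper-case hex (the FindByThumbprint value)."""
    return hashlib.sha1(der).hexdigest().upper()

def certificates(root, use):
    """Thumbprints of KeyDescriptor certificates with the given use; a KeyDescriptor
    that omits 'use' is valid for both signing and encryption."""
    result = []
    for kd in _descriptor(root).findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, use):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()), validate=True)
                result.append({"use": use, "thumbprint": thumbprint(der)})
    return result

def endpoints(root, element):
    """Binding, Location and ResponseLocation of each endpoint of one type; the indexed
    types (ArtifactResolutionService, AssertionConsumerService) also carry index/isDefault."""
    result = []
    for ep in _descriptor(root).findall("md:" + element, NS):
        entry = {"binding": ep.get("Binding"), "location": ep.get("Location"),
                 "response_location": ep.get("ResponseLocation")}
        if ep.get("index") is not None:
            entry["index"] = int(ep.get("index"))
            entry["is_default"] = ep.get("isDefault") in ("true", "1")
        result.append(entry)
    return result

def attribute_consuming_services(root):
    result = []
    for svc in _descriptor(root).findall("md:AttributeConsumingService", NS):
        name = svc.find("md:ServiceName", NS)
        result.append({"name": None if name is None else name.text,
                       "index": int(svc.get("index")),
                       "is_default": svc.get("isDefault") in ("true", "1"),
                       "attributes": [a.get("Name") for a in svc.findall("md:RequestedAttribute", NS)]})
    return result

def default_endpoint(eps):
    """Endpoint used when a request names no index: the one flagged isDefault, else the first listed."""
    return next((ep for ep in eps if ep.get("is_default")), eps[0] if eps else None)

def connection_settings(metadata_xml: str) -> dict:
    """Group the extracted values under the setting names used on this page (keys are ours)."""
    root = ET.fromstring(metadata_xml)
    return {"entity_id": root.get("entityID"),
            "other_signing_certificates": certificates(root, "signing"),
            "other_encryption_certificates": certificates(root, "encryption"),
            "single_logoff_services": endpoints(root, "SingleLogoutService"),
            "artifact_resolution_services": endpoints(root, "ArtifactResolutionService"),
            "assertion_consumer_services": endpoints(root, "AssertionConsumerService"),
            "attribute_consuming_services": attribute_consuming_services(root)}
```

Run `connection_settings(open("sp-metadata.xml").read())` against a real metadata file, paste each reported thumbprint as the Find value with Find type FindByThumbprint, import the matching certificate into the chosen store location and name, then save the connection and confirm that "In store?" is ticked. Because the thumbprint is derived from the exact certificate bytes the other party published, this avoids the loose matching that FindBySubjectName or the time-based find types allow.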