This is solved by setting up a SAML 2.0 federation with Identity Manager as service provider and a SAML 2.0 identity provider, such as the Smart ID Digital Access component (Hybrid Access Gateway).
Identity Manager must be set up:
The identity provider must be set up. If the Digital Access component is used as identity provider, see the section below on setting up the identity provider.
If you need instructions to create demo certificates or extract certificates to the required formats, see Create or extract certificates for SSL and SAML.
Set up Identity Manager as service provider
To integrate Identity Manager with SAML SSO, the SAML authentication profile must be used.
The configured keystore file must contain the certificates and the private key that Identity Manager uses for signing outgoing SAML messages and decrypting incoming assertions. Protect the keystore accordingly: whoever can read the private key can impersonate the service provider.
Configuring a keystore is mandatory; trying to save the authentication profile without one triggers an error message.
Each SAML federation can have multiple service providers, for example Identity Manager, Smart ID Self-Service and any other application to be included in the federation. Each service provider must have a metadata file.
For each service provider, do the following to create a metadata file:
This table describes some elements and attributes of the Service Provider metadata xml file:
After the metadata files have been created they must be uploaded to the authentication profile in Identity Manager Admin. Multiple service providers can be configured, for example for the different Identity Manager applications and any other applications to be included in the federation.
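The following is an added example, not code from the original page or from the Identity Manager product, showing what a service provider metadata file of the kind uploaded to the authentication profile looks like and which settings a practitioner checks before uploading it. The entity ID, the AssertionConsumerService and SingleLogoutService URLs and the certificate bytes are constructed placeholders; in practice the X509Certificate element carries the base64 DER of the signing or encryption certificate from the configured keystore.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML Signature (standard URIs).
NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", NS_MD)
ET.register_namespace("ds", NS_DS)

BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder, NOT a real certificate. Replace with the base64 DER
# of the certificate stored in the keystore of the SAML authentication profile.
SAMPLE_CERT_B64 = base64.b64encode(b"placeholder-not-a-real-certificate").decode()


def build_sp_metadata(entity_id, acs_url, slo_url, cert_b64):
    """Return SP metadata XML for one service provider (e.g. Identity Manager)."""
    ed = ET.Element(f"{{{NS_MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(ed, f"{{{NS_MD}}}SPSSODescriptor", {
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
        # Sign our AuthnRequests and demand signed assertions from the IdP.
        "AuthnRequestsSigned": "true",
        "WantAssertionsSigned": "true",
    })
    # One KeyDescriptor for signing and one for encryption; the IdP uses the
    # encryption certificate to encrypt assertions that only our private key opens.
    for use in ("signing", "encryption"):
        kd = ET.SubElement(sp, f"{{{NS_MD}}}KeyDescriptor", {"use": use})
        ki = ET.SubElement(kd, f"{{{NS_DS}}}KeyInfo")
        x509 = ET.SubElement(ki, f"{{{NS_DS}}}X509Data")
        ET.SubElement(x509, f"{{{NS_DS}}}X509Certificate").text = cert_b64
    ET.SubElement(sp, f"{{{NS_MD}}}SingleLogoutService",
                  {"Binding": BINDING_REDIRECT, "Location": slo_url})
    ET.SubElement(sp, f"{{{NS_MD}}}NameIDFormat").text = \
        "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    ET.SubElement(sp, f"{{{NS_MD}}}AssertionConsumerService", {
        "Binding": BINDING_POST, "Location": acs_url,
        "index": "0", "isDefault": "true"})
    return ET.tostring(ed, encoding="unicode")


def check_sp_metadata(xml_text):
    """Return the problems a reviewer would flag before uploading the file."""
    problems = []
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{NS_MD}}}SPSSODescriptor")
    if sp is None:
        return ["no SPSSODescriptor"]
    if sp.get("WantAssertionsSigned") != "true":
        problems.append("WantAssertionsSigned is not true")
    if sp.get("AuthnRequestsSigned") != "true":
        problems.append("AuthnRequestsSigned is not true")
    # A KeyDescriptor without a use attribute counts for both purposes.
    uses = set()
    for kd in sp.findall(f"{{{NS_MD}}}KeyDescriptor"):
        uses |= {kd.get("use")} if kd.get("use") else {"signing", "encryption"}
    for use in ("signing", "encryption"):
        if use not in uses:
            problems.append(f"missing KeyDescriptor use={use}")
    for acs in sp.findall(f"{{{NS_MD}}}AssertionConsumerService"):
        if not acs.get("Location", "").startswith("https://"):
            problems.append(f"ACS is not https: {acs.get('Location')}")
    return problems


if __name__ == "__main__":
    md = build_sp_metadata("https://im.example.com/idm",
                           "https://im.example.com/idm/saml/acs",
                           "https://im.example.com/idm/saml/slo",
                           SAMPLE_CERT_B64)
    print(md)
    print("problems:", check_sp_metadata(md))
```

Each service provider in the federation (Identity Manager, Smart ID Self-Service, other applications) gets its own file with its own entityID and ACS URL; the check function is meant to be run over every one of them, since an ACS on plain http or a missing encryption key is the kind of detail that is easy to overlook when several files are produced in a row.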
Enable or disable SAML in Smart ID Self-Service
Smart ID Self-Service has an additional configuration directly in the program, where SAML can be enabled or disabled. This allows multiple Self-Service instances for the same tenant with different authentication methods: one instance can use SAML while another one does not.
Set up communication between Smart ID Self-Service and Identity Manager
To set up the communication between Smart ID Self-Service and Identity Manager:
To secure the communication between the identity provider and Identity Manager, each server must provide a server certificate that the other side trusts.
Example - Add server certificate in Digital Access component:
Set up identity provider, for example Digital Access component
Private keys are used to digitally sign SAML messages and to decrypt their content (the peer encrypts to the matching public key from the metadata). Each party needs its own key pair, which can be self-signed for testing or issued by a public key infrastructure for production systems.
Example - Enable Digital Access to use the SAML certificate for signing:
As identity provider, you can use any SAML 2.0-compliant system. Follow the instructions of that software to configure it as SAML IdP. If you use Digital Access as identity provider, follow the steps here to create a DNS name.
Example - Create a DNS name for the Digital Access access point:
The identity provider must be configured to define the SAML federation with the service provider, using the metadata created in Identity Manager.
Example - Add service provider in Digital Access:
After the service provider has been configured successfully in the identity provider, the identity provider's SAML metadata must be downloaded and uploaded to Identity Manager.
Example - Download the metadata from Digital Access:
Upload identity provider metadata to Identity Manager
After the metadata files have been created they must be uploaded to the authentication profile in Identity Manager Admin. This section describes how to upload the identity provider metadata files.
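Before uploading the downloaded identity provider metadata, it is worth confirming that the file really describes the expected IdP: the signing certificate in it is what Identity Manager will trust for every assertion from then on. The following is an added example, not code from the original page or from the Digital Access or Identity Manager products, that parses an IdP metadata document, extracts the SingleSignOnService endpoints and the SHA-256 fingerprint of the signing certificate, and compares that fingerprint with a value obtained out of band (for example read from the certificate in the Digital Access administration interface). The metadata document, its entityID and URLs, and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed placeholder certificate bytes (not real DER) and the fingerprint an
# administrator would have noted out of band from the identity provider itself.
_FAKE_DER = b"constructed-placeholder-idp-signing-cert"
EXPECTED_FINGERPRINT = hashlib.sha256(_FAKE_DER).hexdigest()

# Constructed sample IdP metadata; the entityID and URLs are assumptions.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS_MD}" xmlns:ds="{NS_DS}"
    entityID="https://hag.example.com/saml" validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(_FAKE_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://hag.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://hag.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract entityID, SSO endpoints, signing cert fingerprints and validUntil."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{NS_MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor")
    fingerprints = []
    for kd in idp.findall(f"{{{NS_MD}}}KeyDescriptor"):
        # A KeyDescriptor without a use attribute is valid for signing too.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iter(f"{{{NS_DS}}}X509Certificate"):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall(f"{{{NS_MD}}}SingleSignOnService")}
    return {"entity_id": root.get("entityID"), "sso": sso,
            "signing_fingerprints": fingerprints,
            "valid_until": root.get("validUntil")}


def verify_idp_metadata(xml_text, expected_fingerprint, now=None):
    """Return the reasons not to trust this metadata; an empty list means OK."""
    info = parse_idp_metadata(xml_text)
    problems = []
    if expected_fingerprint.lower() not in info["signing_fingerprints"]:
        problems.append("signing certificate fingerprint does not match the value obtained out of band")
    if info["valid_until"]:
        exp = datetime.strptime(info["valid_until"], "%Y-%m-%dT%H:%M:%SZ")
        exp = exp.replace(tzinfo=timezone.utc)
        if exp <= (now or datetime.now(timezone.utc)):
            problems.append("metadata validUntil has passed")
    if not info["sso"]:
        problems.append("no SingleSignOnService endpoint")
    for binding, location in info["sso"].items():
        if not location.startswith("https://"):
            problems.append(f"SingleSignOnService {binding} is not https")
    return problems


if __name__ == "__main__":
    print(parse_idp_metadata(SAMPLE_IDP_METADATA))
    print("problems:", verify_idp_metadata(SAMPLE_IDP_METADATA, EXPECTED_FINGERPRINT))
```

The fingerprint comparison is the important step: metadata is usually fetched over HTTPS or copied by hand, and a file that was substituted on the way would still parse and upload cleanly, so the trust decision should rest on a certificate value confirmed directly with the identity provider rather than on the file alone.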
This article is valid from PRIME 3.12