[IdP] Idp with OneIdentity

  
Forge Component
(26)
Published on 4 Jul by Telmo Martins
26 votes
Published on 4 Jul by Telmo Martins

Hi,

I am trying to implement the IdP connector with the OneIdentity service provider for single sign-on. As per the instructions, I am unable to generate the metadata.xml from the link https://www.samltool.com/sp_metadata.php

It is giving the below error.

Entity ID


Hi Kunal,

The current version of the component allows you to export/import the metadata xml, no need for 3rd parties.

After you finish configuration on "SP connector settings and Claims" (and "SP connector internal settings"), you can export it.

Regards.

Telmo Martins wrote:

Hi Kunal,

The current version of the component allows you to export/import the metadata xml, no need for 3rd parties.

After you finish configuration on "SP connector settings and Claims" (and "SP connector internal settings"), you can export it.

Regards.

Thanks Telmo. I was able to export the XML, but I am doubtful about the URLs I have filled in the text boxes. Will reach out to you again if it doesn't work. Thanks for your prompt reply.


Regards,

Kunal


Hi Telmo,

While configuring my IdP on OutSystems, I am doubtful about the field values I am entering. Below are the doubts I have. It would be great if you could explain a bit.

IdP Server Issuer/Entity ID: Do we have to get it from OneIdentity?
IdP Server Single Sign On URL: Do we have to get it from OneIdentity?
IdP Server Single Logout URL: Do we have to get it from OneIdentity?
Certificate: Initially I had used a self-signed cert. There is a certificate generated on OneIdentity after configuring OneIdentity using the IdP Connector metadata XML. Do we have to replace this one with the one generated on OneIdentity?

SP Issuer/Entity Id: I have given my application URL here: https://<mydomainname>/portal
Server Public URL and Server Internal URL were taken automatically as: https://<mydomainname>


Thanks and regards,

Kunal

Solution

Hi Kunal,

Everything in the first tab should be provided by your IdP server (an IdP metadata XML file is the best option). The Certificate in the first tab should also be 'inside' the IdP metadata file. You cannot set a certificate of your own; it must be one provided by your IdP server.


Everything in the second tab is usually defined by the SP admin, and the SP must provide it to the IdP (an SP metadata file is the best option).


Public URL: the URL for public access, i.e. from the browser and from the IdP server (server-to-server calls for Single Logout).

Internal URL: the connector (mostly for the Single Logout features) needs to make HTTP calls to itself. On the cloud it is usually the same as the public URL; however, for on-premises installations it sometimes cannot be the same as the public one, due to internal network restrictions for instance. (You have a button to test the internal URL, so you can check whether it is a valid one.)

Regards


Hi Telmo,

Thanks a lot for your kind help. I am kind of done with the configuration and have started getting the response back from my IdP provider. One of the validations, IsValidIssuer, is becoming false, and the reason I found is that the Issuer URL formats in the IdP connector and the IdP server are different. When I tried to put the URL in the IDPConnector IdP Server Issuer, the validation was failing.

I get urn:<domainname>/CloudAccessManager/RPSTS from the IdP provider, but this URL is failing validation in IDPConnector as it is expecting a URL starting with http or https. I may have to modify the IDPConnector code a little bit.

It would be great if you could find the right solution and update the IDPConnector. Or you can suggest a solution to me.

Highly appreciate your help.


Thanks,

Kunal


Hi Telmo,

After a little modification in the Issuer URL validation I am able to save the URN value and am able to log in to my application. But I am not able to read the claims from the response. I am able to log in because of the nameId from the response. I have put the claims mapping as below in the IdP Connector config.

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Since the response is encrypted, I am not able to know the path for the claims. The metadata from the Identity provider shows the mapping below.



<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="username"/>

<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="emailaddress"/>

How can I parse the claims?

Thanks

Kunal

Hey Telmo,

After some research, I am able to read the response. I just had to give the name as configured in the OneIdentity IdP provider.

Thanks a lot.

Kunal
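Two points from the thread above are worth seeing in working code: the IdP issuer Kunal received (urn:<domainname>/CloudAccessManager/RPSTS) is a perfectly valid SAML entityID, because the SAML 2.0 metadata specification defines entityID as a URI of at most 1024 characters rather than an http/https URL, so a validator should accept any absolute URI and then require an exact, case-sensitive match against the configured value; and claims are looked up by the attribute Name the IdP actually emits ("emailaddress"), not by the WS-Federation claim URI. The block below is an added illustration, not code from the IdP Connector Forge component or from OneIdentity. The assertion it parses is a constructed sample (domain example.test, user kunal@example.test), and it assumes the assertion has already been decrypted and its signature verified before any of these functions are called.

```python
"""Added example: SAML entityID (issuer) validation and attribute lookup.

Not the IdP Connector's code. Illustrates (1) accepting URN-style issuers while
still requiring an exact match, and (2) extracting claims by the Name attribute
the IdP emits. The assertion must already be decrypted and signature-verified;
these helpers do no cryptographic checks of their own.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# RFC 3986 absolute-URI shape: scheme ":" followed by at least one non-space char.
# This accepts "urn:...", "https://...", and so on, and rejects bare words.
ABSOLUTE_URI = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:\S+$")
MAX_ENTITY_ID_LEN = 1024  # limit set by the SAML 2.0 metadata specification


def is_valid_entity_id(value: str) -> bool:
    """True if value is a syntactically acceptable SAML entityID (any absolute URI)."""
    if not value or len(value) > MAX_ENTITY_ID_LEN:
        return False
    return ABSOLUTE_URI.match(value) is not None


def issuer_matches(configured: str, received: str) -> bool:
    """Exact, case-sensitive comparison; no prefix matching or normalisation."""
    return is_valid_entity_id(configured) and configured == received


def assertion_issuer(assertion_xml: str) -> Optional[str]:
    """Return the <saml:Issuer> text of an Assertion, or None if absent."""
    root = ET.fromstring(assertion_xml)
    issuer = root.find("saml:Issuer", NS)
    return issuer.text.strip() if issuer is not None and issuer.text else None


def extract_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Map each <saml:Attribute Name="..."> to the list of its AttributeValue texts."""
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        if name is None:
            continue
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def get_claim(attrs: Dict[str, List[str]], name: str) -> Optional[str]:
    """First value for a claim, or None when the IdP did not send that Name."""
    values = attrs.get(name)
    return values[0] if values else None


# Constructed sample assertion (hypothetical domain and user; already decrypted
# and signature-verified in this scenario). The Issuer mirrors the URN form
# OneIdentity emitted in the thread.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-sample" Version="2.0" IssueInstant="2019-07-04T10:00:00Z">
  <saml:Issuer>urn:example.test/CloudAccessManager/RPSTS</saml:Issuer>
  <saml:Subject><saml:NameID>kunal</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>kunal</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="emailaddress"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>kunal@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

CONFIGURED_ISSUER = "urn:example.test/CloudAccessManager/RPSTS"  # from IdP metadata


if __name__ == "__main__":
    issuer = assertion_issuer(SAMPLE_ASSERTION)
    print("issuer valid and matching:", issuer_matches(CONFIGURED_ISSUER, issuer))
    claims = extract_attributes(SAMPLE_ASSERTION)
    print("emailaddress:", get_claim(claims, "emailaddress"))
    # The WS-Federation claim URI from the thread is not what this IdP emits:
    print("by claim URI:", get_claim(
        claims, "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"))
```

The design choice that matters is in issuer_matches: loosening the syntax check to admit URNs must not loosen the comparison, so the received Issuer is still compared byte-for-byte with the value taken from the IdP metadata. Running the block prints a matching issuer, the e-mail address found under the Name "emailaddress", and None for the WS-Federation claim URI, which is exactly the symptom Kunal saw before switching the mapping to the name configured in OneIdentity.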