Single sign-on
Exivity can act as a SAML Service Provider (SP) which can be connected to a SAML Identity Provider (IdP). Some configuration is required to set up a secure connection.

SAML configuration

The SAML configuration can be accessed by navigating to Administration > Settings and then clicking on the SAML tab. On this page, you'll find two sub-tabs:
  • Configuration: Your IdP endpoints can be entered here, along with details about the certificate used by the IdP.
  • Endpoints: When registering Exivity with your IdP, you need to provide these Exivity endpoints.

Configuration

The configuration settings are listed below:
  • Entity ID: Sometimes called the Issuer or Metadata URL.
  • SSO URL: The URL of the Single Sign On service endpoint. Sometimes called the SAML 2.0 Endpoint.
  • SLO URL: The URL of the Single Logout service endpoint.
  • X-509 certificate: The IdP certificate, Base-64 encoded (DER), on a single line and without the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
  • Default user group: When a new user logs in using SSO, a user will be created in this user group.
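The X-509 certificate field wants the PEM body only: one line of base64, no BEGIN/END lines. The following added example (not Exivity's own code) converts an exported PEM certificate into that form and checks that the result decodes to one complete DER structure, which catches the most common paste errors (kept headers, line breaks, a truncated copy). The certificate bytes are a constructed stand-in, not a real X.509 certificate.

```python
import base64
import binascii

# Constructed stand-in for the IdP certificate: the body is a tiny DER SEQUENCE
# of two INTEGERs, not a real X.509 certificate, so the example runs offline.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()  # line-wrapped like an exported PEM
    + "-----END CERTIFICATE-----\n"
)


def der_total_length(der):
    """Length the outer DER SEQUENCE header claims for the whole structure,
    or None if the bytes do not start with a SEQUENCE tag (0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_certificate_field(value):
    """Problems with a value about to be pasted into the X-509 certificate
    field; an empty list means it matches the format the settings page asks for."""
    problems = []
    if "-----" in value:
        problems.append("remove the BEGIN/END CERTIFICATE lines")
    if any(ch.isspace() for ch in value):
        problems.append("must be a single line without whitespace")
    try:
        # validate=True rejects any character outside the base64 alphabet
        der = base64.b64decode("".join(value.split()), validate=True)
    except binascii.Error:
        return problems + ["body is not valid base64"]
    if der_total_length(der) != len(der):
        problems.append("decoded bytes are not one complete DER SEQUENCE (truncated or corrupt)")
    return problems


def pem_to_single_line(pem):
    """Convert an exported PEM certificate to the single-line base64 body."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    problems = check_certificate_field(body)
    if problems:
        raise ValueError("; ".join(problems))
    return body
```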

Advanced settings

Using the advanced settings editor, even more options are exposed for configuring the integration. Please note that settings must be entered as valid JSON. Please consult your implementation partner before editing the advanced settings.
{
    // Service Provider Data that we are deploying
    "sp": {
        // Identifier of the SP entity (must be a URI)
        "entityId": "",

        // Specifies info about where and how the <AuthnResponse> message MUST be
        // returned to the requester, in this case our SP.
        "assertionConsumerService": {
            // URL Location where the <Response> from the IdP will be returned
            "url": "",

            // SAML protocol binding to be used when returning the <Response>
            // message. OneLogin Toolkit supports for this endpoint the
            // HTTP-POST binding only
            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        },

        // If you need to specify requested attributes, set an
        // attributeConsumingService. nameFormat, attributeValue and
        // friendlyName can be omitted. Otherwise remove this section.
        "attributeConsumingService": {
            "serviceName": "SP test",
            "serviceDescription": "Test Service",
            "requestedAttributes": [
                {
                    "name": "",
                    "isRequired": false,
                    "nameFormat": "",
                    "friendlyName": "",
                    "attributeValue": ""
                }
            ]
        },

        // Specifies info about where and how the <LogoutResponse> message MUST be
        // returned to the requester, in this case our SP.
        "singleLogoutService": {
            // URL Location where the <Response> from the IdP will be returned
            "url": "",

            // SAML protocol binding to be used when returning the <Response>
            // message. OneLogin Toolkit supports for this endpoint the
            // HTTP-Redirect binding only
            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        },

        // Specifies constraints on the name identifier to be used to
        // represent the requested subject.
        // Take a look at lib/Saml2/Constants.php to see the NameIdFormat values supported
        "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",

        // Usually x509cert and privateKey of the SP are provided by files placed in
        // the certs folder. But we can also provide them with the following parameters
        "x509cert": "",
        "privateKey": "",

        // Key rollover
        // If you plan to update the SP x509cert and privateKey
        // you can define here the new x509cert and it will be
        // published in the SP metadata so Identity Providers can
        // read it and get ready for rollover.
        "x509certNew": ""
    },

    // Compression settings
    // Control whether the getRequest/getResponse methods return the Request/Response deflated.
    // If a $deflate boolean parameter is passed to getRequest or getResponse,
    // it takes priority over the compression settings.
    "compress": {
        "requests": true,
        "responses": true
    },

    // Security settings
    "security": {
        /** signatures and encryptions offered */
        // Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
        // will be encrypted.
        "nameIdEncrypted": false,

        // Indicates whether the <samlp:AuthnRequest> messages sent by this SP
        // will be signed. [The Metadata of the SP will offer this info]
        "authnRequestsSigned": false,

        // Indicates whether the <samlp:logoutRequest> messages sent by this SP
        // will be signed.
        "logoutRequestSigned": false,

        // Indicates whether the <samlp:logoutResponse> messages sent by this SP
        // will be signed.
        "logoutResponseSigned": false,

        // Sign the Metadata: false || true (use SP certs)
        "signMetadata": false,

        /** signatures and encryptions required **/
        // Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
        // <samlp:LogoutResponse> elements received by this SP to be signed.
        "wantMessagesSigned": false,

        // Indicates a requirement for the <saml:Assertion> elements received by
        // this SP to be encrypted.
        "wantAssertionsEncrypted": false,

        // Indicates a requirement for the <saml:Assertion> elements received by
        // this SP to be signed. [The Metadata of the SP will offer this info]
        "wantAssertionsSigned": false,

        // Indicates a requirement for the NameID element on the SAMLResponse received
        // by this SP to be present.
        "wantNameId": true,

        // Indicates a requirement for the NameID received by
        // this SP to be encrypted.
        "wantNameIdEncrypted": false,

        // Authentication context.
        // Set to false and no AuthnContext will be sent in the AuthnRequest.
        // Set to true, or omit this parameter, and you will get an AuthnContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'.
        // Set an array with the possible auth context values: ['urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509']
        "requestedAuthnContext": false,

        // Allows the authn comparison parameter to be set, defaults to 'exact' if
        // the setting is not present.
        "requestedAuthnContextComparison": "exact",

        // Indicates if the SP will validate all received XML.
        // (In order to validate the XML, 'strict' and 'wantXMLValidation' must be true).
        "wantXMLValidation": true,

        // If true, SAMLResponses with an empty value in their Destination
        // attribute will not be rejected for this fact.
        "relaxDestinationValidation": false,

        // Algorithm that the toolkit will use in the signing process. Options:
        // 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
        // 'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
        // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
        // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
        // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
        // Notice that sha1 is a deprecated algorithm and should not be used
        "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",

        // Algorithm that the toolkit will use in the digest process. Options:
        // 'http://www.w3.org/2000/09/xmldsig#sha1'
        // 'http://www.w3.org/2001/04/xmlenc#sha256'
        // 'http://www.w3.org/2001/04/xmldsig-more#sha384'
        // 'http://www.w3.org/2001/04/xmlenc#sha512'
        // Notice that sha1 is a deprecated algorithm and should not be used
        "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256",

        // ADFS URL-encodes SAML data as lowercase, and the toolkit by default uses
        // uppercase. Set to true for ADFS compatibility on signature verification
        "lowercaseUrlencoding": false
    },

    // Contact information template; it is recommended to supply technical and support contacts
    "contactPerson": {
        "technical": {
            "givenName": "",
            "emailAddress": ""
        },
        "support": {
            "givenName": "",
            "emailAddress": ""
        }
    },

    // Organization information template; the info in the en-US language is recommended, add more if required
    "organization": {
        "en-US": {
            "name": "",
            "displayname": "",
            "url": ""
        }
    }
}
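The template is shown with explanatory comments, while the editor expects valid JSON, and its security defaults require neither signed assertions nor signed messages. The following added example (not Exivity's or the OneLogin toolkit's code) strips the comments without damaging the "//" inside the algorithm URLs, parses the result as strict JSON, and reports the security settings a reviewer would want changed before enabling SSO. The excerpt in TEMPLATE is constructed from the template above, with an SHA-1 signature algorithm swapped in so the audit has something to flag.

```python
import json

# Constructed excerpt of the advanced-settings template, same comment style;
# values mirror the template's defaults except signatureAlgorithm (SHA-1 here).
TEMPLATE = r'''{
  // Security settings
  "security": {
    /** signatures and encryptions required **/
    "wantMessagesSigned": false,
    "wantAssertionsSigned": false,
    "wantXMLValidation": true,
    "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256"
  }
}'''


def strip_comments(text):
    """Drop // and /* */ comments, copying string literals verbatim so the
    '//' inside the algorithm URLs is never mistaken for a comment."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1   # skip escaped characters
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("//", i):
            nl = text.find("\n", i)
            i = n if nl < 0 else nl
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            i = n if end < 0 else end + 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def parse_settings(text):
    # json.loads is strict: leftover comments or trailing commas raise JSONDecodeError
    return json.loads(strip_comments(text))


def audit_security(settings):
    """Return the security settings a reviewer would want changed."""
    sec = settings.get("security", {})
    findings = []
    if not (sec.get("wantAssertionsSigned") or sec.get("wantMessagesSigned")):
        findings.append("neither wantAssertionsSigned nor wantMessagesSigned is true: "
                        "the SP does not require a signature from the IdP")
    for key in ("signatureAlgorithm", "digestAlgorithm"):
        if sec.get(key, "").endswith("sha1"):
            findings.append(f"{key} uses deprecated SHA-1")
    return findings
```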

Endpoints

To view the full SAML endpoints for your Exivity instance, navigate to Administration > System and then click on the SAML tab and then the Endpoints sub-tab.
  • Login URL (/v1/auth/saml/login): Initiates a SAML login request. Redirects to the SAML Identity Provider SSO URL set in the SAML configuration. After a successful authentication (possibly interactive), the IdP redirects back to this API's ACS endpoint.
  • Logout URL (/v1/auth/saml/logout): Initiates a SAML logout request. Redirects to the SAML Identity Provider SLO URL set in the SAML configuration. After the user has been logged out, the IdP redirects back to this API's SLS endpoint.
  • Entity ID / Metadata URL (/v1/auth/saml/metadata): Metadata about the SAML Service Provider instance is published at this URL.
  • Assertion Consumer Service (/v1/auth/saml/acs): If the response received from the SAML Identity Provider is valid, redirects to the Exivity dashboard.
  • Single Logout Service (/v1/auth/saml/sls): If the response received from the SAML Identity Provider is valid, redirects back to the Exivity login screen.
