Managing Service Providers
Service Providers can be found within the Identity Provider navigation link.
Existing Service Providers
The first page loads a list of existing Service Providers. Search facilities can be found in the top right of the screen.
Adding a new Service Provider
Click Add a Service Provider in the top right of the screen.
There are two ways to add a Service Provider: either paste the metadata into the XML box and parse it, or enter the metadata URL and click Retrieve and Parse Metadata.
Once the XML has been parsed, some or all of the options on the right-hand side will be pre-selected with the values provided by the Service Provider. However, in some cases the metadata lacks certain information, and the options will then be pre-selected with the most commonly supported values.
Once the metadata has been parsed, further details need to be completed:
| Field | Description |
| --- | --- |
| Title | This title is used within AuthStack for informational purposes, such as the App Listing. |
| URL | The URL is used within AuthStack to provide a link to the SSO or administrator user(s) from the App Directory. |
| Custom CSS class(es) | CSS classes are used to visually distinguish Apps within the App Listing and App Directory. By default, Font Awesome icons are supported in both the frontend and the administration panel. Example: |
| Visibility | Controls the visibility of the Service Provider when loading the Service Provider list from the AuthStack Apps page. See Setting Service Provider Permissions further down. |
| Connection For User Authentication | Select the connection that the user credentials will be matched against when signing in from the Service Provider. If there are no connections, set up a new connection. |
| Attribute Mapping Set, For Attribute Transformation | Select the attribute mapping set, which is used to describe and transform the data provided by the authentication source via the connection. |
| Digest Algorithm | Hashing algorithm used to produce an XML signature for Assertions and/or SAML Messages. |
| Block Encryption Algorithm | Encryption algorithm that will be used to encrypt Assertions. The encryption key is generated at random and encrypted using the IdP's |
| Key Transport Encryption Algorithm | Algorithm used for encrypting the key that's used for Assertion Encryption. |
There may be situations where you need to try different Block Encryption Algorithms and Key Transport Encryption Algorithms until the SSO test runs without errors. Errors will appear once an SSO test is run: the Service Provider may throw an exception or show an error detailing what failed. In our experience, some Service Providers do not adequately document this part of the process, so trial and error is often required. However, since there is only a limited set of options, this process is fairly quick.
Setting Service Provider Permissions
When setting up a Service Provider there may be situations where you only want logged-in or authorised users to have visibility. Even if the user cannot log in, it is best practice not to display apps which the user is not permitted to access. This could include sensitive and/or test apps.
Privacy options include:
- Public (available to all users)
- Private (Only available to logged in users)
- Private (Only available to authorised users)
Private / authorised allows the setting of an attribute and value(s) to check against. In the example below, this is memberOf: if the user is a memberOf the developer group, they can see the Service Provider in the listing.
Service Provider Certificates
Once the metadata is parsed the certificate information will be shown under the Certificates tab, within the Service Provider view.
Typically there are two certificates, one for signing and the other for encryption.
Service Provider Advanced Details
The Assertion Consumer Service Endpoints tab shows the binding values and endpoints for the Service Provider, along with the contacts who can be reached for assistance with integration.