SSO Configuration
IdentityIQ supports two different options for single sign-on (SSO) configuration, rule-based and SAML. SSO streamlines the login process for users even further than pass-through authentication by enabling the user to bypass signing in to each system, once they have completed the initial sign-on to the authenticating application.
SSO Configuration has the following options:
- Enable Rule-Based Single Sign-On (SSO) – uses rules for Single Sign-On and Validation
- Enable SAML Based Single Sign-On (SSO) – uses Security Assertion Markup Language (SAML) as an authentication protocol
Note: To access the IdentityIQ Login page directly when Single Sign-On is configured, use a supported browser and enter http://<iiq server>/spt/login.jsf?prompt=true.
IdentityIQ supports specifying both types of SSO in the same installation's login configuration. The order in which they are consulted during user authentication will be determined as follows:
- If an ssoAuthenticators attribute is specified in the SystemConfiguration object, it specifies the configured SSO options as a CSV list, and the options are checked in the order they are listed
- If that attribute is not present, SAML SSO is tried first and then rule-based SSO
In rule-based Single Sign-On (SSO) configurations, when the user accesses the IdentityIQ web application, the authentication source recognizes it as a secure resource, requires the user to authenticate to it (if the user has not already done so), and passes a "token," containing contextual information, in the HTTP header to IdentityIQ. The SSOAuthenticationRule validates that information and maps the user to the appropriate IdentityIQ Identity.
Single Sign-On Rule
Specify the rule to use when authorizing users through a single sign-on system, such as SiteMinder.
Click the [...] icon to launch the Rule Editor to make changes to your rules if needed.
Single Sign-On Validation Rule
Specify the rule to use to verify a single sign-on session to make sure a stale session is not actually a different user.
The rule type (SSOValidation) runs on every request. If the request is valid, the rule returns null. If it returns a string, that string indicates an error and is included in the error message written to the logs. If the session is invalidated, the request is redirected to the logoutUrl configured in web.xml.
This is designed to be used with the Single Sign-On Rule.
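The two rule contracts described above, modelled as an added example (this is not IdentityIQ code and does not use the IdentityIQ rule API; the header name SM_TOKEN, the token format and the identity store are constructed for illustration): an authentication function that verifies an HMAC-signed token carried in an HTTP header and maps it to a known identity, and a validation function that runs against every request, returns None when the session still belongs to the same user, and returns an error string when the token is missing, tampered with, expired, or belongs to a different user than the session.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret and identity store; a real deployment keys this
# off whatever the SSO product (for example SiteMinder) actually signs with.
SECRET = b"constructed-shared-secret"
IDENTITIES = {"jdoe": "John Doe", "asmith": "Alice Smith"}
TOKEN_HEADER = "SM_TOKEN"  # hypothetical header name


def make_token(user, issued_at, secret=SECRET):
    """Build a constructed token: base64(JSON payload) '.' hex HMAC-SHA256."""
    payload = base64.urlsafe_b64encode(
        json.dumps({"user": user, "iat": issued_at}).encode()).decode()
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def authenticate(headers, secret=SECRET, max_age=300, now=None):
    """Model of the SSO authentication step: return the identity name the
    header token maps to, or None when the token is absent or invalid."""
    token = headers.get(TOKEN_HEADER)
    if not token or "." not in token:
        return None
    payload, mac = token.rsplit(".", 1)
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time compare so a forged MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac, expected):
        return None
    data = json.loads(base64.urlsafe_b64decode(payload))
    now = time.time() if now is None else now
    if now - data["iat"] > max_age:  # stale token: force re-authentication
        return None
    user = data["user"]
    return user if user in IDENTITIES else None


def validate_session(session_user, headers, **kwargs):
    """Model of the SSOValidation contract: None when the request is valid,
    otherwise an error string describing why the session must be dropped."""
    current = authenticate(headers, **kwargs)
    if current is None:
        return "SSO token missing or invalid"
    if current != session_user:
        return f"session user {session_user} does not match SSO user {current}"
    return None


if __name__ == "__main__":
    tok = make_token("jdoe", issued_at=1000)
    print(authenticate({TOKEN_HEADER: tok}, now=1100))          # jdoe
    print(validate_session("jdoe", {TOKEN_HEADER: tok}, now=1100))   # None
    print(validate_session("asmith", {TOKEN_HEADER: tok}, now=1100)) # mismatch error
```

The user-mismatch branch in validate_session is the "stale session is not actually a different user" check the page describes: the session was established for one user, but the token on the current request now identifies another, so the request should be sent to the logout URL rather than served under the old session.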
In SAML-based SSO, the authorization request can be initiated with the Service Provider (the application itself – IdentityIQ) or with the SSO authentication application (known as the Identity Provider). In either case, the Identity Provider handles authentication of the user and provides a signed XML <Response>, or Assertion. This response contains information that IdentityIQ can match to an identity to determine the user's proper authorization to IdentityIQ functionality.
Entity ID / Issuer
Unique identifier defining the organization (IdentityIQ) to the Identity Provider. This ID is usually the URL or domain name for the organization. For example, https://identityiq-server.your-domain.com:your-port/identityiq
If you use the standard https port for communication, the :your-port is not necessary.
SSO Login URL
The URL of the Identity Provider's SSO service (the SAML SSO service URL). You can obtain this address from your Identity Provider. If the Identity Provider Issuer is not set, the configuration defaults to the Identity Provider Single Sign-On service URL.
Public X.509 Certificate
A Base64-encoded string containing the public key of the X.509 certificate of the Identity Provider.
This entry should include the header -----BEGIN CERTIFICATE----- and footer -----END CERTIFICATE-----.
Identity Provider Issuer URL
The Unique Identifier that defines the Identity Provider to IdentityIQ. This identifier is often in the form of a URL, but does not have to be.
The Identity Provider Issuer URL field is only necessary if the SAML response contains an Issuer value that does not match the leading characters of the Identity Provider SSO Server URL field. For example, the following Issuer value matches the leading characters of the SSO Server URL:
Identity Provider SSO Server URL = https://idp.your-domain.com/SSOApp/SSOLogin
SAML Response Issuer field = https://idp.your-domain.com/SSOApp
Entity ID / Issuer
Unique identifier that represents the Service Provider.
SAML URL (Assertion Consumer Service)
Specify the IdentityIQ URL where the SAML is to be accepted. For example:
https://identityiqserver.your-domain.com:your-port/identityiq/home.jsf
SAML Binding
Select HTTP POST or HTTP Redirect for the communications scheme.
SAML Name ID Format
Select the name format from the list. The Identity Provider provides the formats listed in the dropdown box.
SAML Correlation Rule
Select a rule to use to match a SailPoint identity with a SAML assertion from the Identity Provider results. IdentityIQ includes a sample SAML correlation rule, called IdentityNowSAML, that you can use as a model for developing a correlation rule that meets your business needs.
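The SAML-side checks described in this section, as an added example that is not IdentityIQ's code and not the IdentityNowSAML rule: a constructed configuration with the fields named above (SSO Login URL, Identity Provider Issuer, Entity ID, Assertion Consumer Service URL), a constructed SAML <Response>, and a correlation routine that applies the Issuer rule (compare against the Identity Provider Issuer when it is set, otherwise against the leading characters of the SSO URL), checks Destination and Audience against the Service Provider settings, and correlates the NameID to an identity according to its Name ID Format. XML signature verification against the configured X.509 certificate, which IdentityIQ performs before any of this is trusted, is outside what the standard library offers and is deliberately not modelled here.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed configuration mirroring the fields described on the page.
CONFIG = {
    "idp_sso_url": "https://idp.your-domain.com/SSOApp/SSOLogin",
    "idp_issuer": None,  # not set: fall back to the SSO URL comparison
    "sp_entity_id": "https://identityiq-server.your-domain.com/identityiq",
    "acs_url": "https://identityiq-server.your-domain.com/identityiq/home.jsf",
}

# Constructed identity store keyed by lower-cased e-mail address.
IDENTITIES = {"jdoe@your-domain.com": "jdoe"}

# Constructed, unsigned SAML response (signature checking is out of scope here).
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://identityiq-server.your-domain.com/identityiq/home.jsf">
  <saml:Issuer>https://idp.your-domain.com/SSOApp</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://idp.your-domain.com/SSOApp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@your-domain.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://identityiq-server.your-domain.com/identityiq</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def issuer_accepted(issuer, config):
    """Issuer rule from the page: exact match against the Identity Provider
    Issuer when configured, otherwise the Issuer must be a leading prefix of
    the Identity Provider SSO URL."""
    if not issuer:
        return False
    expected = config["idp_issuer"]
    if expected:
        return issuer == expected
    return config["idp_sso_url"].startswith(issuer)


def correlate(response_xml, config, identities):
    """Return (identity_name, None) on success or (None, reason) on failure."""
    root = ET.fromstring(response_xml)
    issuer_el = root.find("saml:Issuer", NS)
    if issuer_el is None or not issuer_accepted((issuer_el.text or "").strip(), config):
        return None, "issuer not accepted"
    # Destination must be our Assertion Consumer Service URL when present.
    if root.get("Destination") not in (None, config["acs_url"]):
        return None, "destination does not match ACS URL"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, "no assertion"
    # Audience must be our Entity ID so an assertion for another SP is rejected.
    audience = assertion.find(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or (audience.text or "").strip() != config["sp_entity_id"]:
        return None, "audience does not match Entity ID"
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        return None, "no NameID"
    fmt = name_id.get("Format", "")
    value = name_id.text.strip()
    # Correlation keyed on the Name ID Format the Identity Provider sends.
    if fmt.endswith("emailAddress"):
        ident = identities.get(value.lower())
    else:
        ident = value if value in identities.values() else None
    return (ident, None) if ident else (None, "no identity correlated")


if __name__ == "__main__":
    print(correlate(SAMPLE_RESPONSE, CONFIG, IDENTITIES))  # ('jdoe', None)
```

With idp_issuer left unset, the sample Issuer https://idp.your-domain.com/SSOApp is accepted because it is a leading prefix of the SSO URL, which is the case the page's example illustrates; setting idp_issuer switches the check to an exact comparison, which is what you want when the Issuer the Identity Provider sends is unrelated to its SSO URL.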