SSO Configuration

In rule-based Single Sign-On (SSO) configurations, when the user accesses the IdentityIQ web application, the authentication source recognizes it as a secure resource, requires the user to authenticate to it (if the user has not already done so), and passes a “token”, containing contextual information, in the HTTP header to IdentityIQ. The SSOAuthenticationRule validates that information and maps the user to the appropriate IdentityIQ Identity.

Single Sign-On Rule

Specify the rule to use when authorizing users through and single sign-on system, such as SiteMinder.

Click the “...” icon to launch the Rule Editor to make changes to your rules if needed.

See Using the Rule Editor.

Single Sign-On Validation Rule

Specify the rule to use to verify a single sign-on session to make sure a stale session is not actually a different user.

The rule type (SSOValidation) runs on every request. If the request is valid, it returns null. If it returns a string, that string is an indication of an error and is used in the error that is displayed in the logs. If the session is invalidated, the request is redirect to logoutUrl configured in web.xml.

This is designed to be used with the Single Sign-On Rule.

In SAML-based SSO, the authorization request can be initiated with the Service Provider (the application itself - IdentityIQ) or with the SSO authentication application (known as the Identity Provider). In either case, the Identity Provider handles authentication of the user and provides a signed XML <Response>, or Assertion. This response contains information that IdentityIQ can match to an identity to determine the user's proper authorization to IdentityIQ functionality.

Entity ID / Issuer

Unique identifier defining the organization (IdentityIQ) to the Identity Provider. This ID is usually the URL or domain name for the organization. For example, https://identityiq-server.your-domain.com:your-port/identityiq

If you use the standard https port for communication, the :your-port is not necessary.

SSO Login URL

The URL of the Identity Provider SSO service provider (the SAML SSO service URL). You can obtain this address from your Identity Provider. If the Identity Provider Issuer is not set, the configuration defaults to Identity Provider Single Sign-On service URL.

Public X.509 Certificate

An encrypted string containing the public key of the X509 certificate of the Identity Provider.

This entry should include the header -----BEGIN CERTIFICATE----- and footer -----END CERTIFICATE-----

Identity Provider Issuer URL

The Unique Identifier that defines the Identity Provider to IdentityIQ. This identifier is often in the form of a URL, but does not have to be.

The Identity Provider Issuer URL field is only necessary if the SAML response does not contain an Issuer value that does not match the leading characters of the Identities Provider SSO Server URL field. For example,

Identity Provider SSO Server URL = https://idp.your-domain.com/SSOApp/SSOLogin

SAML Response Issuer field = https://idp.your-domain.com/SSOApp

Entity ID / Issuer

Unique identifier that represents the Service Provider.

SAML URL (Assertion Consumer Service)

Specify the IdentityIQ URL where the SAML is to be accepted. For example:

https://identityiqserver.your-domain.com:your-port/identityiq/home.jsf

SAML Binding

Select HTTP POST or HTTP Redirect for the communications scheme.

SAML Name ID Format

Select the name format from the list. The Identity Provider provides the formats listed in drop-down box.

SAML Correlation Rule

Select a rule to use to match a SailPoint identity with a SAML assertion from the Identity Provider results. IdentityIQ includes a sample SAML correlation rule, called IdentityNowSAML, that you can use as a model for developing a correlation rule that meets your business needs.