Add SAML-Based IdP Connections

Before you begin

You must have the permissions necessary to edit your IdP's configuration settings.

Make sure you have a verified domain to use with this connection.

About this task

To add a SAML-based IdP connection to SOTI Identity:

Procedure

  1. In the SOTI Identity Admin Console, open the main menu and select Directories/IDP.
    You can also add a SAML-based connection from the Users view. Click New Group/Directory and select IdP Connection.
  2. Click New Directory > IdP Connection to open the Create Connection dialog box.
  3. Select SAML Based IdP.
  4. Click Downloads in the upper right corner of the Configure IdP dialog box and download both the Identity Metadata and Identity Certificate to your computer.
    SOTI Identity uses these files to authorize the IdP connection.
  5. Upload the Identity Metadata and Identity Certificate files into your IdP's configuration settings.
  6. Return to the SOTI Identity administrator console and the Configure IdP dialog box.
  7. Fill in the fields for the IdP Settings section.
    Tip: Click Import to upload your IdP's metadata file into SOTI Identity; this populates the fields in the IdP Settings section.
    Name Enter a name for the IdP connection. SOTI Identity checks the availability of the name within its system. Unavailable names are flagged, and you cannot save the IdP connection until you change the name.
    IdP Metadata File Click Import to upload the IdP's metadata file into SOTI Identity. This metadata file contains the information needed to create a link between the IdP and SOTI Identity. If you do not have an IdP metadata file, you must fill in the IdP connection information manually.
    IdP Entity ID Enter the globally unique identifier for the SAML IdP. You can obtain the IdP Entity ID from your IdP administrator. SOTI Identity checks the availability of the IdP Entity ID within its system. Unavailable IDs are flagged, and you cannot save the IdP connection until you change the ID.
    SSO URL Enter the IdP SSO login URL. SOTI Identity uses this URL to initiate the SSO login sequence. You can obtain the SSO URL from your IdP administrator.
    Note: SOTI Identity supports only HTTP-POST binding.
    Logout URL Enter the URL to which users are redirected when they log out from the SOTI Identity console. If a Logout URL is not provided, users are redirected to a default logout page.

    When SOTI Identity logs out a user, it notifies the third-party IdP at this URL so that the IdP can log out the user itself (and perform any other expected actions). If a third-party IdP notifies SOTI Identity that a user is logging out, SOTI Identity responds to the third-party IdP at this URL.

  8. Choose one or more domains from the Choose Groups dropdown list.
    Domains control who can (or cannot) log into a SOTI Identity account and its associated applications. Each SAML-based connection is mapped to at least one domain.

    Only verified domains appear in this list. If you haven't set up a verified domain yet, click Manage Domains. You will be redirected to the Domains view where you can add and verify domains. Your current draft connection will be lost.

  9. Upload a certificate that authenticates your IdP. Click to open a file explorer window. Navigate to the certificate and upload it to SOTI Identity.
    You can upload multiple certificates to SOTI Identity. The certificates are evaluated in the order they appear here, starting from the top, until a valid certificate successfully authenticates the IdP.

    Certificates must be in either DER-encoded binary X.509 or Base64-encoded X.509 format.

  10. Fill in the fields for User Attributes.
    Email The keyword (attribute name) that defines the search filter for fetching the user's email address.
    First Name The keyword (attribute name) that defines the search filter for fetching the user's first name.
    Last Name The keyword (attribute name) that defines the search filter for fetching the user's last name.
    Member of The keyword (attribute name) that defines the search filter for fetching the user's group membership details.
    Delimiter for Multiple "Member of" The delimiter that separates multiple group memberships when the IdP returns them in a single "Member of" value.
  11. In the Map Additional User Attributes section, click to add additional user attributes. Enter a name for the user attribute and then select an attribute from the Mapped Attribute dropdown list.
  12. Click Create to save your IdP connection.
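The following is an added example, not SOTI code, showing what the Import in step 7 has to extract from an IdP metadata file and what the format rule in step 9 means in practice. It reads the entity ID, the HTTP-POST SSO and logout URLs and the signing certificates out of metadata, warns when the IdP offers only a binding SOTI Identity does not support, and normalises a certificate given either as DER-encoded binary or as Base64/PEM text. The metadata, the `idp.example.com` URLs and the certificate bytes are constructed placeholders; the certificate is a bare DER header plus padding, not a real certificate.

```python
"""Added example: inspect a SAML IdP metadata file and normalise an IdP
certificate before importing them (steps 7 and 9). Not SOTI code; the
metadata and certificate below are constructed stand-ins."""
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def to_der(cert_bytes: bytes) -> bytes:
    """Accept DER-encoded binary or Base64/PEM X.509 input and return DER.

    A DER certificate starts with a SEQUENCE tag (0x30) followed by a
    long-form length byte (0x81-0x83); Base64 text can never contain the
    latter, which makes the two formats easy to tell apart."""
    if cert_bytes[:1] == b"\x30" and cert_bytes[1:2] in (b"\x81", b"\x82", b"\x83"):
        der = cert_bytes
    else:
        text = cert_bytes.decode("ascii")  # UnicodeDecodeError (a ValueError) on binary garbage
        body = re.sub(r"-----[A-Z ]+-----", "", text)  # drop PEM armour lines if present
        der = base64.b64decode("".join(body.split()), validate=True)
    if der[:1] != b"\x30":
        raise ValueError("not an X.509 certificate: DER SEQUENCE tag missing")
    return der


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the IdP Settings fields (entity ID, SSO URL, logout URL,
    signing certificates) and flag anything SOTI Identity cannot use."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("expected an md:EntityDescriptor root element")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    slo = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)}

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(to_der((cert.text or "").encode("ascii")))

    warnings = []
    if HTTP_POST not in sso:
        warnings.append("no HTTP-POST SingleSignOnService; SOTI Identity supports only HTTP-POST binding")
    if not certs:
        warnings.append("no signing certificate in metadata; upload one manually in step 9")

    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get(HTTP_POST),
        "logout_url": slo.get(HTTP_POST),
        "signing_certs_der": certs,
        "warnings": warnings,
    }


# Constructed placeholder: a DER SEQUENCE header plus zero padding, not a real certificate.
FAKE_CERT_DER = b"\x30\x82\x01\x00" + bytes(256)
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode("ascii")


def sample_metadata(binding: str = HTTP_POST) -> str:
    """Constructed IdP metadata for a hypothetical idp.example.com."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {FAKE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{binding}" Location="https://idp.example.com/slo"/>
    <md:SingleSignOnService Binding="{binding}" Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    for binding in (HTTP_POST, HTTP_REDIRECT):
        info = parse_idp_metadata(sample_metadata(binding))
        print(info["entity_id"], info["sso_url"], info["warnings"])
```

Running the script with the HTTP-Redirect variant leaves `sso_url` empty and produces the binding warning, which is the case to catch before clicking Create rather than at the first login attempt. The certificate check only confirms the outer DER structure; which certificate actually signed an assertion is decided by the ordered evaluation described in step 9.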
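As a second added example (again not SOTI code), this shows what the User Attributes mapping in steps 10 and 11 does to an incoming assertion: each SOTI field is looked up by the SAML attribute name entered for it, and "Member of" is split on the configured delimiter. The mapping values (`mail`, `givenName`, `sn`, `memberOf`, `department`), the `;` delimiter and the assertion for `alice@example.com` are constructed assumptions, and the assertion fragment omits the signature and conditions that a real one carries.

```python
"""Added example: apply the User Attributes mapping from steps 10 and 11 to a
SAML assertion. Not SOTI code; the mapping and the assertion are constructed."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical values entered in the User Attributes fields (step 10):
# SOTI field -> SAML attribute Name as the IdP emits it.
USER_ATTRIBUTES = {
    "Email": "mail",
    "First Name": "givenName",
    "Last Name": "sn",
    "Member of": "memberOf",
}
MEMBER_OF_DELIMITER = ";"
# Hypothetical additional attribute mapped in step 11.
ADDITIONAL_ATTRIBUTES = {"Department": "department"}


def attribute_values(assertion: ET.Element, name: str) -> list:
    """All AttributeValue texts of the saml:Attribute whose Name matches."""
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            return [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return []


def map_user(assertion_xml: str) -> dict:
    """Build the SOTI-side user record; missing fields are reported, never guessed."""
    root = ET.fromstring(assertion_xml)
    record, missing = {}, []
    for field, saml_name in {**USER_ATTRIBUTES, **ADDITIONAL_ATTRIBUTES}.items():
        values = attribute_values(root, saml_name)
        if field == "Member of":
            # IdPs send groups either as one delimited string or as repeated
            # AttributeValue elements; accept both shapes and drop empty entries.
            groups = []
            for value in values:
                groups.extend(g.strip() for g in value.split(MEMBER_OF_DELIMITER) if g.strip())
            record[field] = groups
        elif values:
            record[field] = values[0]
        else:
            record[field] = None
            missing.append(field)
    return {"attributes": record, "missing": missing}


# Constructed assertion fragment for a hypothetical user; signature and conditions omitted.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Admins;Helpdesk</saml:AttributeValue>
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(map_user(SAMPLE_ASSERTION))
```

The sample deliberately lacks a `department` attribute, so the result lists `Department` under `missing` instead of silently storing an empty string; a mapping whose attribute name does not match what the IdP sends shows up the same way. Attribute mapping is only meaningful on an assertion whose signature has already been verified against the certificates uploaded in step 9, because the group values drive access to SOTI applications.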

Results

The new IdP connection appears in the Directories List where you can update it at any time.