SAML

enabled

Whether SAML authentication should be used or not

true

false

same-site

Restricts the usage of the cookie for the browser. The restriction is based on the originating event, which instructed the browser to send the cookie

none

strict

secure

Ensures that the cookie is only sent over HTTPS connections. If same-site is set to none, secure must be set to true

false

true

entity-id

The Identity Provider (IdP) entity ID

⚠ must match your metadata XML entity

https://idp.company.com

n/a

signing → credentials →

• private-key-location

certificate-location

Location of the private key used to sign SAML authentication requests and the location of the relying PartX509Certificate shared with the identity provider for SAML authentication requests.

Both take the form of a file path or class path. Note if class path is used the root folder is the resources folder in the rest-service.

Note this can be a list of paired keys and certificates. The “-” character is required before each “private-key-location” value

private-key-location

File path: file:./conf/saml/signing_key.key

Class path: classpath:credentials/signing_key.key

certificate-location

File path: file:./conf/saml/signing_cert.crt

Class path: classpath:credentials/signing_cert.crt

n/a

decryption → credentials →

• private-key-location

certificate-location

Location of the private key used for decrypting the SAML authentication request and the location of the relying PartX509Certificate shared with the identity provider for SAML authentication requests.

Both take the form of a file path or class path. Note if class path is used the root folder is the resources folder in the rest-service.

Note this can be a list of paired keys and certificates. The “-” character is required before each “private-key-location” value

private-key-location

File path: file:./conf/saml/signing_key.key

Class path: classpath:credentials/signing_key.key

certificate-location

File path: file:./conf/saml/signing_cert.crt

Class path: classpath:credentials/signing_cert.crt

n/a

assertingparty → metatdata-uri

URL to the Identity Provider (IdP) metadata

Can take the form of a URL, file path or class path. Note if class path is used the root folder is the resources folder in the rest-service.

URL: http://idp.com/idp-metatdata.xml

File path: file:./conf/saml/idp-metatdata.xml

Class path: classpath:metadata/idp-metatdata.xml

n/a

valsightSamlProperties → name-id-format

Removed in 6.1.0

The application will now default to the one specified in the IdP’s metadata.

The name id format to use when communicating with the idp

Must be one of the following:

1. urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

2. urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

3. urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

4. urn:oasis:names:tc:SAML:2.0:nameid-format:transient
   _*Optional

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

n/a

valsightSamlProperties → loginSuccessfulUrl

The absolute URL (starting with http(s)) of the application's main page. The user will be redirected there after a successful login.

_*Optional

https://valsight.company.com/

n/a

valsightSamlProperties → userProfileMapping → username

The SAML response attribute used to uniquely identify an user. It must always be present in the response and unique per user.

_*Optional

preferred_username

SAML user ID

valsightSamlProperties → userProfileMapping → email

This SAML response attribute that contains the user's e-mail address.

_*Optional

email

n/a

valsightSamlProperties → userProfileMapping → fullName

The  SAML response attribute that contains the user's full name.

_*Optional

name

n/a

valsightSamlProperties → mandatoryAttributes → attribute: attributeValue

This is used to customize the requested presence and values of SAML response attributes.

Each attribute configured here must be present in the provider's response and also have the specified value. If attribute has multiple values in the response (e. g. a list of groups the users belongs to) then one of the values in the response must be an exact match to the configured value.

_*Optional

Example Configuration

mandatoryAttributes:
    group: groupName
    role: roleName

Note that these are both example attributes and values. It is possible to input any attribute name and value presuming they are included in the SAML token attributes.

n/a

valsightSamlProperties → groupsAttribute

This configuration option enables SAML to determine which groups users belong to. If this field is not present or if it is empty, the groups must be managed internally in the application. If we set a value of 'groupsAttribute' we turn this functionality on. The value of 'groupsAttribute' should be an attribute name of the SAML response (https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1.0-cs01.html#_Toc536097223 ) that contains the SAML provided groups.

The group matching happens as follows:

1. read groups from the SAML response

2. create groups that are missing in the application

3. add user to all groups from the response

4. remove user from all groups not in the response

Important: this functionality never automatically deletes groups in the application

_*Optional

groupsInSAMLResponse

n/a

valsightSamlProperties → signingAlgorithms → RSA

Removed in 6.1.0

The application will now default to http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

Which signing algorithm should be used to sign XML requests created by the Valsight application. List of possible values: https://www.w3.org/TR/xmldsig-core1/#sec-SignatureAlg

You can replace the 'RSA' key with any of the listed signature methods. The 'signingAlgorithms' key also allows multiple signature method configurations at the same time.

_*Optional

http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

http://www.w3.org/2001/04/xmldsig-more#rsa-sha1