SAML FAQ
Here are some FAQs about SAML authentication:
Q: Is the product SAML 2.0 compliant?
A: Yes.
Q: Which SAML 2.0 profile is supported by the target application: SP-initiated SSO or IdP-initiated SSO? ST's preference is SP-initiated SSO.
A: The product supports SP-initiated SSO.
Q: Are the SAML bindings HTTP POST [for IdP-initiated SSO] and HTTP Redirect/POST [for SP-initiated SSO]?
A: Yes.
Q: Digital signature from ST IdP: are X.509 certificates issued by a private CA supported for digitally signing SAML messages/responses from the ST IdP server (FIM)?
A: Yes. The IdP's signing certificate is trusted because it is configured on the SP (normally imported from the IdP metadata), not because a public CA issued it, so a private CA is fine.
Q: Digital signature from ST IdP: is it true that the X.509 certificate will be SHA-2 (SHA-1 certificates are not accepted due to security policies)?
A: Yes. The product rejects signatures that use deprecated algorithms (SHA-1).
Q: Digital signature from ST IdP: is the digital signing algorithm RSA-SHA256?
A: The product supports several signing algorithms:
- 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
- 'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
- 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
- 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
- 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
The default is rsa-sha256. The two sha1 entries are listed only for completeness: they are deprecated (see the previous answer) and should not be enabled; use rsa-sha256 or stronger.
Q: Can the target system (Service Provider: SP) provide a metadata XML file with the SP configuration information?
A: Yes. There is an Export SP Metadata feature which allows the user to download the SP's metadata.xml, which includes the entity ID, ACS URL, X.509 certificate, etc.
Q: Attribute contract: which user attribute will be used for user identification in the SAML assertion? e.g. email or login name.
A: The product supports attribute mappings from the SAML attributes in the SAML assertion to user attributes. The login attribute can be mapped from any SAML attribute, e.g. email or login name, as long as the attribute value uniquely identifies the user.
Q: Attribute contract: how should the user identity be passed in the SAML token, as the SAML Subject or as a SAML Attribute?
A: The user identity should be passed in the SAML response message as a SAML attribute.
Q: Attribute contract: what additional user attributes are required in the SAML token, and why? e.g. first name, last name, organization.
A: The only mandatory user attribute is the login (which can be mapped from any unique SAML attribute). The login is used as the user name. Other attributes, such as Full Name, Email, Distinguished Name, Groups or Description, are optional.
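The SP-side policy behind the answers above (accept only SHA-2 signature algorithms, check the assertion is addressed to this SP and still valid, then map the login from a single-valued attribute), as an added example that is not the product's own code. The Response, the entity IDs and URLs, and the fixed clock value are all constructed for the example. It checks only what the signature declares; the cryptographic verification of the XML signature itself must be done by a SAML/xmlsec library against the IdP certificate configured on the SP.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 2.0 / XML-DSig namespaces
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# SHA-2 algorithms the SP accepts; rsa-sha1 and dsa-sha1 are deliberately absent
ALLOWED_SIG_ALGS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}

# Constructed sample Response; {alg} is filled in per case, the SignatureValue is a placeholder
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/fim</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/fim</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{alg}"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="displayName"><saml:AttributeValue>Alice Liddell</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups"><saml:AttributeValue>admins</saml:AttributeValue>
        <saml:AttributeValue>users</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Hypothetical SP configuration and a fixed "now" inside the assertion's validity window
SP_ENTITY_ID = "https://sp.example.com/saml"
ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/fim"
NOW = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(root, sp_entity_id, acs_url, idp_entity_id, now):
    """Return a list of policy failures (empty means the checks passed).
    Does NOT verify the XML signature; it checks the declared algorithm, addressing and validity."""
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the SP's ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion in Response"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != idp_entity_id:
        problems.append(f"unexpected Issuer {issuer!r}")
    method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    alg = method.get("Algorithm") if method is not None else None
    if alg not in ALLOWED_SIG_ALGS:
        problems.append(f"signature algorithm not allowed: {alg}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        if cond.get("NotBefore") and now < parse_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= parse_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("SP entity ID not in AudienceRestriction")
    return problems


def extract_attributes(root):
    """Map attribute Name -> list of values from the AttributeStatement."""
    attrs = {}
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def map_login(attrs, login_attribute):
    """The configured login attribute must carry exactly one non-empty value
    (uniqueness of that value across users is the IdP's responsibility)."""
    values = [v for v in attrs.get(login_attribute, []) if v]
    if len(values) != 1:
        raise ValueError(f"login attribute {login_attribute!r} must have exactly one value, got {values}")
    return values[0]


def process_sample(alg):
    """Run the checks on the constructed sample with the given SignatureMethod URI."""
    # ElementTree is fine for a trusted, constructed sample; real IdP input needs a hardened
    # parser (e.g. defusedxml) so entity expansion and external entities are blocked.
    root = ET.fromstring(SAMPLE_RESPONSE.format(alg=alg))
    return validate_response(root, SP_ENTITY_ID, ACS_URL, IDP_ENTITY_ID, NOW), extract_attributes(root)


if __name__ == "__main__":
    problems, attrs = process_sample("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
    print(problems, map_login(attrs, "email"))
    print(process_sample("http://www.w3.org/2000/09/xmldsig#rsa-sha1")[0])
```

The same assertion is accepted when it declares rsa-sha256 and refused when it declares rsa-sha1; mapping the login from the multi-valued `groups` attribute fails the exactly-one-value check, which is why the FAQ insists on a unique single attribute such as email or login name.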
Q: Does the SP (on the SaaS side) use a digital signature?
A: Yes. The product's SP signs the SAML authentication requests with an X.509 certificate if the user has configured the SP's private key and X.509 certificate. In that case, the user must configure their Identity Provider with the SP's X.509 certificate so that it can verify the signature.
Q: Do you ensure that SAML authentication requests from the SP are digitally signed with RSA-SHA256, RSA-SHA384 or RSA-SHA512 (the SP will use its own X.509 certificate to sign)?
A: Yes. SAML authentication requests from the SP are signed with RSA-SHA256 using the SP's private key and X.509 certificate.
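How a signed SP-initiated AuthnRequest is built for the HTTP Redirect binding mentioned above, as an added example that is not the product's own code: the request is raw-DEFLATEd and base64-encoded, and the RSA-SHA256 signature covers the URL-encoded query octets (SAMLRequest, optional RelayState, then SigAlg), not the XML. The IdP must verify that signature over the query string exactly as received before it trusts the decoded request. The SP/IdP URLs and entity IDs are hypothetical; the signing helper uses the third-party `cryptography` package (assumed installed), while the encoding and parsing helpers need only the standard library.

```python
import base64
import urllib.parse
import uuid
import zlib
from datetime import datetime, timezone

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id=None, issue_instant=None):
    """Minimal SP-initiated AuthnRequest. ID must be an xsd:ID (starts with a letter or '_')."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>"
    )


def deflate_b64(xml):
    """Redirect binding encoding: raw DEFLATE (no zlib header, wbits=-15), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def inflate_b64(value):
    return zlib.decompress(base64.b64decode(value), -15).decode()


def octets_to_sign(saml_request_b64, relay_state, sig_alg):
    """The exact string the SP signs: URL-encoded params in the order
    SAMLRequest, RelayState (only if present), SigAlg."""
    parts = [("SAMLRequest", saml_request_b64)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return urllib.parse.urlencode(parts)


def sign_rsa_sha256(octets, private_key_pem):
    """RSA PKCS#1 v1.5 with SHA-256, which is what the rsa-sha256 SigAlg URI denotes.
    Uses the third-party 'cryptography' package (assumed installed); imported lazily so the
    encoding helpers work without it."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return base64.b64encode(key.sign(octets.encode(), padding.PKCS1v15(), hashes.SHA256())).decode()


def build_redirect_url(idp_sso_url, sp_entity_id, acs_url, relay_state=None, private_key_pem=None):
    """Full redirect URL to the IdP SSO endpoint; signed with the SP key when one is supplied."""
    request = build_authn_request(sp_entity_id, acs_url, idp_sso_url)
    query = octets_to_sign(deflate_b64(request), relay_state, RSA_SHA256)
    if private_key_pem is not None:
        query += "&Signature=" + urllib.parse.quote_plus(sign_rsa_sha256(query, private_key_pem))
    return f"{idp_sso_url}?{query}"


def parse_redirect_url(url):
    """What the IdP sees: decode the parameters and inflate the request. SignedOctets is the raw
    query up to '&Signature=', the input the IdP must verify the signature over before trusting
    the XML (re-encoding the decoded values can change the bytes and break verification)."""
    raw_query = urllib.parse.urlparse(url).query
    params = dict(urllib.parse.parse_qsl(raw_query, keep_blank_values=True))
    params["AuthnRequest"] = inflate_b64(params["SAMLRequest"])
    params["SignedOctets"] = raw_query.split("&Signature=")[0]
    return params


if __name__ == "__main__":
    url = build_redirect_url("https://idp.example.com/fim/sso", "https://sp.example.com/saml",
                             "https://sp.example.com/saml/acs", relay_state="/home")
    print(url)
    print(parse_redirect_url(url)["AuthnRequest"])
```

For the HTTP POST binding the request is instead base64-encoded without compression and carries an enveloped XML-DSig signature inside the AuthnRequest, so the two bindings sign different things even though both use the SP's RSA-SHA256 key.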
https://www.metaintegration.com/MITI/Help/UserGuide/#!Documents/saml2authenticationworkflow1.html