Unqork as a SAML Identity Provider
Overview
SAML (Security Assertion Markup Language) is an SSO (single sign-on) method supported by Unqork. You'll most commonly use SAML to grant access to your Unqork environment. But you can also use SAML in reverse, using Unqork to authenticate a user for another service.
Say you need to redirect an end-user to an outside application. For the end-user to have a smooth transition, you don’t want them to see a login screen when they reach the other service. So, you’d use Unqork as a SAML Identity Provider (IdP) to automatically log the end-user in. This differs from using SAML as a service provider. You'll find information on using SAML as a service provider in our article of the same name. For now, let's take a closer look at how to use Unqork as a SAML IdP.
What You'll Learn
In this article, you'll learn:
What is a SAML IdP?
SAML is a standard for securely exchanging authentication and user information between an Identity Provider (IdP) and a Service Provider (SP). In this case, the Identity Provider is Unqork. You'll find information on Unqork as an SP in our SAML Service Provider article.
As an IdP, Unqork supports 3 SAML request/response flows:
- IdP-initiated flow (POST binding)
- IdP-initiated flow (Redirect binding, with or without deflation)
- IdP-initiated flow (RedirectHash binding, with or without deflation)
Deflation compresses the SAML response before it is sent. Some services limit how large a response can be, and deflating the response helps you stay within those limits.
IdP Limitations
Note that while Unqork has SAML IdP functionality, we don't support every feature of a true Identity Provider. Currently, Unqork doesn’t support:
- SP-initiated SAML.
- Encrypted attributes.
- Single logout.
How to Configure Unqork as a SAML IdP
To set up your Unqork environment as a SAML IdP, you’ll work with your Service Provider and the Unqork DevOps team.
Service Provider Information
First, you’ll need to get the following information from your Service Provider:
Setting | Description
---|---
Callback URL | Where Unqork directs the SAML response.
Friendly Name | A simple name for the Service Provider. This can be unique to Unqork, but the Service Provider may have a standard their clients use.
User Attributes | Any information the Service Provider needs to know about the user. This can include the user’s name, email, or other identifying information.
Other Attributes | Some Service Providers require other attributes in the SAML response. These can be static attributes like “Unqork” or dynamic, including information entered by the end-user.
Once you have this information, you’ll pass it on to Unqork's DevOps team. The DevOps team will use this to configure your environment as needed.
Metadata
Once configured, your Unqork environment can send SAML responses. To accept those responses, though, your Service Provider needs some information from you. You'll provide that information in an XML metadata file with the following URL:
https://<host>/identity/saml/metadata.xml?sp=<friendlyName>
In this URL, <host> would be the name of your environment. And <friendlyName> would be the name provided by your Service Provider.
Initiating a SAML Response
To initiate a SAML response after final configuration, you must direct your user to a specific URL. That URL will look something like this:
https://<host>/fbu/saml-idp?sp=<friendlyName>&<otherAttributeKey>=<otherAttributeValue>
In this URL, <host> would be the name of your environment. And <friendlyName> would be the name provided by your Service Provider. <otherAttributeKey> and <otherAttributeValue> would be the key and value of any other attribute added to the response during initial configuration. You can redirect your user to this URL as you would redirect them to any other URL. An example is configuring a button to redirect the user when clicked.
This redirect only works if the user is already logged into your Unqork environment. The redirect won't automatically ask them to log in.
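The following is an added example, not Unqork code or a real Unqork response. It builds the initiation URL above with every query value URL-encoded (so an attribute value containing `&` or `=` cannot alter the query), and shows what "with deflation" means for a Redirect binding, assuming Unqork follows the standard SAML HTTP-Redirect encoding (raw DEFLATE, then base64) and an SP decoding the result. The host, friendly name, attribute and XML are constructed placeholders.

```python
import base64
import zlib
from urllib.parse import urlencode, urlunsplit

# Constructed sample: a minimal SAML Response body, not a real Unqork response.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example" Version="2.0" Destination="https://sp.example.com/acs">'
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>'
    '</saml:Assertion></samlp:Response>'
)


def idp_initiation_url(host: str, friendly_name: str, other_attributes: dict) -> str:
    """Build the /fbu/saml-idp URL from the article. urlencode() percent-encodes
    every key and value, so user-supplied attribute values cannot inject
    extra query parameters or change the 'sp' value."""
    query = urlencode({"sp": friendly_name, **other_attributes})
    return urlunsplit(("https", host, "/fbu/saml-idp", query, ""))


def encode_redirect(saml_xml: str, deflate: bool) -> str:
    """Encode a SAML response for a Redirect binding. With deflate=True the XML
    is compressed with raw DEFLATE (wbits=-15: no zlib header, as the SAML
    HTTP-Redirect binding specifies), then base64-encoded. (Assumed encoding.)"""
    data = saml_xml.encode("utf-8")
    if deflate:
        compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = compressor.compress(data) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect(value: str, deflate: bool) -> str:
    """The Service Provider's side: reverse the base64 and, when the response
    was deflated, the raw DEFLATE, to recover the original XML."""
    data = base64.b64decode(value)
    if deflate:
        data = zlib.decompress(data, -15)
    return data.decode("utf-8")


if __name__ == "__main__":
    print(idp_initiation_url("acme.unqork.example", "partner-sp", {"dept": "R&D"}))
    plain = encode_redirect(SAMPLE_RESPONSE, deflate=False)
    small = encode_redirect(SAMPLE_RESPONSE, deflate=True)
    print(f"without deflation: {len(plain)} chars, with deflation: {len(small)} chars")
```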