Federation members

Entity Group

Description

An entity group is just like a folder that allows you to manage different kinds of federation members. One of the most common ways to group federation members is by trust level.

When you create an entity group, the Identity Providers and the Service Providers records will be displayed. Then you could add identities and services selecting the proper record.

Screen overview

image-1652360950792.png

Standard attributes


Identity Provider

Description

An identity provider (abbreviated IdP or IDP) is a system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications within a federation or distributed network.

An Identity Provider is responsible for identifying users. Also, it is responsible for giving service providers information regarding the identified user.

Soffid allows you to configure different identity providers, you can choose the best option for you by selecting the IdP type:

To create an identity provider, it is advisable to install a dedicated sync server. It can be configured as a proxy sync server as it does not need direct access to the Soffid database. Instead, it will connect to the main sync server to get users and federation information.

For more information about how to configure a dedicated sync server, you can visit the Install Sync server page.

Standard attributes

The fields for each IdP type are detailed below:

Soffid IdP

Identification
Service Configuration

The Metadata is the information that any application needs to use the IdP. That is an XML file that contains the public encryption keys and the services provided

Leave it blank as Soffid IdP will fulfill it for you.

The metadata will be created when the network data and SAML Security data. Restarting the sync server will be necessary to fill in the Metadata.

Network
💻 Image

image-1709029065265.png

Server certificate management: there are two options for certificate management. You can visit the Server certificate management page for more information.

SAML Security
Session management
Authentication
Advanced Authentication
Profiles

A profile is a protocol or subset of protocols implemented by the Identity Provider. There are some accepted protocols, those allows a custom config dependent on the selected profile.

You can visit the Profiles chapter for more information about each one.

Look and feel

Soffid allows you to personalize your login page by adding some style elements, as well as header and footer elements.


External SAML IdP

Identification
Service Configuration

The Metadata is the information that any application need to use the IdP. That is an XML file that contains the public encryption keys and the services provided

Leave it blank as Soffid IdP will fulfill it for you.

Login Rules

OpenID-Connect

Service Configuration

{
    "authorization_endpoint": "https://server/oauth2/auth",
    "token_endpoint": "https://server/oauth2/token",
    "userinfo_endpoint": "https://server/oauth2/userinfo",
    "scopes_supported": [ "openid","email","profile"]
}

The Metadata is the information that any application need to use the IdP. That is an XML file that contains the public encryption keys and the services provided

Login rules

sn = attributes{"screen_name"};
i = sn.indexOf(" ");
if (i> 0) {
	user.firstName = sn.substring(0, i);
	user.lastName = sn.substring(i+1);
} else {
	user.firstName = "?";
  	user.lastName = sn;
}
return attributes{"name"};

Facebook

Identification
Service Configuration
Login rules

Google

Identification
Service Configuration
Login rules

Linkedin

Identification
Service Configuration
Login rules

(*) What is CAPTCHA --> https://support.google.com/a/answer/1217728?hl=en

(*) https://www.google.com/recaptcha/about/

Service Provider

Definition

The Service Providers are standard applications that rely on Identity Providers to let the users log in.

Join federation

To join the federation, the service provider management team must deliver its "Metadata". The service provider Metadata describes how the service providers behave:

Standard attributes

The standard attributes depend on the Service provider type.

SAML

To enable External SAML protocol you can visit the Authentication page. Also, on that page you could download the metadata XML file.

Identification
Service configuration

To publish the federation members' metadata, the main sync server exports the member's metadata at the path /SAML/metadata.xml. Thus, if your sync server is listening at soffid1.your.domain, you can get the whole federation metadata document from:

https://soffid1.your.domain:760/SAML/metadata.xml


After some seconds, up to five minutes, every federation member will notice any change.

Login rules
💻 Image

image-1718031321737.png

You can visit the Openid-connect to SAML interoperability page for more detailed information.


SAML API client

Identification
Service configuration

Leave it blank as Soffid IdP will fulfill it for you.

The metadata will be created when the network data and SAML Security data.

Login rules

You can visit the Openid-connect to SAML interoperability page for more detailed information.

Network
SAML Security
💻 Image

image-1718031233232.png


OpenID Connect

Identification
Login rules

You can visit the Openid-connect to SAML interoperability page for more detailed information.

OpenID authorization flow
💻 Image

image-1718031290130.png


OpenID Connect Dynamic Registration

Identification
Login rules
OpenID authorization flow
Registration token
💻 Image

image-1718031155504.png


Cas client

Identification
Login rules
CAS configuration
💻 Image

image-1718031131014.png


Radius client

Identification
Login rules
Radius configuration
💻 Image

image-1718031107168.png


TACACS+

Identification
Login rules
Tacacs+ configuration
💻 Image

image-1718031084991.png

https://www.rfc-editor.org/rfc/rfc8907.html


WS-Federation

Identification
Login rules
WS-Federation
💻 Image

 image-1718031500088.png


Virtual Identity Provider

Definition

A single identity provider usually offers different profiles or service levels to diffeferent service provider. To be able to define this behavior, any Identity Provider can be split into many virtual identity providers. Those identity providers will be served by the same actual identity provider, but they will have different profile configurations.

Standard attributes

Identification

Service configuration

Leave it blank as Soffid IdP will fulfill it for you.

SAML Security

Authentication

Advances authentication

Profiles

A profile is a protocol implemented by the Identity Provider. There are some accepted protocols, those allows a custom config dependent on the selected profile

You can visit the Profiles chapter for more information about each one.

Service Providers

It will be necessary to bind any service provider to the virtual identity provider. When no such bind exists for a service provider, the actual identity provider profile configuration applies.