
Service Provider

Definition

Service Providers are standard application servers that rely on Identity Providers to let users log in.

Join federation

To join the federation, the service provider management team must deliver its "Metadata". The service provider metadata describes how the service provider behaves:

  • Which security algorithms it supports.
  • The public portion of its signing and encryption keys.
  • Which SAML protocols it supports.
  • The URL of each SAML protocol endpoint.
  • Contact information.
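An added example (not Soffid code) of what a federation administrator can check in that metadata before admitting a service provider: it parses a constructed, hypothetical SP metadata document with the standard library and reports the fields listed above plus anything a reviewer should object to, such as an assertion endpoint without TLS. The entity, endpoint and certificate text are placeholders; real metadata is what the sync server exports.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample SP metadata: hypothetical entity, placeholder certificate text.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://app.example.org/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://app.example.org/saml/acs"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical"><md:EmailAddress>ops@example.org</md:EmailAddress></md:ContactPerson>
</md:EntityDescriptor>"""


def summarize_sp(xml_text):
    """Pull the fields the federation cares about out of an SP metadata document."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    # Key use is "signing", "encryption", or "both" when the use attribute is absent.
    keys = {kd.get("use", "both"): kd.findtext(".//ds:X509Certificate", default="", namespaces=NS).strip()
            for kd in sp.findall("md:KeyDescriptor", NS)}
    return {
        "entity_id": root.get("entityID"),
        "protocols": sp.get("protocolSupportEnumeration", "").split(),
        "keys": keys,
        "acs": [(a.get("Binding"), a.get("Location"))
                for a in sp.findall("md:AssertionConsumerService", NS)],
        "contacts": [c.findtext("md:EmailAddress", default="", namespaces=NS).strip()
                     for c in root.findall("md:ContactPerson", NS)],
    }


def metadata_findings(summary):
    """Review findings for the federation admin; an empty list means nothing to object to."""
    findings = []
    if not any(use in summary["keys"] for use in ("signing", "both")):
        findings.append("no signing key: signed AuthnRequests cannot be verified")
    for _binding, location in summary["acs"]:
        if urlsplit(location).scheme != "https":
            findings.append("assertion endpoint without TLS: " + location)
    if not summary["contacts"]:
        findings.append("no contact information")
    return findings
```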

Standard attributes

The standard attributes depend on the service provider type. Currently there are three types:

SAML

To enable the External SAML protocol, visit the Authentication page. On that page you can also download the metadata XML file.

Identification
  • publicID: public name of the service provider.
  • Name: friendly user name or brief description.
Service configuration
  • Metadata: you must provide the identity provider metadata. You can either copy it from the Soffid Identity Provider page, or instruct the service provider to download the federation metadata by itself.

To publish the federation members metadata, the main sync server exports the members metadata at the path /SAML/metadata.xml. Thus, if your sync server is listening at soffid1.your.domain, you can get the whole federation metadata document from https://soffid1.your.domain:760/SAML/metadata.xml.
Within a few seconds, and at most five minutes, every federation member will notice the change.

Login rules
  • Allow impersonations: Soffid allows a service provider to connect to another service provider in a controlled manner. Here you can write the target application URL.
  • UID Script: script to compute the user name to pass to the target application.

You can visit the Openid-connect to SAML interoperability page for more detailed information.

SAML API client

Identification
  • publicID: public name of the service provider.
  • Name: friendly user name or brief description.
  • Organization: company name of the external IdP.
  • Contact: email address of the external IdP.
Service configuration
  • Metadata: you must provide the identity provider metadata. You can either copy it from the Soffid federation page, or instruct the service provider to download the federation metadata by itself.

To publish the federation members metadata, the main sync server exports the members metadata at the path /SAML/metadata.xml. Thus, if your sync server is listening at soffid1.your.domain, you can get the whole federation metadata document from https://soffid1.your.domain:760/SAML/metadata.xml.
Within a few seconds, and at most five minutes, every federation member will notice the change.

Login rules
  • Allow impersonations: Soffid allows a service provider to connect to another service provider in a controlled manner. Here you can write the target application URL.
  • UID Script: script to compute the user name to pass to the target application.

You can visit the Openid-connect to SAML interoperability page for more detailed information.

Network
  • Host name: public host name of the application that wants to be a service provider. A fully qualified name should be used.
  • Standard port: public application port number.
  • Disable SSL: set it to Yes if you want to use plain TCP connections. Otherwise, the following additional fields must be filled in:
  • Assertion path: URL to receive the response.
SAML Security
  • PublicKey:
    • Leave it blank.
    • Click the Generate public / private key button to generate a new key pair. Once the key pair is generated, you can generate a certificate request file, also known as a PKCS#10 or CSR file. The certificate authority will be able to issue a certificate for you from this certificate request. Once you have created the public/private key, you can run these additional functions:
      • Change public/private key: allows you to replace the public/private key generated previously.
      • Delete public/private key: allows you to delete the public/private key generated previously.
      • Generate PKCS10: generates a PKCS#10 file (certification request standard).
    • Click the Upload PKCS12 file button to upload a PKCS#12 file. That file must contain the private and public keys as well as the server certificate. Note that a PKCS#12 file is usually protected by a PIN.
  • Certificate chain: the certificate chain, in text form, created with one of the previous options.

OpenID Connect

Identification
  • publicID: public name of the service provider.
  • Name: friendly user name or brief description.
Service configuration
  • oAuth key: the identifier token generated by the oAuth server.
  • oAuth secret: the secret generated by the oAuth server.
Login rules
  • Allow impersonations: Soffid allows a service provider to connect to another service provider in a controlled manner. Here you can write the target application URL.
  • UID Script: script to compute the user name to pass to the target application.

You can visit the Openid-connect to SAML interoperability page for more detailed information.

OpenID authorization flow
  • OpenID authorization flow: which of the following flows the application server uses.
    • Implicit: the application server redirects the end user to the IdP, which in turn returns the oAuth token along with the OpenID token.
    • Authorization code: the application server redirects the user to the IdP, which in turn returns an authorization code that can be used to retrieve the oAuth token and the OpenID token from the token endpoint.
    • User's password: the server accesses the token endpoint directly, sending the username and password, to retrieve the oAuth and OpenID tokens. This mechanism is highly insecure, as it allows unauthenticated clients to impersonate end users.
    • User's password + Client credential: a secure version of the previous one, requiring the client to use its client secret.
  • Client id: the identifier used by the application server.
  • Client secret: password used by the application server. It is used in the Authorization code flow as well as in the "User's password + Client credentials" flow.
  • Response URL: the URL to which control returns after authenticating a user.
  • oAuth Session timeout (secs): lifetime of the oAuth session, in seconds. The oAuth session has its own life cycle, independent of the login session timeout.