SSO Technical Requirements

Last Modified on 10/03/2019 12:47 pm EDT

Before configuring Core SSO, the following requirements must be met:

  1. A valid Identity Provider (IdP) must be configured with the SAML 2.0 Web Browser profile in accordance with the SAML 2.0 OASIS standard and must provide a valid IdP metadata file containing:

    1. X509 RSA 2048 bits Public Certificate (RFC 5280) (<ds:X509Certificate>).

    2. EntityId (<md:EntityDescriptor entityId=" " >).

    3. SingleSignOnService URL with HTTP Redirect Binding (<SingleSignOnService Binding==" " Location==" " >).

    4. NameIDFormat in urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

  2. IdP must communicate using HTTP over TLS [RFC 2818].

  3. A SHA-256 signature in the metadata, response, and/or assertion.

    EXAMPLE
    <?xml version="1.0"?>
    <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp/saml/metadata/622342">
    <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
     <ds:X509Certificate>MIIEFzCCAv…</ds:X509Certificate>
    </ds:X509Data>
    </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp/trust/saml2/http-redirect/slo/622342"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp/trust/saml2/http-redirect/sso/622342"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https:// idp /trust/saml2/http-post/sso/622342"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp/trust/saml2/soap/sso/622342"/>
    </IDPSSODescriptor>
    </EntityDescriptor>

  4. Certificates must have at least a three-year expiry and should be valid a minimum of 8 months before expiring.

  5. The RCS profile requires at least the message or the assertion to be signed.

  6. The username used for the assertion subject statement should be the user's primary email address.

    The username should be identical to the email address used to register the user in Core.
Was this article helpful?
Thank you for your feedback!
Copyright © 2022 – 2023 Your Company, LLC. All rights reserved.