SSO Technical Requirements

Before configuring Core SSO, the following requirements must be met:

  1. A valid Identity Provider (IdP) must be configured with the SAML 2.0 Web Browser profile in accordance with the SAML 2.0 OASIS standard and must provide a valid IdP metadata file containing:

    1. X509 RSA 2048 bits Public Certificate (RFC 5280) (<ds:X509Certificate>).

    2. EntityId (<md:EntityDescriptor entityId=" " >).

    3. SingleSignOnService URL with HTTP Redirect Binding (<SingleSignOnService Binding==" " Location==" " >).

    4. NameIDFormat in urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

  2. IdP must communicate using HTTP over TLS [RFC 2818].

  3. A SHA-256 signature in the metadata, response, and/or assertion.

    <?xml version="1.0"?>
    <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp/saml/metadata/622342">
    <IDPSSODescriptor xmlns:ds="" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
    <ds:KeyInfo xmlns:ds="">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp/trust/saml2/http-redirect/slo/622342"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp/trust/saml2/http-redirect/sso/622342"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https:// idp /trust/saml2/http-post/sso/622342"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp/trust/saml2/soap/sso/622342"/>
  4. Certificates must have at least a three-year expiry and should be valid a minimum of 8 months before expiring.

  5. The RCS profile requires at least the message or the assertion to be signed.

  6. The username used for the assertion subject statement should be the user's primary email address.

    The username should be identical to the email address used to register the user in Core.