Federations

Federations Overview

The Federations page displays a listing of the currently configured Federations. A summary is also displayed in the page sidebar which shows the total number of configured Federations, the number of enabled and disabled Federations and the status of any metadata retrieval that is in progress.

Who has access?

SAML Administrators

Detailed Description

View Federation Details

To view the details of an existing Federation configuration, click on the Entity ID of the desired Federation displayed in the list. The current settings of that Federation will be displayed, grouped into sections that correspond to the steps of the configuration wizard, which are: Basic, Advanced and Attribute Mappings. To edit the settings in any of these sections, click on the ‘(edit)’ link for that section.

Delete Federation

To delete a Federation, click on the Delete Federation button displayed in the page sidebar. A prompt will be displayed to confirm that the Federation configuration is to be deleted.

Disable/Enable Federation

These buttons will immediately enable or disable the currently viewed Federation. This is the same as editing the Basic section of the configuration and changing the Enabled option and saving the configuration. When a Federation is disabled, the metadata associated with it is not available for download.

Add Federation

To configure a new Federation, click on the Add Federation button displayed in the page sidebar. The ‘Add Federation’ wizard will be displayed to step through the process of adding a new Federation.

Update All Metadata

Clicking on this button will start a background process that will retrieve the metadata for all of the currently enabled Federations. The current status of the metadata retrieval is displayed in the sidebar summary. Refresh the browser page to update this status. If a metadata retrieval is already in progress when the Update All Metadata button is clicked, a message indicating this will be displayed.

Clear All Metadata

Click on this button to remove the locally cached metadata for all federations. This is not allowed if a metadata retrieval is currently in progress.

‘Add Federation’ Wizard

The ‘Add Federation’ Wizard contains 4 steps to create a new Federation configuration. While going through the steps of the wizard, there will be navigation buttons displayed at the bottom-right of the page. The Cancel button will discard all entries made while going through the wizard steps and will return to the Federation list view page. The Next and Back buttons are used to move forward or backward through the pages of the wizard. Values previously entered in the wizard steps will be preserved while navigating backward and forward through the steps. The steps for the ‘Add Federation’ wizard are:

  1. Basic Settings

    Name

    A character string used within the Elastic SSO application for display of this Federation configuration. This is a required field and is limited to a maximum length of 128 characters.

    Description

    This field allows for a longer description of the Federation. It is an optional field and is limited to a maximum length of 256 characters.

    Metadata URL

    The URL that is used to retrieve the metadata file for this Federation.

    Signing Certificate

    The signing certificate for the Federation. Paste the entire contents of the signing certificate here, including the ‘BEGIN CERTIFICATE’ and ‘END CERTIFICATE’ lines.

    Expiration

    The length of time in seconds that the metadata for this Federation is valid.

    Refresh Period

    The frequency at which the Elastic SSO application will update the metadata for this Federation. The Metadata URL will be used for this update. This is a required field.

    Enabled

    Indicates whether the Federation is to be enabled within the Elastic SSO application. By initially disabling the configuration, a partial configuration can be saved and then edited at a later time.

  2. Advanced Settings

    Force Authentication

    Option to force re-authentication of users even if the user already has an SSO session at the IdP.

    Base64 Attributes

    When this option is checked, attributes will be base64 encoded. This setting takes precedence over the IdP setting.

    Encrypt NameID

    This specifies whether NameIDs sent to Service Providers that are members of this Federation are encrypted.

    Sign SAML2 Response

    This specifies whether SAML2 responses are signed.

    Sign SAML2 Assertion

    This specifies whether SAML2 assertions are signed.

    Sign Logout

    This specifies whether logout messages sent to Service Providers that are members of this Federation are signed.

    Validate Authentication Request

    This specifies whether signatures are required on authentication requests from Service Providers that are members of this Federation.

    Validate Logout

    This specifies whether signatures are required on logout messages from Service Providers that are members of this Federation.

    Encrypt Assertion

    This specifies whether assertions sent to Service Providers that are members of this Federation should be encrypted.

    Sign Redirect

    This specifies whether logout requests and logout responses sent to Service Providers that are members of this Federation should be signed.

    Validate Redirect

    This specifies whether authentication requests, logout requests and logout responses received from Service Providers that are members of this Federation should be validated.

    NameID Format

    The format in which the NameID should be sent to Service Providers that are members of this Federation.

    Attribute Name Format

    This is the value that will be set in the Format field of attribute statements.

    EntityID Whitelist

    A list of EntityIDs that will be accepted by the IdP. Multiple EntityIDs must be separated by commas. Values in the whitelist take precedence over the blacklist.

    EntityID Blacklist

    A list of EntityIDs that will not be accepted by the IdP. Multiple EntityIDs must be separated by commas.

  3. Attribute Maps

    Attribute maps are used to map user data values to SAML attributes. The system does not require that any attribute mappings exist.

    To add an attribute mapping, click on the Add Another Mapping button; an attribute mapping group will be added, and values can then be assigned to its fields.

    Map

    This is the User Account field that will supply the value that is to be sent to the Federation member SP as an attribute. The drop-down list will display all of the available User Account fields. The same User Account field can be mapped to multiple SAML attributes.

    To SAML Attribute

    This is the SAML attribute to which the User Account field is to be mapped.

    Enabled

    If an attribute mapping is disabled, that mapping will not be used when releasing attributes.

    To remove a mapping, click on the Remove button inside of the mapping group that is to be removed. Since an attribute mapping is not required, all mappings can be removed.

  4. Review

The Review page lists all of the settings from the previous wizard steps so that they may be reviewed before saving. Once all settings have been reviewed and are acceptable, clicking on the Finish button will save the Federation configuration and will return to the main Federation list view.
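To make the field rules of the Basic step and the EntityID whitelist/blacklist precedence rule concrete, here is an added Python example; it is not code from the Elastic SSO product or its documentation. The class and function names, the https requirement on the Metadata URL, the Expiration-versus-Refresh-Period check, and the assumption that a non-empty whitelist admits only its members are assumptions made for this example, not rules stated on the page.

```python
"""Added example, not code from Elastic SSO or its documentation.
Checks the field rules the 'Add Federation' wizard describes and applies the
EntityID whitelist/blacklist precedence rule to an SP EntityID.  Names, the
https check and the "non-empty whitelist is exclusive" default are assumptions."""
import re
from dataclasses import dataclass

# PEM block as the Signing Certificate field expects it: BEGIN and END lines included.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s+[A-Za-z0-9+/=\s]+-----END CERTIFICATE-----")


@dataclass
class FederationBasic:
    name: str
    metadata_url: str
    signing_certificate: str
    expiration_seconds: int      # Expiration: how long retrieved metadata stays valid
    refresh_period_seconds: int  # Refresh Period: how often metadata is re-fetched
    description: str = ""


def validate_basic(cfg):
    """Return the problems found; an empty list means the Basic step is acceptable."""
    problems = []
    if not cfg.name or len(cfg.name) > 128:
        problems.append("Name is required and limited to 128 characters")
    if len(cfg.description) > 256:
        problems.append("Description is limited to 256 characters")
    if not cfg.metadata_url.startswith("https://"):  # added check: metadata is fetched over the network
        problems.append("Metadata URL should use https")
    if not PEM_RE.search(cfg.signing_certificate):
        problems.append("Signing Certificate must include the BEGIN/END CERTIFICATE lines")
    if cfg.refresh_period_seconds <= 0:
        problems.append("Refresh Period is required")
    # Added check: metadata that expires before the next refresh leaves a window with a stale cached copy.
    elif cfg.expiration_seconds <= cfg.refresh_period_seconds:
        problems.append("Expiration should be longer than Refresh Period")
    return problems


def parse_entity_list(raw):
    """Split the comma-separated EntityID list the wizard accepts, ignoring blanks."""
    return {e.strip() for e in raw.split(",") if e.strip()}


def entity_id_accepted(entity_id, whitelist, blacklist):
    """Whitelist entries take precedence over the blacklist (as the page states)."""
    allow, deny = parse_entity_list(whitelist), parse_entity_list(blacklist)
    if entity_id in allow:
        return True
    if entity_id in deny or allow:  # assumption: a non-empty whitelist admits only its members
        return False
    return True
```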