Federations
Federations Overview
The Federations page displays a listing of the currently configured Federations. A summary is also displayed in the page sidebar which shows the total number of configured Federations, the number of enabled and disabled Federations and the status of any metadata retrieval that is in progress.
Who has access?
SAML Administrators
Detailed Description
View Federation Details
To view the details of an existing Federation configuration, click on the Entity ID of the desired Federation displayed in the list. The current settings of that Federation will be displayed, grouped into sections that correspond to the steps of the configuration wizard which are: Basic, Advanced and Attribute Mappings. To edit the settings in any of these sections, click on the ‘(edit)’ link for that section.
Delete Federation
To delete a Federation, click on the Delete Federation button displayed in the page sidebar. A prompt will be displayed to confirm that the Federation configuration is to be deleted.
Disable/Enable Federation
These buttons will immediately enable or disable the currently viewed Federation. This is the same as editing the Basic section of the configuration and changing the Enabled option and saving the configuration. When a Federation is disabled, the metadata associated with it is not available for download.
Add Federation
To configure a new Federation, click on the Add Federation button displayed in the page sidebar. The ‘Add Federation’ wizard will be displayed to step through the process of adding a new Federation.
Update All Metadata
Clicking on this button will start a background process that will retrieve the metadata for all of the currently enabled Federations. The current status of the metadata retrieval is displayed in the sidebar summary. Refresh the browser page to update this status. If the metadata retrieval is already in progress when then Update All Metadata button is clicked, a message indicating such will be displayed.
Clear All Metadata
Click on this button to remove the locally cached metadata for all federations. This is not allowed if a metadata retrieval is currently in progress.
‘Add Federation’ Wizard
The ‘Add Federation’ Wizard contains 4 steps to create a new Federation configuration. While going through the steps of the wizard, there will be navigation buttons displayed at the bottom-right of the page. The Cancel button will discard all entries made while going through the wizard steps and will return to the Federation list view page. The Next and Back buttons are used to move forward or backward through the pages of the wizard. Values previously entered in the wizard steps will be preserved while navigating backward and forward through the steps.
Basic Settings
-
Name
A character string used within the Elastic SSO application for display of this Federation configuration. This is a required field and limited to a maximum length of 128 characters. -
Description
This field allows for a longer description of the Federation. It is an optional field and is limited to a maximum length of 256 characters. -
Metadata URL
The URL that is used to retrieve the metadata file for this Federation. -
Signing Certificate
The signing certificate for the Federation. Paste the entire contents of the signing certificate here, including the ‘BEGIN CERTIFICATE’ and ‘END CERTIFICATE’ lines. -
Expiration
The length of time in seconds that the metadata for this Federation is valid. -
Refresh Period
The frequency in which the Elastic SSO application will update the metadata for this Federation. The Metadata URL will be used for this update. This is a required field. -
Enabled
Indicates whether the Federation is to be enabled within the Elastic SSO application. By initially disabling the configuration, a partial configuration can be done which can then be edited at a later time.
Advanced Settings
-
Force Authentication
Option to force re-authentication of users even if the user has a SSO session at the IdP. -
Base64 Attributes
When this option is checked, attributes will be base64 encoded. This setting takes precedence over the IdP setting. -
Encrypt NameID
This specifies whether NameIDs from Service Providers that are members of this Federation are encrypted. -
Sign SAML2 Response
This specifies whether SAML2 responses are signed. -
Sign SAML2 Assertion
This specifies whether SAML2 assertions are signed. -
Sign Logout
This specifies whether logout messages from Service Providers that are members of this Federation are signed. -
Validate Authentication Request
This specifies whether signatures are required on authentication requests from Service Providers that are members of this Federation. -
Validate Logout
This specifies whether signatures are required on logout messages from Service Providers that are members of this Federation. -
Encrypt Assertion
This specifies whether assertions sent to Service Providers that are members of this Federation should be encrypted. -
Sign Redirect
This specifies whether logout requests and logout responses sent to Service Providers that are members of this Federation should be signed. -
Validate Redirect
This specifies whether authentication requests, logout requests and logout responses received from Service Providers that are members of this Federation should be validated. -
NameID Format
The format in which NameID should be sent to Service Providers that are members of this Federation. -
Attribute Name Format
This is the value that will be set in the Format field of attribute statements. -
EntityID Whitelist
A list of EntityIDs that will be accepted by the IdP. Multiple EntityIDs must be separated by commas. Values in the whitelist take precedence over the blacklist. -
EntityID Blacklist
A list of EntityIDs that will not be accepted by the IdP. Multiple EntityIDs must be separated by commas.
Attribute Maps
Attribute maps are used to map user data values to SAML attributes. The system does not require that any attribute mappings exist. To add an attribute mapping, click on the Add Another Mapping button and an attribute mapping group will be added which can then have values assigned to the fields.
-
Map
This is the User Account field that will supply the value that is to be sent to the Federation member SP as an attribute. The drop-down list will display all of the available User Account fields. The same User Account field can be mapped to multiple SAML attributes. -
To SAML Attribute
This is the SAML attribute to which the User Account field is to be mapped. -
Enabled
If an attribute mapping is disabled, that mapping will not be used when releasing attributes. To remove a mapping, click on the Remove button inside of the mapping group that is to be removed. Since an attribute mapping is not required, all mappings can be removed. 4. Review
The Review page lists all of the settings from the previous wizard steps so that they may be reviewed before saving. Once all settings have been reviewed and are acceptable, clicking on the Finish button will save the Federation configuration and will return to the main Federation list view.