Identity Provider
Identity Provider Overview
The Identity Provider page shows the current settings for the IdP.
Who has access?
SAML Administrators
Identity Provider Details
If the Identity Provider has been configured, the current settings of the IdP are listed in the Identity Provider Details area. To update the existing configuration, click on the Update Identity Provider button in the Operations sidebar.
Configure Identity Provider
If the Identity Provider has not been configured, the page will be automatically redirected to the Configure Identity Provider page. The settings for configuring the IdP are:
-
Hostname
The host name of the Identity Provider. Common practice is to use: idp.example.com
-
EntityID
In SAML, the EntityID is a globally unique name given to a SAML entity. In this case, the EntityID is for the Identity Provider (IdP) defined by this instance of Elastic SSO. Common practice is to incorporate the FQDN of the IdP in the EntityID, such as: https://idp.example.com/saml
-
Name
Text value used internally to represent the IdP.
-
Generate Self-signed Key Pair
Check this box if you want the system to create a self-signed certificate to be used for SAML transactions. If you do not choose to generate, you will need to provide your own certificate and private key.
-
Public Certificate, Private Key, Private Key Password
You can provide your own certificate and private key if desired. Otherwise, you should generate a self-signed certificate.
-
Scopes
A scope is a string that can be used by a Service Provider (SP) as an additional check of ‘scoped’ attributes being sent from the IdP. Typically, this is set to the domain name of the IdP (e.g., idp.example.com). An IdP can have multiple scopes which can be entered into this field separated by commas.
-
Debug Mode
If this option is enabled, all sent and received messages will be written to the log file. This also enables logging of the messages that are encrypted and decrypted.
-
Secret Salt
This should be set to a random character string. It is used when the system needs to generate a secure hash of a value. A backup of the value used here should be saved in a secure location.
-
Enabled
Check this to enable the Identity Provider.
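The SP-side check described under Scopes above, as an added example that is not part of the original page and is not Elastic SSO's own code: it splits the comma-separated Scopes field and accepts a scoped attribute value only when the part after '@' exactly matches a registered scope. The function names, the sample values and the case-insensitive exact-match rule are assumptions of this sketch.

```python
# Added example: SP-side scope check for scoped attributes (illustrative only).

def parse_scopes(field):
    """Split the comma-separated Scopes field into a normalized set."""
    return {s.strip().lower() for s in field.split(",") if s.strip()}


def split_scoped(value):
    """Split 'local@scope' into (local, scope); None if not well formed."""
    local, sep, scope = value.rpartition("@")
    if not sep or not local or not scope or "@" in local:
        return None
    return local, scope.lower()


def filter_scoped(values, allowed_scopes):
    """Return (accepted, rejected) values for one scoped attribute.

    Assumption: the scope part must equal a registered scope exactly
    (case-insensitive). Suffix matching is deliberately not used, so a
    subdomain or look-alike domain of a registered scope does not pass.
    """
    accepted, rejected = [], []
    for value in values:
        parts = split_scoped(value)
        if parts is not None and parts[1] in allowed_scopes:
            accepted.append(value)
        else:
            rejected.append(value)
    return accepted, rejected


# Constructed sample input: the Scopes field as entered on the form, and
# attribute values as an SP might receive them in an assertion.
SCOPES_FIELD = "idp.example.com, example.com"
RECEIVED = [
    "alice@idp.example.com",      # registered scope
    "staff@Example.COM",          # registered scope, different case
    "bob@other.example.org",      # scope this IdP is not registered for
    "carol@sub.idp.example.com",  # subdomain, not an exact match
    "dave",                       # no scope part
    "eve@x@idp.example.com",      # malformed: two separators
]

if __name__ == "__main__":
    ok, bad = filter_scoped(RECEIVED, parse_scopes(SCOPES_FIELD))
    print("accepted:", ok)
    print("rejected:", bad)
```

Rejected values are worth logging on the SP side, since they indicate either a missing scope in the IdP configuration or an IdP asserting identities outside its own domain.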
Edit Identity Provider
Once the Identity Provider has been configured, updating the existing IdP is very similar to initial configuration. However, there are some additional settings that are available.
-
Regenerate Self-signed Key Pair
Selecting this option will cause a new self-signed key pair and certificate to be generated. This will overwrite the previously generated values.
-
Generate Self-signed Key Pair for Rollover
This will cause a self-signed key pair and certificate to be generated for certificate rollover.
-
Rollover Public Certificate, Private Key, Private Key Password
When transitioning to a new public certificate, if you have a certificate from a certificate authority, it should be entered here. If a rollover self-signed certificate is being generated (see above), this will be automatically generated.
For the remaining fields in the Update Identity Provider form, see the descriptions above in the section Configure Identity Provider.
Disable / Enable Identity Provider
These buttons will immediately enable or disable the currently configured Identity Provider. This is the same as choosing Update Identity Provider and changing the Enabled option and saving the configuration. When an Identity Provider is disabled, the metadata associated with it is not available for download.
SAML 2.0 Metadata / SAML 1.1 Metadata
These buttons are only available when the Identity Provider is enabled. Clicking on either of these buttons will download a copy of the corresponding metadata into a browser window. To save the metadata as a file, right click on the button for the desired metadata type and select ‘Save link as…’.