Service Providers Overview

The Service Providers page displays a listing of the currently configured Service Providers. A summary is also displayed in the page sidebar which shows the total number of configured Service Providers as well as how many of these configured Service Providers are enabled and how many are disabled.

Who has access?

SAML Administrators

View Service Provider Details

To view the details of an existing Service Provider configuration, click on the Entity ID of the desired Service Provider displayed in the list. The current settings of that Service Provider will be displayed, grouped into sections that correspond to the steps of the configuration wizard which are: Basic, Advanced, ACS Endpoints, SLO Endpoints and Attribute Mappings. To edit the settings in any of these sections, click on the ‘(edit)’ link for that section.

Delete Service Provider

To delete a Service Provider, click on the Delete Service Provider button displayed in the page sidebar. A prompt will be displayed to confirm that the Service Provider is to be deleted.

Disable/Enable Service Provider

These buttons will immediately enable or disable the currently viewed Service Provider. This is the same as editing the Basic section of the configuration and changing the Enabled option and saving the configuration.

Add Service Provider

To configure a new Service Provider, click on the Add Service Provider button displayed in the page sidebar. The ‘Add Service Provider’ wizard will be displayed to step through the process of adding a new Service Provider.

Add Service Provider Wizard

The Add Service Provider Wizard contains 6 steps to create a new Service Provider configuration. While going through the steps of the wizard, there will be navigation buttons displayed at the bottom-right of the page. The Cancel button will discard all entries made while going through the wizard steps and will return to the Service Provider list view page. The Next and Back buttons are used to move forward or backward through the pages of the wizard. Values previously entered in the wizard steps will be preserved while navigating backward and forward through the steps.

Basic Settings

  • Entity ID
    The SAML entityID of the Service Provider. This is a required field.

  • Name
    A character string used within the Elastic SSO application for display of this Service Provider configuration. This is a required field and limited to a maximum length of 128 characters.

  • Description
    This field allows for a longer description of the Service Provider. It is an optional field and is limited to a maximum length of 256 characters.

  • Public Certificate
    The public certificate for the Service Provider. Paste the entire contents of the public certificate here, including the ‘BEGIN CERTIFICATE’ and ‘END CERTIFICATE’ lines.

  • Enabled
    Indicates whether the Service Provider is to be enabled within the Elastic SSO application. By initially disabling the configuration, a partial configuration can be done which can then be edited at a later time.

Advanced Settings

  • Force Authentication
    Option to force re-authentication of users even if the user already has an SSO session at the IdP.

  • Base64 Attributes
    When this option is checked, attributes will be base64 encoded. This setting takes precedence over the IdP setting.

  • Encrypt NameID
    This specifies whether NameIDs from this SP are encrypted.

  • Sign SAML2 Response
    This specifies whether SAML2 responses are signed.

  • Sign SAML2 Assertion
    This specifies whether SAML2 assertions are signed.

  • Sign Logout
    This specifies whether logout messages from this SP are signed.

  • Validate Authentication Request
    This specifies whether signatures are required on authentication requests from this SP.

  • Validate Logout
    This specifies whether signatures are required on logout messages from this SP.

  • Encrypt Assertion
    This specifies whether assertions sent to this SP should be encrypted.

  • Sign Redirect
    This specifies whether logout requests and logout responses sent to this SP should be signed.

  • Validate Redirect
    This specifies whether authentication requests, logout requests and logout responses received from this SP should be validated.

  • NameID Format
    The format in which NameID should be sent to this SP.

  • Include SP Name Qualifier in NameID
    If this option is checked, then the SP Entity ID will be used for the SPNameQualifier for a generated NameID. If not checked, then a SPNameQualifier will not be included.

  • Include IDP Name Qualifier in NameID
    If this option is checked, then the IdP Entity ID will be used for the NameQualifier for a generated NameID. If not checked, then a NameQualifier will not be included.

  • Audience
    This is the value that will be placed in the Audience element (inside the AudienceRestriction element of the assertion's Conditions) in the response. The default value is the entity ID of the SP.

  • Attribute Name Format
    This is the value that will be set in the Format field of attribute statements.

Assertion Consumer Service Endpoints

At least one Assertion Consumer Service Endpoint must be defined for an SP. Without it the IdP will not be able to send responses back to the SP. An SP can have multiple ACS endpoints.

  • Location
    The URL of an AssertionConsumerService endpoint for this SP.

  • Binding
    The binding associated with this endpoint. If there are multiple endpoints, each endpoint can have a different binding. To add additional ACS endpoints, click on the Add Another Endpoint button and another Location/Binding pair will be added which can then have values assigned to them. To remove an endpoint, click on the Remove button inside of the endpoint Location/Binding group that is to be removed. If there is only one endpoint being displayed, clicking on the Remove button will reset the Location and Binding values but will not actually remove the endpoint from the page since at least one endpoint is required.

Single Logout Service Endpoints

A Single Logout Service Endpoint is not required. If no SLO endpoint is specified, this SP will not be logged out automatically when a single logout operation is initiated. To add an SLO endpoint, click on the Add Another Endpoint button and a Location/Binding pair will be added which can then have values assigned to them.

  • Location
    The URL of the SingleLogoutService endpoint for this SP.

  • Binding
    The binding associated with this endpoint. If there are multiple endpoints, each endpoint can have a different binding. To remove an endpoint, click on the Remove button inside of the endpoint Location/Binding group that is to be removed. Since an SLO endpoint is not required, all endpoints can be removed.
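Most of the values the wizard asks for in the Basic, Advanced, ACS Endpoints and SLO Endpoints steps are already present in the SP's own SAML metadata document. The following Python script is an added example, not part of the Elastic SSO product and not the application's own code: it reads SP metadata with the standard library and returns the Entity ID, the Public Certificate re-wrapped in the PEM armour (BEGIN/END lines) the wizard expects, the ACS and SLO Location/Binding pairs, and the NameID Format. The sample metadata, its entity ID, URLs and certificate body are constructed placeholders. The mapping of the metadata attributes AuthnRequestsSigned and WantAssertionsSigned onto the wizard's Validate Authentication Request and Sign SAML2 Assertion options is an assumption based on the SAML metadata semantics, not a documented feature of this product.

```python
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed placeholder: metadata carries the certificate as a bare base64
# body with no BEGIN/END lines. This is not a real certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(
    b"constructed placeholder, not a real DER certificate " * 3).decode()

# Constructed sample SP metadata; the entity ID and URLs are fictitious.
SAMPLE_SP_METADATA = f"""
<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.test/saml/acs-artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(cert_b64: str) -> str:
    """Wrap a bare base64 certificate body in the PEM armour the wizard's
    Public Certificate field expects, including the BEGIN/END lines."""
    body = "".join(cert_b64.split())          # metadata may wrap the body over lines
    base64.b64decode(body, validate=True)     # reject garbled input before pasting it
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def _endpoints(sp: ET.Element, tag: str) -> list:
    """Collect Location/Binding pairs for one endpoint type (ACS or SLO)."""
    return [{"location": e.get("Location"), "binding": e.get("Binding")}
            for e in sp.findall(f"md:{tag}", NS)]


def wizard_fields_from_metadata(xml_text: str) -> dict:
    """Return a dict whose keys correspond to the wizard's fields."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor; is this really an SP?")
    acs = _endpoints(sp, "AssertionConsumerService")
    if not acs:
        # The wizard enforces the same rule: at least one ACS endpoint.
        raise ValueError("at least one AssertionConsumerService endpoint is required")
    cert_b64 = None
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):     # signing cert or unspecified use
            cert_b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                                   namespaces=NS)
            if cert_b64:
                break
    return {
        "entity_id": root.get("entityID"),
        "public_certificate": to_pem(cert_b64) if cert_b64 else None,
        "acs_endpoints": acs,
        "slo_endpoints": _endpoints(sp, "SingleLogoutService"),
        "nameid_format": sp.findtext("md:NameIDFormat", namespaces=NS),
        # Assumed mapping: the SP declares that it signs its requests, so the
        # wizard's Validate Authentication Request option can be switched on.
        "validate_authentication_request":
            sp.get("AuthnRequestsSigned", "false").lower() == "true",
        # Assumed mapping: WantAssertionsSigned corresponds to Sign SAML2 Assertion.
        "sign_saml2_assertion":
            sp.get("WantAssertionsSigned", "false").lower() == "true",
    }


if __name__ == "__main__":
    for key, value in wizard_fields_from_metadata(SAMPLE_SP_METADATA).items():
        print(f"{key}: {value}")
```

The script refuses metadata that lacks an SPSSODescriptor or any ACS endpoint, and refuses a certificate body that is not valid base64, so a copy-and-paste mistake is caught before the wizard stores it. If the metadata carries separate signing and encryption certificates, only the signing one is taken, since that is the key the IdP needs to validate requests and logout messages from the SP.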

Attribute Maps

Attribute maps are used to map user data values to SAML attributes. The system does not require that any attribute mappings exist. To add an attribute mapping, click on the Add Another Mapping button and an attribute mapping group will be added which can then have values assigned to the fields.

  • Map
    This is the User Account field that will supply the value that is to be sent to the SP as an attribute. The drop-down list will display all of the available User Account fields. The same User Account field can be mapped to multiple SAML attributes.

  • To SAML Attribute
    This is the SAML attribute to which the User Account field is to be mapped.

  • Scope
    If the SP expects this attribute to be scoped, enter the scope value here.

  • Enabled
    If an attribute mapping is disabled, that mapping will not be used when releasing attributes. To remove a mapping, click on the Remove button inside of the mapping group that is to be removed. Since an attribute mapping is not required, all mappings can be removed.
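To see how the Advanced Settings (NameID Format, the two Name Qualifier options, Audience, Attribute Name Format and Base64 Attributes) and the Attribute Maps above combine in what the IdP actually sends, here is an added Python example that builds the corresponding fragments of a SAML assertion with the standard library. It is illustrative code written for this page, not the Elastic SSO application's own implementation. The IdP entity ID, the SP configuration dict, the user account record and the attribute map entries are all constructed; the way a scope is applied (appending `@scope` to the value) and the OIDs chosen for the SAML attribute names are this example's assumptions about what an SP expects, not behaviour documented for the product.

```python
import base64
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML)


def q(tag: str) -> str:
    """Qualify a tag name with the SAML assertion namespace."""
    return f"{{{SAML}}}{tag}"


# Hypothetical IdP entity ID (constructed).
IDP_ENTITY_ID = "https://idp.example.test/saml2/idp/metadata"

# Constructed SP configuration; the keys mirror the wizard's fields.
SP_CONFIG = {
    "entity_id": "https://sp.example.test/saml/metadata",
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "include_sp_name_qualifier": True,
    "include_idp_name_qualifier": False,
    "audience": None,  # None -> default to the SP entity ID, as the wizard describes
    "attribute_name_format": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    "base64_attributes": False,
    "attribute_maps": [
        # Map / To SAML Attribute / Scope / Enabled
        {"map": "mail", "to": "urn:oid:0.9.2342.19200300.100.1.3", "scope": "", "enabled": True},
        {"map": "uid", "to": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6", "scope": "example.test", "enabled": True},
        {"map": "uid", "to": "urn:oid:0.9.2342.19200300.100.1.1", "scope": "", "enabled": False},
    ],
}

# Constructed User Account record.
USER = {"mail": "alice@example.test", "uid": "alice", "displayName": "Alice"}


def build_name_id(cfg: dict, value: str, idp_entity_id: str) -> ET.Element:
    """NameID in the configured format, with the qualifiers the options select."""
    nid = ET.Element(q("NameID"), Format=cfg["nameid_format"])
    if cfg["include_sp_name_qualifier"]:
        nid.set("SPNameQualifier", cfg["entity_id"])      # SP Entity ID
    if cfg["include_idp_name_qualifier"]:
        nid.set("NameQualifier", idp_entity_id)            # IdP Entity ID
    nid.text = value
    return nid


def build_conditions(cfg: dict) -> ET.Element:
    """Conditions/AudienceRestriction/Audience, defaulting to the SP entity ID."""
    cond = ET.Element(q("Conditions"))
    restriction = ET.SubElement(cond, q("AudienceRestriction"))
    ET.SubElement(restriction, q("Audience")).text = cfg["audience"] or cfg["entity_id"]
    return cond


def released_attributes(cfg: dict, user: dict) -> dict:
    """Apply the attribute maps: disabled mappings and fields missing from the
    account are skipped, a scope is appended (assumed form value@scope), and
    values are base64-encoded when Base64 Attributes is checked."""
    out = {}
    for m in cfg["attribute_maps"]:
        if not m["enabled"] or m["map"] not in user:
            continue
        value = user[m["map"]]
        if m["scope"]:
            value = f"{value}@{m['scope']}"
        if cfg["base64_attributes"]:
            value = base64.b64encode(value.encode()).decode()
        out[m["to"]] = value
    return out


def build_attribute_statement(cfg: dict, user: dict) -> ET.Element:
    """AttributeStatement with one Attribute per released mapping; NameFormat
    comes from the Attribute Name Format setting."""
    stmt = ET.Element(q("AttributeStatement"))
    for name, value in released_attributes(cfg, user).items():
        attr = ET.SubElement(stmt, q("Attribute"), Name=name,
                             NameFormat=cfg["attribute_name_format"])
        ET.SubElement(attr, q("AttributeValue")).text = value
    return stmt


def to_xml(elem: ET.Element) -> str:
    return ET.tostring(elem, encoding="unicode")


if __name__ == "__main__":
    print(to_xml(build_name_id(SP_CONFIG, USER["mail"], IDP_ENTITY_ID)))
    print(to_xml(build_conditions(SP_CONFIG)))
    print(to_xml(build_attribute_statement(SP_CONFIG, USER)))
```

Running it shows that the same account field (uid) can feed two mappings, that the disabled mapping releases nothing, and that an SP which checks the Audience value will only accept the assertion when the configured Audience (or its default, the SP entity ID) matches what the SP expects.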

Review

The Review page lists all of the settings from the previous wizard steps so that they may be reviewed before saving. Once all settings have been reviewed and are acceptable, clicking on the Finish button will save the Service Provider configuration and will return to the main Service Provider list view.