Managing Service Providers

The issuer is the unique name given for the service provider, and is defined when creating a service provider. An issuer must be provided in order for a jaggery application to issue SAML SSO authentication requests. The issuer details are utilized by the SSO jaggery application to determine the assertionURL.

Adding service providers

A new service provider can be created using anyone of the following methods:

Adding a service provider via the management console

1. Log into the UES Management Console using the following URL and admin as the username and password.  
   https://localhost:9443/carbon/admin
2. On the Main tab, click SAML SSO.
    
3. Enter the details of the new issuer in the provided form and also select the mandatory options as described below: 
   The field descriptions are as follows:
   
   • Issuer - This is a unique name given for this Service Provider.
   • Assertion Consumer URL - The URL of the jag file that will handle SAML2 SSO responses from the identity provider (IdP) (e.g., https://localhost:9443/store/sso.jag).
   • Use fully qualified username in the SAML Response  -  This specifies whether the username sent back in the SAML response, should or should not be qualified with user's user store domain name and tenant domain name.
   • Enable Assertion Signing -  This specifies whether or not the SAML2 Assertions are signed when it returns after being authenticated. The SAML2 relying party components expect these assertions to be signed by the Identity Server. 
   • Enable Signature Validation in Authentication Requests and Logout Requests - This specifies whether or not the integrity is protected in all the authentication and logout requests that the Identity SSO Service receives.
   • Certificate Alias - If the signature validation is enabled, the public key of the service provider needs to be provided to carryout the signature validation of the SAML Tokens. The public key of the service provider should be imported to the keystore and should point to that certificate using its alias.
   • Enable Single Logout - This specifies whether or not all the sessions to be terminated once the user signs out from one server. When enabling single logout, enter the URL to be used for single logout. 
   • Enable Attribute Profile - This specifies whether or not the user claims are sent back in the SAML reponse to the Service Provider.
   • Claim - If the attribute profile is enabled, the admin can select the claims that should be sent. Claims correspond to user attributes. Only the selected claims will be sent back.
4. It is mandatory to select the following options:
   
   • Use fully qualified username in the SAML Response
   • Enable Assertion Signing
   • Enable Single Logout
5. Click Register.

Adding a service provider manually

A service provider can also be created programmatically by editing the following configurations in the  app.js file, which is found in the <PRODUCT_HOME>/repository/deployment/server/jaggeryapps/ceo-dash directory.

var sso = function (options) {
    var path = '/_system/config/repository/identity/SAMLSSO/' + options.issuer64,
        server = require('/modules/server.js'),
        registry = server.systemRegistry();
    registry.put(path, {
        properties: {'Issuer': options.issuer, 'SAMLSSOAssertionConsumerURL': options.consumerUrl, 'doSignAssertions': options.doSign, 'doSingleLogout': options.singleLogout, 'useFullyQualifiedUsername': options.useFQUsername}
    });
};

Deleting a service provider

Follow the instructions below to delete a service provider:

1. Login to the Carbon Management Console using the following URL and admin as the username and password.  
   https://localhost:9443/carbon/admin
2. On the Main tab, click SAML SSO.
3. Click on the corresponding Delete button in the action column, to delete the selected service provider.