Configuring saml.config


SAML must be configured with the values provided by your identity provider (IdP) vendor. Some IdPs supply these values as an XML file; others provide them online.

To configure saml.config:
  1. Navigate to the Ingeniux CMS installation's site folder (e.g., [Drive]:\[path-to-site-root-folder]).
  2. Locate saml.config, and open the file in a text editor.
  3. Configure the root element, <ServiceProvider>:
    Attribute: @Name
    Description: Enter the service provider name. SAML requires this name to match the service provider name value configured in the IdP endpoint.
    Note: Your IdP manager can provide this name value.

    Attribute: @Description
    Description: Enter the provider description.

    Attribute: @AssertionConsumerServiceUrl
    Description: Enter the URL in the following format: https://path-to-cms-site/SAML/AssertionConsumerService. The IdP requires this value for single sign-on (SSO) configuration.
    Note: Other IdP systems may refer to the @AssertionConsumerServiceUrl value as the Single Sign-On URL.
    Note: If your IdP requires SAML requests to be signed, add the @LocalCertificateFile and @LocalCertificatePassword attributes to the <ServiceProvider> element. Before providing a signing certificate for your IdP, consult your system administrator to find out which certificates are available for distribution and configuration within the CMS.
  4. Uncomment and configure the appropriate <PartnerIdentityProvider> element(s).
    Additional Information:

    Ingeniux CMS supports multiple IdP sources in one configuration. The saml.config file included in your CMS contains several examples of types of IdP authentication sources.

    IdPs that support Single Logout (SLO) require the SLO URL of your CMS. This value consists of your CMS base URL with the /SAML/SLOService path appended, for example https://path-to-cms-instance/SAML/SLOService. The following example shows an Okta configuration with SLO configured:

    <?xml version="1.0"?>
    <SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
        <ServiceProvider Name="IngeniuxCMS"
            Description="Ingeniux CMS Site"
            AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService"/>

        <PartnerIdentityProviders>

            ...

            <!-- Okta -->
            <PartnerIdentityProvider Name="http://www.okta.com/exk5xsht7oII4vg2R0h7"
                Description="Okta"
                SignAuthnRequest="true"
                SignLogoutRequest="true"
                WantSAMLResponseSigned="true"
                WantAssertionSigned="false"
                WantAssertionEncrypted="false"
                DigestMethod="http://www.w3.org/2001/04/xmlenc#sha256"
                SignatureMethod="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
                SingleSignOnServiceUrl="https://dev-144911.oktapreview.com/app/componentspacedev144911_exampleserviceprovider_1/exk5xsht7oII4vg2R0h7/sso/saml"
                SingleLogoutServiceUrl="https://dev-144911.oktapreview.com/app/componentspacedev144911_exampleserviceprovider_1/exk5xsht7oII4vg2R0h7/slo/saml"
                SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                PartnerCertificateFile="Certificates\okta.cer"/>

            ...

        </PartnerIdentityProviders>
    </SAMLConfiguration>
  5. Save changes to saml.config.
  6. Important: If you have not already done so, configure local-membership.config so that the CMS uses SAML authentication.
  7. Recycle the CMS application pool after deploying these changes.
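Before recycling the application pool, it is worth checking the edited saml.config for the settings that decide whether IdP responses are actually verified. The following script is an added example, not part of Ingeniux CMS or ComponentSpace; it parses a configuration in the format shown above (same namespace URI and attribute names) and flags partner IdPs that require no signature on either the response or the assertion, use SHA-1 digest or signature methods, lack a PartnerCertificateFile, or use plain-HTTP endpoints. The embedded sample configuration is constructed for the example: the IdP names, URLs and certificate paths are placeholders, and the second IdP is deliberately misconfigured so the checks have something to report.

```python
"""Sanity-check a ComponentSpace-style saml.config before deploying it.

Added example for this page; not Ingeniux CMS or ComponentSpace code.
"""
import xml.etree.ElementTree as ET

# Namespace URI as it appears in the saml.config example on the page.
NS = {"sc": "urn:componentspace:SAML:2.0:configuration"}

# Constructed sample: placeholder IdP names, URLs and certificate paths.
# The second PartnerIdentityProvider is intentionally misconfigured.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
  <ServiceProvider Name="IngeniuxCMS"
      Description="Ingeniux CMS Site"
      AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService"/>
  <PartnerIdentityProviders>
    <PartnerIdentityProvider Name="http://idp.example.test/metadata"
        Description="Example IdP (placeholder)"
        SignAuthnRequest="true"
        WantSAMLResponseSigned="true"
        WantAssertionSigned="false"
        DigestMethod="http://www.w3.org/2001/04/xmlenc#sha256"
        SignatureMethod="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        SingleSignOnServiceUrl="https://idp.example.test/sso/saml"
        SingleLogoutServiceUrl="https://idp.example.test/slo/saml"
        PartnerCertificateFile="Certificates\\idp.cer"/>
    <PartnerIdentityProvider Name="http://weak.example.test/metadata"
        Description="Misconfigured IdP (placeholder)"
        WantSAMLResponseSigned="false"
        WantAssertionSigned="false"
        SignatureMethod="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
        SingleSignOnServiceUrl="http://weak.example.test/sso/saml"/>
  </PartnerIdentityProviders>
</SAMLConfiguration>
"""


def is_true(elem, attr):
    """Boolean attribute helper; a missing attribute is treated as false."""
    return elem.get(attr, "false").strip().lower() == "true"


def check_service_provider(sp):
    """Checks on the <ServiceProvider> root element."""
    findings = []
    if not sp.get("Name"):
        findings.append("ServiceProvider: @Name is empty; it must match the name configured at the IdP")
    acs = sp.get("AssertionConsumerServiceUrl", "")
    if not acs.endswith("/SAML/AssertionConsumerService"):
        findings.append(f"ServiceProvider: AssertionConsumerServiceUrl '{acs}' should end in /SAML/AssertionConsumerService")
    return findings


def check_partner_idp(idp):
    """Checks on one <PartnerIdentityProvider> element."""
    name = idp.get("Name", "<unnamed>")
    findings = []
    if not (is_true(idp, "WantSAMLResponseSigned") or is_true(idp, "WantAssertionSigned")):
        findings.append(f"{name}: neither the SAML response nor the assertion is required to be signed")
    algs = (idp.get("SignatureMethod", "") + idp.get("DigestMethod", "")).lower()
    if "sha1" in algs:
        findings.append(f"{name}: SHA-1 signature or digest method; use the sha256 URIs")
    if not idp.get("PartnerCertificateFile"):
        findings.append(f"{name}: PartnerCertificateFile missing, so IdP signatures cannot be verified")
    for attr in ("SingleSignOnServiceUrl", "SingleLogoutServiceUrl"):
        url = idp.get(attr)
        if url and not url.startswith("https://"):
            findings.append(f"{name}: {attr} is not an https URL")
    return findings


def audit_config(xml_text):
    """Return a list of human-readable findings for a saml.config document."""
    root = ET.fromstring(xml_text)
    findings = []
    sp = root.find("sc:ServiceProvider", NS)
    if sp is None:
        findings.append("missing <ServiceProvider> element")
    else:
        findings.extend(check_service_provider(sp))
    for idp in root.findall("sc:PartnerIdentityProviders/sc:PartnerIdentityProvider", NS):
        findings.extend(check_partner_idp(idp))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Run it against the real file with `audit_config(open("saml.config").read())`; an empty list means none of these checks fired, which is a precondition for deployment, not proof that the IdP settings are correct.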