

Configure the SAML 2.0 Authentication Scheme at the SP

To authenticate users at the Service Provider, configure the SAML 2.0 authentication scheme. The assertion from the IdP provides the credentials for authentication.

To configure the SAML 2.0 authentication scheme

  1. Log in to the FSS Administrative UI.
  2. From the menu bar, select Edit, System Configuration, Create Authentication Scheme.

    The Authentication Scheme Properties dialog opens.

  3. Complete the following fields:

    Scheme Common Setup section:

    Name: Partner IDP.demo Auth Scheme
    Authentication Scheme Type: SAML 2.0 Template
    Protection Level: 5 (default)

    Scheme Setup tab fields:

    SP ID: sp.demo
    IdP ID: idp.demo
    SAML Version: 2.0 (default)
    Skew Time: 30 (default)

    Note: The SP ID and IdP ID values must match the values at the IdP.

  4. In the D-Sign Info box, select the Disable Signature Processing checkbox.

    Important! Disabling signing is intended only for debugging the initial single sign-on configuration. In a production environment, signature processing is a mandatory security requirement: signature validation must be enabled and the key store must be set up so that the SP can validate the IdP's signatures.

  5. Click Additional Configuration.

    The SAML 2.0 Auth. Scheme Properties dialog opens.

  6. Leave the Authentication Scheme Properties dialog open and continue with Configure User Disambiguation at the SP.
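The fields above map onto checks the SP performs on every inbound assertion: the IdP ID is compared with the assertion Issuer, the SP ID with the Audience, the Skew Time widens the NotBefore/NotOnOrAfter window to tolerate clock drift, and Disable Signature Processing decides whether an unsigned assertion is rejected. The following Python is an added illustration of those checks written for this page; it is not CA product code, the sample assertion is constructed, and the Issuer/Audience mapping to IdP ID/SP ID is an assumption based on the SAML 2.0 specification rather than something the page states. Real signature verification against the key store is deliberately left out.

```python
"""Added example (not CA/SiteMinder code): the SP-side checks implied by the
IdP ID, SP ID, Skew Time and Disable Signature Processing fields."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample assertion (not a captured message). It carries no
# ds:Signature element, which is what a debug-only unsigned flow looks like.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>idp.demo</saml:Issuer>
  <saml:Subject><saml:NameID>user1</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>sp.demo</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_time(value):
    """Parse the UTC timestamp form used in the sample assertion."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, sp_id, idp_id, skew_seconds=30, now=None,
                    disable_signature_processing=False):
    """Return (accepted, reason) for an assertion, mirroring the scheme fields.

    skew_seconds is the Skew Time: the assertion validity window is widened by
    this amount on both ends. disable_signature_processing mirrors the
    D-Sign Info checkbox; when False, an unsigned assertion is rejected.
    """
    root = ET.fromstring(xml_text)
    now = now or datetime.now(timezone.utc)
    skew = timedelta(seconds=skew_seconds)

    # IdP ID must match the Issuer (assumption: IdP ID is the entity ID).
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp_id:
        return False, f"issuer {issuer!r} does not match IdP ID {idp_id!r}"

    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return False, "assertion has no Conditions element"

    # SP ID must appear as an Audience (assumption: SP ID is the entity ID).
    audiences = [a.text for a in conditions.findall(
        "saml:AudienceRestriction/saml:Audience", NS)]
    if sp_id not in audiences:
        return False, f"SP ID {sp_id!r} not in audiences {audiences!r}"

    # Validity window, widened by the skew time on both ends.
    not_before = parse_time(conditions.get("NotBefore"))
    not_on_or_after = parse_time(conditions.get("NotOnOrAfter"))
    if now + skew < not_before:
        return False, "assertion is not yet valid even allowing for skew"
    if now - skew >= not_on_or_after:
        return False, "assertion has expired even allowing for skew"

    # Signature processing: unsigned assertions pass only in debug mode.
    signed = root.find("ds:Signature", NS) is not None
    if not signed and not disable_signature_processing:
        return False, "assertion is unsigned and signature processing is enabled"
    # Verifying a present signature against the smkeydatabase is out of scope here.
    return True, "accepted"


if __name__ == "__main__":
    t = parse_time("2024-01-01T12:04:50Z")
    print(check_assertion(SAMPLE_ASSERTION, "sp.demo", "idp.demo", now=t))
    print(check_assertion(SAMPLE_ASSERTION, "sp.demo", "idp.demo", now=t,
                          disable_signature_processing=True))
```

Run as written, the first call is rejected because the sample assertion is unsigned and signature processing is on; the second is accepted only because the debug checkbox is mirrored by disable_signature_processing=True, which is exactly the condition the Important note says must not survive into production.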

More information:

Set Up smkeydatabase at the SP for Signature Validation