1. Pre-Requisites for Configuring Klera on SAML Identity Provider (Part #1)
Pre-requisites to be provided by the Klera admin team to the IT Support team in your organization:
- Self-signed X.509 certificate:
A self-signed X.509 certificate to be provided to your organization's IT support team. Save the public and private key of the certificate for the SAML configuration.
- Single sign-on URL:
The location where the SAML assertion is sent with an HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL. Consider this as the Klera URL, e.g. http://localhost:18080/klera/ or http://klerainstance.klera.com:18080/klera/
- Audience URI (SP Entity ID):
The application-defined unique identifier of the SAML assertion; usually the SP Entity ID of your application. This is referred to as the certificate issuer.
- Enable Single Logout:
Enable SAML single logout while configuring Klera.
- Single Logout URL:
The location where the logout response will be sent. It is the Klera URL, e.g. http://localhost:18080/klera/ or http://klerainstance.klera.com:18080/klera/
- SP Issuer:
The issuer for the service provider certificate, i.e. the Klera X.509 certificate issuer.
- Signature Certificate:
Determines the public key certificate used to verify the digital signatures of the service provider: the public key of the generated X.509 certificate, i.e. the Klera X.509 certificate (public key).
2. Pre-Requisites for Configuring SAML on Klera
The Klera admin needs to gather the information below from your IT Support team to configure SAML on Klera, depending on the mode: Manual or Auto.
- MANUAL -> To configure SAML manually using IDP (Identity Provider) settings:
IDP Entity ID/Issuer:
The application-defined unique identifier of the SAML assertion; usually the SP Entity ID of Klera.
i.e. this is referred to as the IDP certificate issuer.
IDP Single Sign On URL:
The location where the SAML assertion is received by the Identity Provider.
i.e. this is referred to as the IDP single sign-on URL.
IDP Single Logout URL:
The location where the SAML logout request is received by the Identity Provider.
i.e. this is referred to as the IDP single logout URL.
X.509 Certificate:
The X.509 certificate of the Identity Provider.
i.e. this is referred to as the IDP X.509 certificate.
- AUTO -> To configure SAML automatically using the IDP metadata file:
IDP Metadata File:
This metadata file, generated by the IDP, contains the entity ID, SSO URL, SLO URL, X.509 certificate, etc.
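As an added illustration (not Klera's own code), the following Python maps an IDP metadata file onto the four MANUAL-mode fields above, which shows that AUTO and MANUAL mode carry the same information. The metadata document, its host and the certificate body are constructed placeholders, and preferring the HTTP-Redirect binding over HTTP-POST for the SSO/SLO endpoints is an assumption of this example.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IDP metadata: the host, URLs and certificate body are
# placeholders, not values taken from any real Identity Provider.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBplaceholder
        Certificate</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/sso-post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def manual_fields_from_metadata(xml_text):
    """Map an IDP metadata document onto the four MANUAL-mode fields Klera asks for."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata does not describe an Identity Provider")
    # Take the signing key; a KeyDescriptor without 'use' serves both signing and encryption.
    cert_path = "/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    cert = idp.find("md:KeyDescriptor[@use='signing']" + cert_path, NS)
    if cert is None:
        cert = idp.find("md:KeyDescriptor" + cert_path, NS)
    if cert is None or not (cert.text or "").strip():
        raise ValueError("metadata carries no X.509 certificate")
    b64 = "".join(cert.text.split())  # drop line breaks and indentation inside the element
    pem = "\n".join(["-----BEGIN CERTIFICATE-----",
                     *(b64[i:i + 64] for i in range(0, len(b64), 64)),
                     "-----END CERTIFICATE-----"])
    def endpoint(service):  # assumption: prefer HTTP-Redirect, fall back to HTTP-POST
        for binding in (HTTP_REDIRECT, HTTP_POST):
            for ep in idp.findall(f"md:{service}", NS):
                if ep.get("Binding") == binding:
                    return ep.get("Location")
        return None
    return {
        "IDP Entity ID/Issuer": root.get("entityID"),
        "IDP Single Sign On URL": endpoint("SingleSignOnService"),
        "IDP Single Logout URL": endpoint("SingleLogoutService"),
        "X.509 Certificate": pem,
    }
```

The returned dictionary holds exactly the values typed into the MANUAL fields, so the same script can be used to cross-check a metadata file against values an IT team sent by hand.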
3. Configuring SAML on Klera
After gathering all required information, the Klera admin needs to follow the steps given below to configure SAML on Klera.
- Configure SAML IDP/SP on Klera
Below are the steps that need to be followed to configure SAML on Klera:
- Right click and click on Administration > Configure > Authentication Mode > SAML.
- Select Use SAML For Authentication in the SAML IDP CONFIG tab of the Configure SAML form and fill in the required information.
- IDP configuration can be done in 2 ways -> MANUAL and AUTO.
- AUTO -> For auto IDP configuration, you need to upload the IDP metadata file.
- MANUAL -> Fill in all the corresponding fields below with the information gathered from your IT Support team.
- After SAML IDP CONFIG, switch to the SAML SP CONFIG tab to configure further.
- Fill in the required details for the SAML SP configuration:
- SP Entity ID/Issuer ID:
The application-defined unique identifier of the SAML assertion; most often the Entity ID of the application, i.e. the Klera X.509 certificate issuer.
- SP Single Sign-on Service URL:
The location where the SAML assertion is sent with an HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for Klera, e.g. http://localhost:18080/klera/ or http://klerainstance.klera.com:18080/Klera
- SP Single Logout Service URL:
The location where the SAML logout response is sent, i.e. the Klera URL, e.g. http://localhost:18080/klera/ or http://klerainstance.klera.com:18080/Klera
- Name Id Format:
Identifies the SAML processing rules and constraints for the assertion's subject statement. Use the default value 'Unspecified' unless the application explicitly requires a specific format.
- Signature Algorithm to be used:
Determines the signing algorithm for digitally signing the SAML assertion and response, e.g. rsa_sha256.
- SAML Signed Request/Response:
Determines whether the SAML authentication request/response message is digitally signed or not. A digital signature ensures that only Klera generated this message. If the option is checked, the service provider public X.509 certificate and private key need to be uploaded.
- Download SP Metadata:
For downloading the service provider metadata file.
- X509cert File:
Upload the service provider X.509 certificate, i.e. the Klera X.509 certificate (public key).
- Certificate Private Key:
Upload the service provider certificate private key, i.e. the Klera X.509 certificate (private key).
Once the configuration is complete, click on "Save".
4. Pre-Requisites for Klera Configuration on SAML Identity provider (Part #2)
- Provide the Klera metadata file either by uploading it or by entering the corresponding field values.
- IDP user profile field values to map with SAML attributes. Klera will use the SAML attribute (UserID) -> mandatory value for logging the user into the application.
Note: The UserID mapping attribute is mandatory for Klera.
5. SAML Configuration on Identity Provider (Post-Configuration) Re-Evaluating Configuration
After gathering all the above information, your IT Support team needs to perform the steps given below to configure Klera on SAML:
For Auto Configuration (IDP Supported):
- Upload the service provider metadata file.
- ATTRIBUTE STATEMENTS: (UserID) -> Mandatory
IDP user profile field values to map with SAML attributes. The service provider will use the SAML attribute values accordingly.
Note: Map the field (UserID) to the Klera user ID. It should store the same value as the Klera user ID.
For Manual Configuration:
Configure the fields on the SAML IDP as given below:
- Single sign on URL:
The location where the SAML assertion is sent with an HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for the application.
In our case it will be the Klera URL, e.g. http://localhost:18080/klera/ or http://klerainstance.klera.com:18080/klera
- Audience URI (SP Entity ID):
The application-defined unique identifier of the SAML assertion. This is most often the SP Entity ID of your application.
- Default RelayState:
Identifies a specific application resource in an IDP-initiated single sign-on scenario. Usually, this is blank. In our case, we will not provide any input for RelayState.
- Name ID format:
Identifies the SAML processing rules and constraints for the assertion's subject statement. Use the default value 'Unspecified' unless the application explicitly requires a specific format.
Note: Should be the same as configured in Klera.
- Application username:
Determines the default value for a user's application username. The application username will be used for the assertion's subject statement.
- Response: (Signed/Unsigned)
Determines whether the SAML authentication response message is digitally signed by the IDP or not.
- Assertion Signature: (Signed/Unsigned)
Determines whether the SAML assertion is digitally signed or not. A digital signature ensures that only your IDP generated the assertion.
- Signature Algorithm: (RSA-SHA256/RSA-SHA1)
Determines the signing algorithm for digitally signing the SAML assertion and response.
- Digest Algorithm: (SHA256/SHA1)
Determines the digest algorithm for digitally signing the SAML assertion and response.
- Assertion Encryption: (Encrypted/Unencrypted)
Determines whether the SAML assertion is encrypted or not. Encryption ensures that only the sender and receiver can read the assertion.
- Encryption Algorithm: (AES128-CBC/AES256-CBC)
Determines the encryption algorithm for the SAML assertion.
- Key Transport Algorithm: (RSA-1.5/RSA-OAEP)
Determines the key transport algorithm for encrypting the SAML assertion.
- Encryption Certificate:
Determines the public key certificate for encrypting the SAML assertion. Upload the service provider (Klera) public certificate, i.e. the Klera X.509 certificate (public key).
- Enable Single Logout:
Enable SAML Single Logout.
- Single Logout URL:
The location where the logout response will be sent, i.e. the Klera URL, e.g. http://localhost:18080/klera/ or http://klerainstance.klera.com:18080/Klera
- SP Issuer:
The issuer for the service provider, i.e. the Klera X.509 certificate issuer.
- Signature Certificate:
Determines the public key certificate used to verify the digital signatures of the service provider, i.e. the Klera X.509 certificate (public key).
- Authentication context class:
Identifies the SAML authentication context class for the assertion's authentication statement.
- Honor Force Authentication:
Prompt the user to re-authenticate if required by Klera.
- SAML Issuer ID:
SAML IDP Issuer ID.
- ATTRIBUTE STATEMENTS: (UserID) -> Mandatory
IDP user profile field values to map with SAML attributes.
Note: Map the field (UserID) to the Klera user ID. It should store the same value as the Klera user ID.
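The following added example (not part of Klera or of this guide) checks a SAML Response received from the IDP against the manual settings listed above: an RSA-SHA256 signature with a SHA256 digest, a Destination equal to the Klera ACS URL, an Audience equal to the SP Entity ID, and a non-empty UserID attribute statement. The Response, the IDP host and the user name are constructed placeholders; the check inspects the configured fields only and does not verify the signature value itself.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# XML Signature identifiers for the stronger choices listed above (RSA-SHA256, SHA256).
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample Response (signature value omitted); the IDP host and user are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Destination="http://klerainstance.klera.com:18080/klera/">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>http://klerainstance.klera.com:18080/klera</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="UserID"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_response_policy(xml_text, sp_entity_id, acs_url):
    """Return every way the Response disagrees with the IDP settings described above.
    Only the configured fields are checked; the signature value itself is NOT validated here."""
    root, problems = ET.fromstring(xml_text), []
    if root.get("Destination") != acs_url:
        problems.append("Destination is not the Klera ACS URL")
    signed_infos = root.findall(".//ds:Signature/ds:SignedInfo", NS)  # Response and/or Assertion
    if not signed_infos:
        problems.append("Response is unsigned")
    for si in signed_infos:
        method = si.find("ds:SignatureMethod", NS)
        if method is None or method.get("Algorithm") != RSA_SHA256:
            problems.append("Signature Algorithm is not RSA-SHA256")
        if any(d.get("Algorithm") != SHA256 for d in si.findall("ds:Reference/ds:DigestMethod", NS)):
            problems.append("Digest Algorithm is not SHA256")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # an EncryptedAssertion must be decrypted before these checks apply
        return problems + ["no plaintext Assertion found"]
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("Audience does not contain the SP Entity ID")
    user_id = assertion.find("saml:AttributeStatement/saml:Attribute[@Name='UserID']/saml:AttributeValue", NS)
    if user_id is None or not (user_id.text or "").strip():
        problems.append("mandatory UserID attribute is missing or empty")
    return problems
```

An empty list means the IDP-side fields agree with what was configured in Klera; any entry names the field to revisit on the IDP before going live.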