Versions Compared

Old Version 16

changes.mady.by.user Kim Rasmussen

Saved on

compared with

New Version Current

changes.mady.by.user Kim Rasmussen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This screen is available if the authentication plugin "AuthenticatorWebSSO" is selected.

Image RemovedImage Added

Configuration is stored in the JSON Object websso within the authentication object.

...

Info


Warning

Requires minimum Ceptor v6.4.5 - with lower versions, the passive binding is the only supported one.

When using another site as Identity Provider, and Ceptor as Service Provider to that site, the following additional query/post parameters can be specified when calling the URL that triggers this plugin:

  • binding
    Specify binding, can be passive, redirect or POST - default is passive.
  • RelayState
    If this parameter is present in the request, it is added to the request towards the Identity Provider.
  • signrequest
    For redirect/POST binding, specify if SAML request should be signed or not - default is true.
  • encryptrequest
    For redirect/POST binding, specify if SAML request should be encrypted or not - default is false.

For passive binding (which is the default), the redirect to the Identity Providers federation URL will be done, adding these query parameters: 

  • wa=wsignin1.0
  • id=passive
  • wtrealm=<identifier name>
  • wreply=<return url>
  • wct=<current timestamp>
  • RelayState=<relayState input parameter if not empty>

For the passive binding, no SAML Request will be transmitted.

for redirect / GET binding, the redirect to the Identity Providers federation URL will be done, adding the following query parameters:

  • SAMLRequest=<deflated SAML request, base64 encoded>
  • RelayState=<relayState input parameter if not empty>

Note that the SAML request will be signed/encrypted according to the query/POST input parameters signrequest and encryptrequest.

for POST binding, a form is return that autosubmits sending a POST requst to the Identity Providers federation URL with the following parameters:

  • SAMLRequest=<base64 encoded SAML request>
  • RelayState=<relayState input parameter if not empty>

Note that the SAML request will be signed/encrypted according to the query/POST input parameters signrequest and encryptrequest.


Override binding

Override the binding - normally if sending the request to a service provider, the binding is POST - in that case, either POST or redirect is supported.
If using an identity provider (if Identity Provider name is set and service provider name is not) then the binding can be set to passive/GET/POST as specified above.
Note that if this property is read, the query/POST parameter "binding" is not used.

Default: none
JSON key: override.binding

Override IDP URL

The URL of the identity provider is normally specified in the Federations configuration for each Identity Provider - by default that URL is used, but you can override the URL by specifying another here.

Default: none (uses Identity Provider URL from Federations configuration)
JSON key: override.identityprovider.url

Redirect URL

URL that the identity provider should redirect the user back to after authenticating

...