Introduction
This manual shows you how to set up SSO to an arbitrary service provider (SP) using the SAML protocol. The configuration takes place both in HelloID and in the SP admin center.
Requirements:
- HelloID environment
- SAML-enabled Service Provider
Create or Import a Certificate
If there is no certificate yet, a certificate must be imported or created. This can be done in the HelloID Administrator Portal under Settings > Certificates. For this tutorial, we will use a self-signed certificate. Learn more about certificates here.
Application Setup
Add the Application
Create a new application in HelloID by navigating to Applications > Applications. Open the Application Catalog and search for "Generic". Find the Generic SAML template, and click Add. Learn more about managing applications here.
General tab
On the General tab, fill the Display Name field with the application name and the Default Login URL field with the SSO URL of the SAML-enabled environment. Help your users identify the application by assigning a relevant, square-shaped icon of at least 64px.
Optionally, you may also add a description. Click Next.
Single Sign-on tab
On the Single Sign-On tab, perform the following steps:
- Name ID format is the format of the unique identifier expected by the SP. Accepted values:
  - persistent
  - transient
  - emailaddress
  - unspecified
- Issuer is the unique identifier for a SAML entity. Generally set to your HelloID base URL: http://{company}.helloid.com
- The Endpoint/ACS URL is provided by the SP
- Validate and use ACS request URL: enable if an ACS validation list is provided by the SP
- ACS validation list is provided by the SP, one URL per line
- Binding may be set to POST or REDIRECT
- The Sign Assertion and Sign Response toggles should be set according to the instructions from the SP
- Use DS Prefix: enable if specified by the SP
- In the X509 Certificate dropdown, select the certificate that you created or imported previously
- Overwrite Audience: enable if specified by the SP
- Overwrite Audience enforces only the audiences specified in the Extra Audience field. Some SPs evaluate only the first audience rather than the entire list
- Extra Audience is a comma-separated list of audience values. Only used when Overwrite Audience is enabled
- The ACS URL(s) can be found by reviewing the metadata provided by the SP, specifically the "md:AssertionConsumerService" element in the metadata XML
- Encrypt Assertion: enable if required by the SP; the SP will supply a certificate to select in the following dropdown
- Use Custom digest and Signature method: enable if specified by the SP, and set the digest and signature types in the next two settings to those the SP specifies
- Send group membership attribute: enable if specified by the SP
- Group membership attribute name is set to the 'Name' of the attribute containing membership information (e.g. 'memberOf')
- Click Next
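Most of the values on this tab (ACS URL, ACS validation list, Binding, Name ID format, whether the SP wants signed assertions, and the SP's encryption certificate) can be read straight out of the SP's SAML metadata rather than copied by hand. The following script is an added example, not HelloID code or part of this manual: it parses SP metadata with Python's standard library and prints the values to enter. The metadata it contains is constructed (the entity ID, the `sp.example.test` URLs and the certificate text are placeholders), and the check that every ACS endpoint uses HTTPS is the author's own precaution, since assertions carrying user identity should never be posted over plain HTTP.

```python
"""Derive the HelloID Single Sign-On tab values from an SP's SAML metadata.

Added example, not part of HelloID or the original manual. The metadata
below is constructed: entity ID, ACS URLs and certificate text are invented.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# SAML NameID format URIs mapped to the short names in the Name ID format dropdown.
NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent": "persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient": "transient",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress": "emailaddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified": "unspecified",
}

# SAML binding URIs mapped to the Binding setting values.
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "REDIRECT",
}

# Constructed sample SP metadata (not from any real service provider).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...PLACEHOLDER-CERT...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://eu.sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return the values to enter on the Single Sign-On tab as a dict.

    SP metadata is third-party input: ElementTree does not fetch external
    entities, but entity-expansion payloads can still exhaust memory, so
    prefer defusedxml when the metadata comes from an untrusted source.
    """
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata contains no SPSSODescriptor")

    acs_elems = sp.findall("md:AssertionConsumerService", NS)
    if not acs_elems:
        raise ValueError("metadata contains no AssertionConsumerService endpoint")

    acs_urls = []
    for acs in acs_elems:
        location = acs.get("Location", "")
        # Assertions carry identity data; refuse to post them over plain HTTP.
        if not location.startswith("https://"):
            raise ValueError(f"ACS endpoint is not HTTPS: {location!r}")
        acs_urls.append(location)

    # Use the SP's default endpoint (isDefault="true"), else the first one listed.
    default_acs = next((a for a in acs_elems if a.get("isDefault") == "true"), acs_elems[0])
    binding = BINDINGS.get(default_acs.get("Binding"))
    if binding is None:
        raise ValueError(f"unsupported ACS binding: {default_acs.get('Binding')!r}")

    # First NameIDFormat the SP lists that HelloID offers; None means "ask the SP".
    name_id_format = None
    for fmt in sp.findall("md:NameIDFormat", NS):
        name_id_format = NAMEID_FORMATS.get((fmt.text or "").strip())
        if name_id_format:
            break

    # The encryption certificate sits in a KeyDescriptor with use="encryption"
    # (or with no use attribute, which covers both signing and encryption).
    encryption_cert = None
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "encryption"):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                encryption_cert = "".join(cert.text.split())
                break

    return {
        "entity_id": root.get("entityID"),
        "acs_url": default_acs.get("Location"),
        "acs_validation_list": acs_urls,
        "binding": binding,
        "name_id_format": name_id_format,
        "sign_assertion": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "encryption_cert": encryption_cert,
    }


def acs_validation_text(config):
    """Format the ACS validation list as the field expects: one URL per line."""
    return "\n".join(config["acs_validation_list"])


if __name__ == "__main__":
    for key, value in parse_sp_metadata(SAMPLE_SP_METADATA).items():
        print(f"{key}: {value}")
```

Replace `SAMPLE_SP_METADATA` with the metadata file the SP sent you. The `sign_assertion` value comes from `WantAssertionsSigned`; Sign Response, Use DS Prefix and the audience settings are not expressed in standard SP metadata, so those still have to come from the SP's instructions.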
Self service tab
On the Self Service tab, choose whether to automatically create a Self Service product, which makes the application requestable. This is optional. Click Next.
On the Finish tab, click Save to add the application to HelloID.
Application metadata
After saving the application, click its Edit link on the applications overview. This will bring you to the properties page.
Click Download metadata at the top right of the screen and save the file to your local computer. This information must be communicated to the SP in order to complete the configuration.
In order to complete the connection, the SP needs to configure their side. Contact the SP and provide them with the metadata of the HelloID application.