SAML
3forge supports SAML integration for enterprise-level authentication. Please reach out to us at support@3forge.com if you require the adapter and do not have it.
Overview
The SAML adapter enables secure user logins to 3forge applications using the SAML protocol. To use it, you will need the adapter and an identity provider that issues the SAML response.
Setup
Note
If you have been assigned the SAML adapter separately to your AMI installation, please do the following first:
- Download the SAML plugin from your client portal.
- Extract the .jar files and paste them into the amione/lib directory of your AMI installation.
You will need to register your 3forge application with the identity provider. The response URL should be the URL of your 3forge application with an additional suffix to identify a SAML login attempt, e.g: your_host_address:3forge_port/suffix.
Warning
URL suffixes cannot be the same as a predefined 3forge URL endpoint, e.g: your_host_address:3forge_port/3forge.
Instead, use something like your_host_address:3forge_port/3forge_saml.
Minimal Configuration
These are the minimum required properties for SAML, configured in local.properties:
For detailed information on each property, as well as additional optional properties, see the Properties section below.
Properties
General
- Default: com.f1.ami.plugins.amisaml.AmiWebSamlPluginImpl
  - Fully qualified class name of the plugin implementing the com.f1.ami.web.AmiWebSamlPlugin interface
  - Use com.f1.ami.plugins.amisaml.AmiWebSamlPluginImpl unless implementing a custom version
- Default: User-provided
  - The URL of the identity provider
- Default: User-provided
  - The URL of the service provider (equivalent to the reply URL)
  - Must include a suffix, e.g: saml.service.provider.url=address_to_service_provider/suffix
- Default: User-provided
  - The issuer ID as provided by the SAML request
- Default: None (Optional)
  - Adds the RelayState parameter to the request for optional user input
- Default: uid (Optional)
  - Name of the attribute field of the response from which to extract the username
  - For example: Name="username"
- Default: true (Optional)
  - Name of the attribute field of the response used to determine whether a user has admin permissions
  - If not supplied, defaults to true
- Default: true (Optional)
  - Value of the attribute field of the response that indicates a user has admin permissions
  - If not supplied, defaults to true
- Default: true (Optional)
  - Name of the attribute field of the response used to determine whether a user has dev permissions
  - If not supplied, defaults to true
- Default: true (Optional)
  - Value of the attribute field of the response that indicates a user has dev permissions
  - If not supplied, defaults to true
- Default: User-provided (Optional)
  - Name of the attribute field of the response from which to extract group names
  - For example: user_group
- Default: User-provided (Optional)
  - Values of the different group names mapped to the 3forge groups field
  - For example: group_1,group_2
- Default: true (Optional)
  - Set to true to show verbose logging of SAML-related information
Security
- Default: User-provided (Optional)
  - The file containing the security certificate for the SAML authenticator
- Default: 100 (Optional)
  - The maximum drift (in milliseconds) allowed between the identity provider timestamp and the service provider timestamp
- Default: 60000000 (Optional)
  - Expiry time of the IdP request (in milliseconds)
- Default: 2048 (Optional)
  - The RSA key strength of the SAML certificate file
  - We recommend a minimum of 2048
- Default: transient (Optional)
  - Format in which the NameID from the service provider is expected
  - 3forge supports the following:
    - unspecified
    - persistent
    - transient (default)
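The following is an added example, not the 3forge adapter's own code, of the checks that the General and Security property lists above describe: pulling the username, admin/dev flags and group names out of the response attributes, enforcing the expected NameID format, and rejecting assertions that fall outside the configured drift and expiry window. The page lists only saml.service.provider.url by name, so the keys in the CONFIG dictionary, the is_admin and is_dev attribute names, the identity provider URL and the assertion itself are constructed for this illustration; signature verification against the configured certificate file is assumed to have already passed and is not shown.

```python
# Added illustration of the attribute-extraction and time-window checks
# described on this page. Not the 3forge adapter's code: CONFIG keys and the
# is_admin/is_dev attribute names are assumed, and the assertion is constructed.
# Signature verification against the configured certificate is assumed done.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard NameID format URIs for the three formats the page lists.
NAMEID_FORMATS = {
    "unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "persistent": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "transient": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

# Assumed configuration, mirroring the documented defaults where the page
# gives them (uid, transient, 100 ms drift, 60000000 ms expiry).
CONFIG = {
    "username_attr": "uid",
    "admin_attr": "is_admin",      # attribute name: assumed, not from the page
    "admin_value": "true",
    "dev_attr": "is_dev",          # attribute name: assumed, not from the page
    "dev_value": "true",
    "groups_attr": "user_group",
    "groups_allowed": {"group_1", "group_2"},
    "nameid_format": "transient",
    "clock_drift_ms": 100,
    "expiry_ms": 60000000,
}

# Constructed sample assertion (signature assumed already verified).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tx9f2</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="is_admin"><saml:AttributeValue>false</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="is_dev"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="user_group">
      <saml:AttributeValue>group_1</saml:AttributeValue>
      <saml:AttributeValue>unrelated_group</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_time(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def extract_attributes(root):
    """Map each Attribute Name to its list of AttributeValue strings."""
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def check_nameid(root, cfg):
    """The NameID Format must match the configured format (absent Format means unspecified)."""
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is None:
        return False
    return nameid.get("Format", NAMEID_FORMATS["unspecified"]) == NAMEID_FORMATS[cfg["nameid_format"]]


def check_times(root, cfg, now):
    """Reject assertions issued too far in the future, older than the expiry,
    or outside their own Conditions window, allowing the configured drift."""
    issued_at = root.get("IssueInstant")
    if not issued_at:
        return False
    issued = parse_time(issued_at)
    drift = timedelta(milliseconds=cfg["clock_drift_ms"])
    expiry = timedelta(milliseconds=cfg["expiry_ms"])
    if issued - now > drift or now - issued > expiry:
        return False
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + drift < parse_time(not_before):
            return False
        if not_on_or_after and now - drift >= parse_time(not_on_or_after):
            return False
    return True


def build_user(xml_text, cfg, now):
    """Run the checks and return the login record the adapter would hand to AMI."""
    root = ET.fromstring(xml_text)
    if not check_nameid(root, cfg):
        raise ValueError("unexpected NameID format")
    if not check_times(root, cfg, now):
        raise ValueError("assertion outside the allowed time window")
    attrs = extract_attributes(root)
    username = attrs.get(cfg["username_attr"], [None])[0]
    if not username:
        raise ValueError("username attribute missing from response")
    return {
        "username": username,
        "is_admin": cfg["admin_value"] in attrs.get(cfg["admin_attr"], []),
        "is_dev": cfg["dev_value"] in attrs.get(cfg["dev_attr"], []),
        # Only group names that are mapped in the configuration are kept.
        "groups": [g for g in attrs.get(cfg["groups_attr"], []) if g in cfg["groups_allowed"]],
    }


if __name__ == "__main__":
    print(build_user(SAMPLE_ASSERTION, CONFIG, parse_time("2024-01-01T12:00:00Z")))
```

Run as a script it prints the record for alice (not admin, dev, in group_1 only). The documented defaults for the admin and dev properties are true when they are not supplied, so a deployment that relies on those attributes to limit privileges should set the name and value properties explicitly rather than leave them at the default.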