configuring saml-sample (SP) to work with SafeNet (IdP)


    I'm a bit new to SAML, so maybe there is something basic that I'm missing here.

    I read the wiki page and succeeded in getting the saml-sample to work as SP in front of SSOcircle (the IdP). Up to here everything is fine.

    However, I am now trying to make the saml-sample work in front of a "real world" IdP, such as SafeNet.
    In the wiki, I saw how to configure the IdP metadata (3.2.2) - adding it in the XML. But how do I do so for SafeNet? How do I get their metadata XML file (if any)?
    Do all IdPs that support SAML provide their metadata somehow?
    Maybe there is another way to configure the IdP?

    Once I add the IdP metadata, I will have to upload my (the SP) metadata to SafeNet - this is something I've read about; but as I said, currently I am stuck on configuring the IdP metadata.

    Hope someone can help me out here...


  • #2
    Hi Ohad,

    Each SAML 2.0 IDP should be able to provide a metadata document describing its endpoints and cryptographic keys; it's common practice. SafeNet's technical support should be able to provide it on request.



    • #3
      Thanks Vlad!

      Indeed, I asked them and they pointed me to their metadata xml file.

      I succeeded to add their metadata to my SP (using FilesystemMetadataProvider).

      However, even though I see how the saml-sample SP works in front of SSOcircle, I would like to understand the flow in the "real world". Usually, what does the user do using SAML? Does he go to the SP, get redirected to the IdP to authenticate, and then come back to the SP (option 1), or, like in "Okta" or "Ping Identity", does the user log in to the IdP framework and then see all SPs (option 2)?

      thanks a ton for the help!
      Last edited by OhadR; Apr 9th, 2013, 09:29 AM.


      • #4
        Hi Ohad,

        What user wants to achieve is a single sign-on to an SP application using authentication with a selected identity provider. SAML is just one of the means to achieve that and its usage is transparent to the user.

        As you describe, the SAML web single sign-on flow can be initialized in two ways - either at SP when SP sends an AuthenticationRequest to IDP, or at IDP when IDP sends an unsolicited request to SP. The first approach is generally preferred, as SP has full say in specifying requirements governing the authentication process (such as required nameID, authentication context, passive authentication, proxying, ...). You can find more details in the SAML profiles specification, chapter 4.

        - V.
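The two flows in the reply above, reduced to the correlation an SP does at its assertion consumer service, as an added Python example (not code from this thread or from Spring Security SAML, and not a real SAML stack: messages are plain dicts and XML signing and assertion validation are left out). In the SP-initiated flow the SP states its requirements (NameIDPolicy, RequestedAuthnContext) in the request and later ties the Response back to that request via InResponseTo; in the IdP-initiated flow the Response arrives unsolicited, with no InResponseTo, and the SP can only accept or reject it by policy. The class and function names (ServiceProvider, fake_idp_answer, fake_idp_unsolicited) and all URLs and subjects are hypothetical.

```python
"""SP-initiated vs IdP-initiated SAML web SSO, seen from the SP's ACS.

Added example; not code from the thread or from Spring Security SAML, and
not a SAML implementation: messages are dicts, signing and assertion
validation are omitted. All names, URLs and subjects are hypothetical.
"""
import secrets

EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


class ServiceProvider:
    def __init__(self, entity_id, acs_url, allow_unsolicited=False, ttl=300):
        self.entity_id = entity_id
        self.acs_url = acs_url
        self.allow_unsolicited = allow_unsolicited  # accept IdP-initiated SSO?
        self.ttl = ttl                              # seconds a request stays valid
        self.outstanding = {}                       # request ID -> expiry time

    def build_authn_request(self, idp_sso_url, now):
        """SP-initiated flow (option 1): the SP states its requirements and
        remembers the request ID so it can later tie the Response to it."""
        req_id = "_" + secrets.token_hex(16)
        self.outstanding[req_id] = now + self.ttl
        return {
            "ID": req_id,
            "Issuer": self.entity_id,
            "Destination": idp_sso_url,
            "AssertionConsumerServiceURL": self.acs_url,
            # Requirements only an SP-initiated flow lets the SP express:
            "NameIDPolicy": {"Format": EMAIL_FORMAT},
            "RequestedAuthnContext": [PASSWORD_CTX],
        }

    def consume_response(self, response, now):
        """Return (accepted, reason) for a Response delivered to the ACS."""
        if response.get("Destination") != self.acs_url:
            return False, "response not addressed to this SP's ACS"
        in_response_to = response.get("InResponseTo")
        if in_response_to is None:
            # No InResponseTo: an unsolicited Response, i.e. IdP-initiated
            # SSO (option 2). The SP had no say in nameID or authn context.
            if not self.allow_unsolicited:
                return False, "unsolicited response rejected by policy"
            return True, "idp-initiated"
        # pop(): each request ID is honoured once, which blocks replay.
        expiry = self.outstanding.pop(in_response_to, None)
        if expiry is None:
            return False, "InResponseTo matches no outstanding request"
        if now > expiry:
            return False, "matching request has expired"
        return True, "sp-initiated"


def fake_idp_answer(authn_request, subject):
    """Simulated IdP handling an AuthnRequest: honours the SP's NameIDPolicy
    and authn context and echoes the request ID in InResponseTo."""
    return {
        "InResponseTo": authn_request["ID"],
        "Destination": authn_request["AssertionConsumerServiceURL"],
        "NameID": {"Format": authn_request["NameIDPolicy"]["Format"],
                   "Value": subject},
        "AuthnContext": authn_request["RequestedAuthnContext"][0],
    }


def fake_idp_unsolicited(acs_url, subject):
    """Simulated IdP-initiated login: the user picked the SP on the IdP's
    portal, so the IdP chose the nameID format and context on its own."""
    return {
        "Destination": acs_url,
        "NameID": {"Format": PERSISTENT_FORMAT, "Value": subject},
        "AuthnContext": PASSWORD_CTX,
    }


def demo():
    """Run both flows against an SP that rejects unsolicited responses."""
    sp = ServiceProvider("https://sp.example.test/saml/metadata",
                         "https://sp.example.test/saml/SSO")
    req = sp.build_authn_request("https://idp.example.test/saml/sso/redirect", now=1000)
    resp = fake_idp_answer(req, "alice@example.test")
    first = sp.consume_response(resp, now=1010)       # accepted
    replay = sp.consume_response(resp, now=1011)      # same Response again: rejected
    unsolicited = sp.consume_response(
        fake_idp_unsolicited(sp.acs_url, "bob@example.test"), now=1020)
    return first, replay, unsolicited


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The outstanding-request table is what gives the SP-initiated flow its extra control: the SP only accepts a Response it asked for, once, within a time window, and with the nameID format and authentication context it requested. An SP that wants to support an IdP portal (option 2) has to opt in to unsolicited responses and accept whatever the IdP chose.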