Implementing a Custom SAML and User Provisioning Solution

Disclaimer

We reserve the right to update our (Service Provider) use of the relevant elements in accordance with the SAML 2.0 specifications as part of our release process and as such the client will assume the responsibility for ensuring their (Identity Provider) implementation follows the said standard.

The information provided in this article was provided prior to Absorb implementing Just-In-Time (JIT) User Provisioning for SAML 2.0. Today, we recommend using the SSO User Provisioning feature with SAML 2.0 if that is what you want to achieve. Learn more here.

Clients using a standard Identity Provider do not usually need to write any code in order to implement SAML 2.0. You can read more about SAML 2.0, including Identity Providers our clients have used here.

This article details Absorb specific elements that are required if you are building a custom SAML solution for SSO. For the purposes of this article, we'll assume a basic understanding of the SSO process along with some background in software development.

Once a User is authenticated in your system (the Identity Provider), the User will look to navigate to your Absorb Portal, the Service Provider. Most likely this will be done through a link that passes them to Absorb.

To do this, your system should first confirm the User exists in your Absorb portal. If the User does not exist, it should be created then logged in. It’s possible to automate this process using REST API.

The following documentation may be useful:

 

Code Troubleshooting

Absorb does not provide support for writing, debugging, or troubleshooting client code.

 

Custom SAML Identity Provider

In the context of implementing your own Identity Provider, there are important SAML data elements that should be included in your SAML assertions for the SSO flow to work. It is expected for your IdP to follow the official SAML 2.0 specification, and the Web Browser SSO profile:

Below are the important elements that are required for the following scenarios supported by Absorb.

 

Important Fields for SAML Assertion

These fields are essential when interacting with a SAML assertion:

Field Description
Assertion The package element of information with one or more statements.
ID Identifier for this assertion.
IssueInstant Time that the instant is issued in UTC..
Version The SAML version for this assertion, should be “2.0”.
Issuer The authority making the claim in this assertion, should be the URI for your IdP.
<ds: Signature> Contains the XML Signature that protects the integrity of this assertion.
Subject The package element for the subject’s (User) identity.
NameId The ID Property identifier as configured in Absorb SSO settings.
Conditions Contains information that denotes the validity of the assertion.
NotBefore A time instant in UTC.
NotOnOrAfter A time instant in UTC.
AuthnStatement Contains information of the assertion subject.
AuthnContext The context of the authentication event.

 

Important Fields for Incoming Single Sign-On (SSO)

These fields are essential when interacting observing Incoming Single Sign-On:

Field Description
SAML Assertion All the elements as denoted above.

 

Important Fields for Outgoing SSO

For a SAML Authentication Request (AuthNRequest) sent to the LMS, the following elements are required:

Field Description
ID Identifier for this request.
IssueInstant Time that the instant is issued in UTC.
Version The SAML version for this assertion, should be “2.0”.
Issuer The authority making the claim in this assertion, should be the URI for your IdP.
ProtocolBinding The protocol for sending the authentication response, should be HTTP-POST.
<ds: Signature> Contains the XML Signature that protects the integrity of this assertion.

 

Important Fields for Single Logout (SLO)

For a SAML Authentication Response (SAML Response) sent to the LMS, the following elements are required:

Field Description
SAML Assertion All the elements as denoted above.
SessionIndex Part of the AuthStatement, contains a session identifier.

 

For a SAML Logout Response (LogoutResponse) sent to the LMS, the following elements are required:

Field Description
Issuer The authority making the claim in this assertion, should be the URI for your IdP.
<ds: Signature> Contains the XML Signature that protects the integrity of this assertion.
Status Contains the StatusCode.

 

Important Fields for Account Provisioning

For a SAML Authentication Response sent to the LMS, the following elements are required:

Field Description
SAML Assertion All the elements as denoted above.
AttributeStatement  All elements as denoted below.

 

The SAML Authentication Response must contain the following attributes:

Field Description
Username The Username. Must be unique, and between 1 and 255 characters
FirstName The User's First Name. Must be between 1 and 255 characters
LastName The User's Last Name. Must be between 1 and 255 characters
DepartmentId* A GUID that matches a Department's GUID within Absorb.
ExternalDepartmentId* Matches a Department's External ID within Absorb.

 

Provisioning Advisory

User Account Provisioning only requires DepartmentId or ExternalDepartmentId; not both. Additional custom fields can be discovered in this article: here.

 

 

Was this article helpful?
0 out of 0 found this helpful