Configure SAML service provider settings

Security Assertion Markup Language (SAML) is one of the options that you can select when configuring authorization for an enterprise or hybrid domain. SAML is primarily used to support SSO across multiple domains. When SAML is configured as your authentication provider, users log in and authenticate to LiveCycle via a specified third-party identity provider (IDP).

For an explanation of SAML, see Security Assertion Markup Language (SAML) V2.0 Technical Overview.

  1. In Administration Console, click Settings > User Management > Configuration > SAML Service Provider Settings.

  2. In the Service Provider Entity ID box, type a unique ID to use as an identifier for the LiveCycle service provider implementation. You also specify this unique ID when configuring your IDP (for example, um.lc.com.) You can also use the URL that is used to access LiveCycle (for example, http://LiveCycleserver).

  3. In the Service Provider Base URL box, type the base URL for your LiveCycle server (for example, http://LiveCycleserver:8080).

  4. (Optional) To enable LiveCycle to send signed authentication requests to the IDP, perform the following tasks:

    • Use Trust Manager to import a credential in PKCS #12 format with Document Signing Credential selected as the Trust Store Type. (See Managing local credentials.)

    • In the Service Provider Credential Key Alias list, select the alias you assigned to the credential in Trust Store.

    • Click Export to save the URL contents to a file and then import that file into your IDP.

  5. (Optional) In the Service Provider Name ID Policy list, select the name format that the IDP uses to identify the user in a SAML assertion. The options are Unspecified, Email, X509 Subject Name, Kerberos Principal, Entity, Persistent, Transient, or Windows Domain Qualified Name.

    Note: Name formats are not case-sensitive.
  6. (Optional) Select Enable Authentication Prompt For Local Users. When this option is selected, users will see two links:

    • a link to the login page of the third-party SAML identity provider, where users who belong to an Enterprise domain can authenticate.

    • a link to the LiveCycle login page, where users who belong to a Local domain can authenticate.

    When this option is not selected, users will be taken directly to the login page of the third-party SAML identity provider, where users who belong to an Enterprise domain can authenticate.

  7. (Optional) Select Enable Artifact Binding to enable artifact binding support. By default, POST binding is used with SAML. But if you have configured Artifact Binding, select this option. When this option is selected, the actual user assertion is not passed through the Browser request. Instead, a pointer to the assertion is passed and the assertion is retrieved using a backend web service call.

  8. (Optional) Select Enable Re-Direct Binding to support SAML bindings that use redirects.

  9. (Optional) In Custom Properties, specify additional properties. The additional properties are name=value pairs separated by new lines.

    • You can configure LiveCycle to issue a SAML assertion for a validity period that matches the validity period of a third-party assertion. To honor the third-party SAML assertion timeout, add the following line in Custom Properties:

      saml.sp.honour.idp.assertion.expiry=true
    • Add the following custom property for using RelayState to determine the URL where the user will be redirected after successful authentication.

      saml.sp.use.relaystate=true
    • Add the following custom property to configure the URL for the custom Java Server Pages (JSP), which will be used to render the registered list of identity providers. If you have not deployed a custom web application, it will use the default User Management page to render the list.
      saml.sp.discovery.url=/custom/custom.jsp
  10. Click Save.

// Ethnio survey code removed