Security Assertion Markup Language (SAML) is one of the
options that you can select when configuring authorization for an
enterprise or hybrid domain. SAML is primarily used to support SSO
across multiple domains. When SAML is configured as your authentication
provider, users log in and authenticate to LiveCycle via a specified
third-party identity provider (IDP).
For an explanation of SAML, see Security Assertion Markup Language (SAML) V2.0
Technical Overview.
1. In Administration Console, click Settings > User Management > Configuration > SAML Service Provider Settings.

2. In the Service Provider Entity ID box, type a unique ID to use as an identifier for the LiveCycle service provider implementation. You also specify this unique ID when configuring your IDP (for example, um.lc.com). You can also use the URL that is used to access LiveCycle (for example, http://LiveCycleserver).

3. In the Service Provider Base URL box, type the base URL for your LiveCycle server (for example, http://LiveCycleserver:8080).

4. (Optional) To enable LiveCycle to send signed authentication requests to the IDP, perform the following tasks:
   a. Use Trust Manager to import a credential in PKCS #12 format with Document Signing Credential selected as the Trust Store Type. (See Managing local credentials.)
   b. In the Service Provider Credential Key Alias list, select the alias you assigned to the credential in Trust Store.
   c. Click Export to save the URL contents to a file and then import that file into your IDP.

5. (Optional) In the Service Provider Name ID Policy list, select the name format that the IDP uses to identify the user in a SAML assertion. The options are Unspecified, Email, X509 Subject Name, Kerberos Principal, Entity, Persistent, Transient, or Windows Domain Qualified Name.
   Note: Name formats are not case-sensitive.

6. (Optional) Select Enable Authentication Prompt For Local Users. When this option is selected, users see two links:
   - a link to the login page of the third-party SAML identity provider, where users who belong to an Enterprise domain can authenticate.
   - a link to the LiveCycle login page, where users who belong to a Local domain can authenticate.
   When this option is not selected, users are taken directly to the login page of the third-party SAML identity provider, where users who belong to an Enterprise domain can authenticate.

7. (Optional) Select Enable Artifact Binding to enable artifact binding support. By default, POST binding is used with SAML; select this option if you have configured Artifact Binding. When this option is selected, the actual user assertion is not passed through the browser request. Instead, a pointer to the assertion is passed and the assertion is retrieved using a back-end web service call.

8. (Optional) Select Enable Re-Direct Binding to support SAML bindings that use redirects.

9. (Optional) In Custom Properties, specify additional properties. The additional properties are name=value pairs separated by new lines.
   - You can configure LiveCycle to issue a SAML assertion for a validity period that matches the validity period of a third-party assertion. To honor the third-party SAML assertion timeout, add the following line in Custom Properties:
     saml.sp.honour.idp.assertion.expiry=true
   - Add the following custom property to use RelayState to determine the URL where the user is redirected after successful authentication:
     saml.sp.use.relaystate=true
   - Add the following custom property to configure the URL of the custom Java Server Pages (JSP) file that renders the registered list of identity providers. If you have not deployed a custom web application, the default User Management page is used to render the list:
     saml.sp.discovery.url=/custom/custom.jsp

10. Click Save.
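The following is an added example, not LiveCycle code, showing the checks a SAML service provider configured as above performs on an incoming assertion: the assertion must be addressed to the Service Provider Entity ID (um.lc.com), must be inside its NotBefore/NotOnOrAfter window, its NameID Format must match the configured Name ID Policy (compared case-insensitively, as the note states), and the SP session expiry follows the IdP's NotOnOrAfter only when saml.sp.honour.idp.assertion.expiry=true is present in Custom Properties. The sample assertion, the issuer and subject values, and the two-hour default session lifetime are constructed assumptions; the property names are the ones from this page.

```python
"""Service-provider-side assertion checks for the settings described above.
Added example; the assertion, issuer, subject and default lifetime are
constructed, and signature verification is outside the scope of this snippet."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Name ID Policy options from the UI mapped to the SAML 2.0 NameID Format URIs.
# Keys are lower-cased because the UI treats the format names as case-insensitive.
NAMEID_FORMATS = {
    "unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "email": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "x509 subject name": "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "kerberos principal": "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "entity": "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "persistent": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "transient": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "windows domain qualified name": "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
}

# Constructed sample assertion addressed to the Entity ID used on this page.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>um.lc.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Assumed local session lifetime used when the IdP expiry is not honoured.
DEFAULT_SESSION_LIFETIME = timedelta(hours=2)


def parse_custom_properties(text):
    """Parse the Custom Properties box: one name=value pair per line."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed property line: {line!r}")
        props[name.strip()] = value.strip()
    return props


def parse_saml_time(value):
    """SAML dateTime attributes are UTC and end in 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, sp_entity_id, name_id_policy, custom_props, now):
    """Return subject, NameID format and session expiry, or raise ValueError."""
    root = ET.fromstring(xml_text)

    # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions element")
    not_before = parse_saml_time(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion is outside its validity window")

    # Audience must name this SP's Entity ID, otherwise the assertion was meant for someone else.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion is not addressed to this service provider")

    # NameID format must agree with the configured Name ID Policy (case-insensitive option name).
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("assertion has no NameID")
    policy = name_id_policy.strip().lower()
    if policy not in NAMEID_FORMATS:
        raise ValueError(f"unknown Name ID Policy: {name_id_policy!r}")
    actual_format = name_id.get("Format", NAMEID_FORMATS["unspecified"])
    if policy != "unspecified" and actual_format != NAMEID_FORMATS[policy]:
        raise ValueError(f"NameID format {actual_format} does not match policy {name_id_policy}")

    # Session lifetime: follow the IdP's NotOnOrAfter only when the custom property says so.
    honour = custom_props.get("saml.sp.honour.idp.assertion.expiry", "false").lower() == "true"
    session_expiry = not_on_or_after if honour else now + DEFAULT_SESSION_LIFETIME
    return {
        "subject": name_id.text,
        "name_id_format": actual_format,
        "session_expiry": session_expiry.isoformat(),
    }


if __name__ == "__main__":
    props = parse_custom_properties("saml.sp.honour.idp.assertion.expiry=true\nsaml.sp.use.relaystate=true")
    print(validate_assertion(SAMPLE_ASSERTION, "um.lc.com", "Email", props, parse_saml_time("2024-01-01T12:01:00Z")))
```

With the honour property set, the session expires at the IdP's NotOnOrAfter (12:05); without it, the local default lifetime applies. Changing the Entity ID, selecting a Name ID Policy the IdP does not use, or evaluating at or after NotOnOrAfter all reject the assertion, which is the behaviour to expect when the values entered in steps 2 and 5 do not match the IDP configuration.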