Articles in this section

[SES8] Authentication - SAML settings

  • Updated

Authentication settings

Expand the 'Authentication settings' menu to define user connection on SES8.

Authentication mode

Settings

Description

Local

User information is stored on SES8

LDAP

Administrators do not have to create a SES8 account for each user. Users can login via their corporate credentials, using LDAP protocol

SAML

Administrators do not have to create a SES8 account for each user. Users can login via their corporate credentials, using SAML 2.0 protocol


SAML settings

If SAML is activated, Administrators can set up the following configuration for connecting SES to the SAML identity provider:

  1. Identity Provider entrypoint: e.g. https://yourIdpServer.com/adfs/ls/ (will appear as entryPoint: https://yourIdpServer.com/adfs/ls/ in the config file)
  2. Issuer (string to supply to identity provider): e.g. https://yourSesServer.com:3443 (will appear as issuer:https://yourSesServer.com:3443 in the config file)
  3. Certificates: Provide in this section the path to the requested certificates
    1. Identity provider signature public key: path to the IDP key e.g. certificates/idp.cer (cert: certificates/idp.cer in the config file)
    2. Service signature private key: path to SES signature private key, e.g. certificates/sig.key (privateCert: certificates/sig.key)
    3. SES Decryption/Encryption private key: e.g. certificates/enc.key (decryptionPvk: certificates/enc.key in the config file)

 

  1. SAML Mapping: Provide in this section the information used for the mapping between the SAML identity provider and SES
    1. Mapping of identifier: e.g. userPrincipalName (id: userPrincipalName in the config file)
    2. Mapping of Given name: e.g. givenName (givenName: givenName in the config file)
    3. Mapping of family name: e.g. familyName (familyName: familyName in the config file)

 

  1. Additionals
    1. Accepted Clock Skew: Time in milliseconds of skew that is acceptable between client and server when checking OnBefore and NotOnOrAfter assertion condition validity timestamps (acceptedClockSkewMs: 2000 in the config file)
    2. Identifier format: Name identifier format to request from identity provider, ex: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress (identifierFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress in the config file)
    3. Authentication context
      1. Name Identifier Format: e.g. urn:federation:authentication:windows (authnContext in the config file)
      2. Do not request a specific authentication context (disableRequestedAuthnContext:false in the config file)
      3. Force re-authentication: Set to true if Identity provider should force re-authentication of the user (forceAuthn: false in the config file)
      4. Use form authentication after sign out: Set to true if after a signout, force another Authentication context to avoid automatic re-signin (formAuthAfterSignout: true in the config file)
      5. Name identifier format for form authentication: Authentication context to use after a signout (authnContextAfterSignout: urn:oasis:names:tc:SAML:2.0:ac:classes:Password in the confif file)