2.7.2 Setting up SAML connection
This section describes the connection setup procedure when using SAML as the protocol for authentication for external IdP linkage.
When using SAML, it must be possible to obtain the user ID (username), first name, last name, and e-mail address from the SAML assertion.
The following is the procedure for setting up an external IdP using SAML.
(Figure) Setting up SAML connection
① Providing information set in the external IdP to Ops I
The external IdP administrator provides the Ops I security administrator with information such as the external IdP's identity provider entity ID and single sign-on service URL (AuthnRequest URL). When using the IdP metadata (XML file) in Step ②, provide the IdP metadata.
② Adding a SAML connection setting and registering external IdP information with Ops I
The Ops I security administrator adds a SAML connection setting and registers the external IdP information in it, including the service provider entity ID. When the IdP metadata is used, the external IdP information can be entered automatically.
The IdP metadata can only be specified when adding a new SAML connection setting.
For information on adding SAML connection settings and using the IdP metadata, see "Adding SAML". For information on the contents of the IdP metadata, see "IdP metadata example".
SAML certificates can be configured for SAML connection settings. This allows the legitimacy of the communication destination to be verified. However, certificates must be renewed periodically. For information on renewing certificates, see "Updating SAML certification".
③ Registering attribute/group/role mappings
Register external IdP user attribute information and Ops I user attribute information, and group and role mappings. For details, see "Mapping attributes/groups/roles".
④ Providing external IdP linkage information set in Ops I
The Ops I security administrator provides the external IdP administrator with the connection setting information, such as the [Service Provider Identity ID], added in Step ②.
When using the SP metadata (XML file) in Step ⑤, output the SP metadata from the connection setting and provide it to the external IdP administrator. The SP metadata can only be output on the SAML [Connection setting details] window.
For information on outputting the SP metadata, see "Connection setting detail window".
⑤ Registering the connection setting information set in Ops I with the external IdP
The external IdP administrator registers the connection setting information set in Ops I with the external IdP so that Ops I can be connected to the IdP as a service provider. When using the SP metadata, the connection setting information set in Ops I can be automatically registered.
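As an added example (not Ops I's own code), the following Python reads an IdP metadata file of the kind exchanged in Steps ① and ② and pulls out the identity provider entity ID, the single sign-on service URL and the signing certificate, then checks that a SAML assertion carries the four attributes Ops I requires. The entity ID, URLs and certificate are constructed placeholders, and the attribute names are hypothetical; the real names depend on the mapping registered in Step ③.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Hypothetical attribute names; Ops I needs user ID, first name, last name and e-mail.
REQUIRED_ATTRS = ("username", "firstName", "lastName", "email")

# Constructed IdP metadata: placeholder entity ID, SSO URL and certificate.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIB...CERT-PLACEHOLDER...</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.test/saml/sso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

# Constructed assertion fragment carrying the four required attributes.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""


def parse_idp_metadata(xml_text):
    """Return the values Step ② enters from the IdP metadata; fail if any is absent."""
    root = ET.fromstring(xml_text)
    sso = root.find(f"md:IDPSSODescriptor/md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    cert = root.find("md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if root.get("entityID") is None or sso is None or cert is None or not cert.text:
        raise ValueError("IdP metadata lacks entityID, HTTP-Redirect SSO URL or signing certificate")
    return {"entity_id": root.get("entityID"), "sso_url": sso.get("Location"),
            "signing_cert": "".join(cert.text.split())}


def missing_required_attributes(assertion_xml):
    """List required attributes the assertion does not carry (empty list means all present)."""
    root = ET.fromstring(assertion_xml)
    present = {a.get("Name") for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)
               if a.find("saml:AttributeValue", NS) is not None}
    return [name for name in REQUIRED_ATTRS if name not in present]
```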
Subsection structure
2.7.2.1 Updating SAML certification