
SAML Domains

After selecting an alias and the SAML2 domain type, the Domain configuration wizard will present the options for configuring the SAML Domain as seen below.

SAML Configuration Options


General Configuration Options

Description

EntityId

This value will be “https://the-url-of-your-signum-deployment.com/the-alias-of-your-domain”. For example, if the Alias of your SAML Domain is companyname.com, this would be “https://signumdemo.com/companyname.com”.

Import IDP Metadata

This option allows for importing an .xml configuration file from your IDP and will help auto-populate some of the IDP provided configuration fields in Signum.

Automatic Provisioning of Users

If enabled, this setting will import a user's email, name, and group membership into Signum the first time the user authenticates against the IDP. If this setting is not enabled, you will need to manually populate these data fields for users.

Troubleshooting Tip

You may see the error “User found, but does not belong to any roles” when attempting to log in to Signum after authenticating with the IDP. This is because every user accessing the Admin Web Console must be assigned a Role in Signum, and the authenticating user has not yet been assigned one by the Signum Administrator. This can be solved either by having the System Admin log in to Signum and assign this new Signum user to a role, or by using SAML Groups to assign an entire group of users to a particular role, which will allow those group members to log in automatically.

Login URL

This will be provided by your IDP.

Logout URL

This will be provided by your IDP.

IDP X.509 Certificate

This will be provided by your IDP.

IDP Configuration

Description

URL for Assertions

Configured at your IDP. This value will be “https://the-url-of-your-signum-deployment.com/Auth/SamlConsumer”. For example, if the URL of your Signum deployment is signumdemo, this value would be “https://signumdemo.com/Auth/SamlConsumer”.

SAML Attribute Mapping


Attribute Mapping Options

Description

Email

The value you have configured for the “email” attribute in the SAML assertion.

Name

The value you have configured for the “name” attribute in the SAML assertion.

Surname

The value you have configured for the “surname” attribute in the SAML assertion.

Groups

The value you have configured for the “groups” attribute in the SAML assertion.

Case Sensitive NameID

Enabled by default. When enabled, this setting treats the NameID field as case sensitive.

Use email as User Identifier

Enable this option if your organization uses the email attribute as the identifier for users instead of name or surname. Note that this option needs to be configured at the time of domain creation. It is not possible to edit this property once a domain has been created. Most use cases will want to enable this setting.

ACS by index

Disabled by default. This property specifies how to indicate to the IDP (through the SAML authentication request) the URL that will consume the SAML assertion generated by the IDP.

If it is disabled, AssertionConsumerServiceURL will be added to the authentication request. If it is enabled, AssertionConsumerServiceIndex will be added in the request. If it is enabled, you must configure the IDP so that the index "0" corresponds to the URL "https://the-url-of-your-signum-deployment/Auth/SamlConsumer".
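The two request forms described above, and the IDP-side lookup that index mode depends on, as an added example (not Signum's own code). The XML samples are constructed and trimmed to the attributes used, the host and alias are the page's examples, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ACS_PATH = "/Auth/SamlConsumer"  # path given on this page

# Constructed AuthnRequests: "ACS by index" disabled, then enabled.
REQ_BY_URL = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_a1" Version="2.0" '
    'AssertionConsumerServiceURL="https://signumdemo.com/Auth/SamlConsumer"/>'
)
REQ_BY_INDEX = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_a2" Version="2.0" '
    'AssertionConsumerServiceIndex="0"/>'
)
# Constructed SP registration as held by the IDP (trimmed to fields used).
SP_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{MD}" '
    'entityID="https://signumdemo.com/companyname.com"><md:SPSSODescriptor>'
    '<md:AssertionConsumerService index="0" '
    'Location="https://signumdemo.com/Auth/SamlConsumer"/>'
    '</md:SPSSODescriptor></md:EntityDescriptor>'
)


def resolve_acs(authn_request_xml, sp_metadata_xml):
    """Return (mode, url) the IDP would deliver the assertion to."""
    req = ET.fromstring(authn_request_xml)
    if req.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    url = req.get("AssertionConsumerServiceURL")
    index = req.get("AssertionConsumerServiceIndex")
    if url and index is not None:
        # SAML core makes the two attributes mutually exclusive.
        raise ValueError("request carries both ACS URL and ACS index")
    if url:
        return "url", url
    if index is None:
        raise ValueError("no ACS attribute; not one of the two modes above")
    md = ET.fromstring(sp_metadata_xml)
    for acs in md.iter(f"{{{MD}}}AssertionConsumerService"):
        if acs.get("index") == index:
            return "index", acs.get("Location")
    raise LookupError(f"IDP has no ACS registered at index {index}")


def acs_is_expected(mode_url, base_url):
    """True if the resolved ACS is this deployment's /Auth/SamlConsumer."""
    return mode_url[1] == base_url.rstrip("/") + ACS_PATH
```

In index mode the destination is decided entirely by the IDP's registration, so a missing or mis-registered index "0" surfaces here as a `LookupError` or a failed `acs_is_expected` check. The samples are trusted, constructed input; XML received from the network should go through a hardened parser such as defusedxml.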

SSO Login Button

You can enable a UI button on the Admin Web Console login page both during and after the creation of a SAML domain. This button allows users to go directly to the Identity Provider (IDP). This feature applies to both SAML and OAuth2 domains. If needed, multiple domains can be configured this way, enabling authentication with multiple IDPs directly from the login page.

To enable it, select the SAML or OAuth2 domain that has been created from the list of domains (Access>Domains) and toggle the SSO Login Button.


On the Admin Web Console login page you should now see a button with the alias of your domain.


IDP URL Configuration

Users can also be sent straight to the IDP login page, skipping the Signum login page, by navigating to a URL with the configuration below. After authenticating, the user will be sent back to the Signum Admin Web Console.

URL

https://Your-Signum-URL/login?domain=The-Domain-Alias
