Provisioning Single Sign On in ACSF - NCIOCPL/cgov-digital-platform GitHub Wiki
- Create metadata
- Submit a Login Service Request to the NIH Login Team
  - Instructions
    - Submit the ticket via https://myitsm.nih.gov/
    - IMPORTANT ITEMS TO INCLUDE:
      - Request the "Recommended SP Session Duration" be set to omit the "use assertion validity" flag.
      - Request the "Name ID Format" be set to "Transient".
      - Specify that we require these SAML attributes:
      - Attach the metadata file.
- Login team does their configuration.
  - FUTURE: Is there a way for us to verify configuration before the site is provisioned?
- Provision new site.
- By default, NIH Login sends a `SessionNotOnOrAfter` value as part of the SAML response.
- The SimpleSAMLphp library uses that value to override the maximum session duration.
- This results in the session duration being set to the difference between the `SessionNotOnOrAfter` value and the instant the authentication occurred (which appears in the `AuthnInstant` value). This works out to be 30 seconds.
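As an added check (not code from this wiki or the cgov-digital-platform project), the script below parses a SAML response and reports whether the IdP is still sending `SessionNotOnOrAfter` (and the resulting effective session length) and whether the NameID format is transient, which is one way to verify the Login team's configuration before a site is provisioned. The response it parses is a constructed sample, not a real NIH Login message.

```python
# Added check: flag a SAML response that still carries SessionNotOnOrAfter
# (SimpleSAMLphp would shorten the session to it) or a non-transient NameID.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

def _parse_ts(value):
    # SAML timestamps are UTC ISO 8601 with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text):
    """Return findings; session_seconds is None when no SessionNotOnOrAfter
    is present, so SimpleSAMLphp falls back to its own configured lifetime."""
    root = ET.fromstring(xml_text)
    authn = root.find(".//saml:AuthnStatement", SAML)
    name_id = root.find(".//saml:Subject/saml:NameID", SAML)
    instant = _parse_ts(authn.get("AuthnInstant"))
    not_after = authn.get("SessionNotOnOrAfter")
    session_seconds = None
    if not_after is not None:
        # Effective lifetime as the wiki describes it: SessionNotOnOrAfter - AuthnInstant.
        session_seconds = int((_parse_ts(not_after) - instant).total_seconds())
    fmt = name_id.get("Format") if name_id is not None else None
    return {
        "session_override": not_after is not None,
        "session_seconds": session_seconds,
        "nameid_format": fmt,
        "nameid_transient": fmt == TRANSIENT,
    }

# Constructed sample (not a real NIH Login response) showing the default
# behaviour the wiki describes: a 30-second override plus a transient NameID.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.invalid/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_x</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z"
        SessionNotOnOrAfter="2024-01-01T12:00:30Z" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE))
```

A response captured after the Login team has applied the requested settings should report `session_override` as False, meaning SimpleSAMLphp keeps its own configured session duration.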
The metadata file is an ordinary XML file. Using the template below:

- Replace `<<CERT>>` (two instances) with the contents of the signing certificate's `saml.crt` file.
- Replace `<<HOST>>` (seven instances) with the new system's hostname (e.g. `www-test-ac`).
- Replace `<<EMAIL>>` (one instance) with the SMTP address ([email protected]) for the OCPL Application Alerts distribution.
```xml
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://<<HOST>>.cancer.gov/simplesaml/module.php/saml/sp/metadata.php/cancergov-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate><<CERT>></ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate><<CERT>></ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://<<HOST>>.cancer.gov/simplesaml/module.php/saml/sp/saml2-logout.php/cancergov-sp"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://<<HOST>>.cancer.gov/simplesaml/module.php/saml/sp/saml2-logout.php/cancergov-sp"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<<HOST>>.cancer.gov/simplesaml/module.php/saml/sp/saml2-acs.php/cancergov-sp" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://<<HOST>>.cancer.gov/simplesaml/module.php/saml/sp/saml1-acs.php/cancergov-sp" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://<<HOST>>.cancer.gov/simplesaml/module.php/saml/sp/saml2-acs.php/cancergov-sp" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://<<HOST>>.cancer.gov/simplesaml/module.php/saml/sp/saml1-acs.php/cancergov-sp/artifact" index="3"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:GivenName>OCPL App Alerts</md:GivenName>
    <md:EmailAddress><<EMAIL>></md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
```