SAML SP for ASP.NET service provider configuration - SSO

This document assumes that the name of the application server is sp.example.com and the name of the web application is webapp. After installation, activation and integration, https://sp.example.com/webapp will be protected by the SAML IDP (Ubisecure SSO Server).

This service provider configuration is performed for each application to be protected on the server.

Create the SAML Service Provider identity

The SAML Service Provider identity consists of an Entity ID, an RSA private key and an HTTP endpoint address. The Entity ID and private key are used to identify and authenticate the Service Provider to the Ubisecure Identity Provider. The HTTP endpoint is used by the Ubisecure IDP to submit protocol messages to the Service Provider.

The HTTP endpoint is a fully qualified URL address where ServiceProviderHandler is bound. The path of ServiceProviderHandler is /spsso.ashx. E.g. https://sp.example.com/webapp/spsso.ashx.

The identity is generated in a file named identity.properties. This file is located in a subfolder of the Service Provider configuration directory.

Listing 1. Creating the Service Provider identity
Windows Server 2003:

cd /d "%ALLUSERSPROFILE%\Application Data\Ubisecure\Ubisecure.SAML2.ServiceProvider"
mkdir sp
"%ProgramFiles%\Ubisecure\Ubisecure.SAML2.ServiceProvider\bin\saml2.exe" Generate https://sp.example.com/webapp/spsso.ashx -o sp

Windows Server 2008:

cd /d "C:\ProgramData\Ubisecure\Ubisecure.SAML2.ServiceProvider"
mkdir sp
"C:\Program Files\Ubisecure\Ubisecure.SAML2.ServiceProvider\bin\saml2.exe" Generate https://sp.example.com/webapp/spsso.ashx -o sp


The sample command in Listing 1 assumes the application server is accessible using the DNS name sp.example.com and the name of the web application is webapp. All communication with the application is encrypted using HTTPS. The host name and application path in the address (sp.example.com and /webapp) must be changed to suit your application.

If the application is available to users at the server root address, e.g. https://sp.example.com/, remove the additional path component /webapp from the generate commands in Listing 1.

The address parameter used when generating the identity is case sensitive. Ensure that your application name in IIS matches the case used in this command. Failure to match case at this point may cause incorrect redirection after authentication has been completed.

Associate the SP identity with a Ubisecure Web Application

Now the Ubisecure Management application must be used to associate the Service Provider identity with a Ubisecure Web Application. The SAML metadata of the Service Provider is uploaded to the management application. SAML metadata is an XML-formatted document that represents the public information about the Service Provider identity.

  1. First, create the SP metadata file using the saml2.exe command in Listing 2.

    Listing 2. Write the SAML metadata of the Service Provider to the c:\temp\sp.xml file
    Windows Server 2003:
    
    cd /d "%ALLUSERSPROFILE%\Application Data\Ubisecure\Ubisecure.SAML2.ServiceProvider" 
    "%ProgramFiles%\Ubisecure\Ubisecure.SAML2.ServiceProvider\bin\saml2.exe" Metadata sp -f c:\temp\sp.xml
    
    Windows Server 2008:
    
    cd /d "C:\ProgramData\Ubisecure\Ubisecure.SAML2.ServiceProvider"
    "C:\Program Files\Ubisecure\Ubisecure.SAML2.ServiceProvider\bin\saml2.exe" Metadata sp -f c:\temp\sp.xml
  2. Use Ubisecure Management to create the web application.
    1. Create a web application
    2. Select Type SAML Service Provider (Figure 1)
    3. Press Activate
    4. Select the file that was created in Listing 2 (c:\temp\sp.xml) to be uploaded or paste the sp.xml file contents in the text window provided (Figure 2)
    5. Click OK
    6. The SAML Service Provider ID is now shown (Figure 3). Click Update
    7. Copy the SAML Service Provider ID (entity ID) text shown in Figure 3. It will be used later when configuring the web.config file.
    8. Ensure the application has appropriate methods enabled and access to the application is configured in the Allowed To tab. An appropriate Authorization Policy is required to define which additional attributes will be available to the ASP.NET application. For more information on Web Application and Authorization Policy configuration, please refer to the Management user interface - SSO.

Using the Ubisecure Management application

Figure 1. Select SAML Service Provider from the drop down list and click Activate


Figure 2. Click Browse and select the file with the SP metadata, then click OK


Figure 3. The SAML Service Provider ID field now shows the Entity ID of your SP

Get the metadata of the Identity Provider

Download the Ubisecure IDP metadata from the SAML 2.0 link on the Ubisecure Management home page. Save this file using the name idp.xml in the folder below according to the operating system used:

Windows 2003:

%ALLUSERSPROFILE%\Application Data\Ubisecure\Ubisecure.SAML2.ServiceProvider\sp\metadata

Windows 2008:

C:\ProgramData\Ubisecure\Ubisecure.SAML2.ServiceProvider\sp\metadata

Figure 4. Click SAML 2.0 to download the IDP metadata file

During startup the Service Provider will locate and read all of the XML files in the sp\metadata folder in the Service Provider configuration directory. This folder must contain exactly one metadata file for a SAML Identity Provider. (It may, however, also contain one metadata file for an Attribute Authority; see Configure Attribute Authority below.) The Service Provider startup will fail if an IDP metadata file is not found, or if the folder contains more than one IDP metadata file.

Multiple IDPs are configured using the IDP Proxy functionality of Ubisecure SSO Server.
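The two checks above (the startup rule for the sp\metadata folder, and the case-sensitive endpoint path from the identity generation step) can be verified before starting the Service Provider. The following is an added example, not Ubisecure's own code: it parses SAML 2.0 metadata with the Python standard library; the entity IDs and the minimal metadata documents are constructed stand-ins for idp.xml, aa.xml and sp.xml.

```python
"""Pre-start checks for a Ubisecure.SAML2.ServiceProvider configuration.

Constructed example (not Ubisecure's own code): applies two rules from the
text to SAML 2.0 metadata documents: the sp metadata folder must hold exactly
one IDP metadata file (and at most one Attribute Authority file), and the SP
endpoint in the generated metadata must match the IIS URL case-sensitively.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed, minimal metadata documents standing in for idp.xml, aa.xml and sp.xml.
IDP_XML = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
           'entityID="https://idp.example.com/uas"><md:IDPSSODescriptor/></md:EntityDescriptor>')
AA_XML = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
          'entityID="https://idp.example.com/uas/aa"><md:AttributeAuthorityDescriptor/></md:EntityDescriptor>')
SP_XML = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
          'entityID="https://sp.example.com/webapp/spsso.ashx"><md:SPSSODescriptor>'
          '<md:AssertionConsumerService index="0" Location="https://sp.example.com/webapp/spsso.ashx"/>'
          '</md:SPSSODescriptor></md:EntityDescriptor>')


def metadata_roles(xml_text):
    """Return the SAML roles ('idp', 'aa', 'sp') declared by one metadata document."""
    root = ET.fromstring(xml_text)
    tags = {"IDPSSODescriptor": "idp", "AttributeAuthorityDescriptor": "aa", "SPSSODescriptor": "sp"}
    return {role for tag, role in tags.items() if root.find(f"md:{tag}", NS) is not None}


def check_metadata_folder(documents):
    """Startup rule: exactly one IDP metadata file, at most one AA metadata file."""
    roles = [metadata_roles(doc) for doc in documents]
    idp_count = sum("idp" in r for r in roles)
    aa_count = sum("aa" in r for r in roles)
    problems = []
    if idp_count != 1:
        problems.append(f"expected exactly 1 IDP metadata file, found {idp_count}")
    if aa_count > 1:
        problems.append(f"expected at most 1 Attribute Authority metadata file, found {aa_count}")
    return problems


def check_acs_endpoint(sp_xml, iis_app_url):
    """Compare every AssertionConsumerService Location with the IIS URL, case-sensitively."""
    expected = iis_app_url.rstrip("/") + "/spsso.ashx"
    root = ET.fromstring(sp_xml)
    locations = [acs.get("Location") for acs in root.iterfind(".//md:AssertionConsumerService", NS)]
    return [f"{loc} does not match {expected} (URL path is case-sensitive)"
            for loc in locations if loc != expected]
```

To use it against a real installation, read each file in the sp\metadata folder into the list passed to check_metadata_folder, and pass the contents of the file written by Listing 2 together with the application's IIS URL to check_acs_endpoint; an empty list means the check passed.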

Configure Attribute Authority

The use of an Attribute Authority is optional and not required for most installations. Skip this section if Attribute Queries are not being used.

Attribute Queries allow an SP to query a Subject's attributes at run time from the Attribute Authority service. For example, it is possible to get a user's attributes that were not sent in conjunction with the initial authentication, or attributes that may have changed after the initial authentication.

The following configuration is only required if Attribute Queries are used.

Copy the attribute authority (AA) metadata to the file listed below according to the operating system used:

Windows 2003:

%ALLUSERSPROFILE%\Application Data\Ubisecure\Ubisecure.SAML2.ServiceProvider\sp\metadata\aa.xml

Windows 2008:

C:\ProgramData\Ubisecure\Ubisecure.SAML2.ServiceProvider\sp\metadata\aa.xml