Sample SAML Assertion
<saml:Assertion ID="uuid-5D036492-5000-0DA1-02BF-68B5583580A1" IssueInstant="2013-03-16T00:02:54Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>${parterProvidedIssuerName}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">bob.barker@thepriceisright.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://go.deem.com/sp/ACS.saml2" NotOnOrAfter="2013-03-16T00:12:54Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-03-16T00:02:54Z" NotOnOrAfter="2013-03-16T00:12:54Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://go.deem.com/sp/ACS.saml2</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2013-03-16T00:02:54Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
</saml:Assertion>
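The checks a service provider's ACS should make before accepting a bearer assertion like the one above (validity window, AudienceRestriction, bearer Recipient and expiry, a non-empty NameID), as an added example that is not Deem's code; the embedded assertion is a constructed copy of the sample with a placeholder issuer, and signature verification is out of scope because the sample carries no Signature element.

```python
# Added example (not Deem's code): the consumer-side checks an SP should make on a bearer
# SAML 2.0 assertion like the sample above. Signature verification is out of scope here.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed copy of the page's sample assertion; the issuer name is a placeholder.
SAMPLE = """<saml:Assertion Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>example-issuer</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">bob.barker@thepriceisright.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://go.deem.com/sp/ACS.saml2" NotOnOrAfter="2013-03-16T00:12:54Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-03-16T00:02:54Z" NotOnOrAfter="2013-03-16T00:12:54Z">
    <saml:AudienceRestriction><saml:Audience>https://go.deem.com/sp/ACS.saml2</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_time(value):
    # The sample's dateTime values are UTC with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, acs_url, now):
    """Return the failed checks for this ACS at datetime `now`; an empty list means acceptable."""
    root = ET.fromstring(xml_text)
    errors = []
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        errors.append("missing Conditions")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        # NotBefore is inclusive, NotOnOrAfter is exclusive (SAML 2.0 core, section 2.5.1).
        if (nb and now < parse_time(nb)) or (na and now >= parse_time(na)):
            errors.append("outside validity window")
        if acs_url not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
            errors.append("audience mismatch")
    data = root.find("saml:Subject/saml:SubjectConfirmation[@Method='%s']/saml:SubjectConfirmationData" % BEARER, NS)
    if data is None:
        errors.append("no bearer SubjectConfirmation")
    elif data.get("Recipient") != acs_url:
        errors.append("recipient mismatch")
    elif data.get("NotOnOrAfter") and now >= parse_time(data.get("NotOnOrAfter")):
        errors.append("bearer confirmation expired")
    if not root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip():
        errors.append("empty NameID")
    return errors
```

In production, pass `datetime.now(timezone.utc)` as `now` and run these checks only after the assertion's signature has been verified against the partner's configured certificate.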

Customizing your SSO Configuration

Deem services for enterprises can be configured to support a wide variety of custom behaviors. You must provide the following data to your Deem Activations Manager to support a custom configuration.

...

Other values that can identify the user include username, which is the internal user name assigned to a particular user in Deem, and email, which is the user's email address. Although any one of these three attribute values (externalID, username, or email) can be used, we recommend externalID, since it is the least likely to change over time and avoids the common problems that arise when a user's email address changes.

...

You must choose one of these three attributes to represent your users — preferably externalID — and always send this as the subject of your SAML assertions. The same attribute must be used for all users, and this value must be available in your user profiles.

Select an identifier, and inform your Deem Activations Manager of the type you'll be sending.

...

Deem provides flexible behavior for user logouts, session timeouts, and various error conditions. In any of these cases users can either be redirected to a specified URL, or be shown a custom message. For each of the following conditions, you should provide either a URL that users will be redirected to, or a message to be displayed to the user:

...

  • Simple method: The simple method provides basic provisioning of a limited set of attributes using standard SAML attribute assertions. There is a separate SAML assertion corresponding to each of the various profile fields, and the fields are provisioned directly using the values provided with the various attribute element assertions. The Simple method has the advantage that it can usually be implemented with configuration options available in your SSO infrastructure.
  • Advanced method: The advanced method allows any of the profile fields to be provisioned by means of an XML document which itself becomes the value of a special provisioning attribute. The Advanced method is more extensive by virtue of its ability to provision all profile fields, but requires implementation of a custom plug-in for your SSO platform.

...

Not all possible field settings are supported with simple provisioning. Profile field attributes that can't be provisioned using the simple provisioning method include all travel preferences settings, including credit cards. There is, however, a complete XML web services provisioning schema defined for Deem that allows all of these fields to be specified. By including an XML document that conforms to this provisioning schema and contains all of the values to be provisioned, carried as a single user attribute in the SAML document, any or all of the available profile fields may be provisioned as part of the SSO event.

...

Sometimes things go wrong. In such cases, there are a number of ways you can diagnose your issue, or configure your infrastructure to deal with the error.

...