# SAML SSO Configuration

# Configuration of an Identity Provider (IdP)

The following minimal configuration is needed for an identity provider to work with GRAVITY as a service provider:

1. Assertion Consumer Service (ACS) URL: https://your.domain/gravity/services/admin/saml/login/callback
2. Users who need access to the GRAVITY Admin site should be assigned a specific role (group). The user's roles (groups) should be included in the SAML response as a named attribute.

# Configuration of GRAVITY as a Service Provider

![[saml-sso-provider-1.png]]

## JSON Configuration

JSON-based configuration of the SAML SSO service, which maps the claims in the SAML response to the attributes known to the system.

"claimMapping" - mapping of IdP claims to GRAVITY-specific attributes

- "userLogin" - namespace of the claim containing a unique value to be used as the GRAVITY user login. Optional if the login is returned as the NameID.
- "userName" - namespace of the claim containing the value to be used as the GRAVITY user name (optional)
- "userRole" - namespace of the claim containing the list of roles (groups) assigned to the user

"roleMapping" - mapping of IdP roles (groups) to GRAVITY-specific roles

- "adminRole" - mapping of an external role (group) to the GRAVITY admin role. Users with such a role assigned are considered GRAVITY administrators with access to the Admin site.

"nameIdConfig" - configuration of the Name Identifier (NameID), the unique identifier of the user in SAML

- "format" - the expected format used to represent the requested subject
- "allowCreate" - Boolean value indicating whether the identity provider is allowed, in the course of fulfilling the request, to create a new identifier to represent the principal

"issuer" - shared identifier that lets the IdP identify the SP from which the request is coming

## Metadata XML

XML-based description of the IdP SAML endpoint. The signing certificate and login URL are required.
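A complete sample of the JSON configuration described in the JSON Configuration section, added here as an illustration and not taken from the product's own documentation. It follows the key list given above; the claim URIs are the common ADFS/Azure AD ones, while the role name and the issuer are assumed placeholder values that must match what the IdP is actually configured to send and expect.

```json
{
  "claimMapping": {
    "userLogin": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "userName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "userRole": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
  },
  "roleMapping": {
    "adminRole": "GRAVITY-Admins"
  },
  "nameIdConfig": {
    "format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "allowCreate": false
  },
  "issuer": "gravity-admin-sp"
}
```

The "adminRole" value is matched against the list carried in the "userRole" claim, so membership of that group should be tightly controlled on the IdP side. If the login is returned as the NameID, the "userLogin" entry can be omitted.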
## Signing of SAML requests

All requests are signed by default. Use the 'Show certificate' button to get the public key certificate needed to configure validation of SAML requests on the IdP side.

# Troubleshooting

## Wrong scheme used in SAML requests

**Problem**: If the GRAVITY server is hosted behind a load balancer/proxy, the real http**s** scheme may be erroneously replaced with the http scheme.

**Solution**: define the external server base URL (domain & context) in the server settings:

![[saml-sso-provider-2.png]]