UC_SAML_SETTINGS - Single Sign-On

This Variable (VARA) object defines the parameters to use the Automation Engine as a SAML (Security Assertion Markup Language) identity provider and allows you to link departments to one or more SAML identity providers. It is supplied with system client 0000.

You must set up this variable to use SAML single sign-on with the Automation Engine. For more information, see Setting up Single Sign-On.

This variable includes the following keys:

*CONFIG

  • Description: Allows you to define the SAML configuration settings

    This key contains an xml file with predefined elements that allow you to configure your settings.

    When the SAML key in the UC_SYSTEM_SETTINGS variable is set to Y, the system generates and populates the *CONFIG key automatically. For more information, see SAML and UC_SYSTEM_SETTINGS - Systemwide Settings.

    When the disableRequestedAuthnContext element is set to true, the RequestedAuthnContext element of the SAML AuthnRequest is not sent to your identity provider. By default, the disableRequestedAuthnContext element is set to false.

  • Restart required: No

*SP

  • Description: Service provider of the Automation Engine

    This key contains the metadata (XML) of the service provider of the Automation Engine.

    When the SAML key in the UC_SYSTEM_SETTINGS variable is set to Y, the system generates and populates the *SP key automatically. For more information, see SAML and UC_SYSTEM_SETTINGS - Systemwide Settings.

    You must edit the XML content and replace the three _INSERT_ values:

    1. entityID attribute at the beginning of the EntityDescriptor

      Replace the value of the entityID attribute with the URI that points to the Service Provider (usually, the domain name of the Service Provider is used).

      Example

      entityID="https://www.example.com/saml/metadata.xml"

    2. Location attribute for the HTTP-POST binding in the AssertionConsumerService element

    3. Location attribute for the HTTP-Artifact binding in the AssertionConsumerService element

      Replace the value of the Location attribute for both the HTTP-POST and the HTTP-Artifact bindings with the URL that points to your AWI instance or load balancer.

      Example

      Location="https://www.example.com/awi/"

  • Restart required: No
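    The following script is an added example, not part of the Automation Engine documentation or product: it checks an edited *SP metadata document before you save it back into the variable, reporting any remaining _INSERT_ placeholder, an entityID that is not an absolute URI, and any HTTP-POST or HTTP-Artifact AssertionConsumerService Location that is missing or not https. The element and attribute names follow the SAML 2.0 metadata schema; the template XML and the example.com values are constructed for this example.

```python
# Added example (not from the Automation Engine documentation): a pre-save
# check for the *SP metadata. Element/attribute names follow the SAML 2.0
# metadata schema; the template below is constructed for this example.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

def check_sp_metadata(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means the metadata is ready."""
    findings = []
    if "_INSERT_" in xml_text:
        findings.append("placeholder _INSERT_ still present")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return findings + ["root element is not md:EntityDescriptor"]
    entity_id = root.get("entityID", "")
    parsed = urlparse(entity_id)
    if not parsed.scheme or not parsed.netloc:
        findings.append(f"entityID is not an absolute URI: {entity_id!r}")
    # Map each ACS binding to its Location so both required bindings can be checked.
    seen = {}
    for acs in root.iter(f"{{{MD}}}AssertionConsumerService"):
        seen[acs.get("Binding")] = acs.get("Location", "")
    for binding in (POST, ARTIFACT):
        loc = seen.get(binding)
        if loc is None:
            findings.append(f"no AssertionConsumerService for {binding}")
        elif urlparse(loc).scheme != "https":
            findings.append(f"Location for {binding} is not https: {loc!r}")
    return findings

# Constructed stand-in for the generated *SP key, with the three _INSERT_ values.
TEMPLATE = """<md:EntityDescriptor xmlns:md="{md}" entityID="_INSERT_">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="{post}" Location="_INSERT_" index="0"/>
    <md:AssertionConsumerService Binding="{art}" Location="_INSERT_" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""".format(md=MD, post=POST, art=ARTIFACT)

def fill(entity_id: str, awi_url: str) -> str:
    """Fill the entityID and both ACS Locations, as the procedure above describes."""
    doc = TEMPLATE.replace('entityID="_INSERT_"', f'entityID="{entity_id}"')
    return doc.replace('Location="_INSERT_"', f'Location="{awi_url}"')

if __name__ == "__main__":
    filled = fill("https://www.example.com/saml/metadata.xml", "https://www.example.com/awi/")
    for label, doc in (("template", TEMPLATE), ("filled", filled)):
        print(label, check_sp_metadata(doc) or "OK")
```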

Department

  • Description: Department name to be linked to an Identity provider

    Use this key to add the metadata (xml) of the identity provider that is linked to the relevant department.

  • Restart required: No

    Example

    Key: TEST

    Value: Metadata for Okta as IdP

    <md:EntityDescriptor entityID="http://www.okta.com/exk1gy2l05kAuaBRJ0h8" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
      <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>MIIDnjCCAoagAwIBAgIGAV2hgZOLMA0GCSqGSIb3DQEBCwUAMIGPMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU MBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB2F1dG9taWMxHDAaBgkqhkiG9w0BCQEWDWlu Zm9Ab2t0YS5jb20wHhcNMTcwODAyMDU1MjI5WhcNMjcwODAyMDU1MzI5WjCBjzELMAkGA1UEBhMC VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM BE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdhdXRvbWljMRwwGgYJKoZIhvcN AQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgsqlEPXL XAJi0dgJOYknjZxmdissp3lnoUbB9a9gpek/VedXVXFamoZ1YflE8+up9BlZtsDPgkSqK+ucdx4r cqaxJlmGj5aJEEnBhrDl14jYfMxdCbMOpDNpYcvhUHKK3PZKUdtJ4d1cYg567ezW2mBeCeEaswdt UaAs4OzFFSyvmcVwcL85tQ2cpcPboct3HbzASYDXuRCTpbK1ePTVVl6L0oBLremOLbMyqVIVs/Wt a7bQe2myiJFxYcmViFZWss08GqdnOKaMM61rHVQb4on66svn3icebLSnzYUwu+Tp9EYFdogOG6lL UJ+2pjxhPlCo6YbtJdCE2/hO3wiVHwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAK/OxCCDdwgYwK OxejIMEWHr78jKNlzo7I/mRDNlcxnP+ipkCAfMgFFqg038FqIOWF6N3rwnp84vuQCoyAsuXCNK5h UjaB30unaRaPQYTtFQnH8l/zWN8lUABb8NPatFOGh2xOqGszt4yZQpH4AgKkTi9iyrY2jPDJ44ma B4ki30KBDxhD0DbRcXbuIOhQ0dN2zFSBYlSVxOacPBc1cVA5xDkxt29vSeR9xTXBC15/Ku0KiQtp ZzRXjF94m0Es0glJY26Jj9q1aFrb+vT2JYhcOJ9MAA1CnZngPlhs2Ktko3bnUIna/+uA6C1rQUyC TJ/Q5Abe0MtM3YOLBkbrw0V0</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycompany.okta.com/app/mycompanysoftwaregmbhprod_awasamltestuc2tsclient100depsbb01_1/exk1gy2l05kAuaBRJ0h8/sso/saml"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycompany.okta.com/app/mycompanysoftwaregmbhprod_awasamltestuc2tsclient100depsbb01_1/exk1gy2l05kAuaBRJ0h8/sso/saml"/>
      </md:IDPSSODescriptor>
    </md:EntityDescriptor>

See also: