Setting up TeamForge in a SAML-compliant third-party IdP environment

For TeamForge to support SAML-based SSO from a SAML-compliant third-party IdP, TeamForge must be set up in the IdP environment. This means that the SAML IdP must be configured with the details of TeamForge, which in this case is the SAML Service Provider (SP).

Configuring the SAML IdP itself is beyond the scope of TeamForge administration, as any third-party IdP can be used, depending on the business requirements.

Once a SAML IdP has been set up, the SAML IdP administrator can set up TeamForge as a Service Provider with the SAML IdP and keep both the IdP and SP metadata handy for creating the TeamForge-SAML IdP integration in TeamForge.

To set up the SAML IdP integration in TeamForge, enable Federated Login in TeamForge as follows.

  1. Log on to TeamForge as a Site Administrator.
  2. Select My Workspace > Admin.
  3. Select Projects > Identity.
  4. Select the Federation tab.
  5. Select the Use Federated Login check box and select SAML as the IdP from the drop-down list.
  6. Click Save.
  7. Select the SAML tab. This page captures the security configuration of TeamForge and of the SAML IdP. The IdP details that you provide on this page are obtained from the metadata XML of the third-party IdP.
    Important: The Service Provider ACS (Assertion Consumer Service) and Logout related properties are generated by the system, hence they should not be changed unless required.

    The following table lists the parameters of the SAML configuration page and describes each of them.

    Important: Configuration details are mandatory for fields 1 through 8 for a basic SAML integration.

    IDP Entity ID
      The unique identifier of the Identity Provider. It must be a URI.
    IDP Single Sign on URL
      The SSO endpoint URL of the IdP, that is, the target URL to which the SP sends its authentication request message.
    IDP X509 Certificate
      The digital certificate carrying the public key of the IdP, used to verify messages signed by the IdP.
    IDP Single Sign on Logout URL
      The Single Logout URL of the Identity Provider. If the IdP does not support logout, leave this blank.
    IDP Single Sign on Logout Response URL
      The Single Logout (SLO) response endpoint of the IdP, that is, the URL of the IdP to which the SP sends the SLO response.
      If this is left blank, the logout service URL is used.
      Use this property if the IdP uses separate URLs for receiving a logout request and a logout response.
    Service Provider Entity ID
      The unique identifier of the Service Provider. It must be a URI.
    Assertion Consumer Service URL
      The URL of the Service Provider's Assertion Consumer Service, to which the IdP sends the assertion.
    Service Provider Logout URL
      The URL of the Service Provider to which the Logout Response message is returned.
    Assertion Consumer Service Binding
      The SAML protocol binding used when the Response message is returned. TeamForge supports the "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" binding only.
    Service Provider Logout Binding
      The SAML protocol binding used when the logout response is returned or the logout request message is sent. TeamForge supports the "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" binding only.
    Name ID Format
      The constraints on the name identifier used to represent the requested subject. It is a mandatory attribute that the IdP sends in its SAML response to establish the federation.
      TeamForge supports the following three Name ID formats:
      • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified [default]
      • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
      • urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    Service Provider X509 Certificate
      The digital certificate carrying the public key of the SP.
    Service Provider Private Key
      The private key of the Service Provider.
      Required format: PKCS#8 ("BEGIN PRIVATE KEY").
      If you have a PKCS#1 key ("BEGIN RSA PRIVATE KEY"), convert it with "openssl pkcs8 -topk8 -inform pem -nocrypt -in sp.rsa_key -outform pem -out sp.pem".
    IDP Single Sign on Service Binding
      The SAML protocol binding used when the response message is returned. TeamForge supports the "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" binding only.
    IDP Single Sign on Logout Service Binding
      The SAML protocol binding used when the response message is returned. TeamForge supports the "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" binding only.
    IDP Certificate Finger Print
      The fingerprint of the IdP certificate can be entered instead of the entire X509 certificate.
    IDP Certificate Finger Print Algorithm
      If an IdP fingerprint is provided, the fingerprint algorithm is required so that the toolkit knows which algorithm was used.
      Possible values: sha1 (default), sha256, sha384.
    Use Strict Mode
      Values are True and False. If set to True, TeamForge rejects unsigned or unencrypted messages.
    Debug
      Sets the log level to debug. Values are True and False.
    Logout Name ID Encrypted
      Indicates that the Name ID in the logout response sent by the Service Provider is encrypted. Values are True and False.
    Sign Authentication Request
      Indicates whether the AuthnRequest message sent by the Service Provider is signed. The SP metadata carries this information. Values are True and False.
    Sign Logout Request
      Indicates whether the logout request messages sent by the Service Provider are signed. Values are True and False.
    Sign Logout Response
      Indicates whether the logout response sent by this Service Provider is signed. Values are True and False.
    Sign Messages
      Indicates whether messages are signed. Values are True and False.
    Sign Assertions
      Indicates whether the response, logout request, and logout response elements received by the SP must be signed. Values are True and False.
    Encrypt Assertions
      Indicates whether the assertions received by the Service Provider must be encrypted. Values are True and False.
    Need Name ID
      Indicates whether the Name ID is required in the SAML response. Values are True and False.
    Name ID Encrypted
      Indicates whether the Name ID received by the Service Provider must be encrypted. Values are True and False.
    Sign Metadata
      Indicates whether the SP metadata is signed. Values are True (sign using the SP private key) and False (or null, to not sign).
    Authentication Context
      The authentication context of the Service Provider. If no value is provided, no authentication context is sent in the AuthnRequest. Set the value to "urn:oasis:names:tc:SAML:2.0:ac:classes:Password".
    Authentication Context Comparison
      Sets the authentication context comparison parameter. The default value is exact.
    Validate XML
      Indicates whether the Service Provider validates all received XML.
      Important: To validate the XML, Use Strict Mode must be set to 'strict' and wantXMLValidation must be set to 'True'.
    Signature Algorithm
    Reject Unsolicited Response To
      Indicates where to send the rejected unsolicited response.
    Compress Request
      Indicates whether the request is compressed. Values are True and False.
    Compress Response
      Indicates whether the response is compressed. Values are True and False.
    Technical Contact Name
      The name of the technical contact at the Service Provider's end.
    Technical Contact Email
      The email address of the technical contact at the Service Provider's end.
    Organization Name
      The organization name at the Service Provider's end.
    Organization Display Name
      The organization's display name at the Service Provider's end.
    Organization URL
      The URL of the organization at the Service Provider's end.
    Username Attribute
      The username attribute of the IdP.
    Email Attribute
      The email attribute of the IdP.
    User Display Name Attribute
      The display name attribute of the user.
    Map Email to Username
      Indicates whether the username is mapped to the user's email address. Values are True and False.
  8. Click Test Connection to verify whether the integration works properly with the IdP configured in this page.
  9. Click Get SP Metadata to obtain the Service Provider's metadata.
  10. Click Save to save the configuration. Click Cancel to discard the changes.
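As an added example (not TeamForge's own code), the following Python script reads a third-party IdP's metadata XML and derives the IDP-side fields of the SAML page described above: the entity ID, the HTTP-Redirect SSO and logout endpoints (the only IdP binding TeamForge supports, so other bindings are rejected), the base64 certificate, and its fingerprint in one of the accepted algorithms. The metadata, the hypothetical idp.example.test host and the certificate placeholder are constructed for the example; a real export carries a real certificate.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"  # the only IdP SSO/SLO binding TeamForge supports
# Constructed placeholder: base64 of arbitrary bytes, NOT a real X.509 certificate.
CERT_PLACEHOLDER_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
# Constructed sample metadata for a hypothetical IdP (idp.example.test), as its administrator would export it.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{CERT_PLACEHOLDER_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.test/slo" ResponseLocation="https://idp.example.test/slo/response"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/sso/post"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/sso/redirect"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
def _endpoint(desc, tag, binding):
    # Location and ResponseLocation of the first service element that advertises the wanted binding.
    for el in desc.findall(f"md:{tag}", NS):
        if el.get("Binding") == binding:
            return el.get("Location"), el.get("ResponseLocation")
    return None, None

def fingerprint(cert_b64, algorithm="sha1"):
    """Colon-separated hex digest of the DER certificate, for the IDP Certificate Finger Print field."""
    if algorithm not in ("sha1", "sha256", "sha384"):  # the values the configuration page accepts
        raise ValueError("TeamForge accepts sha1, sha256 or sha384 only")
    digest = hashlib.new(algorithm, base64.b64decode("".join(cert_b64.split()))).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def teamforge_idp_fields(metadata_xml, fp_algorithm="sha256"):
    """Map IdP metadata to the IDP fields of the TeamForge SAML page, rejecting unsupported SSO bindings."""
    root = ET.fromstring(metadata_xml)
    desc = root.find("md:IDPSSODescriptor", NS)
    # A KeyDescriptor without a use attribute covers signing too; encryption-only keys are skipped.
    key = next(k for k in desc.findall("md:KeyDescriptor", NS) if k.get("use", "signing") == "signing")
    cert = "".join(key.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text.split())
    sso, _ = _endpoint(desc, "SingleSignOnService", REDIRECT)
    if sso is None:
        raise ValueError("IdP has no HTTP-Redirect SSO endpoint; TeamForge supports that binding only")
    slo, slo_response = _endpoint(desc, "SingleLogoutService", REDIRECT)
    return {
        "IDP Entity ID": root.get("entityID"),
        "IDP Single Sign on URL": sso,
        "IDP Single Sign on Logout URL": slo or "",  # blank when the IdP does not support logout
        "IDP Single Sign on Logout Response URL": slo_response or "",  # blank: the logout URL is reused
        "IDP X509 Certificate": cert,
        "IDP Certificate Finger Print": fingerprint(cert, fp_algorithm),  # enter fp_algorithm as its Algorithm
    }
```

Paste the returned values into the matching fields of the SAML tab; the fingerprint is only useful together with the IDP Certificate Finger Print Algorithm field set to the same algorithm.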