Configuring an Identity Provider for SpringCM

The SpringCM Service Provider Information section is informational only; it is there to help you configure your Identity Provider for use with SpringCM.

As outlined in the samples below, the configuration URLs differ depending on which SpringCM environment you are configuring SSO for: UAT or Production. If your Identity Provider supports automatic configuration by importing Service Provider metadata, use the Download Metadata link to download the metadata XML and import it into your Identity Provider. Some Identity Providers, such as ADFS, support automatic configuration from a URL and can be configured to check that URL periodically for changes and update your configuration automatically. SpringCM supports this as well and provides a hosted version of the metadata:

Not all Identity Providers can consume metadata directly to configure the outgoing assertions to SpringCM; those must be configured manually. The following are the key items needed for Identity Provider configuration.

Entity Id

This is the unique identifier of the SpringCM Service Provider:
UAT - https://uat.springcm.com/atlas/sso/
Production - https://www.springcm.com/atlas/sso/Prod

Assertion Consumer Service URL

This is the URL where the Identity Provider POSTs the SSO Assertion to SpringCM:
UAT - https://uatna11.springcm.com/atlas/SSO/SSOEndpoint.ashx
Production - NA11 - https://na11.springcm.com/atlas/SSO/SSOEndpoint.ashx
Production - NA21 - https://na21.springcm.com/atlas/SSO/SSOEndpoint.ashx

Name Id Format

This indicates what name identifier format SpringCM supports. The only supported format currently is email address: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
The email address in the SAML Assertion response should be the same email address that exists in the SpringCM Address Book.

Signing

SpringCM expects all SAML Assertions posted to the Assertion Consumer Service to be signed, and SpringCM signs all authentication requests it sends to the Identity Provider. The XML returned from the federated metadata URL contains the public key certificate used for verifying authentication requests from SpringCM, so if you are using the metadata you should not need to download the certificate. If you are manually configuring your Identity Provider, use the Download Certificate link to download the public key certificate used to verify SAML Requests from SpringCM. Note that this certificate expires every few years. If you have SAML enabled in your account, SpringCM will notify the Super Administrators in the account in advance of certificate expiration and of any action that needs to be taken.
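
The items above (Entity Id, Assertion Consumer Service URL, Name Id Format, Signing) can be cross-checked against the Service Provider metadata before go-live. The following Python script is an added example, not SpringCM code: the embedded metadata is constructed from the UAT values on this page with a placeholder certificate, and the function names and the keys of the IdP settings dictionary are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample metadata, not downloaded from SpringCM. The certificate is a
# placeholder; entityID and Location are the UAT values listed on this page.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://uat.springcm.com/atlas/sso/">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://uatna11.springcm.com/atlas/SSO/SSOEndpoint.ashx"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def read_sp_metadata(xml_text):
    """Extract the items an IdP administrator would otherwise enter by hand."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not Service Provider metadata")
    certs = [k for k in sp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")  # no "use" means any purpose
             and k.find(".//ds:X509Certificate", NS) is not None]
    return {
        "entity_id": root.get("entityID"),
        "acs_urls": [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)],
        "name_id_formats": [n.text.strip() for n in sp.findall("md:NameIDFormat", NS)],
        "authn_requests_signed": sp.get("AuthnRequestsSigned") in ("true", "1"),
        "want_assertions_signed": sp.get("WantAssertionsSigned") in ("true", "1"),
        "signing_certs": len(certs),
    }

def check_idp_settings(sp, idp):
    """List mismatches between planned IdP settings (hypothetical dict) and the SP."""
    checks = [
        (idp["audience"] == sp["entity_id"], "audience is not the SP Entity Id"),
        (idp["acs_url"] in sp["acs_urls"], "ACS URL is not published by the SP"),
        (idp["name_id_format"] in sp["name_id_formats"], "Name Id format unsupported"),
        (idp["sign_assertions"] or not sp["want_assertions_signed"], "assertions must be signed"),
        (sp["signing_certs"] > 0 or not sp["authn_requests_signed"], "no cert to verify AuthnRequests"),
    ]
    return [msg for ok, msg in checks if not ok]
```

An empty list from check_idp_settings means the planned settings agree with the metadata; pairing a Production ACS URL with UAT metadata is reported as a mismatch.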