Overriding the service provider settings for a SAML SSO authentication service
The service provider settings for a SAML SSO authentication service are automatically populated when you create the authentication service. You can override the default values.
Note: For the SAML ruleform, Global Resource Settings are supported. For more information, see Fields that support the Global Resource Settings syntax.
- Open the service from the navigation panel in Dev Studio by clicking and choosing a service from the instance list.
- On the SAML 2.0 tab, expand the Service Provider (SP) settings section.
- In the Entity identification field, enter an entity ID to override the value that is auto-populated in new authentication services.
- In the Login (SSO) protocol binding list, the system provides a default protocol binding. You can change the binding protocol to one of the following:
  - HTTP Post – SAML protocol messages are transmitted in an HTML form with base64-encoded content.
  - HTTP Artifact – SAML protocol messages are transmitted using a unique identifier called an artifact. Select this protocol if you do not want to expose the content of the SAML message during connection.
  - HTTP Redirect – SAML protocol messages are transmitted within URL parameters.
- In the Assertion Consumer Service (ACS) location field, override the system-provided URL of the standard ACS REST service.
- In the Redirect logout location field, override the system-provided URL of the standard logout REST service.
- In the SOAP logout location field, override the system-provided URL of the standard logout SOAP service.
- In the Artifact Resolution Service (ARS) location field, override the system-provided URL of the standard ARS to send the artifact resolve request to the IdP.
- To disable the signing of authentication and logout requests from your application to the Identity Provider, select the Disable request signing check box.
- To reject all unsigned SAML assertions, select the Reject unsigned assertion check box.
- To select the SP private key that signs the SAML authentication and logout requests, in the Signing certificate section, click the Pencil icon.
  - In the KEYSTORE NAME field, press the Down Arrow key and select the keystore that contains the private key, private key alias, and password to use.
  - Click Submit.
- To select the SP private key that decrypts the response from the IdP for authentication and logout requests, in the Decryption certificate section, click the Pencil icon.
  - In the KEYSTORE NAME field, press the Down Arrow key and select the keystore that contains the private key, private key alias, and password to use.
  - Click Submit.
- To download the service provider metadata, click Save, and then click Download SP metadata.
- Click Save.