SSO SAML LDAP: configuration options

The following configuration options are specific to setting up SSO as SAML with LDAP user provisioning. For the complete set of options, see DGC service configuration settings.

SSO configuration parameter Value

Mode

SAML_LDAP

Header

Leave empty.

DN

If the SSO mode is SSO_HEADER_LDAP or SAML_LDAP, this field determines whether the distinguished name (DN) or an attribute is used to find the user in LDAP:

  • True: the header (for SAML, the nameID) has to contain the distinguished name (DN) of the user in the LDAP directory.
  • False: the header (for SAML, the nameID) has to contain the value of Attribute.

If the SSO mode is DISABLED, SSO_HEADER or SAML_ATTRIBUTES, this field is ignored.

Attribute

Set to the unique identifier of the LDAP directory, usually uid, when linking to LDAP through an LDAP attribute. The nameID in the SAML response has to contain the value of the attribute set here, and that value is looked up in the LDAP service. For example, if the value is sAMAccountName, the SAML response has to contain the sAMAccountName value of the user being signed in.
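To make the DN and Attribute options concrete, here is an added Python example (not Collibra code) of how a service provider would turn the nameID from a SAML response into an LDAP lookup under each setting. The SsoLdapSettings class, the base DN, the sample nameIDs and the (base, scope, filter) tuple it returns are assumptions made for this example; the check that a DN-mode nameID lies under the directory base is an extra safeguard, not something the page states.

```python
import re
from dataclasses import dataclass

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# One RDN: an attribute type, "=", then a value in which "," and "\" appear only escaped.
_RDN = r"[A-Za-z][\w.-]*=(?:\\.|[^,\\])+"
_DN_RE = re.compile(rf"{_RDN}(?:,{_RDN})*")


def escape_filter_value(value: str) -> str:
    """Escape a value taken from the SAML response before it is placed in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def looks_like_dn(value: str) -> bool:
    """Syntactic check that a nameID has the shape of a distinguished name (RFC 4514)."""
    return _DN_RE.fullmatch(value) is not None


def dn_within_base(dn: str, base_dn: str) -> bool:
    """True if dn equals base_dn or lies beneath it (simplified, case-insensitive match)."""
    dn_l, base_l = dn.lower(), base_dn.lower()
    return dn_l == base_l or dn_l.endswith("," + base_l)


@dataclass(frozen=True)
class SsoLdapSettings:
    """Assumed settings holder; field names mirror the options in the table above."""
    mode: str = "SAML_LDAP"
    dn: bool = False
    attribute: str = "uid"
    base_dn: str = "ou=people,dc=example,dc=com"  # assumed: search base of the directory


def ldap_search_for_name_id(settings: SsoLdapSettings, name_id: str):
    """Return the (base, scope, filter) LDAP search that locates the user named by the nameID.

    DN and Attribute only matter in the LDAP-backed SSO modes. When DN is True the
    nameID must be the user's DN; otherwise it must be the value of Attribute.
    """
    if settings.mode not in ("SAML_LDAP", "SSO_HEADER_LDAP"):
        raise ValueError("DN and Attribute are ignored outside the LDAP-backed SSO modes")
    if settings.dn:
        # DN mode: read exactly the entry the nameID points at (scope base).
        if not looks_like_dn(name_id):
            raise ValueError("nameID is not a distinguished name")
        if not dn_within_base(name_id, settings.base_dn):
            raise ValueError("nameID DN lies outside the configured directory base")
        return (name_id, "base", "(objectClass=*)")
    # Attribute mode: search the base for the entry whose attribute equals the nameID.
    # Escaping keeps an unexpected nameID value from changing the filter's structure.
    return (settings.base_dn, "subtree", f"({settings.attribute}={escape_filter_value(name_id)})")


if __name__ == "__main__":
    print(ldap_search_for_name_id(SsoLdapSettings(attribute="sAMAccountName"), "jdoe"))
    print(ldap_search_for_name_id(SsoLdapSettings(dn=True), "uid=jdoe,ou=people,dc=example,dc=com"))
```

The attribute branch is where care matters: the nameID is data received from the IDP, so it is escaped before it becomes part of a filter. The DN branch performs a base-scope read of the named entry, which is why only a syntactic DN check and a base check are needed there.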
SSO configuration parameter Value
Metadata HTTP

Enter the URL to the SAML metadata file. For example: http://url.to.your/metadata.xml.

Note: This parameter is ignored if you uploaded the SAML metadata file.

Entity ID

The entity ID as defined in the metadata file.

It defines which specific entity (IDP or SP) in the metadata file has to be used, because a SAML metadata file can define multiple entities. This is also useful in combination with Collibra when a planned upgrade of the IDP is coming up: you upload a new metadata file that contains both the current and the new entity, and when the time comes to switch, you only need to change the Entity ID configuration option.
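As an added example (not Collibra code) of the Entity ID option, the Python below reads a metadata file that bundles two IDP entities and selects the one whose entityID matches the configured value, then reads its single sign-on endpoint. The metadata document, its entity IDs and its endpoint locations are constructed placeholders for this example; the function names are assumptions too.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed metadata file bundling the current IDP entity and its planned successor.
# The entity IDs and locations are placeholders, not real endpoints.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example.test/current">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp.example.test/current/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.test/next">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp.example.test/next/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _entity_descriptors(root):
    """All EntityDescriptor elements, whether the file is one entity or a (nested) bundle."""
    tag = f"{{{MD}}}EntityDescriptor"
    return [root] if root.tag == tag else list(root.iter(tag))


def list_entity_ids(metadata_xml: str) -> list:
    """The entityID values present in the metadata file, in document order."""
    return [e.get("entityID") for e in _entity_descriptors(ET.fromstring(metadata_xml))]


def select_entity(metadata_xml: str, entity_id: str) -> ET.Element:
    """Pick the one EntityDescriptor matching the configured Entity ID; fail on 0 or >1 matches."""
    matches = [e for e in _entity_descriptors(ET.fromstring(metadata_xml))
               if e.get("entityID") == entity_id]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one entity with entityID {entity_id!r}, found {len(matches)}")
    return matches[0]


def idp_sso_location(entity: ET.Element, binding: str = REDIRECT) -> str:
    """The IDP's SingleSignOnService Location for the given binding."""
    for svc in entity.iter(f"{{{MD}}}SingleSignOnService"):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    raise LookupError(f"entity {entity.get('entityID')!r} has no SingleSignOnService for {binding}")


if __name__ == "__main__":
    print(list_entity_ids(SAMPLE_METADATA))
    chosen = select_entity(SAMPLE_METADATA, "https://idp.example.test/next")
    print(idp_sso_location(chosen))
```

Switching the Entity ID from the first value to the second is the whole cut-over; the metadata file itself does not change. The selection insists on exactly one match so that a duplicated entityID in an uploaded file is reported rather than silently resolved to the first copy. If metadata ever comes from a source you do not control, parse it with a hardened XML parser such as defusedxml rather than the standard library one.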

Groups DC managed
  • False: groups are managed by the SAML IDP.
  • True: groups are managed by DGC.

Service Provider Entity ID

Leave empty, unless the Base URL in General settings does not match the Service Provider Entity ID to be used.

Sign authentication requests

Set to True to use the SAML keypair to sign authentication requests.

Note: A SAML keypair in X.509 format is generated and stored in the SAML metadata file when Collibra is started for the first time.

Force authn
  • True (default): Make the SAML request ask for authentication every single time, even when the user is already known to the IDP.
  • False: Do not force re-authentication; the IDP may reuse an existing session for a user it already knows.

Force passive
  • False (default): The IDP is allowed to take visible control of the user interface/authentication.
  • True: The IDP is forced not to take visible control. Only for specific setups; see the SAML 2.0 specifications for more information.
Name ID

The nameID to be sent in the SAML Request.

nameID has to have the following format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

For other options, see the SAML 2.0 specifications. The IDP has to understand the nameID format in the SAML request, so it is recommended to set this to the format the IDP expects.

Name ID allow create
  • True (default): Allow the IDP to create a new nameID to satisfy the SP SAML Request.
  • False: Do not allow the IDP to create a new nameID.
Disable
  • False (default): Send the requested authentication context as configured in this section.
  • True: Disable the requested authentication context. Nothing else in this section applies anymore.

See also Configuring requested authentication context.

Comparison type

Defines how the IDP has to compare the strength of the authentication it performs with the authentication context requested in the SAML request. This is advanced configuration; see the SAML 2.0 specifications for more information.

Possible values:

  • minimum (default)
  • maximum
  • better
  • exact

See also Configuring requested authentication context.

Reference list

Contains the list of allowed authentication context references sent in the SAML request.

Default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

This is advanced configuration; see the SAML 2.0 specifications for more information.

Declaration list

Similar to the Reference list, but is empty by default.

This is advanced configuration; see the SAML 2.0 specifications for more information.
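The options from Force authn down to Declaration list all end up as attributes and child elements of the SAML AuthnRequest. The following added Python example (not Collibra code) builds that request from a settings object whose defaults mirror the values described above, so you can see where each option lands. The AuthnRequestSettings class, the function names and the sample entity IDs and destination are assumptions for this example; signing the request (the Sign authentication requests option) is not implemented here.

```python
import datetime
import uuid
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

COMPARISONS = ("minimum", "maximum", "better", "exact")  # Comparison type values


@dataclass(frozen=True)
class AuthnRequestSettings:
    """Assumed settings holder; defaults mirror the options described above."""
    sp_entity_id: str
    force_authn: bool = True
    force_passive: bool = False
    name_id_format: str = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    name_id_allow_create: bool = True
    disable_authn_context: bool = False
    comparison: str = "minimum"
    reference_list: tuple = ("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",)
    declaration_list: tuple = ()


def build_authn_request(settings, destination, request_id=None, issue_instant=None):
    """Build the samlp:AuthnRequest element the SP sends to the IDP for these settings."""
    if settings.comparison not in COMPARISONS:
        raise ValueError(f"Comparison type must be one of {COMPARISONS}")
    if settings.reference_list and settings.declaration_list:
        # RequestedAuthnContext carries class references or declaration references, not both.
        raise ValueError("use either the Reference list or the Declaration list, not both")
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant or now,
        "Destination": destination,
        "ForceAuthn": str(settings.force_authn).lower(),   # Force authn
        "IsPassive": str(settings.force_passive).lower(),  # Force passive
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = settings.sp_entity_id  # Service Provider Entity ID
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {
        "Format": settings.name_id_format,                          # Name ID
        "AllowCreate": str(settings.name_id_allow_create).lower(),  # Name ID allow create
    })
    if not settings.disable_authn_context:  # Disable = False: send the requested context
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                            {"Comparison": settings.comparison})  # Comparison type
        for ref in settings.reference_list:  # Reference list
            ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = ref
        for decl in settings.declaration_list:  # Declaration list
            ET.SubElement(rac, f"{{{SAML}}}AuthnContextDeclRef").text = decl
    return req


def requested_context(req):
    """Return (comparison, [references]) from a request, or None when the context is disabled."""
    rac = req.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None
    return rac.get("Comparison"), [child.text for child in rac]


def to_xml(req) -> str:
    """Serialise the request; this is what would be deflated/encoded or signed before sending."""
    return ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    settings = AuthnRequestSettings(sp_entity_id="https://sp.example.test/saml")  # placeholder
    print(to_xml(build_authn_request(settings, "https://idp.example.test/sso")))  # placeholder
```

With the defaults, the request carries ForceAuthn="true", IsPassive="false", a persistent NameIDPolicy with AllowCreate="true", and a RequestedAuthnContext with Comparison="minimum" listing the PasswordProtectedTransport class. Setting Disable to True drops the RequestedAuthnContext element entirely, which is why the Comparison type and both lists stop applying.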

When both Attribute and DN are defined, DN takes priority and the attribute-based configuration is ignored.