Add SAML 2.0 Application
This section provides step-by-step instructions for creating a SAML 2.0 application in Monokee. By following these instructions, you can configure the federation between a Service Provider (SP) and one of the Identity Providers (IDPs) defined in your Monokee domain using SAML 2.0. This allows you to delegate user authentication and authorization to Monokee, simplifying access management for your application.
The following steps guide you through the process of setting up a SAML application:
1. Navigate to your Monokee custom fully qualified domain name (FQDN) or, if you haven't set up a custom FQDN, go to Monokee's default page and enter your domain ID. Then enter your login credentials to access your account.
2. Open the left sidebar and select Applications from the menu.
3. This displays the list of applications. To create a new application, click the Add button in the top right corner of the table, then select SAML Application and click Add.
4. Monokee opens the General Configuration step. Refer to the generic section of the application documentation for instructions on how to configure this section.
5. Click Next to proceed to the Service Provider Configuration step.
6. Load the Service Provider metadata. Our advice is to download your SP metadata and upload it by clicking Load from file at the top of the configuration page. This way all required server configuration information is set automatically, without any manual input. The metadata can also be imported from a URL, or the fields can be filled in manually.
7. Verify that the metadata import set the desired flags in the Signing options section, depending on your needs.
8. Signature contains the certificates provided by the metadata loaded in step 6. To change the imported certificate, add the new certificate using the Add button and then delete the previous one by opening the accordion and clicking the Delete button. When inserting a certificate manually, make sure to include the header and footer as well:
   -----BEGIN CERTIFICATE-----
   and
   -----END CERTIFICATE-----
9. Assertion consumer services contains the endpoints and bindings supported by the SP metadata loaded in step 6. If you need to insert custom endpoints or change the ones provided, click the Add button and complete the necessary data. You can also change the preferred binding using the Index button, which changes the binding preference order.
10. Single logout services contains the endpoints and bindings supported by the SP metadata loaded in step 6. If you need to insert custom endpoints or change the ones provided, click the Add button and complete the necessary data.
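To make visible what the metadata import in step 6 actually pulls out of the SP's XML, here is an added Python example (not Monokee's code) that parses a constructed SP metadata document, lists the assertion consumer services in index order, the single logout services and the signing flags that the Signing options section should mirror, and wraps the bare X509Certificate value in the header and footer the manual certificate form expects. The entity ID, endpoints and certificate bytes are constructed placeholders, not real data.

```python
import base64
import xml.etree.ElementTree as ET  # in production prefer defusedxml to block XXE / entity expansion

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample SP metadata: hypothetical entity ID, endpoints and a truncated placeholder certificate.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBszCCAVmgAwIBAgIJAKZr</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/saml/slo"/>
    <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
    <md:AssertionConsumerService index="0" isDefault="true" Location="https://sp.example.test/saml/acs-artifact"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def to_pem(b64_der: str) -> str:
    """Wrap a bare base64 DER certificate in the header/footer the manual form requires."""
    body = "".join(b64_der.split())
    base64.b64decode(body, validate=True)  # reject non-base64 input before it reaches the config
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----"


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract what the Service Provider Configuration step is populated with."""
    root = ET.fromstring(xml_text)
    spsso = root.find("md:SPSSODescriptor", NS)
    # Index decides the binding preference order, so sort the ACS list by it.
    acs = sorted(
        ({"index": int(e.get("index")), "binding": e.get("Binding"),
          "location": e.get("Location"), "default": e.get("isDefault") == "true"}
         for e in spsso.findall("md:AssertionConsumerService", NS)),
        key=lambda s: s["index"])
    slo = [{"binding": e.get("Binding"), "location": e.get("Location")}
           for e in spsso.findall("md:SingleLogoutService", NS)]
    return {
        "entity_id": root.get("entityID"),
        # These two flags are what the Signing options section should reflect after import.
        "authn_requests_signed": spsso.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": spsso.get("WantAssertionsSigned") == "true",
        "acs": acs, "slo": slo,
        "signing_certs": [to_pem(c.text) for c in spsso.findall(".//ds:X509Certificate", NS)],
    }
```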
11. Click Next to proceed to the Additional Configuration step.
12. Please note that at least one IDP must be defined in Monokee before configuring a SAML 2.0 application. Here you can find the procedure to add an IDP.
13. Select the Identity provider from the dropdown menu, for example Default IDP SAML 2.0.
14. Select the Signature algorithm and Digest method used to sign the IDP's assertions, requests and responses. The SHA-256 based algorithm and digest method are the default values. You can also choose what the IDP must sign from a series of options in the Identity provider signing options section. If the SP has no specific limitations, flagging all options is best practice.
15. Click Next to proceed to the last step, Response Statement Configuration.
16. In the Authentication statement options, select the desired Subject format. For example, urn:oasis:names:tc:SAML:2.0:nameid-format:transient does not require attribute mapping and generates a random UUID for the subject. Leave the Subject confirmation method set to the default value urn:oasis:names:tc:SAML:2.0:cm:bearer.
17. In the Attribute statement section, specify the attributes you want to send to the SP by configuring them in the Attribute mapping rules. For example, you may choose to map the authentication attribute email to the value of the username user attribute, in this way:
   - Click New rule and insert email
   - Click Add
   - Choose username from the available items
   - Click Add
   - Click New rule and insert
   If the selected IDP declares a list of attributes, you can configure the mapping only for those specific attributes. However, if no attributes are declared in the IDP, you have the flexibility to insert any attribute you want. For additional information, please refer to the IDP's documentation.
18. Click the Create button in the bottom right corner to save the configuration.
19. Now import the metadata of the Monokee IDP you selected in step 13 into your SP. You can learn how to download the Monokee IDP metadata in the dedicated section.
20. You can assign the application to a user as explained in the user management section and access it using this URL:
   https://(new.monokee.com|<domain-custom-fqdn>)/app/saml/sso?domain_id=<domain-id>&application_id=<application-id>
   To retrieve the application ID of a newly created application, open the application's page and look at the last portion of the browser URL. The domain_id parameter is mandatory only if you are using the Monokee default hostname. This lets you test the IDP-initiated flow; you can also test the SP-initiated flow by triggering the SSO directly from the SP.