This section summarizes the contents of each item in the App settings.
Abbreviations are used for some terms.
SP: Service Provider, the application to which the SSO is directed.
IdP: Identity Provider. Within this document, YubiOn Portal.
For other terms, please refer to the “SSO Glossary”.
Item | Contents |
---|---|
IdP login URL | The endpoint URL of the IdP, set on the SP. Some SPs call this the “single sign-on URL,” “IdP endpoint URL,” or “AuthnRequest URL”. |
IdP Entity ID | The entity ID of the IdP, set on the SP. Some SPs do not require it. Some SPs call it the “IdP issuer”. |
Application name | The name of the application displayed on the YubiOn Portal, such as on the SSO App login screen. Since this name is not included in the SSO communication content, please specify a name that is easily identifiable within your organization. |
SP login URL | Set the login URL specified on the SP. Used when the app login icon on YubiOn Portal is clicked or when the SP login URL is not specified in the authn request from SP. Some SPs may use notations such as “ACS (Assertion Consumer Service) URL,” “SP Endpoint URL,” or “SAML Response URL”. |
SP Entity ID | Set the entity ID specified on the SP. If this field is left empty in YubiOn Portal, the SP login URL is used as the SP entity ID (the Audience) in the SAML communication. Depending on the SP, the term “SP Issuer”, “Audience”, or “Relying party identifier” may be used. |
User ID value setting | Set the user ID value to be passed to the SP. The SAML standard calls this the “NameID”, but many SPs use a notation such as “user ID,” which YubiOn Portal also uses. For details on how to specify the value, refer to the separate page on the user ID value. |
Detailed settings below | |
User ID type | Set the type of the user ID. In most cases “Unspecified” is valid, but some SPs do not accept that type. In such cases, follow the instructions of the SP and select “Mail address” or “Others” to set the type required by the SP. In the SAML standard this is the “Format” of the “NameID”: “Unspecified” is “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified” and “Mail address” is “urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress”. If you need a NameID Format other than these, enter the SAML standard name directly under “Others”. |
Default relay state | Set the RelayState value that is passed to the SP when logging in from the SSO App login. Depending on the implementation of the SP, an appropriate value can select the page to be displayed after login. For many SPs a blank field is fine, but some SPs do not work properly with an empty value and a “/” or similar must be specified. |
Default request method | Set the method used to send the SAML response to the SP when SSO is started from the YubiOn Portal (IdP). The HTTP-Redirect and HTTP-POST bindings are available, and some SPs accept only one of the two. |
Session timeout | Set the period for which the login by SSO will be valid. After SSO login, the user must log in again after the specified time has elapsed. However, some SPs may ignore this value and enforce their own timeout period. |
Support IdP-Initiated | Set whether SSO login started from the YubiOn Portal (IdP-Initiated) is supported. When the app login icon on YubiOn Portal is clicked and this is supported, a SAML response is sent to the SP login URL. If it is not supported, the browser is simply redirected to the SP login URL. Some SPs only support SP-Initiated logins and do not accept IdP-Initiated logins. |
Verify the signature of the SP | Set whether to verify the signature on the authentication request (AuthnRequest) from the SP. Some SPs sign their AuthnRequests and others do not. Setting this item to “Not verify” accepts both signed and unsigned requests, but where the SP signs its requests it is more secure to set it to “Verify”, because the IdP then rejects AuthnRequests that were not signed with the SP’s key. If this item is set to “Verify”, the SP certificate must be set. |
SP certificate | Set the certificate used to verify the signature of the AuthnRequest from the SP. This item must be set if the SP signature verification is set to “Verify”. YubiOn Portal accepts certificates in the text format called PEM, which starts with “-----BEGIN CERTIFICATE-----” and ends with “-----END CERTIFICATE-----”. If the SP provides the certificate in a different format, convert it to PEM before setting it. |
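SPs hand out their signing certificate in several shapes: a PEM file, the bare base64 text inside the `<ds:X509Certificate>` element of their metadata, or a binary DER (`.cer`) file. The helper below, an added example that is not YubiOn code and uses only the Python standard library, normalizes all three to the PEM form the “SP certificate” item expects and checks that the decoded bytes are one complete DER SEQUENCE before wrapping them. It does not parse or validate the certificate contents; the `FAKE_DER` bytes used in the demo are a constructed placeholder, not a real certificate.

```python
"""Normalize an SP certificate (PEM, bare base64, or DER) to PEM text.
Added example, standard library only. Structure is checked (one DER
SEQUENCE whose declared length matches the data); contents are not."""
import base64
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_sequence_length(der):
    """Total length claimed by a DER SEQUENCE header, or None if the bytes
    do not start with a well-formed SEQUENCE header (tag 0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def to_der(data):
    """Accept PEM text, bare base64 text (as in <ds:X509Certificate>), or
    DER bytes and return the DER bytes. A real certificate always starts
    with 0x30, so binary input is recognised by that first byte."""
    if isinstance(data, bytes) and data[:1] == b"\x30":
        der = data
    else:
        text = data.decode("ascii") if isinstance(data, bytes) else data
        m = _PEM_BLOCK.search(text)
        body = m.group(1) if m else text
        # validate=True rejects stray characters instead of skipping them
        der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
    if der_sequence_length(der) != len(der):
        raise ValueError("input is not a single DER-encoded certificate")
    return der


def to_pem(data):
    """Canonical PEM: header, base64 wrapped at 64 columns, footer."""
    b64 = base64.b64encode(to_der(data)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


# Constructed placeholder: a SEQUENCE (long-form length 0x0100) holding
# 256 zero bytes. Structurally valid DER, but NOT a real certificate.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)

if __name__ == "__main__":
    pem = to_pem(FAKE_DER)
    print(pem)
    # round-trip: PEM -> DER and bare base64 -> DER give the same bytes
    bare = "".join(pem.splitlines()[1:-1])
    assert to_der(pem) == to_der(bare) == FAKE_DER
```

The equivalent one-liner with OpenSSL, for a DER file from the SP, is `openssl x509 -inform DER -in sp.cer -out sp.pem`; the script is useful when the SP only gives you the base64 blob from its metadata.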
Items | Contents |
---|---|
Attribute name | Set the identification name when passing attributes to the SP. Please refer to the SP manual for the attribute names accepted by SP and their meanings. |
Attribute friendly name | Set a name that describes the content of the attribute. This setting is not used in the SSO communication itself; it is an alias that makes attribute keys easier to tell apart on the YubiOn Portal when the keys themselves are not intuitive. In the SAML standard this is the “FriendlyName” attribute of “Attribute” (the same attribute appears on “RequestedAttribute” in SP metadata), and some SP manuals call it the “friendly name”. |
Attribute value | Set the attribute value to be passed to the SP. Although the SAML standard allows the type of this value to be declared, YubiOn Portal always sends attribute values as strings (xs:string). |
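To show how the items in the two tables above end up in the SAML message, the following added example (not YubiOn code; Python standard library only) assembles a SAML Response from a settings dictionary whose keys mirror the table items, then encodes it for both request methods. It covers the “User ID type” to NameID Format mapping, the SP login URL fallback for an empty SP Entity ID, the session timeout as `SessionNotOnOrAfter`, the RelayState handling, the attribute statement with `FriendlyName` and `xs:string` values, and the HTTP-POST versus HTTP-Redirect encodings. The URLs, entity IDs, user and attributes are constructed placeholders, and the Response is left unsigned; a real IdP signs the Response or Assertion with its own key.

```python
"""Build a SAML Response from App-settings-style values and encode it for
HTTP-POST and HTTP-Redirect. Added example; all values are placeholders
and no signature is applied."""
import base64
import uuid
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, parse_qs
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_XS = "http://www.w3.org/2001/XMLSchema"
NS_XSI = "http://www.w3.org/2001/XMLSchema-instance"
for _p, _u in (("samlp", NS_SAMLP), ("saml", NS_SAML), ("xsi", NS_XSI)):
    ET.register_namespace(_p, _u)

# "User ID type" setting -> NameID Format URN
NAMEID_FORMATS = {
    "Unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "Mail address": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}

# Constructed placeholder settings; keys mirror the table items.
SETTINGS = {
    "idp_entity_id": "https://idp.example.test/saml",
    "sp_login_url": "https://sp.example.test/saml/acs",
    "sp_entity_id": "",                 # empty -> SP login URL is used
    "user_id_type": "Mail address",
    "user_id_format_other": None,       # only used with "Others"
    "session_timeout_min": 60,
}
ATTRIBUTES = [{"name": "urn:oid:0.9.2342.19200300.100.1.3",
               "friendly_name": "mail", "value": "alice@example.test"}]


def nameid_format(user_id_type, other=None):
    """"Others" passes through the Format URN the SP asked for."""
    if user_id_type == "Others":
        if not other:
            raise ValueError('"Others" needs the SP-specified Format URN')
        return other
    return NAMEID_FORMATS[user_id_type]


def build_response(settings, user_id, attributes, now=None):
    now = now or datetime.now(timezone.utc)
    ts = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    audience = settings.get("sp_entity_id") or settings["sp_login_url"]
    root = ET.Element(f"{{{NS_SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": ts(now),
        "Destination": settings["sp_login_url"],
        "xmlns:xs": NS_XS})             # declared so xsi:type="xs:string" resolves
    ET.SubElement(root, f"{{{NS_SAML}}}Issuer").text = settings["idp_entity_id"]
    st = ET.SubElement(root, f"{{{NS_SAMLP}}}Status")
    ET.SubElement(st, f"{{{NS_SAMLP}}}StatusCode",
                  Value="urn:oasis:names:tc:SAML:2.0:status:Success")
    a = ET.SubElement(root, f"{{{NS_SAML}}}Assertion", ID="_" + uuid.uuid4().hex,
                      Version="2.0", IssueInstant=ts(now))
    ET.SubElement(a, f"{{{NS_SAML}}}Issuer").text = settings["idp_entity_id"]
    subj = ET.SubElement(a, f"{{{NS_SAML}}}Subject")
    fmt = nameid_format(settings["user_id_type"], settings.get("user_id_format_other"))
    ET.SubElement(subj, f"{{{NS_SAML}}}NameID", Format=fmt).text = user_id
    sc = ET.SubElement(subj, f"{{{NS_SAML}}}SubjectConfirmation",
                       Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(sc, f"{{{NS_SAML}}}SubjectConfirmationData",
                  Recipient=settings["sp_login_url"],
                  NotOnOrAfter=ts(now + timedelta(minutes=5)))
    cond = ET.SubElement(a, f"{{{NS_SAML}}}Conditions", NotBefore=ts(now),
                         NotOnOrAfter=ts(now + timedelta(minutes=5)))
    ar = ET.SubElement(cond, f"{{{NS_SAML}}}AudienceRestriction")
    ET.SubElement(ar, f"{{{NS_SAML}}}Audience").text = audience
    # "Session timeout" -> SessionNotOnOrAfter (an SP may ignore it)
    ET.SubElement(a, f"{{{NS_SAML}}}AuthnStatement", AuthnInstant=ts(now),
                  SessionNotOnOrAfter=ts(now + timedelta(minutes=settings["session_timeout_min"])))
    if attributes:
        ast = ET.SubElement(a, f"{{{NS_SAML}}}AttributeStatement")
        for attr in attributes:
            el = ET.SubElement(ast, f"{{{NS_SAML}}}Attribute", Name=attr["name"])
            if attr.get("friendly_name"):       # alias only, not security relevant
                el.set("FriendlyName", attr["friendly_name"])
            ET.SubElement(el, f"{{{NS_SAML}}}AttributeValue",
                          {f"{{{NS_XSI}}}type": "xs:string"}).text = attr["value"]
    return ET.tostring(root, encoding="unicode")


def summarize(xml):
    """Fields an SP checks, pulled back out of a Response."""
    r = ET.fromstring(xml)
    nid = r.find(f".//{{{NS_SAML}}}NameID")
    return {"destination": r.get("Destination"),
            "audience": r.findtext(f".//{{{NS_SAML}}}Audience"),
            "name_id": nid.text, "name_id_format": nid.get("Format"),
            "attributes": {x.get("Name"): x.findtext(f"{{{NS_SAML}}}AttributeValue")
                           for x in r.iter(f"{{{NS_SAML}}}Attribute")}}


def encode_http_post(xml, relay_state=""):
    """Form fields for HTTP-POST. RelayState is omitted when blank; SPs
    that choke on an empty value need "/" in "Default relay state"."""
    fields = {"SAMLResponse": base64.b64encode(xml.encode()).decode("ascii")}
    if relay_state:
        fields["RelayState"] = relay_state
    return fields


def decode_http_post(saml_response):
    return base64.b64decode(saml_response).decode()


def encode_http_redirect(xml, relay_state=""):
    """Query string for HTTP-Redirect: raw DEFLATE, base64, URL-encode."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)       # -15: no zlib header
    deflated = c.compress(xml.encode()) + c.flush()
    params = {"SAMLResponse": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_http_redirect(query):
    """What the receiving side does with an HTTP-Redirect query string."""
    q = parse_qs(query)
    xml = zlib.decompress(base64.b64decode(q["SAMLResponse"][0]), -15).decode()
    return xml, q.get("RelayState", [""])[0]


if __name__ == "__main__":
    resp = build_response(SETTINGS, "alice@example.test", ATTRIBUTES)
    print(summarize(resp))
    print(encode_http_post(resp, "/"))
    print(encode_http_redirect(resp, "/"))
```

The two encodings differ only in transport: HTTP-POST carries the base64 XML in a form field, while HTTP-Redirect deflates it first so it fits in a URL, which is why some SPs accept only one of them.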