<aside> 💡 You can find more information about SAML authentication and its communication flow in the SAML Authentication article.
</aside>
The instructions given below are based on version 3.0.12 of the Collection Manager. Currently, the Collection Manager supports only SAML version 2.0 or greater. As of this writing, successful implementations have been tested with the following single-sign-on products:
SAML-based authentication for patrons requires some configuration before it will work correctly. The configuration parameters are described in Table I.
Table I. SAML Authentication Provider Configuration
Please note that the Collection Manager supports both non-federated and federated IdPs simultaneously, but at least one IdP MUST be configured.
Since the Collection Manager acts as the SAML Service Provider, you must create an XML document with the appropriate service information included. If you are new to SAML, it will be easiest to use tools provided by OneLogin, Inc., to create the required XML data. The instructions below provide information needed by the tools, and show how to generate the Service Provider XML metadata you will need to create the SAML configuration in Configuring a SAML Patron Authentication Integration below. The steps included have been demonstrated to work in one instance; however, a couple of values and the placement of the X.509 certificate value may need to change in other circumstances. Two of the OneLogin SAML Tools are important in building the Circulation Manager's SP metadata document:
While the Service Provider private key described above is optional, we highly recommend, and the SAML Identity Provider may require, that the SAML requests from the Collection Manager be signed. So we will begin by creating a self-signed X.509 certificate (which carries the public key matching that private key) to be included in your Service Provider metadata document. If you will not be using a certificate for signing requests, you can skip section A below and go straight to section B.
Finally, in addition to the Service Provider metadata, you will also need an XML document describing access to the Identity Provider's system. However, that document contains data that must come from the organization operating the Identity Provider (perhaps a third party to the library). If possible, obtain a copy of the provider's Identity Provider XML metadata document. If you must create your own (and you receive the requisite data from the provider), OneLogin also provides a tool to generate the IdP document: Build IdP Metadata.
For the configuration steps below, we assume you will get the Identity Provider XML metadata document directly from the provider.
To begin, you will need an X.509 certificate. This could be a commercially obtained certificate; however, in our limited experience, a self-signed certificate will be acceptable. We will use OneLogin's online form to create a basic certificate. They do warn about the security of the information you supply to the online form. For most implementations, the online generator provides sufficient security; however, if security is a major concern for your Collection Manager implementation, you should create the certificate separately, on a local computer.
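For the local alternative mentioned above, here is an added example (not from this page, the Collection Manager project, or the OneLogin tools) that creates the self-signed signing certificate with openssl and wraps it in a minimal SP metadata document of the kind section B produces; the entity ID, ACS URL, and certificate subject are placeholders, and the metadata skeleton is a generic SAML 2.0 layout rather than the exact output of the OneLogin builder.

```shell
#!/bin/sh
# Added example: build a signing certificate locally and embed it in a
# minimal SAML 2.0 SP metadata document. Entity ID, ACS URL and the
# certificate subject are placeholders, not values from the original page.
set -eu

# Generate a 2048-bit RSA key and a self-signed X.509 certificate valid
# for 10 years. -nodes leaves the private key unencrypted on disk, so it
# is created with owner-only permissions; only sp-cert.pem (the public
# half) is ever shared with the Identity Provider.
make_sp_cert() {
  dir=$1
  umask 077
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/CN=cm.example.org/O=Example Library" \
    -keyout "$dir/sp-key.pem" -out "$dir/sp-cert.pem" >/dev/null 2>&1
}

# Strip the PEM armor and newlines: <ds:X509Certificate> holds bare base64.
cert_base64() {
  sed -e '/-----BEGIN CERTIFICATE-----/d' -e '/-----END CERTIFICATE-----/d' "$1" | tr -d '\n'
}

# Emit SP metadata with one "signing" KeyDescriptor, signed AuthnRequests
# declared, signed assertions requested, and a single HTTP-POST ACS endpoint.
build_sp_metadata() {
  entity_id=$1; acs_url=$2; cert_file=$3
  cat <<EOF
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="$entity_id">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>$(cert_base64 "$cert_file")</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="$acs_url"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
}
```

Before handing the metadata to the IdP, confirm the embedded certificate is the one whose private key the Collection Manager will be configured with (for example by comparing `openssl x509 -noout -fingerprint` against the key pair on the server).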