SAML Configuration

 

To configure SAML, the system administrator has to do the following tasks:

Enable SAML authentication

  1. Login to OpenSpecimen as super admin
  2. Click on 'Settings' card 
  3. Click on 'Authentication' tab
  4. Edit 'Enable SAML authentication' property
  5. Click on 'Enable' and update.
  6. Ensure the Application URL is correctly configured. This URL is used for redirects from the IdP to the app.

Configure the SAML properties using the UI

Super admins can configure SAML via UI (v6.1 onwards) by going to Extras from home page. 

Click on 'Identity Providers' and create a new entry for registering to SAML. Select the type as SAML and fill all required details

Once SAML details are updated, download the OpenSpecimen (Service Provider) metadata from the UI to register it into IdP server.



ItemDescription
NameUnique name given to the identity provider or auth domain. This name appears in the sign-in dropdown. Selecting this option redirects users to the IdP page.
IdP URLThis is the value of entityID attribute present in the IdP metadata XML.
IdP MetadataIdP metadata XML. This can be downloaded from the IdP server. OpenSpecimen uses this metadata for securely exchanging the messages with the IdP server.
User ID Attribute

The name of the attribute in the SAML assertion (received from the IdP server) that contains the user ID. Example uid, sAMAccountName etc.

This is optional if the email attribute is specified (see below). The value of this attribute should match the login name of the OpenSpecimen user.

Email AttributeThe name of the attribute in the SAML assertion that contains the email address. This is optional if the user ID attribute is specified.
Certificate DN

This is used to generate the public & private keys for exchanging messages with the IdP server. The format of this field value is typically

cn=<Common Name>, ou=<Organisation Unit>, o=<Organisation>, c=<Country>

Example: cn=demo.openspecimen.org, ou=Engineering, o=Krishagni, c=India

Usually, OpenSpecimen instance hostname is used for the common name (cn) as in the above example.