content/en/docs/marketplace/platform-supported-content/modules/SAML/_index.md
Lines changed: 6 additions & 4 deletions
@@ -83,6 +83,7 @@ For easy configuration, the SAML module offers the following:
* The SAML module keeps a log/audit trail of login attempts. These can be downloaded.
* The SAML module allows you to have an SSO connection with multiple SAML IdPs. Each IdP can have its own keypair.
* SAML module versions 3.5.0 and above (compatible with Mendix version 9.22.0 and above) support multiple keypairs.
+
* The SAML module supports multi-instance apps (horizontal scaling).


### Limitations{#limitations}

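Review bot: the new multi-instance bullet gives no version floor, while the bullet just above it pins multiple-keypair support to module 3.5.0 / Mendix 9.22.0; state the module version from which horizontal scaling is supported and whether any setting is needed. A SAML login spans two requests (the request this app issues and the response it later consumes, which this file elsewhere says must match the generated ID), so the bullet should also say explicitly that the in-flight request state is shared across instances and that no session affinity is required, otherwise a reader cannot tell whether "supports" means "works behind a plain round-robin load balancer".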
@@ -203,9 +204,9 @@ If you use this method, do not forget to set the **SSOLandingPage** constant to
The table below introduces you to several key updates when you upgrade the SAML module from V3.x to V4.x.

-
| Feature | Changes in Version 4.0.0 |
+
| Feature | Changes in Version 4.X |
| --- | --- |
-
| SSO Configuration | You can now perform SSO configuration during design time and deploy time. <br>Introduced deploy-time configuration and `Custom_Create_IdPConfiguration` microflow for customized SSO configuration. |
+
| SSO Configuration | You can perform SSO configuration during design time and deploy time. <br>For versions below 4.2.0, the module introduced deploy-time configuration and `Custom_Create_IdPConfiguration` microflow for customized SSO configuration. <br> From the version 4.2.0, you can instead use the `IdPConfiguration_MicroflowName` constant and configure your custom microflow name in it. |
| Admin Screen Restructuring | The **Mapping** tab has been removed. Equivalent configurations can now be completed on the **User Provisioning configuration** tab. <br> `evaluateMultipleUserMatches` microflow is now moved to the **User Commons**. |
| User Commons Module Integration | 1. From versions 4.0.0 and above, SAML2.0 is compatible with the UserCommons v2.0.0. <br> 2. The SAML module now integrates with the User Commons module, offering a more uniform experience with the OIDC SSO module. <br> 3. A new method for creating custom user provisioning microflows using User Commons simplifies development and allows you to automatically set the user-type for users <br> 4. Deprecated: SAML 3.x provisioning flows will be unsupported in future versions. It’s recommended to create new provisioning flows using User Commons after upgrading.<br> 5. From UserCommons 2.0.0, new users without IdP-specified time zone or language will use default App settings; existing users retain their previously set values.|
| InCommon Federation Support | Pre-configured support for InCommon Federation has been removed. You now need to create custom user provisioning microflows in version 4.0.0 |
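Review bot: the new SSO Configuration row says you "can instead use" the `IdPConfiguration_MicroflowName` constant from 4.2.0 but never says that `Custom_Create_IdPConfiguration` is deprecated, which the same commit states in the non-default-configuration paragraph (new line 290); the two should agree, and the row should say whether a project that still implements `Custom_Create_IdPConfiguration` keeps working on 4.2.0 or must migrate. The header was widened from "Version 4.0.0" to "Version 4.X", but the untouched InCommon Federation row still ends with "in version 4.0.0", which now reads as if it applied to one release only. Grammar: "From the version 4.2.0" should be "From version 4.2.0".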
@@ -286,7 +287,7 @@ After configuring the eight constants, you need to deploy the application. For d

The [Easy Default Flow](#easy-flow) section above, gives you an overview of the default settings. If you have requirements to deviate from these defaults, for example, to enable Force Authentication, change encryption settings from the default, or support multiple Identity Providers (IdPs), Non-default configuration setup offers advanced options for your SAML integration needs. With these features, you can customize the SAML configuration to meet your specific requirements.

-
In this configuration, you have several options to customize the Identity Provider (IdP) settings. Firstly, you can configure the IdP using constants. Additionally, the SAML module supports further customization of the IdP configuration through the implementation of a custom microflow called `Custom_Create_IdPConfiguration`. To do this, create a new object in the `Custom_Create_IdPConfiguration` microflow and add your own custom values to it. `Dep_IdPConfiguration.return` microflow returns a list of configured IdPs, which the SAML module then uses to generate the necessary SSO configurations for multiple IdPs.
+
In this configuration, you have several options to customize the Identity Provider (IdP) settings. Firstly, you can configure the IdP using constants. Additionally, the SAML module supports further customization of the IdP configuration through the implementation of a custom microflow called `Custom_Create_IdPConfiguration`. However, this microflow is deprecated from the version 4.2.0 of the module. From version 4.2.0 onward, use the `IdPConfiguration_MicroflowName` constant instead and configure your custom microflow name in it. The custom microflow must return a list of configured IdPs (`Dep_IdPConfiguration.return`), which the SAML module then uses to generate the necessary SSO configurations for multiple IdPs. The default value of the `IdPConfiguration_MicroflowName` constant is `SAML.Default_CreateIDPConfiguration`.

In this configuration, users have the flexibility to introduce their own constants by creating custom IdP configurations. To enable this configuration, you need the IdP metadata obtained by creating an SSO app in the IdP without complete dependency on SP metadata.

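Review bot: the rewritten paragraph still does not give the contract of the custom microflow. "must return a list of configured IdPs (`Dep_IdPConfiguration.return`)" reads as a variable name, not a type; say what the return type is (the attribute table in this file describes a non-persistable `IDPConfiguration` entity, so presumably a list of that) and whether the microflow takes any input parameters, otherwise a reader cannot write one or know what the default `SAML.Default_CreateIDPConfiguration` is expected to look like. Also state what the module does at deploy time when the constant names a microflow that does not exist or returns an empty list: whether the app fails to start or silently comes up with no IdP, which matters because this constant is the switch that decides which identity providers the app trusts. Grammar: "deprecated from the version 4.2.0" should be "deprecated from version 4.2.0".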
@@ -310,6 +311,8 @@ The below table shows you the different attributes and their values for quick re
| IDPConfiguration(Non-Persistable entity) | Description | Default Value |
| --- | --- | --- |
| **Alias** (mandatory) | This represents IdPconfiguration Alias | |
+
| **IdPMetadataURL** (mandatory) | This represents the URL of the IdPMetadataURL | |
+
| **IdPConfiguration_MicroflowName** | This constant specifies a custom microflow that returns a list of IdP configurations and is used to create SAML IdP configurations at deploy time. | `SAML.Default_CreateIDPConfiguration` |
| **ResponseProtocolBinding** | Response protocol binding contains a caption value of SAML20.Enum_ProtocolBinding | POST_BINDING |
| **EnableAssertionConsumerServiceIndex** | EnableAssertionConsumerService Concept contains caption value of SAML20.Enum_AssertionConsumerServiceIndex | NO |
| **AssertionConsumerServiceIndex** | This should hold the same value for the SAML configuration and the IdPs. | 0 |
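Review bot: `IdPConfiguration_MicroflowName` is a module constant (the new row's own description says "This constant") and not an attribute of the `IDPConfiguration` non-persistable entity this table is headed with; putting it between two entity attributes will make readers look for it on the entity. Move it to the constants table, or add a note that it is the constant that selects the microflow producing these entities. The relocated **IdPMetadataURL** row keeps the circular description "the URL of the IdPMetadataURL"; since the metadata fetched from that URL is what gives the SP the IdP entityID and the signing certificate it will trust, describe it as the URL from which the module downloads the IdP's SAML metadata and recommend an https:// URL, so that the trust anchor is not fetched over plain HTTP.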
@@ -321,7 +324,6 @@ The below table shows you the different attributes and their values for quick re
| **InSessionServiceName** | It represents the In-Session Attribute Consuming Service name | Service2 |
| **InSessionAttributeConsumingServiceIndex** | It represents the In-Session Attribute Consuming Service Index | 2 |
| **InSessionDep_SPAttribute_Dep_IdPConfiguration**| It will display the details of Value, Name, IsRequired details | |
-
| **IdPMetadataURL** (mandatory) | This represents the URL of the IdPMetadataURL | |
| **PreferredEntityDescriptor** | It represents the entityID of the EntityDescriptor | |
| **AllowIdpInitiatedAuthentication** | Authentication should start at this application, which generates an ID. The authenticated response should match this generated Id. If no request can be found that matches the response Id the information is rejected. If your IdP can initiate a new transaction (with a new or no Id) and you want to allow this you can check this box. | FALSE |
| **EnableForceAuthentication** | will force the SAML IdP to (re)authenticate end-users, even if they are already signed in at the SAML IdP. | FALSE |
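Review bot: this hunk is only the removal half of the IdPMetadataURL move, which is fine. While this table is being edited, the **AllowIdpInitiatedAuthentication** context row is hard to read ("Authentication should start at this application, which generates an ID ... you can check this box"); rewording it along the lines of "By default only SP-initiated logins are accepted: a response whose ID does not match a request this app issued is rejected. Set to TRUE to also accept unsolicited IdP-initiated responses" would make clear that enabling it relaxes that request-matching check, and the default of FALSE is the safer one.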