Signiant Support

Configuring SAML for Media Shuttle


Media Shuttle supports authentication using SAML 2.0 compatible identity providers to allow portal members to use Single Sign-On (SSO). To use an external identity provider with Media Shuttle, both Media Shuttle and your identity provider require configuration so that they communicate using SAML.

In Media Shuttle you must configure your Configuration Type, Service Provider Metadata, Domain Restrictions and Identity Provider Metadata.

Metadata Configuration Files

In establishing the trust between the service provider and the identity provider, there are two metadata configuration files:

  • Service Provider Metadata: This file allows the identity provider to know the request is originating from an authorized service provider. The service provider metadata file also provides the location to which users are returned after authenticating through the identity provider.

    Note: Some identity providers accept a Service Provider Metadata URL. Others require you to input service provider metadata manually. For configuration details, see Service Provider Metadata.

  • Identity Provider Metadata: This file tells Media Shuttle where to send the user to be authenticated. Its information is stored within Media Shuttle. The metadata can be updated by referencing the file again and selecting Save Changes.

    Note: The identity provider metadata must include an HTTP-Post login service location. HTTP-Redirect services are not supported.

    Example:
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com:9031/idp/SSO.saml2"/>
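Because Media Shuttle only posts to an HTTP-POST login service, it is worth checking an identity provider's metadata export before uploading it. The following script is an added example and not Signiant's code; it parses the metadata with the standard library, lists every SingleSignOnService binding, and returns the HTTP-POST location or None when only unsupported bindings (such as HTTP-Redirect) are offered. The entityID, the SSO URL and the metadata builder are constructed for the example.

```python
# Added example (not Signiant's code): confirm that identity provider metadata offers the
# HTTP-POST SingleSignOnService that Media Shuttle requires, before uploading it.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def sso_services(metadata_xml):
    """Map each advertised SingleSignOnService binding to its Location."""
    root = ET.fromstring(metadata_xml)
    services = {}
    for svc in root.iter(f"{{{MD}}}SingleSignOnService"):
        binding, location = svc.get("Binding"), svc.get("Location")
        if binding and location:
            services[binding] = location
    return services


def post_login_location(metadata_xml):
    """Location the AuthnRequest will be posted to, or None if the metadata
    only offers bindings Media Shuttle does not support (e.g. HTTP-Redirect alone)."""
    return sso_services(metadata_xml).get(HTTP_POST)


# Constructed sample: a minimal IdP metadata document (hypothetical entityID and URL).
SSO_URL = "https://example.com:9031/idp/SSO.saml2"


def build_idp_metadata(bindings):
    """Build a small IdP metadata document advertising the given SSO bindings."""
    services = "\n".join(
        f'    <md:SingleSignOnService Binding="{b}" Location="{SSO_URL}"/>' for b in bindings)
    return f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://example.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
{services}
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    both = build_idp_metadata([HTTP_REDIRECT, HTTP_POST])
    redirect_only = build_idp_metadata([HTTP_REDIRECT])
    print("both bindings      ->", post_login_location(both))
    print("HTTP-Redirect only ->", post_login_location(redirect_only))
```

Run it against a real export by reading the file into a string and calling post_login_location on it; a None result means the identity provider must be reconfigured to publish an HTTP-POST binding before the metadata is saved in Media Shuttle.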

To configure SAML for Media Shuttle:

  1. In the Account Administration console, click Security.
  2. Under Authentication, select Login is required.
  3. Under Authentication type, select SAML 2.0.
  4. Select a configuration type:
    • Account level: Configure access to all existing portals and any new portals with the same SAML authentication settings.
    • Portal level: Configure access to portals with SAML on an individual basis.
  5. Add Media Shuttle’s Service Provider Metadata to your identity provider.
    • If your identity provider accepts a URL, copy and paste the metadata link.
    • If your identity provider requires you to input metadata, open the link in your browser and copy the properties from the XML file.
  6. Select domain restrictions:
    • Unrestricted domains: Uses the same identity provider for all portal members and administrators authenticating with SAML.
    • Restricted domains: Allows you to require SAML authentication for users from specified email domains. Users from all other domains will be authenticated through Media Shuttle. You can also select Configure identity provider for all other users to specify that users from other domains require authentication by another identity provider.
  7. Enter your Sign in display name. By default, the displayed text is “Sign in with SAML”.
  8. Ensure that Auto-add SAML authenticated members to this portal is selected to give all authenticated members access to Media Shuttle. If this option is disabled, membership is controlled by the portal administrator.
  9. Specify your Identity Provider Metadata by pasting in the identity provider’s metadata URL or by clicking Browse and selecting the XML file that contains the identity provider’s metadata.
  10. Click Save Changes.

Service Provider Metadata

Some identity providers do not accept a Service Provider Metadata URL. If you are required to input the metadata, refer to the following configuration information to make your SAML identity provider compatible with Media Shuttle.

Account level configuration

Single Sign-on URL: https://portals.mediashuttle.com/auth
Audience URI (SP Entity ID): mediashuttle
Name ID format: Email Address
Application Username: Email

Advanced Settings
Enable Single Logout: Allow application to initiate Single logout
Single Logout URL: https://portals.mediashuttle.com/auth
SP Issuer: mediashuttle
Signature Certificate: X509 Certificate, which can be found in your service provider metadata

Attribute Statements (optional)
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Name Format: Unspecified
Value: user.email

Portal level configuration

Single Sign-on URL: https://<Portal URL>/auth
Audience URI (SP Entity ID): https://<Portal URL>/
Name ID format: Email Address
Application Username: Email

Advanced Settings
Enable Single Logout: Allow application to initiate Single logout
Single Logout URL: https://<Portal URL>/auth
SP Issuer: <Portal URL>
Signature Certificate: X509 Certificate, which can be found in your service provider metadata

Attribute Statements (optional)
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Name Format: Unspecified
Value: user.email

Example of SAML Response

<samlp:Response
            ID="_445ccef1-bd01-4db3-9070-00f647cec462"
       Version="2.0"
  IssueInstant="2014-05-13T13:42:26.698Z"
   Destination="https://portals.mediashuttle.com/"
       Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
   xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://DOMAIN.SIGNIANT.COM/adfs/services/trust</Issuer>

<samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>

<Assertion  ID="_0edfeecb-d4b9-4c05-94b1-87f481fbef5f"
  IssueInstant="2014-05-13T13:42:26.698Z"
       Version="2.0"
         xmlns="urn:oasis:names:tc:SAML:2.0:assertion">

<Issuer>http://DOMAIN.SIGNIANT.COM/adfs/services/trust</Issuer>

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

<ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
  <ds:Reference URI="#_0edfeecb-d4b9-4c05-94b1-87f481fbef5f">
    <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <ds:DigestValue>eBqiql2K1DeMs9E9dma0xmX8f5Q=</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>

<ds:SignatureValue>
  XYH8aMT83V8x2UKiuq8nmq6fJHUwh9tPgITOecz04ZPtkyIFxd35trwT52apask0E7NKVAV5YLwhAQTMWIXN0n37
  kK8u+vH8NhOvtc/vWFjtP9xJtfpV3z5Bpr+DicotcJQtdYrVOTPp/hi4VFGVsvltGgOKP8wWKoqgSpYIxW+0XAa+
  GGjU3R1/02xdh+Kxu2jSSEh7KVVHfJczaBBcnWNpdqQGW34pi/o9mIAfFt84JdDL6XDA9s5gmQtYEq57mefnWu7C
  y1KhMn280oSfehXX/IrjLw+Ul6O83COuGlGk4NkP7+lhtlykdBT75VcDeLuzT0buE+UarPB2r6ELw==
</ds:SignatureValue>

<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <ds:X509Data>
    <ds:X509Certificate>
      MIIDCjCCAfKgAwIBAgIQItadkVa/169JQ50mMowjrjANBgkqhkiG9w0BAQsFADBBMT8wPQYDVQQDEzZBREZTI
      FNpZ25pbcgLSBBVVRPRE9NQUlOMS5BVVRPTUFUSU9OLk9UVC5TSUdOSUFOVC5DT00wHhcNMTMxMDIyMTcyNzU
      A2WhcNMTQxMDIyMTyNzA2WjBBMT8wPQYDVQQDEzZBREZTIFNpZ25pbmcgLSBBVVRPRE9NQUlOMS5BVVRPTUFUS
    </ds:X509Certificate>
  </ds:X509Data>
</KeyInfo>
</ds:Signature>

<Subject>
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">mDRQfjMoWYFpeu5DCWD6kbJlAlNyrYXzXgMT/PVF3pk=</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData NotOnOrAfter="2014-05-13T13:47:26.698Z"
                                Recipient="https://sample.mediashuttle.com/"/>
  </SubjectConfirmation>
</Subject>

<Conditions NotBefore="2014-05-13T13:42:26.695Z" NotOnOrAfter="2014-05-13T14:42:26.695Z">
  <AudienceRestriction>
    <Audience>https://sample.mediashuttle.com/</Audience>
  </AudienceRestriction>
</Conditions>

<AttributeStatement>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>testuser@signiant.com</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
    <AttributeValue>testuser@signiant.com</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/claims/CommonName">
    <AttributeValue>testuser</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
    <AttributeValue>Test User</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
    <AttributeValue>Test</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
    <AttributeValue>User</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
    <AttributeValue>Domain Users</AttributeValue>
  </Attribute>
</AttributeStatement>

<AuthnStatement AuthnInstant="2014-05-13T13:42:13.933Z"
                SessionIndex="_0edfeecb-d4b9-4c05-94b1-87f481fbef5f">
<AuthnContext>
  <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
</AuthnContext>

</AuthnStatement>
</Assertion>
</samlp:Response>
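A response like the one above is only safe to act on after the service provider has checked the parts that bind it to this portal and this moment: the Status, that the signature's Reference covers the Assertion's ID, the Conditions window and Audience, the bearer SubjectConfirmationData's Recipient and its (shorter) NotOnOrAfter, and finally the emailaddress attribute that Media Shuttle maps to the member. The script below is an added example and not Signiant's code. It performs those structural checks with the standard library over a constructed, shortened response modelled on the example above; the identifiers, issuer and signature value are placeholders, and cryptographic verification of ds:SignatureValue is deliberately left to a SAML library, which these checks complement rather than replace.

```python
# Added example (not Signiant's code): structural checks a service provider applies to a
# SAML Response before trusting the email it carries. Verifying ds:SignatureValue itself
# belongs to a SAML/xmlsec library; the checks here complement that, they do not replace it.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def parse_instant(value):
    """SAML timestamps are UTC ('Z'), with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unparseable SAML timestamp: {value!r}")


def check_response(xml_text, expected_audience, expected_recipient, now):
    """Return (ok, problems, email); ok is True only when problems is empty."""
    root = ET.fromstring(xml_text)
    problems = []

    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != STATUS_SUCCESS:
        problems.append("StatusCode is not Success")

    # Only a direct child Assertion of the Response counts; nothing nested elsewhere does.
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        problems.append("Response carries no Assertion")
        return False, problems, None

    # The enveloped signature must reference this very Assertion by its ID.
    ref = assertion.find(f"{{{DS}}}Signature/{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if ref is None or ref.get("URI") != "#" + (assertion.get("ID") or ""):
        problems.append("Signature Reference does not cover the Assertion ID")

    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is None:
        problems.append("Assertion has no Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_instant(not_before):
            problems.append("Assertion is not yet valid (NotBefore)")
        if not_on_or_after and now >= parse_instant(not_on_or_after):
            problems.append("Assertion has expired (NotOnOrAfter)")
        audiences = [a.text.strip() for a in cond.iter(f"{{{SAML}}}Audience") if a.text]
        if expected_audience not in audiences:
            problems.append(f"Audience {audiences} does not include {expected_audience}")

    scd = assertion.find(
        f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/{{{SAML}}}SubjectConfirmationData")
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != expected_recipient:
            problems.append(f"Recipient {scd.get('Recipient')} is not {expected_recipient}")
        if scd.get("NotOnOrAfter") and now >= parse_instant(scd.get("NotOnOrAfter")):
            problems.append("SubjectConfirmationData has expired")

    email = None
    for attr in assertion.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == EMAIL_CLAIM:
            value = attr.find(f"{{{SAML}}}AttributeValue")
            if value is not None and value.text:
                email = value.text.strip()  # tolerate stray whitespace around the value
    if email is None:
        problems.append("no emailaddress attribute")

    return not problems, problems, email


# Constructed sample response modelled on the example above (placeholder IDs, issuer
# and signature value; not real cryptographic material).
SP_ENTITY_ID = "https://sample.mediashuttle.com/"
SAMPLE_RESPONSE = f"""<samlp:Response ID="_resp-1" Version="2.0" IssueInstant="2014-05-13T13:42:26.698Z"
    Destination="{SP_ENTITY_ID}" xmlns:samlp="{SAMLP}">
  <Issuer xmlns="{SAML}">http://idp.example.com/adfs/services/trust</Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <Assertion ID="_assertion-1" Version="2.0" IssueInstant="2014-05-13T13:42:26.698Z" xmlns="{SAML}">
    <Issuer>http://idp.example.com/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="{DS}">
      <ds:SignedInfo><ds:Reference URI="#_assertion-1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">abc=</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2014-05-13T13:47:26.698Z" Recipient="{SP_ENTITY_ID}"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2014-05-13T13:42:26.695Z" NotOnOrAfter="2014-05-13T14:42:26.695Z">
      <AudienceRestriction><Audience>{SP_ENTITY_ID}</Audience></AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="{EMAIL_CLAIM}"><AttributeValue>user@example.com </AttributeValue></Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>"""

GOOD_NOW = datetime(2014, 5, 13, 13, 43, tzinfo=timezone.utc)  # inside every window
LATE_NOW = datetime(2014, 5, 13, 13, 50, tzinfo=timezone.utc)  # past the bearer window only

if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, SP_ENTITY_ID, SP_ENTITY_ID, GOOD_NOW))
    print(check_response(SAMPLE_RESPONSE, SP_ENTITY_ID, SP_ENTITY_ID, LATE_NOW))
```

Note that LATE_NOW still falls inside the Conditions window (valid until 14:42) but is past the SubjectConfirmationData NotOnOrAfter (13:47): the bearer confirmation's shorter lifetime is the one that limits how long a captured response stays usable, which is why both are checked.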