SAML 2.0

The Federated Security SAML 2.0 tab has these options:

SAML 2.0 Enabled

This flag enables or disables federated security using SAML 2.0. When disabled, the Federated Security page is disabled.

SLO response URL text box

This text box is available only when both SAML 2.0 Enabled and Authenticate with InforSTS are selected. The text box accepts a URL only.

Display Name

This option is displayed to users during the sign-in process if you allow users to select their own authentication method on the Authentication URL Options page.

Note: A limitation on the STS adapter side means this option does not accept some characters.

Display Icon

This option is displayed to users during the sign-in process if you allow users to select their own authentication method on the Authentication URL Options page.

Import SAML Metadata

If you have an Identity Provider metadata XML file available to be uploaded, click From File and select the metadata XML file.

If you have a publicly accessible URL to an Identity Provider metadata XML file, click From URL and enter the metadata XML URL.

The XML file is parsed, and the following input fields on this page are automatically completed.

  • Issuer
  • Identity Provider Certificate
  • Assertion Consumer Service
  • Single Logoff Service

Verify the inputs and add any additional information required.

If you are not importing Identity Provider SAML metadata, enter the following information manually.

Issuer

Enter the SAML issuer entityId.

Identity Provider Certificate

Select the certificate file. Only *.CER files are supported.

The certificate is parsed and the Current Certificate and Expiration information are displayed.

Sign Authentication Request

To save the identity provider, enable the SAML 2.0 Enabled and Authenticate with InforSTS check boxes. You can also enable the Sign Authentication Request check box when saving the identity provider; SSO and SLO then work properly with the identity provider.

Assertion Consumer Service

Select the type and enter the location of the assertion consumer end point.

Single Logoff Service

Select the type and enter the location of the single logoff end point.
Assertion Identity Key

This specifies the field from the incoming assertion used to identify the user.

Select one of these options:

  • Identity is the NameIdentifier element of the Subject statement
  • Identity is an Attribute element

Attribute Name: the claim URI is entered here.

IFS user lookup field

This specifies which value from the IFS user definition is used to identify the user. The administrator can use the drop-down to select a user property.

Service Provider Certificate

An additional drop-down field is added to the screen if the identity provider connection is created in proxy mode. The field is auto-populated with the current Service Provider signing certificate of Infor OS. If the certificate is due to expire, a secondary certificate is available in the drop-down for certificate rollover.

Service Provider Information

Click View to open a dialog box that contains the Infor OS Portal Service Provider information. This information is displayed:
  • Entity Id

    This is the unique identifier of the identity provider.

  • Certificate

    This is the encrypting certificate public key of the service provider.

  • Expiration

    This is the expiration date of the encrypting certificate of the service provider.

  • Assertion Consumer Service

    This is the end point of the assertion consumer service.

  • Binding

    This is the SAML binding of the Identity Provider's assertion consumer service.

  • Single Logoff Service

    This is the end point of the Identity Provider's single logoff service.

  • Single Logoff Binding

    This is the end point of the Identity Provider's single logoff binding.

You also have the option to export the above information as a SAML metadata XML file. Click Export SAML Metadata and save the file.

The Service Provider Information Certificate is in Base-64 format. Both the certificate and the download are on the Federated Security screen.

JIT User Provisioning Enabled

This flag enables or disables Just In Time Provisioning. When enabled, users can be authenticated without first being defined in IFS. Upon their initial sign-in through the current federated identity provider, their user definition is created in IFS.

First Name Claim

Specify the First Name Claim from your trusted federated security identity provider.

Last Name Claim

Specify the Last Name Claim from your trusted federated security identity provider.

Email Address Claim

Specify the Email Address Claim from your trusted federated security identity provider.

Authorization Claim

Specify the authorization claim from your trusted federated security identity provider.

User Name Claim

Specify the user name claim from your trusted federated security identity provider.

This is applicable only if Infor OS Portal does not require an email address for all users.
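The following is an added example (not Infor's code) that applies the Assertion Identity Key choice described earlier, the IFS user lookup field, and the JIT claim settings above to a single assertion: it takes the identity from the NameID or from the configured attribute, refuses an assertion whose NameID is absent when NameID is the identity key, and collects the first name, last name, email address and user name claims for provisioning. The assertion and the settings are constructed, the claim URIs are examples, and the field names in SETTINGS are this example's own.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"  # common claim URI prefix

# Constructed assertion (signature and conditions omitted; verify those before this step).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Subject><saml:NameID>jdoe@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Settings as chosen on the SAML 2.0 tab (constructed; claim URIs are examples).
SETTINGS = {
    "identity_key": "attribute",            # "nameid" or "attribute"
    "attribute_name": CLAIMS + "emailaddress",
    "ifs_user_lookup_field": "Email",       # IFS user property the identity is matched against
    "jit_enabled": True,
    "first_name_claim": CLAIMS + "givenname",
    "last_name_claim": CLAIMS + "surname",
    "email_address_claim": CLAIMS + "emailaddress",
    "user_name_claim": CLAIMS + "upn",
}


def attribute_values(assertion, name):
    # All AttributeValue texts for the Attribute whose Name is the configured claim URI.
    return [(v.text or "").strip()
            for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
            if a.get("Name") == name
            for v in a.findall("saml:AttributeValue", NS)]


def resolve_user(assertion_xml, settings):
    a = ET.fromstring(assertion_xml)  # use defusedxml in production
    if settings["identity_key"] == "nameid":
        nid = a.find("saml:Subject/saml:NameID", NS)
        if nid is None or not (nid.text or "").strip():
            raise ValueError("NameID missing from the SAML subject")
        identity = nid.text.strip()
    else:
        vals = attribute_values(a, settings["attribute_name"])
        if len(vals) != 1:  # refuse an absent or ambiguous identity rather than guessing
            raise ValueError(f"expected one value for {settings['attribute_name']}, got {len(vals)}")
        identity = vals[0]
    profile = {f: (attribute_values(a, settings[f + "_claim"]) or [None])[0]
               for f in ("first_name", "last_name", "email_address", "user_name")
               } if settings["jit_enabled"] else None
    return {"lookup_field": settings["ifs_user_lookup_field"], "lookup_value": identity,
            "jit_profile": profile}
```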

Enable Proxy Mode

This option is available only when STSProxy mode is enabled.

This option is visible only when the proxy feature set is enabled at the tenant level. The proxy feature allows the same identity provider to be federated for multiple Infor OS tenants.

Authenticate with InforSTS

This option is visible only when the proxy feature set is enabled at the tenant level. The proxy feature allows the same identity provider to be federated for multiple Infor OS tenants, with additional performance measures. You are encouraged to use this option instead of Enable Proxy Mode.
Note: If you are using Infor OS Portal Federated Security for any of the Infor mobile applications that are available, your SAML 2.0 identity provider must use Forms Authentication by default.
Note: The NameID value must be sent as part of the SAML subject by the trusted federated identity provider.