Configuring Authentication Settings

On-demand administrators can enable authentication for end users via a third-party identity provider using SAML2. This means an external entity such as Tivoli, SiteMinder, or Oracle Identity Manager can perform user authentication for SBM and send authenticated user credentials back to SBM to log the user in to the system.

SAML2 requires a trust relationship between the external identity provider and the service provider (SBM) via an exchange of metadata between the two entities. In SBM, you retrieve the service provider metadata (which includes a unique entity ID) and you use it to register SBM with your identity provider. You will then obtain metadata from the identity provider and enter it into SBM to establish the trust.

The following steps describe how to perform a typical metadata exchange.

  1. On the Authentication page, under Use SAML2 Service Provider, select Enabled for All Users. If you want to test authentication using SAML2 before you enable it system-wide, select Enabled for Test User Only, and then select a user account to use in your tests.
  2. Select the Force authentication option to instruct the identity provider to force re-authentication on every call from SBM. If force authentication is supported by your SAML2 identity provider, you can use this option to ensure that sessions are not inadvertently expired.
    Note: If your identity provider is configured to use an auto-login mechanism such as NTLM, the session is automatically re-authenticated and valid for an additional time period according to the identity provider. However, if the identity provider uses a login form to gather credentials, this option will force users to reenter their credentials as soon as their SSO token expires.
  3. Use the Maximum authentication age option to set the default tolerance period for the SAML2 authentication statement. This helps prevent login issues related to stale authentication statements. Enter the maximum number of seconds that the identity provider allows for its authentication statements.
  4. Select an applicable Login Method. The default is login-form. Select saml2p to have authenticated users logged in automatically without using a login form.
  5. In the Identity Provider section, you enter metadata that you obtain from the identity provider. Click Import metadata from file and browse to a local file that contains the metadata. Alternatively, copy and paste the identity provider metadata directly.
  6. In the Service Provider section, click Generate certificate to add a self-signed certificate. This creates a certificate with a private key and adds the X.509 certificate information to the service provider metadata that you will send to the external identity provider. Click Import certificate to use your own self-signed certificate instead.
  7. Decide whether to use the same certificate for encryption or to generate a separate certificate.
  8. In the Service Provider Metadata section, click Copy to clipboard or Export to file and save the data that appears to a text file. Use this metadata to register with the identity provider.
The exchange of metadata is now complete and the trust relationship between SBM and your external identity provider has been established.
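Before registering exported metadata with the other party (steps 5 and 8) it is worth checking that the document actually carries what the trust relationship depends on: an entity ID, a role descriptor, and the signing and encryption certificates from steps 6 and 7. The following Python script, added here as an illustration and not part of SBM or its documentation, parses a constructed SAML2 metadata document with the standard library, reports the entity ID and the SHA-256 fingerprint of each certificate (so the values can be compared out of band with the peer), tells you whether one certificate is shared for signing and encryption, and applies a "maximum authentication age" tolerance of the kind step 3 configures to an AuthnInstant timestamp. The entity ID, URLs and certificate bodies in the sample are placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 2.0 metadata and XML-DSig namespaces used by EntityDescriptor documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: a service-provider EntityDescriptor in the general shape an SP
# exports. The entity ID, URLs and certificate bodies are placeholders, not real output.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sbm.example.invalid/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>AAECAwQ=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>BQYHCAk=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sbm.example.invalid/sp/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_metadata(xml_text):
    """Return the entity ID, role and certificate fingerprints of a metadata document.

    Raises ValueError when the document is not a usable EntityDescriptor, so a
    truncated paste or the wrong file is caught before it is registered.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")

    # One role is expected: SP metadata exported by SBM, or IdP metadata from the provider.
    role = root.find("md:SPSSODescriptor", NS)
    if role is None:
        role = root.find("md:IDPSSODescriptor", NS)
    if role is None:
        raise ValueError("no SPSSODescriptor or IDPSSODescriptor role found")

    certs = {}
    for kd in role.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                          default="", namespaces=NS)
        der = base64.b64decode("".join(b64.split()))
        if not der:
            raise ValueError("KeyDescriptor carries no X509Certificate")
        fingerprint = hashlib.sha256(der).hexdigest()  # compare this with the peer out of band
        for use in uses:
            certs[use] = fingerprint
    if "signing" not in certs:
        raise ValueError("no signing certificate: the peer could not verify signatures")

    return {"entity_id": entity_id, "role": role.tag.split("}")[1], "certs": certs}


def uses_shared_certificate(info):
    """True when one certificate covers both signing and encryption (the step 7 choice)."""
    certs = info["certs"]
    return "encryption" in certs and certs["encryption"] == certs["signing"]


def _instant(stamp):
    # SAML timestamps are UTC and end in 'Z'; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def authn_statement_is_fresh(authn_instant, max_age_seconds, now=None, skew_seconds=60):
    """Apply a maximum-authentication-age tolerance to an AuthnInstant timestamp.

    A statement is accepted when it is no older than max_age_seconds and not dated
    more than skew_seconds into the future (small clock differences are tolerated).
    """
    current = _instant(now) if now else datetime.now(timezone.utc)
    age = (current - _instant(authn_instant)).total_seconds()
    return -skew_seconds <= age <= max_age_seconds


if __name__ == "__main__":
    info = parse_metadata(SAMPLE_SP_METADATA)
    print(info["entity_id"], info["role"], "shared cert:", uses_shared_certificate(info))
    for use, fp in info["certs"].items():
        print(f"  {use:10s} sha256:{fp}")
    print("fresh:", authn_statement_is_fresh("2024-01-01T11:59:00Z", 300,
                                             now="2024-01-01T12:00:00Z"))
```

Run it against the metadata you exported in step 8 or received in step 5 by replacing the sample string with the file contents; the fingerprints it prints are what you confirm with the identity-provider administrator so that the certificate registered on each side is the one SBM actually generated or imported.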