Using SAML
To set up a SAML integration in Activate, the Service Provider and Activate (the IdP) require certain details to communicate with each other.
The diagram below shows how Activate and the Service Provider interact through a SAML integration. Since Activate supports the IdP-initiated flow, the process starts at step 4.
Requirements
- VTS entity ID
- VTS X.509 certificate
- SAML provider entity ID
- SAML provider endpoint (ACS or Service URL)
- SAML provider required custom attributes
If you do not have the items listed above, refer to the Getting Started section to obtain them.
Supported Fields/Attributes
VTS supports only the user's email as a dynamic (per-user) attribute. Any other attribute you want to share with the SAML service provider is static and must be configured in Activate.
Static Fields/Attributes
Through a static attribute, you can share any fixed piece of information with the SAML service provider. Although you can specify any attribute name (as a string), the attributes listed below are examples of standard items you may want to share with the provider. For example, to include "tenant_id" in the assertion you set a specific value, and that same value is sent in every assertion to the service provider.
| Attribute (Examples) |
|---|
| building_id |
| building |
| tenant_id |
| tenant |
| latitude |
| longitude |
| building_address |
The value for the attribute is specified when enabling the integration in Activate (i.e. you would set the value you want to send for the fields listed):
SAML assertion XML example
The decoded SAML response XML that VTS sends to the service provider looks like this. The signature covers the whole Response element (its Reference URI is the Response ID); the assertion carries the user's email as the NameID and the static attributes in the AttributeStatement:
```xml
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_4ab93801-71e0-414b-b897-a962db526607" Version="2.0" IssueInstant="2022-09-21T17:56:47.732Z" Destination="http://localhost/saml" InResponseTo="undefined">
<saml:Issuer>app.joinlane.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#_4ab93801-71e0-414b-b897-a962db526607"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>iN0glpeb8uQ/Us7UdGeiahPpXfQYLMOyej0AWkpSDQg=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ExBmhAy0svD4jkfq/tzEL515xHGxTaV1jGQ/YjNglnWwdQtGZEMMyc4g3ClBntuzZEUXDoDkWtZkOO8nnzTQtxVniTQZ8fXy1uhI6SlMR/Ci9tmGEF4KW9dhSb39tcArcTDOKy76raOxzfXIPJ2Kb0+nCbmhzMRxr8z+JZod1ny6uYqc+xXws0hN+3dplCriiDHeGr3qiCrUw8RQy+Iyv1uVOoLHPeqbMi1rQaCcebgdLI5jLpBMt2d7XjyHvcdEs1f5czfTJhjSc+PR3u6ywhTFmQtEcf23lvauUkRkSslZQUkxJPKpbpVGNuXmtho86nNP3Ift0a5culOxwTtgbA==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDzjCCArYCCQCQkU4LkG7lezANBgkqhkiG9w0BAQsFADCBqDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xEDAOBgNVBAcMB1Rvcm9udG8xHzAdBgNVBAoMFkxhbmUgVGVjaG5vbG9naWVzIEluYy4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRkwFwYDVQQDDBBhcHAuam9pbmxhbmUuY29tMSMwIQYJKoZIhvcNAQkBFhRzdXBwb3J0QGpvaW5sYW5lLmNvbTAeFw0yMTAzMjYxOTE2MThaFw0zMTAzMjQxOTE2MThaMIGoMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzEQMA4GA1UEBwwHVG9yb250bzEfMB0GA1UECgwWTGFuZSBUZWNobm9sb2dpZXMgSW5jLjEUMBIGA1UECwwLRW5naW5lZXJpbmcxGTAXBgNVBAMMEGFwcC5qb2lubGFuZS5jb20xIzAhBgkqhkiG9w0BCQEWFHN1cHBvcnRAam9pbmxhbmUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jjjhnIIDpw5KGylowL/MUnLPWsQmJ9WAOJ6U7VirmmIRmRsILKoK1159qJObm7ZGmMqc2opc6JJBBma2+M5pQushQe/cxrr9n7IuPFn7FV6NCh3ud7u3V1Bfe6y20gyGNClJtzr8XO3z+GFrKvzq0a/trkDykchW7bhMJxPyvfJ2SMk1824V798dTsKOBKkmcgHB5I/jUNNsbwNtCPlSChlCyu4gE8rkmZ7HmULB7JMSyoVs+olSi3d+Vx52clJt6zYJX0fjYcYzkt60Hr51aMlc8CtMSVfYrySVFxMtemvwkTfD0ej+AN4y55EdvgTQg+ukOtdAbG2I5BexdVwHwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCQU+mHcLzmFILBPNzyrepiM1lKusfrZVggeVHjA2IAN3tIeKO092ZKS9rer4OEn0QjR/27DwBx4LeMa0LnWBcT6YHSvUc5MUxfO9NDW1nPfUx2aFGMQ5afSpVsU7SkjsrKBjh3z1DN1N3Ti3E9BacN8ClrN3qKClaNUfpM6XzkYNs6qEoVNw0yk9qaFcw7qKeNQdoABuhJ+RIzBekIdAKDY3w9lSs7Gf2BGD9jNoguKF9ibcRBkEshKTFg1AgVQMNNwNzlD3M52EYKt2PD4n8Bc0z2zo8ySZckUeiDij6caZRjiaW+d3ZoV+SJCdSrpzJSSMdTdGusS/niEvoQGqNF</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_82992fb8-044d-44f6-8549-16b6a394ed24" Version="2.0" IssueInstant="2022-09-21T17:56:47.732Z">
<saml:Issuer>app.joinlane.com</saml:Issuer>
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2022-09-21T18:01:47.732Z" Recipient="http://localhost/saml" InResponseTo="undefined"/>
</saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2022-09-21T17:56:47.732Z" NotOnOrAfter="2022-09-21T18:01:47.732Z">
<saml:AudienceRestriction><saml:Audience>TestService</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml2:AuthnStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" AuthnInstant="2022-09-21T17:56:47.732Z" SessionIndex="_4ab93801-71e0-414b-b897-a962db526607">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="CustomParam1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">token-239asd978bd9an8afs2</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
```
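The following is an added example, not VTS/Activate code or any library's API, showing what the service provider side should check on a response of the shape above before trusting it, and how the dynamic email (the NameID) and the static attributes from the Static Fields/Attributes section are pulled out. It assumes the entity IDs and ACS URL from the example (`app.joinlane.com`, `TestService`, `http://localhost/saml`) and uses a constructed sample response in which the real signature and certificate blobs are replaced by a placeholder, the email is invented, and the static attribute is `tenant_id` from the table above. It deliberately does not verify the XML signature; that must be done first with an XML-DSig library against the pinned VTS X.509 certificate, and the checks here are only meaningful once the signature has passed.

```python
"""SP-side checks on an IdP-initiated SAML response shaped like the one above.

Added example, not VTS/Activate code. Checks status, issuer, Destination/Recipient,
audience, validity window and replay, then extracts the NameID email and the static
attributes. It does NOT verify the XML signature (use xmlsec / python3-saml for that),
and production code should parse untrusted XML with defusedxml, not plain ElementTree.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample with the same structure as the page's response; the signature and
# certificate blobs are replaced by a placeholder and the email/attribute values are made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-1" Version="2.0" IssueInstant="2022-09-21T17:56:47.732Z" Destination="http://localhost/saml" InResponseTo="undefined">
  <saml:Issuer>app.joinlane.com</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert-1" Version="2.0" IssueInstant="2022-09-21T17:56:47.732Z">
    <saml:Issuer>app.joinlane.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2022-09-21T18:01:47.732Z" Recipient="http://localhost/saml" InResponseTo="undefined"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2022-09-21T17:56:47.732Z" NotOnOrAfter="2022-09-21T18:01:47.732Z">
      <saml:AudienceRestriction><saml:Audience>TestService</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="tenant_id"><saml:AttributeValue>tenant-42</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_instant(value):
    """SAML xs:dateTime in UTC ('Z' suffix, optional fraction) -> aware datetime."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_response(xml_text, *, idp_entity_id, sp_entity_id, acs_url, now,
                      seen_assertion_ids, skew=timedelta(minutes=3)):
    """Return {'ok', 'problems', 'email', 'attributes', 'unsolicited'} for one response."""
    problems = []

    def check(ok, msg):
        if not ok:
            problems.append(msg)

    root = ET.fromstring(xml_text)
    check(root.find("ds:Signature", NS) is not None, "response is unsigned")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    check(status is not None and status.get("Value") == SUCCESS, "status is not Success")
    check(root.get("Destination") in (None, acs_url), "Destination does not match our ACS URL")
    # IdP-initiated responses carry no AuthnRequest ID to correlate (here literally "undefined").
    unsolicited = root.get("InResponseTo") in (None, "", "undefined")

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # refuse ambiguous responses outright
        return {"ok": False, "problems": problems + ["expected exactly one Assertion"],
                "email": None, "attributes": {}, "unsolicited": unsolicited}
    a = assertions[0]
    check(root.findtext("saml:Issuer", namespaces=NS) == idp_entity_id
          and a.findtext("saml:Issuer", namespaces=NS) == idp_entity_id, "issuer is not the IdP entity ID")

    name_id = a.find("saml:Subject/saml:NameID", NS)
    check(name_id is not None and name_id.get("Format") == EMAIL_FORMAT, "NameID missing or not an email")
    conf = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = conf.find("saml:SubjectConfirmationData", NS) if conf is not None else None
    if conf is None or conf.get("Method") != BEARER or scd is None or not scd.get("NotOnOrAfter"):
        problems.append("no bearer SubjectConfirmation with NotOnOrAfter")
    else:
        check(scd.get("Recipient") == acs_url, "Recipient does not match our ACS URL")
        check(now < parse_instant(scd.get("NotOnOrAfter")) + skew, "bearer confirmation expired")

    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        check(not nb or now + skew >= parse_instant(nb), "assertion not yet valid")
        check(not noa or now - skew < parse_instant(noa), "assertion expired")
        audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        check(sp_entity_id in audiences, "audience mismatch")

    # Replay protection: accept each assertion ID once; keep IDs at least until NotOnOrAfter passes.
    assertion_id = a.get("ID")
    check(assertion_id not in seen_assertion_ids, "assertion ID replayed")
    if not problems:
        seen_assertion_ids.add(assertion_id)

    # Static attributes arrive as Name -> list of values; the dynamic email is the NameID text.
    attributes = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
                  for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"ok": not problems, "problems": problems, "email": getattr(name_id, "text", None),
            "attributes": attributes, "unsolicited": unsolicited}
```

The `seen_assertion_ids` set stands in for a shared replay cache; because the IdP-initiated flow gives the SP no outstanding request ID to match (`InResponseTo` is `undefined` in the page's example), the audience, recipient, validity window and one-time assertion ID are the only things binding the assertion to this SP, so none of them should be skipped.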