The Circulation Manager occupies the Service Provider (SP) role in the SAML Protocol and authenticates a patron against an Identity Provider (IdP).

The SAML-based authentication workflow for patrons is depicted in the figure below:

Image I. SAML Authentication Workflow in Circulation Manager
(content provider does not use SAML)

Both the Circulation Manager and the IdP MUST have their metadata registered with each other. In the simplest case this can be a Shibboleth environment where the SP's (i.e. the Circulation Manager's) metadata is added to the IdP's configuration and vice versa. The better solution, however, is to register the Circulation Manager in the InCommon Federation, which allows any IdP in the federation to be used.

The figure below shows what the workflow looks like when the content itself is protected by a SAML authentication mechanism: either via a SAML proxy or via EZProxy with SAML authentication turned on.

Image II. SAML Authentication Workflow in Circulation Manager
(content provider uses a SAML proxy or EZProxy with turned on SAML authentication)

In this case there are two authentication events:

...

You can find more information about SAML authentication in the SAML Authentication article.

Configuration

SAML-based authentication for patrons requires certain configuration parameters to be set up for it to work correctly. The configuration parameters are described in Table I.

Table I. SAML Authentication Provider Configuration

| Parameter Name | Mandatory | Description |
| --- | --- | --- |
| Service Provider’s XML metadata | Yes | SAML metadata of the Circulation Manager’s Service Provider in XML format. MUST contain exactly one SPSSODescriptor tag with at least one AssertionConsumerService tag whose Binding attribute is set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST. You can use OneLogin SAML Tools to build SP metadata. |
| Service Provider’s private key | No | Private key used for encrypting and signing SAML requests. |
| Identity Provider’s XML metadata | Yes | SAML metadata of Identity Providers in XML format. MAY contain multiple IDPSSODescriptor tags, but each of them MUST contain at least one SingleSignOnService tag whose Binding attribute is set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect. You can use OneLogin SAML Tools to build IdP metadata. |
| Internal signing secret for OAuth and SAML bearer tokens | No | Secret used for signing bearer tokens issued by the SAML authentication provider and used by client applications to confirm their authentication status. |
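The metadata constraints in Table I can be checked before a deployment rather than discovered at the first login failure. The following is an added example, not code from the Circulation Manager project: it parses SP and IdP metadata with the standard library and reports every violation of the rules above. The entity IDs and URLs in the sample documents are constructed placeholders.

```python
import xml.etree.ElementTree as ET  # use defusedxml for metadata from untrusted sources

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def _has_binding(descriptor, tag, binding):
    """True if the descriptor has a direct child <md:tag> whose Binding attribute matches."""
    return any(e.get("Binding") == binding for e in descriptor.findall(f"md:{tag}", NS))

def check_sp_metadata(xml_text):
    """Return the list of Table I violations for SP metadata; an empty list means it is acceptable."""
    descriptors = ET.fromstring(xml_text).findall(".//md:SPSSODescriptor", NS)
    problems = []
    if len(descriptors) != 1:
        problems.append(f"expected exactly one SPSSODescriptor, found {len(descriptors)}")
    for d in descriptors:
        if not _has_binding(d, "AssertionConsumerService", HTTP_POST):
            problems.append("SPSSODescriptor has no AssertionConsumerService with the HTTP-POST binding")
    return problems

def check_idp_metadata(xml_text):
    """Return the list of Table I violations for IdP metadata (several IdPs are allowed)."""
    descriptors = ET.fromstring(xml_text).findall(".//md:IDPSSODescriptor", NS)
    problems = [] if descriptors else ["no IDPSSODescriptor found"]
    for i, d in enumerate(descriptors):
        if not _has_binding(d, "SingleSignOnService", HTTP_REDIRECT):
            problems.append(f"IDPSSODescriptor #{i} has no SingleSignOnService with the HTTP-Redirect binding")
    return problems

# Constructed sample metadata with placeholder entity IDs and URLs (not a real deployment).
SP_OK = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://circ.example.org/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://circ.example.org/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Same SP, but its only ACS endpoint uses the HTTP-Artifact binding, which Table I does not accept.
SP_BAD = SP_OK.replace("bindings:HTTP-POST", "bindings:HTTP-Artifact")

IDP_OK = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.edu/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(check_sp_metadata(SP_OK), check_sp_metadata(SP_BAD), check_idp_metadata(IDP_OK))
```

Running the script prints an empty list for the valid SP and IdP documents and a one-item list naming the missing HTTP-POST endpoint for the broken SP document.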

Setting up a SAML authentication provider in Circulation Manager

...