Gather identity provider information

After you have selected an identity provider to use with your CIC Single Sign-On implementation, you must gather information from the identity provider. You will need the following information when you configure the CIC server as the service provider. Each item is listed with a description of what to gather:
SAML 2.0 metadata XML file

Starting with CIC 2015 R4, you can use an Interaction Administrator feature to import an XML file that contains the necessary information for SAML SSO communications with the third-party identity provider.

List of supported SAML 2.0 profiles and binding implementations

This list can be useful if, in the future, you decide to change or add another profile and binding implementation in your CIC Single Sign-On environment.

Identity Provider signing requirement

Does the identity provider require that <AuthnRequest> SAML messages be signed (embedded signature and X.509 certificate)?

Additional <AuthnRequest> Identity Provider requirements

Determine if the identity provider requires any of the following SAML attributes:

  • ID

  • Version

  • Consent

  • ForceAuthn

  • IsPassive

  • ProtocolBinding

  • AssertionConsumerServiceIndex

  • AssertionConsumerServiceURL

  • AttributeConsumingServiceIndex

  • ProviderName

  • NameIDPolicy

If your identity provider requires SAML attributes, enter them through the SAML Attributes tab of the Configuration dialog box for a SAML profile and binding for the identity provider. Step 11 of the Manually configure identity provider settings procedure addresses this aspect.
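To make the list above concrete, here is an added example (not CIC's own code and not a substitute for the Interaction Administrator steps) that builds a minimal SAML 2.0 <AuthnRequest> with Python's standard library and then reports which of the attributes listed above an identity provider requires but the request does not carry. All names on the list except NameIDPolicy are XML attributes of the <AuthnRequest> element; NameIDPolicy is a child element. The entity IDs and URLs are constructed placeholders.

```python
"""Build a SAML 2.0 <AuthnRequest> and check it against an identity
provider's list of required attributes (the names listed on the page).
Added example; the URLs and entity IDs below are constructed placeholders."""
import datetime
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url,
                        force_authn=None, is_passive=None, consent=None,
                        provider_name=None, name_id_format=None,
                        acs_index=None, attr_consuming_index=None):
    """Return a serialized <samlp:AuthnRequest>.

    ID, Version, IssueInstant, Destination, ProtocolBinding and
    AssertionConsumerServiceURL are always emitted. The keyword arguments
    emit the remaining attributes from the page's list (and the
    NameIDPolicy child element) only when a value is given.
    """
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        # xs:ID values may not start with a digit, hence the underscore.
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.datetime.now(datetime.timezone.utc)
                        .strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "ProtocolBinding": HTTP_POST,
        "AssertionConsumerServiceURL": acs_url,
    })
    optional = {
        "ForceAuthn": force_authn,
        "IsPassive": is_passive,
        "Consent": consent,
        "ProviderName": provider_name,
        "AssertionConsumerServiceIndex": acs_index,
        "AttributeConsumingServiceIndex": attr_consuming_index,
    }
    for name, value in optional.items():
        if value is not None:
            # SAML booleans are lowercase "true"/"false".
            req.set(name, str(value).lower() if isinstance(value, bool) else str(value))
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    if name_id_format is not None:
        ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                      {"Format": name_id_format, "AllowCreate": "true"})
    return ET.tostring(req, encoding="unicode")


def missing_required(authn_request_xml, idp_required):
    """Return the names from idp_required that the request does not carry."""
    root = ET.fromstring(authn_request_xml)
    present = set(root.attrib)
    if root.find(f"{{{SAMLP}}}NameIDPolicy") is not None:
        present.add("NameIDPolicy")
    return [name for name in idp_required if name not in present]


if __name__ == "__main__":
    request = build_authn_request("https://cic.example.test/sp",
                                  "https://cic.example.test/acs",
                                  "https://idp.example.test/sso",
                                  force_authn=True)
    print(request)
    print("missing:", missing_required(request, ["ForceAuthn", "NameIDPolicy"]))
```

Running the block with an identity provider that insists on ForceAuthn and NameIDPolicy shows NameIDPolicy reported as missing until a name_id_format is supplied, which is exactly the kind of mismatch that surfaces as a rejected request during testing if the requirements were not gathered beforehand.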

Identity Provider URL address

Depending on which identity provider method you selected, acquire the URL address to which the CIC client application (user agent) will send all SAML response messages:

  • For a Microsoft AD FS server that is installed on-premises, this address is the FQDN of the AD FS server as seen by workstations hosting CIC Single Sign-On applications.

  • For an Internet-based identity provider, this address is its Internet URL address.

  • If you are using the same CIC server as the identity provider, you do not need to gather any information.

Identity Provider validation certificate

The certificate that the CIC server will use to validate all SAML response messages from the identity provider.

Contact your identity provider or consult the documentation for your identity provider for information on how to obtain the validation certificate.

Identity Provider claims

Claims are assertion attributes that identity providers include in SAML response messages. These claims represent identifying or conditional information associated with an authentication request, such as the Windows account name of the requesting user, an e-mail address, user role, expiration time periods, computer network environment information, and many others.

For example, the identity provider could include the following assertion attribute in their SAML response messages:

    <AttributeStatement>
        <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname">
            <AttributeValue>EXAMPLEDOMAIN\DomainAdmin</AttributeValue>
        </Attribute>
    </AttributeStatement>

For the CIC server acting as the Single Sign-On service provider, the CIC server must be able to map the http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname SAML attribute to the CIC user ID whose CIC user attribute holds a matching value.
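The following added example (not CIC's code; the CIC server performs this mapping internally) shows what a service provider does with the assertion attribute above: after the response signature has been validated against the identity provider validation certificate (assumed already done, not shown here), it checks the assertion's issuer, validity window and audience, extracts the windowsaccountname claim, and looks the value up in a user table. The identity provider entity ID, service provider entity ID, sample response and user table are all constructed placeholders.

```python
"""Map the windowsaccountname claim in a SAML response to a CIC user ID.
Added example. Signature validation against the identity provider's
validation certificate is assumed to have already succeeded; this shows the
checks that follow it (issuer, validity window, audience) and the lookup."""
import datetime
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
WIN_ACCOUNT = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/"
               "windowsaccountname")

# Constructed placeholders for the identity provider and the CIC server.
EXPECTED_ISSUER = "https://idp.example.test/adfs/services/trust"
SP_ENTITY_ID = "https://cic.example.test/sp"

# Constructed CIC user table: Windows account name -> CIC user ID.
USER_DIRECTORY = {
    "EXAMPLEDOMAIN\\DomainAdmin": "cic.admin",
    "EXAMPLEDOMAIN\\jsmith": "jsmith",
}

# Constructed, unsigned sample response carrying the attribute from the page.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{WIN_ACCOUNT}">
        <saml:AttributeValue>EXAMPLEDOMAIN\\DomainAdmin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _saml_time(text):
    """Parse the UTC timestamp form used in the sample (no fractional seconds)."""
    return datetime.datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=datetime.timezone.utc)


def resolve_cic_user(response_xml, expected_issuer, sp_entity_id,
                     user_directory, now):
    """Return (cic_user_id, "ok") or (None, reason).

    `now` is a UTC timestamp string so a captured response can be replayed
    at a chosen instant when testing the validity-window check.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        return None, "no assertion in response"
    # The issuer must be the identity provider that was configured, not
    # merely any issuer whose signature happened to validate.
    if assertion.findtext(f"{{{SAML}}}Issuer") != expected_issuer:
        return None, "unexpected issuer"
    conditions = assertion.find(f"{{{SAML}}}Conditions")
    if conditions is None:
        return None, "assertion has no conditions"
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        return None, "validity window not stated"
    current = _saml_time(now)
    if current < _saml_time(not_before) or current >= _saml_time(not_on_or_after):
        return None, "assertion outside validity window"
    audiences = [a.text for a in conditions.iter(f"{{{SAML}}}Audience")]
    if sp_entity_id not in audiences:
        return None, "assertion not addressed to this service provider"
    # Collect the values of the claim named on the page.
    values = []
    for attr in assertion.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == WIN_ACCOUNT:
            values.extend(v.text for v in attr.iter(f"{{{SAML}}}AttributeValue"))
    if len(values) != 1:
        return None, f"expected exactly one windowsaccountname claim, got {len(values)}"
    cic_user = user_directory.get(values[0])
    if cic_user is None:
        return None, f"no CIC user with windowsaccountname {values[0]!r}"
    return cic_user, "ok"


def check_sample(now):
    """Run the constructed sample response through resolve_cic_user."""
    return resolve_cic_user(SAMPLE_RESPONSE, EXPECTED_ISSUER, SP_ENTITY_ID,
                            USER_DIRECTORY, now)


if __name__ == "__main__":
    print(check_sample("2024-01-01T12:01:00Z"))   # inside the window
    print(check_sample("2024-01-01T12:10:00Z"))   # expired
```

Each rejection reason is distinct so that a failed login can be traced to the right cause (wrong issuer, clock skew between CIC server and identity provider, a response meant for another service provider, or a claim value that matches no CIC user attribute), which is what you want in the server log when an SSO deployment is being brought up.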