The client administrator needs to configure the Identity Provider service to work with Streaming Server. The easiest way is to use the information found in the SAML Service Provider Metadata XML file, StreamingServerServiceProviderSAMLMetadata.xml, provided by Swank. If the file is not usable by your Identity Provider service, the Identity Provider needs to be configured for:
- Entity ID
- The Streaming Server's Entity ID is *https://digitalcampus.swankmp.net*
- Service Provider certificate with public key
- The Streaming Server's x.509 certificate as base-64 text encoded file base64certificate.cer or DER (distinguished encoding rules) binary encoded file derbinaryencoded.cer, provided by Swank with a public key
- Single sign-on service URL
- For Digital Campus clients, this is *https://digitalcampus.swankmp.net/saml/ReceiveSingleSignOn*
- For other clients you can open the SAML Service Provider Metadata XML file in a text editor and locate the tag md:AssertionConsumerService. Within that tag, find the Location attribute. That is the value to use for the Single sign-on service URL. For example, in the following tag you would find location value _https://sample.swankmp.net/saml/ReceiveSingleSignOn:_
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sample.swankmp.net/saml/ReceiveSingleSignOn" index="0" isDefault="true" />
- Single Sign-on service binding
- The Streaming Server's SSO SAML Service Binding must be configured in the Identity Provider so that the Identity Provider can be contacted by the Streaming Server when a user requests to authenticate using SAML. The value must be one of:
- urn:oasis:names:tc:SAML:20:bindings:HTTP-Redirect
- urn:oasis:names:tc:SAML:20:bindings:HTTP-POST
- We prefer the latter (urn:oasis:names:tc:SAML:20:bindings:HTTP-POST), if possible, to avoid HTTP Get request length limitations in some browsers.
- The Streaming Server's SSO SAML Service Binding must be configured in the Identity Provider so that the Identity Provider can be contacted by the Streaming Server when a user requests to authenticate using SAML. The value must be one of:
- Preferred Service Provider sign assertions and authn requests
- For best security we prefer that assertions and authn requests be signed using the certificate but this is not required. This protects against SAML being tamplered with and protects Identity Server information that is being transmitted to the Streaming Server.