Edit SAML
The AppDirect platform acts as a SAML identity provider to support single sign-on (SSO) for applications.
This topic covers the steps you need to take to configure SAML Authentication for single sign-on (SSO).
For technical information describing the integration and SSO flows for SAML, see the Integrate SAML topics.
To configure SAML authentication
- Click Manage > Billing and Distribution > Products > productName | Edit. The product configuration page opens.
- (Optional) If the product you are editing is an add-on product, two additional toggle settings appear at the top of the Single Sign-On pane. You can select only one of them. The optional settings are:
  - Use Parent Application Authentication Method—Select this setting if you want the product to inherit the authentication settings of the parent product with which the add-on is associated.
  - Hide Application Tile—Select this setting to hide the application tile on the user's MyApps page. Note that this also turns off single sign-on for this product.
📝 Note
If you configure either of the settings described in this step, all other authentication fields described in the following steps disappear. Proceed to step 11 to save your settings.
- On the left menu, click Integration | Edit Authentication. The Edit Authentication page opens.
- Under Single Sign On | select SAML. The SAML configuration fields appear.
- From the SAML Version drop-down menu, select a SAML version.
AppDirect recommends using SAML version 2.0, but also supports SAML 1.0 and 1.1.
- Select the IdP Configuration Method. By default, AppDirect creates a unique identity provider (IdP) configuration for each subscription. Alternatively, you can share one configuration across subscriptions within a marketplace or across marketplaces. Choose the model that best matches your system requirements.
- Enter the Entity ID (Service Provider). This is the unique identifier representing your application in a SAML transaction.
- (Optional) Enter the service provider-initiated Login URL. This is the URL a user is redirected to when they click the MyApps tile. Set this value if your application only supports SP-initiated SSO.
- In the Name ID field, enter a Name ID value. This can be any value, and is normally a placeholder, such as:
{user.uuid} (default)
{userEntitlement.externalVendorIdentifier}
{user.emailAddress}
For additional options, see Incorporate placeholders (optional).
- From the Name ID Format drop-down list, select your preference.
The Name ID identifies users authenticating to your application. You can specify it in any of the following three types (formats):
- Persistent (default)—Identifies users by an immutable identifier such as the AppDirect user.uuid, or an immutable userEntitlement.externalVendorIdentifier that you provide when users are assigned your app.
- Email—Identifies users by their email address, such as the AppDirect user.emailAddress.
- Unspecified—Select this when neither the Persistent nor the Email option is appropriate.
This format is declarative only: it is included in the assertions, but it does not limit or define the values that you can specify in the Name ID.
- Select a Response Signature Mode from the drop-down list. This defines how the response token is signed when a user signs into an application using SSO. If you select Sign Entire Response (the default), the entire token is digitally signed. If you select Sign Assertion, only the assertion contained within the token is digitally signed. If you select Sign Response Message & Assertion, both the entire token and the assertion contained within it are digitally signed.
- (Optional) Enter a RelayState parameter value for the product. This value is used for the ‘RelayState’ parameter when the SAML response is sent to the assertion consumer service (ACS) during identity provider-initiated SSO flows.
- Under Assertion Attributes, enter a Name and Value for each attribute.
You can configure an unlimited number of attributes in the assertions (and add, remove, or rename them as required). To fully customize your assertions, you can use placeholders in the attribute values. For additional options, see Incorporate placeholders (optional).
- Under Response Signature Algorithm, select an algorithm from the drop-down list. The default is RSA-SHA256. Products previously configured with RSA-SHA1 can be upgraded to RSA-SHA256.
- (Optional) If the product is defined as importable when it is created, an Import Setup Form pane appears on the Edit Authentication page. The purpose of this form is to collect the information necessary to connect the application to the company when Company Administrators are importing an application. See Configure the Import Setup Form for information on how to configure this form.
- Click Save. Your authentication settings are saved.
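The Name ID and assertion-attribute placeholders, the three Response Signature Mode options and the Response Signature Algorithm setting above all shape the SAML response your application receives. The following added example is not AppDirect's code; it is an illustration written for this page. It expands `{user.uuid}`-style placeholders from a constructed sample context, builds a minimal `samlp:Response` with a `ds:Signature` skeleton placed where each signature mode would put it, and then runs a service-provider-side structural check that reports which elements are signed and whether the deprecated RSA-SHA1 algorithm URI appears. No real cryptographic signing or verification is performed; the `SignatureValue` is a labelled placeholder, the context values are made up, and the helper names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# SAML 2.0 and XML Signature namespaces and the algorithm URIs used in SignatureMethod.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample context: the keys mirror the placeholder names on the page,
# the values are invented for this example.
CONTEXT = {
    "user.uuid": "3f7c2a10-1111-4b2b-9c8d-000000000001",
    "user.emailAddress": "alice@example.com",
    "userEntitlement.externalVendorIdentifier": "vendor-4711",
}

PLACEHOLDER = re.compile(r"\{([A-Za-z0-9_.]+)\}")


def expand(template, context=CONTEXT):
    """Replace {name} placeholders with context values; an unknown name raises KeyError."""
    def substitute(match):
        key = match.group(1)
        if key not in context:
            raise KeyError(f"unknown placeholder {{{key}}}")
        return context[key]
    return PLACEHOLDER.sub(substitute, template)


def _add_signature(parent, algorithm):
    """Append a ds:Signature skeleton (SignedInfo + SignatureMethod only).
    No cryptography is performed; SignatureValue is a labelled placeholder."""
    sig = ET.SubElement(parent, f"{{{DS}}}Signature")
    signed_info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(signed_info, f"{{{DS}}}SignatureMethod", Algorithm=algorithm)
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = "SIGNATURE-PLACEHOLDER"


def build_response(mode, algorithm=RSA_SHA256, name_id="{user.uuid}", attributes=None):
    """Build a minimal samlp:Response and return it as bytes.
    mode is "response" (Sign Entire Response), "assertion" (Sign Assertion)
    or "both" (Sign Response Message & Assertion)."""
    if mode not in ("response", "assertion", "both"):
        raise ValueError(f"unknown signature mode {mode!r}")
    response = ET.Element(f"{{{SAMLP}}}Response", ID="_response-1")
    assertion = ET.SubElement(response, f"{{{SAML}}}Assertion", ID="_assertion-1")
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID", Format=NAMEID_PERSISTENT).text = expand(name_id)
    statement = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    for name, value in (attributes or {}).items():
        attribute = ET.SubElement(statement, f"{{{SAML}}}Attribute", Name=name)
        ET.SubElement(attribute, f"{{{SAML}}}AttributeValue").text = expand(value)
    # Signature placement is the only thing that differs between the three modes.
    if mode in ("response", "both"):
        _add_signature(response, algorithm)
    if mode in ("assertion", "both"):
        _add_signature(assertion, algorithm)
    return ET.tostring(response)


def inspect_response(xml_bytes):
    """Service-provider-side structural check: which elements carry a direct
    child Signature, and which SignatureMethod algorithms appear anywhere.
    find() only looks at direct children, so a Signature buried deeper in the
    tree counts for neither the Response nor the Assertion."""
    root = ET.fromstring(xml_bytes)
    assertion = root.find(f"{{{SAML}}}Assertion")
    response_signed = root.find(f"{{{DS}}}Signature") is not None
    assertion_signed = assertion is not None and assertion.find(f"{{{DS}}}Signature") is not None
    algorithms = sorted({m.get("Algorithm") for m in root.iter(f"{{{DS}}}SignatureMethod")})
    if response_signed and assertion_signed:
        mode = "both"
    elif response_signed:
        mode = "response"
    elif assertion_signed:
        mode = "assertion"
    else:
        mode = "unsigned"
    name_id = assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID") if assertion is not None else None
    return {
        "mode": mode,
        "algorithms": algorithms,
        "weak_algorithm": RSA_SHA1 in algorithms,
        "name_id": name_id,
    }


if __name__ == "__main__":
    for signing_mode in ("response", "assertion", "both"):
        doc = build_response(signing_mode, attributes={"email": "{user.emailAddress}"})
        print(signing_mode, inspect_response(doc))
```

On the service-provider side, a check like `inspect_response` is only a first pass: the application must still verify the signature cryptographically, confirm that the signed `Reference` covers the exact assertion it consumes, and treat an RSA-SHA1 `SignatureMethod` as a reason to reject the response or to migrate the product to RSA-SHA256 as described above.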