This information was last reviewed in April, 2019, by Scott Cantor.
This is not a replacement for the actual documentation and you cannot cut and paste your way to a working system. The examples are not usable without taking into consideration your local needs and requirements.
ReviewSnap is a pretty standard self-managed SP. Their official documentation was at https://www.reviewsnap.com/support-article-2/setting-saml-authentication/ at time of authoring.
They also have a presence in InCommon that has a different technical back-end (a Shibboleth SP). This document speaks to the non-InCommon version.
The web UI has an interface under Settings → Authentication and SSO that includes toggle switches for enabling password, SAML, or LDAP authentication. The SAML Configure panel has the usual options:
They do not provide any SP metadata; it has to be manually pieced together from their GUI. I have a key on record for them for encryption support, but I actually don't recall how I got it. It may be in their documentation, or was provided out of band when I conversed with them.
An example that includes the key we have on record:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.reviewsnap.com">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="encryption">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>
MIIDrzCCApegAwIBAgIJAMcDfI7jDKWsMA0GCSqGSIb3DQEBBQUAMEMxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMQ0w
CwYDVQQKEwRBVFNJMB4XDTE4MDQxOTE3MDA0M1oXDTI4MDQxNjE3MDA0M1owQzEL
MAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0
bGUxDTALBgNVBAoTBEFUU0kwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDvqzdcdBmIR7tGanfgoUK962yIRLFIwZlKCbqf5tFrQ0PovhejI4jkOO+Zq8ji
+ZBvc3XA9k1KOhWkAIj4PpcTb3hB83ComVo39/MhM2n8XAphb4nIx0wuiia5vlGh
pJqPqCBbXRwNsFFxg4S30UJiVViHKoTf7LQDrFB/5G3KmLkrK+kIm84cYJiqRUGl
EAyEooq6XOVjCIgazefbYWRasl5WKDNl+PpzALN2VCYPKwQftVN/g2Lh3MujHv7f
ebHGzKhFWcjZ2Fti5kefo21o1EChOtX9yOdjkUYwkTQKLnZUCQ+WUHJoeBPLRy9d
eXh/QeJK3J4EbXwnioYRU+PFAgMBAAGjgaUwgaIwHQYDVR0OBBYEFNLx6NkfkUA8
PhXLNWt8bDQFR3xkMHMGA1UdIwRsMGqAFNLx6NkfkUA8PhXLNWt8bDQFR3xkoUek
RTBDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH
U2VhdHRsZTENMAsGA1UEChMEQVRTSYIJAMcDfI7jDKWsMAwGA1UdEwQFMAMBAf8w
DQYJKoZIhvcNAQEFBQADggEBABBYexSZKEzqRcOPFL1TTDqDEmDbceY6Rz2LGhNS
JuUoLpDqeTX8Aj+2cwCTKAiCGmaSKepZVK8pk3hP0TQDPFiONaEn144rGJbYbA+v
+doTfc+Hw8lnhq3aMV1+GSRaezYoUs2+DL+DUbaWVsIW0P06wo3FbkPM+EFWZ3mr
MvNWHHT/bczdbtpPjtdO+7ZmHZJCVBN7jZe6rVaJbw1JJQaRoTw3cCnse+7lXoV8
AX0iqnClgm26xjBfmOCQywGoYPl3vDu6h12SoE0Akxaw6w2PwgaM8zRv/iiBlP4Z
PeBepjDlEyDrPulx9c/iTEkacgrTITPjk4T/4WtlE3SX28U=
                    </X509Certificate>
                </X509Data>
            </KeyInfo>
        </md:KeyDescriptor>
        <md:AssertionConsumerService index="1" isDefault="true"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://app.reviewsnap.com/auth/saml/callback?namespace=example"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>
The SAML SSO profile behavior is standard: the SP relies on signed responses and supports encrypted assertions (hence the encryption key in the metadata above).
Logout is not supported.
Refer to the RelyingPartyConfiguration topic and be cognizant that creating overrides for every service is generally an inefficient use of the software. Consider identifying common requirements across services and create overrides tied to multiple services that share those requirements, or that reference profile configuration beans containing common settings.
Required Profile Configurations
SAML2.SSO
The application assumes provisioning of matching accounts in advance.
They do support use of a NameID, but I haven't used or tested it. All indications are any Format would work, and it's just looking for a matching value.
They support only a single Attribute to match the application username against, and we've used this to match on an employee ID number.
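As an added illustration (not part of the original page or of ReviewSnap's documentation), the two IdP configuration fragments below tie the points above together: a relying-party override for the entityID in the metadata above that pins the SAML2.SSO profile to signed responses and encrypted assertions and deliberately defines no logout profile, and an attribute filter policy that releases only the single matching attribute. The attribute ID "employeeNumber" is an assumption; use whatever your attribute-resolver.xml defines for the employee ID the accounts were provisioned with.

```xml
<!-- conf/relying-party.xml (fragment): override for ReviewSnap only.
     Signing responses and encrypting assertions are already the IdP defaults
     when the SP metadata carries an encryption key; setting them explicitly
     here documents what this SP requires. -->
<util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://app.reviewsnap.com">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO"
                      p:signResponses="true"
                      p:encryptAssertions="true" />
                <!-- No SAML2.Logout bean: the service does not support logout -->
            </list>
        </property>
    </bean>
</util:list>

<!-- conf/attribute-filter.xml (fragment): release only the one attribute the
     application matches usernames against. "employeeNumber" is an assumed
     attribute ID, not one the page specifies. -->
<AttributeFilterPolicy id="ReviewSnap">
    <PolicyRequirementRule xsi:type="Requester" value="https://app.reviewsnap.com" />
    <AttributeRule attributeID="employeeNumber">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```

Since the SP hands back no metadata of its own, the entityID and ACS location in these fragments must match the hand-assembled metadata loaded into the IdP, or the override will never be selected.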