HalogenTalentspace

This information was last reviewed in August, 2018, by Scott Cantor.

Change Log:

This is not a replacement for the actual documentation and you cannot cut and paste your way to a working system. The examples are not usable without taking into consideration your local needs and requirements.

This is a page for documenting Shibboleth integration with Saba's Halogen Talentspace.

Identity Provider Metadata

The GUI for Halogen has a panel for its SAML Configuration, and the only mechanism it appears to support for establishing the IdP settings is uploading a metadata file, which is unusual. It does work, but it is not going to validate a signature on the metadata, and it may enforce a validUntil value, so it's best to strip that attribute ahead of time.

Service Provider Metadata

Halogen is a bit of an odd duck in that they will put their tenant metadata into InCommon upon request, but as a typical point-to-point app, they also serve up a copy at a URL you can download. The metadata they serve up is not correct, of course, apart from the entityID, keys, and endpoint. They have flags set incorrectly (e.g., they claim to need signed assertions but don't), and they include unnecessary NameID formats.

A curated version with the unnecessary bits stripped works fine, but if you're a member of a federation, ask them to register it for you and they will do that.

Profile Requirements

They have no unusual outbound requirements; a standard encrypted profile response works fine.

They appear to require the HTTP-POST binding on the request side, so that may trip up some deployments. They also sign their requests.

Encryption is supported. Logout is not.
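The following is an added example, not code from the Shibboleth project or from Halogen. It prepares an IdP metadata file for upload as described under Identity Provider Metadata (strips validUntil, and drops the enveloped signature that the edit invalidates) and reports whether the file advertises an HTTP-POST SingleSignOnService endpoint, which the request-side binding noted above depends on. The function name, the sample entityID and host, and the assumption that Halogen takes the SSO endpoint from the uploaded metadata are illustrative.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD)   # keep conventional prefixes on output
ET.register_namespace("ds", DS)

def prepare_idp_metadata(xml_text):
    """Strip validUntil (and the signature that edit breaks); report whether
    an HTTP-POST SingleSignOnService endpoint is advertised."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if root.tag != f"{{{MD}}}EntityDescriptor" or idp is None:
        raise ValueError("expected one md:EntityDescriptor with an IDPSSODescriptor")
    elements = list(root.iter())  # snapshot: the tree is modified below
    stripped = [el.attrib.pop("validUntil") for el in elements
                if "validUntil" in el.attrib]
    signatures = 0
    if stripped:  # editing the document invalidates any enveloped signature
        for el in elements:
            for sig in el.findall(f"{{{DS}}}Signature"):
                el.remove(sig)
                signatures += 1
    has_post = any(sso.get("Binding") == POST
                   for sso in idp.findall(f"{{{MD}}}SingleSignOnService"))
    return {"xml": ET.tostring(root, encoding="unicode"),
            "stripped_validUntil": stripped,
            "signatures_removed": signatures,
            "post_sso_endpoint": has_post}

# Constructed sample; entityID, host and signature stub are placeholders.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.edu/idp/shibboleth"
    validUntil="2018-09-01T00:00:00Z">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    result = prepare_idp_metadata(SAMPLE)
    print(result["stripped_validUntil"], result["signatures_removed"])
    if not result["post_sso_endpoint"]:
        print("warning: no HTTP-POST SingleSignOnService endpoint in metadata")
```

Run it against a copy of your own IdP's metadata and upload the returned XML; the original file stays untouched.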

Account Provisioning

I don't believe there are any in-band options for provisioning; it's just the usual link up to existing accounts.

NameID Requirements

They do support use of a NameID to link users, but they also support Attributes, so do not use the NameID support.

Attribute Requirements

They support a standard "use one Attribute to match an existing field in the user record" model for SSO. They support Username, Employee ID, and Email Address as matching fields on their side, so pick one and map in a corresponding SAML Attribute to supply it. Just release that Attribute to the SP and you're done.

Other Considerations

You have to use the Test button to perform a round-trip test before the GUI provides an option to save the settings.