This information was last reviewed in April, 2019, by Scott Cantor.

Change Log:

This is not a replacement for the actual documentation and you cannot cut and paste your way to a working system. The examples are not usable without taking into consideration your local needs and requirements.

ReviewSnap is a pretty standard self-managed SP. Their official documentation was at https://www.reviewsnap.com/support-article-2/setting-saml-authentication/ at time of authoring.

They also have a presence in InCommon that has a different technical back-end (a Shibboleth SP). This document speaks to the non-InCommon version.

Identity Provider Metadata

The web UI has an interface under Settings → Authentication and SSO, that include toggle switches for enabling password, SAML, or LDAP. The SAML Configure panel has the usual options:

IdP SSO Target URL
- https://idp.example.org/idp/profile/SAML2/Redirect/SSO
IdP Certificate
- PEM blob. They have a field for fingerprint that would probably also work but no real reason to bother.
Issuer
- The SP's own name, which you can set. Easy to just use "https://app.reviewsnap.com" for consistency.
Username Attribute (Optional)
- You can use the NameID field, or make life easier and give it a SAML Attribute name, which Shibboleth is better at.
ACS (Consumer) URL
- This is populated for you with the right URL for your instance, see SP metadata below.

Service Provider Metadata

They do not provide any SP metadata; it has to be manually pieced together from their GUI. I have a key on record for them for encryption support, but I actually don't recall how I got it. It may be in their documentation, or was provided out of band when I conversed with them.

An example that includes the key we have on record:

Example ReviewSnap metadata

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.reviewsnap.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
MIIDrzCCApegAwIBAgIJAMcDfI7jDKWsMA0GCSqGSIb3DQEBBQUAMEMxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMQ0w
CwYDVQQKEwRBVFNJMB4XDTE4MDQxOTE3MDA0M1oXDTI4MDQxNjE3MDA0M1owQzEL
MAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0
bGUxDTALBgNVBAoTBEFUU0kwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDvqzdcdBmIR7tGanfgoUK962yIRLFIwZlKCbqf5tFrQ0PovhejI4jkOO+Zq8ji
+ZBvc3XA9k1KOhWkAIj4PpcTb3hB83ComVo39/MhM2n8XAphb4nIx0wuiia5vlGh
pJqPqCBbXRwNsFFxg4S30UJiVViHKoTf7LQDrFB/5G3KmLkrK+kIm84cYJiqRUGl
EAyEooq6XOVjCIgazefbYWRasl5WKDNl+PpzALN2VCYPKwQftVN/g2Lh3MujHv7f
ebHGzKhFWcjZ2Fti5kefo21o1EChOtX9yOdjkUYwkTQKLnZUCQ+WUHJoeBPLRy9d
eXh/QeJK3J4EbXwnioYRU+PFAgMBAAGjgaUwgaIwHQYDVR0OBBYEFNLx6NkfkUA8
PhXLNWt8bDQFR3xkMHMGA1UdIwRsMGqAFNLx6NkfkUA8PhXLNWt8bDQFR3xkoUek
RTBDMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH
U2VhdHRsZTENMAsGA1UEChMEQVRTSYIJAMcDfI7jDKWsMAwGA1UdEwQFMAMBAf8w
DQYJKoZIhvcNAQEFBQADggEBABBYexSZKEzqRcOPFL1TTDqDEmDbceY6Rz2LGhNS
JuUoLpDqeTX8Aj+2cwCTKAiCGmaSKepZVK8pk3hP0TQDPFiONaEn144rGJbYbA+v
+doTfc+Hw8lnhq3aMV1+GSRaezYoUs2+DL+DUbaWVsIW0P06wo3FbkPM+EFWZ3mr
MvNWHHT/bczdbtpPjtdO+7ZmHZJCVBN7jZe6rVaJbw1JJQaRoTw3cCnse+7lXoV8
AX0iqnClgm26xjBfmOCQywGoYPl3vDu6h12SoE0Akxaw6w2PwgaM8zRv/iiBlP4Z
PeBepjDlEyDrPulx9c/iTEkacgrTITPjk4T/4WtlE3SX28U=
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="1" isDefault="true"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://app.reviewsnap.com/auth/saml/callback?namespace=example"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

Profile Requirements

The SAML SSO profile behavior is standard and relies on signed responses and supports encryption.

Logout is not supported.

Example Shibboleth Configuration

Refer to the RelyingPartyConfiguration topic and be cognizant that creating overrides for every service is generally an inefficient use of the software. Consider identifying common requirements across services and create overrides tied to multiple services that share those requirements, or that reference profile configuration beans containing common settings.

Required Profile Configurations

SAML2.SSO

Account Provisioning

The application assumes provisioning of matching accounts in advance.

NameID Requirements

They do support use of a NameID, but I haven't used or tested it. All indications are any Format would work, and it's just looking for a matching value.

Attribute Requirements

They support only a single Attribute to match application username against, and we've used this to match on an employee ID number.