SAML Authentication

SAML Authentication Integration Flow

The procedure for integrating SAML authentication in a WebPerformer-NX application is as follows.

1. Click the SP Info icon at the top of the User Manager screen.

2. Select SAML

3. Confirm the Single Sign-on URL and Audience URI, and set them to the external IdP.

	Setup for Okta	Setup for Entra ID	Setup for ID Entrance
Single Sign-on URL	English：Single Sign on URL Japanese：シングルサインオン URL	English：Reply URL (Assertion Consumer URL) Japanese：応答 URL	English：Sign-on URL Japanese：サインオンURL
Audience URI	English：Audience URI Japanese：オーディエンス URI	English：Identifier (Entity ID) Japanese：識別子	English：Entity ID Japanese：エンティティID

Note

• In ID Entrance, “Sign the response” must be enabled

4. Retrieve SAML metadata documents from external IdPs.
   • For Entra ID

   1. Open the single sign-on page of the application which is being created

   2. Click on the download link for the “Federation Metadata XML” of the SAML certificate

   3. Save the downloaded XML file

   • For Okta

   1. Open the SignOn tab of the application being created.
   2. Click Actions under SAML Signing Certificates.
   3. Click View IdP metadata.
   4. An xml file will open in a new window. Right click on the browser and click "Save As" to save the file.

   • For ID Entrance

   1. Open the ID Entrance Information page from the Management Portal’s linked services management.
   2. Click “Download” under the SAML metadata URL.
   3. Save the downloaded XML file.

5. Register an identity provider.

6. Place a push button from the component list as a button for external authentication on the sign-in screen (Sign In ID) of the authentication UI.

7. Open the properties screen of the button for external authentication placed in step 6, and set the following.

   • Select "IdP" from the click event.
   • Enter the name of the identity provider registered in step 5 in the “IdP” field.

8. Save the sign-in screen (Sign In ID) of the authentication UI.

Identity Provider Registration

1. Click the Create icon in the upper right corner of the screen.

2. Select SAML.

3. Enter the Identity Provider information.

Item	Input	Description
Identity Provider Name	Required	Use any name except single-byte spaces, underscores, and commas. The maximum number of characters is 32.
Metadata	Required	Upload metadata documents obtained from external IdP.
Attribute Mapping	Required	Set up a mapping between user attributes and IDP attributes. User attribute IDP attribute Required Email （Enter IDP attribute name） ○ Name （Enter IDP attribute name） custom:custom_01 （Enter IDP attribute name） custom:custom_02 （Enter IDP attribute name） custom:custom_03 （Enter IDP attribute name） custom:custom_04 （Enter IDP attribute name） custom:custom_05 （Enter IDP attribute name） custom:custom_06 （Enter IDP attribute name） custom:custom_07 （Enter IDP attribute name） custom:custom_08 （Enter IDP attribute name） custom:custom_09 （Enter IDP attribute name） custom:custom_10 （Enter IDP attribute name） Be sure to map the IDP attribute that maps to the user attribute [email] to the attribute for which email information is registered.
Sign out flow	Required	Please set [ON] or [OFF]. If [ON], sign-out flow setting is required for external IdP.

4. Click the "Add" button.
5. The added Identity Provider will appear in the IdP list.

Note

• For Entra ID, the [IDP attribute] should be set to the claim name.
  Please note that the claim name will be different if the namespace is set or not.

Setting up a sign-out flow

SAML authentication allows you to configure a sign-out flow.

• For Entra ID

1. Open the single sign-on page for the application being created.
2. Set Logout URL to the logout URL in the basic SAML configuration.

Note

• In Entra ID, if [SAML]>[Logout URL] in the [SP Info] icon is set to [Logout URL] used during configuration, an error screen will be displayed during logout.
• To display the application login screen after logout, click Domain and set [https://validdomainname].

• For Okta

1. Open the SignOn tab of the application being created
2. Upload the Signature Certificate downloaded from the Vertical Three Point Reader to the right of the IdP name in the IdP list
3. Check the Enable Single Logout item
4. Set Logout URL to Single Logout URL after logout.
5. Set Audience URI to the SP Publisher.
6. Click Actions under SAML Signing Certificates.
7. Click View IdP metadata.
8. An xml file will open in a new window, right click on the browser and save the file using Save As.
9. Upload the metadata again.

Note

• In Okta, the Logout URL to be used during configuration can be found by clicking the SP Info icon and then clicking SAML>Logout URL.
• For the Signature Certificate to be used when setting up, click the Vertical Three Point Reader to the right of each record in the IdP list, and download the signature certificate.
• ID Entrance does not allow you to set up a sign-out flow.