Authentication using Saml2
This SecurityModule uses federated authentication and is tested against a MobilityGuard ... endpoint. To be able to use Saml2 authentication you will need to set up your ImageVault as a Saml2 service provider (sp) registered with your identity provider (idp).
To activate Saml2 authentication, the following changes must be made in web.config.
Authentication
When using Saml2 authentication, the ASP.NET authentication mode must be set to None so that no Forms or Windows authentication is applied on top of the Saml2 SecurityManager.
<system.web>
  <authentication mode="None"/>
</system.web>
ConnectionStrings
To use Saml2 with ImageVault add/modify the connection string named ImageVaultSecurityManager.
<connectionStrings>
<add name="ImageVaultSecurityManager"
providerName="ImageVault.Saml2.Providers.Saml2SecurityManager,ImageVault.Saml2.Providers"
connectionString="spEntityId=http://imagevaultui.local/Saml2;idpEntityId=https://stubidp.sustainsys.com/xxxxxxxxxxx/Metadata;spCertificate=~/App_Data/myivsp.cer;idpCertificate=~/App_Data/stubidp.sustainsys.com.cer;"/>
</connectionStrings>
name
Must be ImageVaultSecurityManager so that the UI can detect which connection string to use for the SecurityManager.
providerName
Tells ImageVault.UI which SecurityManager to use (see ISecurityManager for more information).
For Saml2, use the following providerName: ImageVault.Saml2.Providers.Saml2SecurityManager,ImageVault.Saml2.Providers
connectionString
This is a key/value string where key and value are separated by an equals sign (=) and each pair is terminated with a semicolon (;). Only the first equals sign in a pair separates key from value, so a value may itself contain an equals sign (Example 1 below uses rolesClaimRegex=^CN=([^,]+)).
See the following list of supported configuration parameters.
Configuration parameters
spIvBaseUrl
URL of the ImageVault site. Several of the optional keys below default to paths under this URL.
idpEntityId
The entity ID of the idp, as published in the idp's Saml2 metadata. Unless idpMetadataUrl is set (see below), the idp metadata is also loaded from this URL. For idps that identify each registered application by an Application ID, you find it as a GUID when opening the applications tab of the idp.
Certificates
There are two certificates that need to be configured: the idp's certificate, used to verify the incoming traffic from the idp, and the service provider's own certificate, used for the outgoing traffic.
The service provider's certificate is configured by spCertificate, spCertThumbprint OR spCertSubject (see below).
You configure the certificate of the idp in the same manner using idpCertificate OR idpCertThumbprint.
spCertificate (Alternative 1...)
Specifies a file-based certificate, with a path relative to the ImageVault root path, used for the outgoing traffic. Since the sp signs with this certificate, the file must contain the private key (for example a .pfx protected by spCertificatePwd).
spCertThumbprint (...Alternative 2)
The thumbprint of the sp's certificate, installed in the certificate store.
spCertSubject (...Alternative 3)
The subject of the sp's certificate, installed in the certificate store.
spCertificatePwd
The certificate password, if any.
spMinIdpSigningAlgorithm
The minimum signature algorithm that ImageVault (the sp) accepts on messages signed by the idp; signatures made with a weaker algorithm are not allowed.
Default level is: rsa-sha256
Available values, weakest first:
rsa-sha1
rsa-sha256
rsa-sha384
rsa-sha512
SHA-1 is no longer considered secure for signatures, so only lower the minimum to rsa-sha1 for a legacy idp that cannot sign with SHA-256 or better.
idpCertificate
Specifies a file-based certificate, with a path relative to the ImageVault root path, used to verify the incoming traffic from the idp.
idpCertThumbprint
Specifies a certificate by thumbprint, in the local machine store, used to verify the incoming traffic from the idp.
idpCertificatePwd
The certificate password, if any.
Optional connectionString keys
The following configuration options all have default values and only need to be adjusted if you need to change the default behavior.
spEntityId
This is the entity ID of ImageVault (the service provider), which is also the URL of its Saml2 metadata.
Default value is spIvBaseUrl/Saml2
spLoggedoutUrl
The idp redirects to this URL after successfully logging a user out.
Default value is spIvBaseUrl/Account/Loggedout
cookieName
Default name is .saml2session
idClaimType
Use this parameter to inform the provider of which type of name identifier claim you will get from the idp. This claim is used as the user's unique identifier.
It could be any string, like "oid" or "sub".
Default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier".
nameClaimType
Use this parameter to inform the provider of which type of name claim you will get from the idp.
It could be any string.
Default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name".
roleClaimType
Use this parameter to inform the provider of which type of role claims you will get from the idp.
It could be any string, like "role" or "group".
Default is "http://schemas.microsoft.com/ws/2008/06/identity/claims/role".
rolesClaimRegex
Regex for extracting the role name from role claims that carry complex strings (for example an LDAP distinguished name); the role name is taken from the first capture group.
Defaults to '([^,\s]+)'.
groupClaimType
Use this parameter to inform the provider of which type of group claims you will get from the idp.
It could be any string, like "role" or "group".
Default is "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups".
groupClaimRegex
Regex for extracting group names from group claims that carry complex strings; the group name is taken from the first capture group.
Defaults to '([^,\s]+)'.
idpMetadataUrl
Introduced in v5.18
If you would like to load the Saml2 idp metadata from another URL than the idpEntityId, you can specify it using this parameter.
Default is to use the same value as idpEntityId.
doNotLoadEntityIdSSLCertificateAsIdpSigningKey
Introduced in v5.18
If the idp certificate is not explicitly referenced using idpCertificate or idpCertThumbprint, the SSL certificate served at the idpEntityId URL is used as the idp signing key. If you instead would like to use the signing certificate published in the metadata document at idpMetadataUrl, set this value to true.
In both cases the trust in the idp key rests on the TLS connection used to fetch it, so idpEntityId and idpMetadataUrl must be https URLs; referencing the idp certificate explicitly with idpCertificate or idpCertThumbprint avoids that dependency.
Default is false
Examples
Example 1
ImageVault is running on the my.imagevault.app domain: spIvBaseUrl=https://my.imagevault.app;
with a custom entity id: spEntityId=https://my.imagevault.app/sp;
and a file-based certificate: spCertificate=~/App_Data/sp-cert.pfx; spCertificatePwd=sp-cert-pwd;
The idp also has a custom id: idpEntityId=https://idp.server.com/idp;
with a custom metadata URL: idpMetadataUrl=https://idp.server.com/metadata/idp-metadata.xml;
and the idp certificate is taken from the metadata document: doNotLoadEntityIdSSLCertificateAsIdpSigningKey=true;
The SAML attribute used as the user's name claim is specified (this OID is the LDAP displayName attribute): NameClaimType=urn:oid:2.16.840.1.113730.3.1.241;
and roles are extracted from distinguished names by supplying a regexp: rolesClaimRegex=^CN=([^,]+)
<add name="ImageVaultSecurityManager"
providerName="ImageVault.Saml2.Providers.Saml2SecurityManager,ImageVault.Saml2.Providers"
connectionString="doNotLoadEntityIdSSLCertificateAsIdpSigningKey=true;spIvBaseUrl=https://my.imagevault.app;idpEntityId=https://idp.server.com/idp;spEntityId=https://my.imagevault.app/sp;idpMetadataUrl=https://idp.server.com/metadata/idp-metadata.xml;spCertificate=~/App_Data/sp-cert.pfx;spCertificatePwd=sp-cert-pwd;NameClaimType=urn:oid:2.16.840.1.113730.3.1.241;rolesClaimRegex=^CN=([^,]+)"
/>
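The following is an added example, not code from ImageVault or its Saml2 provider. It shows the two parsing rules the page relies on: how the connectionString format above splits into key/value pairs when a value itself contains an equals sign (the rolesClaimRegex of Example 1), and how rolesClaimRegex/groupClaimRegex pull names out of complex claim values. It also fills in the documented defaults and checks spMinIdpSigningAlgorithm against the order listed above. Assumptions (not stated on the page): keys are matched case-insensitively, every match of capture group 1 becomes a role, and the role claim values shown are constructed sample data.

```python
import re

# Connection string copied from Example 1 on this page.
EXAMPLE_CONNECTION_STRING = (
    "doNotLoadEntityIdSSLCertificateAsIdpSigningKey=true;"
    "spIvBaseUrl=https://my.imagevault.app;"
    "idpEntityId=https://idp.server.com/idp;"
    "spEntityId=https://my.imagevault.app/sp;"
    "idpMetadataUrl=https://idp.server.com/metadata/idp-metadata.xml;"
    "spCertificate=~/App_Data/sp-cert.pfx;"
    "spCertificatePwd=sp-cert-pwd;"
    "NameClaimType=urn:oid:2.16.840.1.113730.3.1.241;"
    "rolesClaimRegex=^CN=([^,]+)"
)

# Constructed sample role claims, shaped like LDAP distinguished names.
ROLE_CLAIMS = [
    "CN=Admins,OU=Groups,DC=example,DC=com",
    "CN=Editors,OU=Groups,DC=example,DC=com",
]

# Signing algorithms listed on the page, weakest first.
SIGNING_ALGORITHMS = ["rsa-sha1", "rsa-sha256", "rsa-sha384", "rsa-sha512"]


def parse_connection_string(text):
    """Split 'key=value;key=value;' into a dict.

    Each pair is split on the FIRST '=' only, so a value that itself
    contains '=' (such as ^CN=([^,]+)) survives intact. Keys are lower-cased
    on the assumption that the provider matches them case-insensitively.
    """
    settings = {}
    for pair in text.split(";"):
        pair = pair.strip()
        if not pair:
            continue  # trailing ';' or an empty segment
        if "=" not in pair:
            raise ValueError(f"malformed pair (no '='): {pair!r}")
        key, value = pair.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def effective_settings(settings):
    """Validate required keys and fill in the defaults documented above."""
    if "spivbaseurl" not in settings:
        raise ValueError("spIvBaseUrl is required")
    if "idpentityid" not in settings:
        raise ValueError("idpEntityId is required")
    if not any(k in settings for k in ("spcertificate", "spcertthumbprint", "spcertsubject")):
        raise ValueError("one of spCertificate, spCertThumbprint or spCertSubject is required")
    base = settings["spivbaseurl"].rstrip("/")
    out = dict(settings)
    out.setdefault("spentityid", base + "/Saml2")
    out.setdefault("sploggedouturl", base + "/Account/Loggedout")
    out.setdefault("cookiename", ".saml2session")
    out.setdefault("idpmetadataurl", settings["idpentityid"])
    out.setdefault("spminidpsigningalgorithm", "rsa-sha256")
    out.setdefault("rolesclaimregex", r"([^,\s]+)")
    out.setdefault("groupclaimregex", r"([^,\s]+)")
    return out


def meets_min_signing_algorithm(idp_algorithm, minimum):
    """True if the idp's signature algorithm is at least as strong as the minimum."""
    return SIGNING_ALGORITHMS.index(idp_algorithm) >= SIGNING_ALGORITHMS.index(minimum)


def extract_names(claim_values, pattern):
    """Apply rolesClaimRegex/groupClaimRegex to claim values.

    Assumption: every match of capture group 1 is taken, so a single claim
    value carrying several comma-separated names yields several roles.
    """
    regex = re.compile(pattern)
    names = []
    for value in claim_values:
        names.extend(m.group(1) for m in regex.finditer(value))
    return names


if __name__ == "__main__":
    cfg = effective_settings(parse_connection_string(EXAMPLE_CONNECTION_STRING))
    print("spEntityId      :", cfg["spentityid"])
    print("spLoggedoutUrl  :", cfg["sploggedouturl"])
    print("roles           :", extract_names(ROLE_CLAIMS, cfg["rolesclaimregex"]))
    print("rsa-sha1 ok?    :", meets_min_signing_algorithm("rsa-sha1", cfg["spminidpsigningalgorithm"]))
```

Run it as a script to see the parsed Example 1 settings; the role extraction shows why the default '([^,\s]+)' is not enough for distinguished-name claims (it would return "CN=Admins" rather than "Admins"), which is what the custom rolesClaimRegex in Example 1 fixes.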