By: Guilherme Capilé Account Admin 08 Jul 2019 at 10:38 a.m. CDT

9 Responses
When trying to configure Dashlane as an SP, their documentation doesn't provide SP metadata, but rather different URLs to set up:

> IdP-agnostic general configuration settings:
> Assertion Consumer Service (ACS) URL: https://ws1.dashlane.com/1/teamPlans/verifyAndAddMemberFromIdp
> Relying Party Identifier: https://ws1.dashlane.com/1/teamPlans/verifyAndAddMemberFromIdp
> Endpoint Trusted URL: https://ws1.dashlane.com/1/teamPlans/verifyAndAddMemberFromIdp
> NameID: Email
> Encryption: Do not encrypt SAML messages
> Signing: Sign Assertions (only sign assertions)

See <https://support.dashlane.com/hc/en-us/articles/212111089-Integrating-Dashlane-with-SAML-2-0>

Is it possible to configure a TR with these settings? Should we ask for Dashlane's SP metadata instead?

Thanks in advance,
Guilherme Capilé

By Mohib Zico Account Admin 09 Jul 2019 at 10:05 a.m. CDT

SP metadata is mandatory to create a SAML trust relationship. Either you can force the SP to give you one, or you can write a simple one yourself. [Here](https://gluu.org/docs/ce/3.1.6/integration/saas/google/#google-metadata) is a sample.

By Guilherme Capilé Account Admin 09 Jul 2019 at 7:22 p.m. CDT

Hello, got it, I was able to create a metadata file. Now how can I create a link to Gluu specifically for authenticating to this service provider? For example, if I want a list of services, I click on a link, go to Gluu, authenticate and then I'm redirected to the service -- is this possible? Is it also possible to filter, based on the LDAP properties, which users are allowed to each service?

By Mohib Zico Account Admin 12 Jul 2019 at 4:30 a.m. CDT

Hello,

>> For example, if I want a list of services, I click on a link, go to Gluu, authenticate and then I'm redirected to the service -- is this possible?

That's how SSO works. It's called "SP-initiated" SAML SSO. You don't need to do anything to achieve this from the Gluu Server's side.

- Just configure your SP to point to your Gluu Server.
- Configure your IDP with the SP's metadata (create the trust relationship, release attributes, etc.).
- Test SSO.

>> Is it also possible to filter, based on the LDAP properties, which users are allowed to each service?

You can do that with attributes. Say some SP1 requires a set of attributes, another SP2 requires others, etc.

By Guilherme Capilé Account Admin 22 Jul 2019 at 8:50 a.m. CDT

Hello, this is the issue: what if the service doesn't provide an SP-initiated SSO request? Is there a way to build one or trigger an IdP-initiated SSO request from a third-party redirect (SAML-based)? Could we build a portal on our website that lists all services, and those links initiate SSO requests for these services? Or does Gluu require that the service itself initiates the request? Some services, like Dashlane, provide no support for SP-initiated SSO requests... so we can't use them with Gluu?

Best regards,
Guilherme Capilé

By Mohib Zico Account Admin 22 Jul 2019 at 9:06 a.m. CDT

Yes, in that case... you can do IDP-initiated SSO.

By Guilherme Capilé Account Admin 22 Jul 2019 at 9:12 a.m. CDT

OK, exactly how can I make Gluu do an IDP-initiated SSO? Would I have to build this portal and have it send a redirect SAML request to Gluu to initiate the authentication for the service?

By William Lowe user 23 Jul 2019 at 7:37 a.m. CDT

Guilherme, IDP-initiated wasn't well supported in Gluu 3.1.x. In Gluu 4.0, which is now in public beta, we are offering more standard guidance: https://gluu.org/docs/ce/4.0/authn-guide/inbound-saml-passport/#idp-initiated-inbound-flow

Thanks,
Will

By William Lowe user 23 Jul 2019 at 9:03 a.m. CDT

Actually, I've been corrected by my colleagues on two levels.

1. The docs I linked to above are for IDP-initiated *inbound* SAML, but you need IDP-initiated *outbound* SAML.
2. 3.1.6 and 4.0 have improved support for IDP-initiated SAML.

Here's the link to 3.1.6 IDP-initiated outbound SAML: https://gluu.org/docs/ce/admin-guide/saml/#idp-initiated-outbound-saml-flow
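
As an added example (not code from this thread, from Gluu, or from Dashlane), the following Python script builds the minimal SP metadata the thread says is mandatory from the URLs Dashlane publishes, reads it back as a sanity check, and forms the kind of portal link that starts IdP-initiated SSO for an SP that cannot initiate it. The Shibboleth unsolicited-SSO endpoint path and the IdP hostname are assumptions, not values from the thread.

```python
# Added example: not code from the Gluu thread, Gluu, or Dashlane.
import urllib.parse
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Values quoted in the thread from Dashlane's documentation.
DASHLANE_ACS = "https://ws1.dashlane.com/1/teamPlans/verifyAndAddMemberFromIdp"
DASHLANE_ENTITY_ID = DASHLANE_ACS  # Dashlane's Relying Party Identifier is the same URL


def build_sp_metadata(entity_id: str, acs_url: str,
                      name_id_format: str = NAMEID_EMAIL) -> str:
    """Return a minimal SP metadata document for an SP that publishes
    only an entityID, an ACS URL and a NameID format."""
    ET.register_namespace("md", MD)
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor", {
        "AuthnRequestsSigned": "false",  # the SP sends no AuthnRequest at all
        "WantAssertionsSigned": "true",  # "Sign Assertions" from the thread
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
    })
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = name_id_format
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", {
        "Binding": POST_BINDING, "Location": acs_url,
        "index": "0", "isDefault": "true",
    })
    return ET.tostring(ed, encoding="unicode")


def parse_sp_metadata(xml_text: str) -> dict:
    """Read back the fields that matter before uploading the file to the
    trust relationship, so a typo in the ACS URL is caught locally."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    acs = sp.find(f"{{{MD}}}AssertionConsumerService")
    return {"entity_id": root.get("entityID"), "acs": acs.get("Location"),
            "want_signed": sp.get("WantAssertionsSigned") == "true",
            "name_id": sp.findtext(f"{{{MD}}}NameIDFormat")}


def idp_initiated_link(idp_host: str, sp_entity_id: str) -> str:
    """Portal link for an SP that cannot start SSO itself. Assumes Gluu's
    Shibboleth IdP exposes the standard unsolicited-SSO endpoint path
    (an assumption; check the Gluu docs linked above for your version)."""
    query = urllib.parse.urlencode({"providerId": sp_entity_id})
    return f"https://{idp_host}/idp/profile/SAML2/Unsolicited/SSO?{query}"
```

Because Dashlane never sends an AuthnRequest, the IdP has no request ID to bind the response to; keeping WantAssertionsSigned set and restricting attribute release per trust relationship is what stops an assertion meant for one SP from being replayed at another.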

By William Lowe user 01 Aug 2019 at 11:10 a.m. CDT

Guilherme, did the above docs help you implement the solution?

Thanks,
Will