Scribd
Upload
58 views28 pages

Iuclid Saml Sso Configuration For Azure Ad en

This document provides instructions for configuring single sign-on (SSO) between IUCLID and Azure Active Directory using Security Assertion Markup Language (SAML). It describes setting up Azure AD as an identity provider and IUCLID as a service provider, and mapping Azure AD user and group data to IUCLID roles, security groups, and legal entities. Key steps include adding the IUCLID application to Azure AD, configuring SAML SSO, and enabling SSO in IUCLID while mapping Azure AD groups to IUCLID authorization structures.

Uploaded by

sebics
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
58 views28 pages

Iuclid Saml Sso Configuration For Azure Ad en

This document provides instructions for configuring single sign-on (SSO) between IUCLID and Azure Active Directory using Security Assertion Markup Language (SAML). It describes setting up Azure AD as an identity provider and IUCLID as a service provider, and mapping Azure AD user and group data to IUCLID roles, security groups, and legal entities. Key steps include adding the IUCLID application to Azure AD, configuring SAML SSO, and enabling SSO in IUCLID while mapping Azure AD groups to IUCLID authorization structures.

Uploaded by

sebics
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 28

IUCLID Configuration for SAML-Based

SSO with Azure Active Directory


IUCLID Configuration for SAML-Based SSO with Azure Active Directory i

Legal Notice
The information in this document does not constitute legal advice. Usage of the information
remains under the sole responsibility of the user. The European Chemicals Agency does not
accept any liability with regard to the use that may be made of the information contained in this
document.

Title: IUCLID Configuration for SAML-Based SSO with Azure Active Directory
Issue date: August 2023
Language: en

IUCLID 6 is developed by the European Chemicals Agency in association with the OECD.
© European Chemicals Agency, 2023
Reproduction is authorised provided the source is fully acknowledged in the form
“Source: European Chemicals Agency, http://echa.europa.eu/”, and provided written notification is
given to the ECHA Communication Unit ([email protected]).
If you have questions or comments in relation to this document, please send them to ECHA via the
information request form at the address below, quoting the reference and issue date given above:
https://echa.europa.eu/contact

European Chemicals Agency


Mailing address: P.O. Box 400, FI-00121 Helsinki, Finland
Visiting address: Telakkakatu 6, Helsinki, Finland

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory ii

Changes to this document

Date Modification
23/08/2023 Chapter 4.3: updated the configuration to enable SSO in IUCLID
moving specific parameters from <jvm-options> to <system-property>
01/11/2022 Removed ending slash from the values of Identifier (Entity ID) and
Reply URL
Added extra configuration step to make sure Reply and Assertion are
both signed.
Added Sign-on URL config option to support IUCLID access through
MS application directory.
26/04/2022 First public release.
12/01/2022 First version.

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory iii

Table of Contents
Changes to this document ....................................................................................................ii
Table of Contents ..................................................................................................................iii
Table of Figures .....................................................................................................................iii
1. Introduction ......................................................................................................................1
1.1. About SAML ................................................................................................................. 1
1.2. Mapping Azure Active Directory user data to IUCLID user data....................................... 2
2. Prerequisites ....................................................................................................................3
3. Configuring Azure Active Directory ..............................................................................4
3.1. Add the IUCLID application to the Azure AD tenant ........................................................ 4
3.2. Set up SAML-based SSO for IUCLID in the Azure AD tenant.......................................... 6
3.3. Collect information needed to configure SSO in IUCLID ................................................. 8
3.4. Create a group that represents access permission to IUCLID ......................................... 9
3.5. Create groups in Azure AD that map to IUCLID Roles and IUCLID Security Groups ...... 10
3.6. Assign users/groups in Azure AD to the IUCLID application .......................................... 11
4. Configuring IUCLID .......................................................................................................14
4.1. Configure public certificate of the external IDP ............................................................. 14
4.2. Configure user data synchronization from IDP to IUCLID.............................................. 14
4.3. Enable SSO in IUCLID ................................................................................................ 17
Appendix A. Example of the file idp-user-sync-config.yml ....................................19
Appendix B. Documentation of the file idp-user-sync-config.yml ........................21

Table of Figures
Figure 1: The protocol for Identity Provider (IDP) and Service Provider in Single Sign On (SSO). 1

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory Page 1 | 24

1. Introduction
The purpose of this document is to provide instructions regarding the configuration of the IUCLID
application, for SAML-based Single Sign On (SSO) with Azure Active Directory acting as an
external identity provider (IDP).
A successful integration of IUCLID with an external identity provider via SSO requires the
collaboration between business and IT units of your organisation. They should work together to
review existing authorisation policies both at organisation level and at IUCLID level. These policies
should be reviewed to capture a streamlined configuration that’s reflects the desired access to data
and actions in IUCLID.

1.1. About SAML


Security Assertion Markup Language (SAML) is an open standard for exchanging authentication
and authorization data between parties: an identity provider and a service provider.
The single most important use case that SAML addresses is single sign on (SSO) via a web
browser. A user employs a user agent, usually a web browser, to request a web resource that is
protected by a SAML service provider. The service provider, wishing to know the identity of the
requesting user, issues an authentication request to a SAML identity provider through the user
agent. The resulting protocol flow is depicted in the following diagram:

Figure 1: The protocol for Identity Provider (IDP) and Service Provider in Single Sign On (SSO)

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory Page 2 | 24

Note: In this document the IUCLID application acts as the SAML service provider (above right),
and Azure Active Directory has the role of the SAML identity provider (above left). The client in the
middle of the above diagram is the user acting from a web browser.

The SAML standard defines a set of XML-based messages for security assertions:
• SAML Request, example fields: ID, Issuer, Assertion consumer URL
• SAML Response, example fields: ID, Issuer, In response to (ID), Recipient, Subject
The SAML messages are signed and potentially encrypted.

1.2. Mapping Azure Active Directory user data to IUCLID user data
The authentication and authorisation setup of IUCLID is built upon 4 main concepts:
• Legal entities: Several legal entities can be assigned to a user, however, when logged in,
only one legal entity can be the user’s working legal entity. This working legal entity is
passed to the entities the user creates, e.g. substances, mixtures.
• Roles: Each role includes a set of permissions that determine the actions users can
perform (read, write, delete) with each type of entity (substance, mixtures, dossiers, etc.) or
inventory (reference substances, legal entities, etc.). Special permissions are included for
general operations (print, export, import) and for system administration.
• Security groups: If Instance Based Security (IBS) is enabled, access is defined per
individual entity, and can also be limited to the users belonging to certain security groups.
• Users: Per user, IUCLID stores the basic user information (username, first name, last
name, etc.), and also the legal entities, roles, and security groups assigned to the user.

For more information about these concepts, refer to the document: Functionalities of IUCLID in the
web interface.
The maintenance of user information can be delegated from IUCLID to an external identity provider
(IDP), like Azure Active Directory, that supports Single Sign On (SSO) using the SAML standard.
Thus, a centralised system can hold the user information, including the password. However, the
data objects that will be assigned to users must first exist in IUCLID, e.g. IUCLID Roles, IUCLID
Security Groups, and IUCLID Legal entities.
The main objects which need to be managed in Azure Active Directory are:
• Users: The user object contains information about the individual including password and
logon credentials.
• Groups: Groups are primarily used for the purpose of managing and securing groups of
users. Groups can also be used for representing different access rights of users in different
systems of an organization.

Users are created in Azure Active Directory (AD) and they are assigned to different Azure AD
Groups. An Azure AD user will correspond to a IUCLID user.
During configuring SSO in IUCLID it is possible to do the following mappings:
• Azure AD Groups -> IUCLID Roles
• Azure AD Groups -> IUCLID Security Groups (only if IBS is enabled in IUCLID)

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory Page 3 | 24

• Azure AD Groups -> IUCLID Legal Entities

Different strategies can be applied when defining Azure AD Groups and IUCLID Roles/Security
Groups/Legal Entities:
• One-to-one mapping: One Azure AD Group can correspond to a single IUCLID
Role/Security Group/Legal Entity
• One-to-many mapping: One Azure AD Group can correspond to multiple IUCLID
Roles/Security Groups/Legal Entities
• Combination of the above
After a successful authentication with a 3rd party SAML IDP provider, the IUCLID application
updates the user information in its local database, and assigns the user to the relevant IUCLID
Roles, IUCLID Security Groups, and IUCLID Legal entities.

2. Prerequisites
IUCLID 6 v6 is installed successfully. If you want to define IUCLID security groups in your SSO
configuration Instance Based Security needs to be manually enabled during the installation
process. See Installation and Update Instructions for IUCLID6 Server for details.
Azure Active Directory is available.

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory Page 4 | 24

3. Configuring Azure Active Directory

3.1. Add the IUCLID application to the Azure AD tenant


In the Azure AD portal, select Enterprise applications.

Click on New application.

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory Page 5 | 24

Click on Create your own application.

Enter the application name and select the option:


Integrate any other application you don't find in the gallery (Non-gallery).

The application is created.

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory Page 6 | 24

3.2. Set up SAML-based SSO for IUCLID in the Azure AD tenant


In the Azure AD portal in the overview page of the newly created application:
Click on Set up single sign on.

Select the single sign on method SAML.

Set up Single Sign-On with SAML:


• Basic SAML configuration:
o Identifier (Entity ID): https://<IUCLID URL>/iuclid6-idp/ws
E.g.: https://localhost:8181/iuclid6-idp-ws
o Reply URL (Assertion Consumer Service URL): https://<IUCLID URL>/iuclid6-idp/ws
E.g.: http://localhost:8181/iuclid6-idp-ws
o Sign-on URL: https://<IUCLID URL>/iuclid6-web
E.g.: https://localhost:8181/iuclid6-web

• User Attributes & Claims


o user.givenname
o user.surname
o user.mail

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory Page 7 | 24

o user.userprincipalname
o user.groups [SecurityGroup]
• Use user.userprincipalname as the Unique User Identifier
• Add the security groups to User Attributes & Claims

• In the opened dialog select Security groups.

• In the section SAML Certificates (#3) press Edit:

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory Page 8 | 24

Set Signing Option to Sign SAML response and assertion

3.3. Collect information needed to configure SSO in IUCLID


Download the file SAML Signing Certificate.

Make a record of the values of the following parameters, for later use:
• Login URL
• Azure AD Identifier
• Logout URL

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory Page 9 | 24

3.4. Create a group that represents access permission to IUCLID


Create a group that represents access permission to the instance of the IUCLID application.

Add users to the group.

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory Page 10 | 24

3.5. Create groups in Azure AD that map to IUCLID Roles and IUCLID
Security Groups
Create Azure AD security groups that will be mapped to IUCLID Roles and IUCLID Security
Groups in the IUCLID application. For example, an Azure AD security group that can be mapped to
the IUCLID Role, Full Access.

Add users to the group.

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory Page 11 | 24

3.6. Assign users/groups in Azure AD to the IUCLID application


In Azure AD users can be assigned to a given application, as such specifying the set of users who
can access the application. This serves the same purpose as the special security group that
represents access permission to IUCLID (see above). Select Add user/group under:
Enterprise Applications > My IUCLID Application > Users and groups

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory Page 12 | 24

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory Page 13 | 24

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory Page 14 | 24

4. Configuring IUCLID
The configuration files referred to in this section are in the IUCLID installation at:
<iuclid6-installation-
folder>\glassfish4\glassfish\domains\domain1\config\

4.1. Configure public certificate of the external IDP


Import into the keystore of IUCLID, the SAML Signing Certificate which was downloaded in an
earlier step. This is done from the command line, in the folder:
<iuclid6-installation-
folder>\glassfish4\glassfish\domains\domain1\config\
Ensure that the following file is present. It is delivered with IUCLID.
sso-default-third-party.jks
Ensure that the SAML Signing Certificate is present, for example in a file named:
My-IUCLID-Application.cer
Execute the command:
keytool -importcert -file My-IUCLID-Application.cer -keystore sso-
default-third-party.jks -alias SamlSigningCertificate

The default password for the keystore file is admin12345_.

4.2. Configure user data synchronization from IDP to IUCLID


Create a text file named idp-user-sync-config.yml in the folder:
<iuclid6-installation-
folder>\glassfish4\glassfish\domains\domain1\config\
Note: an example is provided with this document, that can be used as a starting point. For more
information on the different configuration parameters please see the annex.
The configuration file serves two main purposes:

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory Page 15 | 24

1. Specifies how to read the SAML XML attributes in the response that is returned from IDP
after a successful authentication. This is required to perform synchronization of user-data
and to validate access, e.g.:
a. A single IDP group or role indicating access permission to this specific IUCLID
instance;
b. User account data that is saved to the IUCLID database: username, first name, last
name, email;
c. List of mappings of groups in IDP, to Roles in IUCLID. This is used to assign
IUCLID roles to the authenticated username;
d. List of mappings of groups in IDP, to security groups in IUCLID. This is used to
assign IUCLID security groups to the authenticated username. This setting is
optional and is relevant only if Instance Based Security (IBS) is enabled in IUCLID;
e. List of mappings of groups in IDP, to Legal entities in IUCLID. This is used to assign
IUCLID Legal entities to the authenticated username. This setting is optional
2. Defines SAML specific configuration parameters:
a. The URL of the external SAML provider;
b. The path to the keystore file where the IDP’s SAML signing certificate is stored;
c. The alias of the IDP’s SAML signing certificate provided when adding it in the
keystore;
d. The alias of IUCLID’s SAML request signing certificate;
e. The password of IUCLID’s SAML request signing certificate;
f. The URL that will be used when performing log-out.

The image below is a screenshot from a text editor showing an example of the configuration file
idp-user-sync-config.yml
It shows the first part of the file, which contains the configuration of how to read the attributes from
the SAML response XML, based on the values in Azure AD, such as group object IDs, and the
settings under Single Sign-On with SAML > User Attributes & Claims.

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory Page 16 | 24

In the lower part of the file, configuration parameters specific to SAML are defined.

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory Page 17 | 24

4.3. Enable SSO in IUCLID


In IUCLID, the configuration file for IDP/SSO is declared, and user management via the web
interface is turned off. The settings are in the file domain.xml in the folder:
<iuclid6-installation-
folder>\glassfish4\glassfish\domains\domain1\config\
Set the following system-properties elements in the section:
<config name="server-config">

Option Description Value


iuclid6.admin.user.create Enables/disables user creation in false
the web UI.
iuclid6.admin.user.assignToRole Enables/disables role assignment false
to users in the web UI.
iuclid6.admin.user.assignToGroup Enables/disables group false
assignment to users in the web UI.
idp.sso.config Path to the configuration file for the <path>
synchronization of user data.

Example:

<system-property name="iuclid6.admin.user.create" value="false"></system-
property>
<system-property name="iuclid6.admin.user.assignToRole"
value="false"></system-property>
<system-property name="iuclid6.admin.user.assignToGroup"
value="false"></system-property>

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory Page 18 | 24

<system-property name="idp.sso.config"
value="${com.sun.aas.instanceRoot}/config/idp-user-sync-config.yml"></system-
property>

After doing the above steps restart the IUCLID application for the changes to take effect.

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory Page 19 | 24

Appendix A. Example of the file idp-user-sync-config.yml

# Configure the IDP Group that represent access to this IUCLID instance.
# In this example 430d72f5-b91d-4902-9f2b-6ce0e54cce40 is the ID of the Group from Azure AD
that is named My_IUCLID_App_Access.
instanceAccess:
samlAttributeName:
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
samlAttributeValue: 430d72f5-b91d-4902-9f2b-6ce0e54cce40
# Configure the SAML attribute that holds the user-name value
userUserName:
samlAttributeName: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
# Configure the SAML attribute that holds the user's first name value
userFirstName:
samlAttributeName:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
# Configure the SAML attribute that holds the user's last name value
userLastName:
samlAttributeName:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
# Configure the SAML attribute that holds the user's email-address value
userEmail:
samlAttributeName:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
# Configure the SAML attribute that holds the list of values that could be mapped to IUCLID Roles. Specify
the one-to-one mappings.
# In this example 4916feac-40d1-4c9d-86ab-63da999d1348 is the ID of the Group from Azure AD
that is named IUCLID6_Full_Access. It is configured to map to a IUCLID Role named Full access.
roles:
samlAttributeName:
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
mappings:
- samlAttributeValue: 4916feac-40d1-4c9d-86ab-63da999d1348
iuclidValue: Full access
- samlAttributeValue: eaf45536-6667-468c-adec-40af5b193291
iuclidValue: Test role
# Configure the SAML attribute that holds the list of values that could be mapped to IUCLID Legal Entities.
Specify the one-to-one mappings and provide fallback values.
# In this example ef469666-9752-4459-8dab-0bebe70b2f74 is the ID of the Group from Azure AD
that is named Test Group for a IUCLID LE. It is configured to map to a IUCLID Legal Entity named
Test Legal Entity. If no corresponding IUCLID Legal entity is found then the user will be assigned to a
default/fallback Legal entity, named My LE.

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory Page 20 | 24

legalEntities:
samlAttributeName:
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
mappings:
- samlAttributeValue: ef469666-9752-4459-8dab-0bebe70b2f74
iuclidValue: Test Legal Entity
fallbacks:
- My LE
# Configure the SAML attribute that holds the list of values that could be mapped to IUCLID Security
Groups. Specify the one-to-one mappings and provide fallback values.
# In this example b97cc4dc-8d5d-425d-8ddd-c3763970a935 is the ID of the Group named Test
Group for a IUCLID Group which comes from Azure AD. It is configured to map to a IUCLID Security
group named Test group. If no corresponding IUCLID Security group is found then the user will be
assigned to a default/fallback group, named Common.
groups:
samlAttributeName:
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
mappings:
- samlAttributeValue: b97cc4dc-8d5d-425d-8ddd-c3763970a935
iuclidValue: Test group
manager: true
fallbacks:
- Common
# Configure the URL of the SAML IDP provider
# In this example it is the value of the Login URL as specified in Azure AD under SAML based SSO
settings

idp.saml.provider.url: https://login.microsoftonline.com/26f31e25-c550-40cc-
8af6-449e72b90388/saml2
# Configure the alias of the 3rd party identity provider certificate you provided when adding it in the keystore
idp.certificate.alias: SamlSigningCertificate
# Configure the location of the keystore file containing the 3rd party identity provider certificate. It is
recommended to keep the below default value.
keystore.file: ${com.sun.aas.instanceRoot}/config/sso-default-third-party.jks
# Configure the keystore password. Default value is admin12345_.
keystore.pass: admin12345_
# Configure the alias of IUCLID's own certificate. It is recommended to keep the below default value.
sp.certificate.alias: sso-sp
# Configure the URL that will be used when performing log-out
slo.redirect.path: /iuclid6-web/index.html

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory Page 21 | 24

Appendix B. Documentation of the file idp-user-sync-


config.yml
Property Description Remarks

Defines the element of the


SAML response that is
instanceAccess.samlAttributeName Mandatory
searched for the instance
access property.

Defines the value that the


SAML response must contain
instanceAccess.samlAttributeValue Mandatory
for the user to have access to
the IUCLID instance.

Defines the element of the


SAML response that is
userUserName.samlAttributeName Mandatory
searched for the username of
the user.

Defines the username that


userUserName.fallback will be used if no value is Optional
present in the above element.

Defines the element of the


SAML response that is
userFirstName.samlAttributeName Mandatory
searched for the first name of
the user.

Defines the first name that


userFirstName.fallback will be used if no value is Optional
present in the above element.

Defines the element of the


SAML response that is
userLastName.samlAttributeName Mandatory
searched for the last name of
the user.

Defines the last name that


userLastName.fallback will be used if no value is Optional
present in the above element.

Defines the element of the


SAML response that is
userEmail.samlAttributeName Mandatory
searched for the email of the
user.

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory Page 22 | 24

Property Description Remarks

Defines the email that will be


userEmail.fallback used if no value is present in Optional
the above element

Defines the element of the


roles.samlAttributeName SAML response that is Mandatory
searched for roles.

Defines a set of one-to-one


Optional (if
role mappings between the
roles.mappings fallbacks are
SAML response role names
set)
and the IUCLID role names.

Defines an entry of a SAML There is one


roles.mappings.samlAttributeValue / response role name and the instance of
roles.mappings.iuclidValue corresponding IUCLID role to these per
which it will be mapped. mapping.

Defines a list of IUCLID roles


Optional (if
that will be used in case no
roles.fallbacks mappings are
mapping is provided or no
set)
iuclid roles were mapped.

Defines the element of the


SAML response that is
groups.samlAttributeName Mandatory
searched for the roles of the
user.

Defines a set of one to one


group mappings between the Optional (if
groups.mappings SAML response group names fallbacks are
and the IUCLID security set)
group names.

Defines an entry of a SAML


There is one
response group name and
groups.mappings.samlAttributeValue / instance of
groups.mappings.iuclidValue the corresponding IUCLID
these per
security group to which it will
mapping.
mapped.

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory Page 23 | 24

Property Description Remarks

Defines a list of IUCLID


security groups that will be
Optional (if
used if no mapping is
groups.fallbacks mappings are
provided or no IUCLID
set)
security groups were
mapped.

Defines the element of the


legalEntities.samlAttributeName SAML response that is Mandatory
searched for Legal entities.

Defines a set of one to one


mappings between the SAML Optional (if
legalEntities.mappings response legal entity names fallbacks are
and the IUCLID legal entity set)
names.

There is one
instance of
these per
mapping.
There can be
more than one
legal entity
Defines an entry of a SAML
with the same
legalEntities.mappings.samlAttributeValue response legal entity name
name in a
/ and the corresponding
legalEntities.mappings.iuclidValue IUCLID
IUCLID legal entity to which it
database. All
will mapped.
matching legal
entities are
assigned to
the user, but
the first one is
set as working
legal entity.

A list of IUCLID Legal Entities


that are used if no mapping is
legalEntities.fallbacks Mandatory
provided, or no IUCLID Legal
Entities were mapped.

The URL of the external


idp.saml.provider.url Mandatory
SAML provider.

iuclid_saml_sso_configuration_for_azure_ad_en.docx
IUCLID Configuration for SAML-Based SSO with Azure Active Directory Page 24 | 24

Property Description Remarks

The path to the keystore file


keystore.file that contains the IDP sync Mandatory
certificates.

The alias of the certificate of


idp.certificate.alias the third-party identity Mandatory
provider in the keystore

Mandatory
The password of the
(Predefined
keystore.pass certificate of the service
value:
provider.
admin12345_)

Mandatory
The alias of the certificate of
sp.certificate.alias (Default
the service provider (IUCLID)
Value: sso-sp)

The URL to which the user is


slo.redirect.path redirected on logging out of Optional
IUCLID.

iuclid_saml_sso_configuration_for_azure_ad_en.docx

You might also like