WSFed IdP Configuration
LabShare's WSFed implementation supports the `wsignin1.0` and `wsignout1.0` flows.
Property | Type | Details |
---|---|---|
issuer | string | Name of the issuer of the token. Required. |
Configuring a WSFed IdP using the LabShare Auth UI
Steps
- Log in to the Auth UI (ng-auth) instance connected to the LabShare Auth API service.
- View or create a Tenant.
- From the main Tenant dashboard, go to the Providers dashboard in the left navigation menu and register one or more Identity Providers.
- Navigate to the Applications dashboard and click the Add New button.
- In the form, specify the `name`, an optional OAuth `clientID` (defaults to a UUID), and set the type to `wsfed`.
- Select the identity providers for the application. This step connects the user directories of the selected identity providers to the WSFed application's OAuth client. For example, assigning a Google IdP to the WSFed OAuth client allows anyone with a Google account to sign in to the WSFed Service Provider that the application is associated with, so select only the identity providers whose users should have access.
- (Optional) Restrict access using authorization.
- In the JSON editor, provide the configuration options for the WSFed IdP listed below, based on the requirements of the WSFed Service Provider.
- After creating the new WSFed application, click the settings icon next to the new entry in the Applications dashboard
Options
By default, none of the options below are required when configuring a new WSFed IdP.
Property | Type | Details |
---|---|---|
claims | object | An object containing key/value pairs for custom claims to add or remap in the SAML assertion carried by the WSFed token. |
sites | array | A list of hostname-to-OAuth-client-ID pairings (objects with `hostname` and `client` keys). This is a workaround for separating SharePoint web applications when multiple applications share the same server farm. |
encryptedAssertion | string | Encrypt the WSFed assertion. If enabled, `encryptionPublicKey` and `encryptionCert` must also be set. |
lifetimeInSeconds | number | The WSFed assertion lifetime, in seconds. |
cookie | object | WSFed cookie settings. |
cookie.session | boolean | Enable/disable session cookies. Session cookies persist until the user agent is closed. |
Example
```json
{
  "lifetimeInSeconds": 7200,
  "sites": [
    {
      "hostname": "hedwig.org",
      "client": "123214124"
    }
  ],
  "cookie": {
    "session": false
  },
  "claims": {
    "http://schemas.xmlsoap.org/claims/WSFedProvider": "NCATS UNA"
  }
}
```
Notes
SharePoint
When enabling WSFed authentication in a SharePoint web application that hosts an SPA, ensure that the `lifetimeInSeconds` value matches the lifetime of the WSFed login session cookie generated by SharePoint. Otherwise the two sessions expire at different times: Auth's custom WSFed cookie can expire while the SharePoint cookie is still valid (or vice versa), which produces a session timeout conflict for the user.
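The following is an added example, not code from LabShare Auth or ng-auth. It shows two checks a practitioner would want before saving the JSON above: a linter that enforces the documented option types and the `encryptedAssertion` dependency, and a resolver that applies the `sites` hostname-to-client pairings to an incoming `wsignin1.0` request (the SP's realm is taken from the standard `wtrealm` parameter). The `lifetimeMatchesSharePointCookie` helper encodes the SharePoint note. Function names, the `wtrealm`-to-hostname mapping rule, and the default-client fallback are assumptions for illustration; the example config object is constructed from the sample on this page.

```javascript
// Added example, not LabShare's own code. Validates a WSFed application
// config against the options documented on this page and resolves the
// OAuth client for a wsignin1.0 request via the `sites` pairings.
// All function names and the fallback rule are assumptions for illustration.

// Constructed from the sample configuration on this page.
const EXAMPLE_CONFIG = {
  lifetimeInSeconds: 7200,
  sites: [{ hostname: "hedwig.org", client: "123214124" }],
  cookie: { session: false },
  claims: { "http://schemas.xmlsoap.org/claims/WSFedProvider": "NCATS UNA" },
};

const ENCRYPTION_DEPENDENCIES = ["encryptionPublicKey", "encryptionCert"];

// Returns a list of problems; an empty list means the config passes.
function validateWsfedConfig(cfg) {
  const problems = [];
  if (cfg.lifetimeInSeconds !== undefined &&
      (!Number.isInteger(cfg.lifetimeInSeconds) || cfg.lifetimeInSeconds <= 0)) {
    problems.push("lifetimeInSeconds must be a positive integer (seconds)");
  }
  // Documented dependency: encryption needs both key material options set.
  if (cfg.encryptedAssertion) {
    for (const dep of ENCRYPTION_DEPENDENCIES) {
      if (!cfg[dep]) problems.push(`encryptedAssertion requires ${dep}`);
    }
  }
  if (cfg.sites !== undefined) {
    if (!Array.isArray(cfg.sites)) {
      problems.push("sites must be an array of {hostname, client} objects");
    } else {
      cfg.sites.forEach((s, i) => {
        if (typeof s.hostname !== "string" || s.hostname === "") {
          problems.push(`sites[${i}].hostname must be a non-empty string`);
        }
        if (typeof s.client !== "string" || s.client === "") {
          problems.push(`sites[${i}].client must be a non-empty string`);
        }
      });
    }
  }
  if (cfg.cookie !== undefined && cfg.cookie.session !== undefined &&
      typeof cfg.cookie.session !== "boolean") {
    problems.push("cookie.session must be a boolean");
  }
  if (cfg.claims !== undefined) {
    if (typeof cfg.claims !== "object" || cfg.claims === null || Array.isArray(cfg.claims)) {
      problems.push("claims must be an object of claim URI -> value");
    } else {
      for (const [uri, value] of Object.entries(cfg.claims)) {
        if (typeof value !== "string") problems.push(`claims["${uri}"] must be a string`);
      }
    }
  }
  return problems;
}

// Extract the hostname from a wtrealm value; non-URL realms yield null.
function realmHostname(wtrealm) {
  try {
    const host = new URL(wtrealm).hostname.toLowerCase();
    return host === "" ? null : host;
  } catch {
    return null;
  }
}

// Resolve which OAuth client serves a wsignin1.0 request. `params` are the
// query parameters of the request (wa, wtrealm, wreply, wctx); the hostname of
// wtrealm is matched against `sites`, falling back to the application's own client.
function clientForSigninRequest(cfg, params, defaultClient) {
  if (params.wa !== "wsignin1.0") {
    throw new Error(`unsupported wa value: ${params.wa}`);
  }
  const host = params.wtrealm ? realmHostname(params.wtrealm) : null;
  if (host !== null && Array.isArray(cfg.sites)) {
    const site = cfg.sites.find((s) => String(s.hostname).toLowerCase() === host);
    if (site) return site.client;
  }
  return defaultClient;
}

// SharePoint note: the assertion lifetime must equal the SharePoint WSFed
// login cookie lifetime (seconds) to avoid a session timeout conflict.
function lifetimeMatchesSharePointCookie(cfg, sharePointCookieSeconds) {
  return cfg.lifetimeInSeconds === sharePointCookieSeconds;
}

module.exports = { EXAMPLE_CONFIG, validateWsfedConfig, clientForSigninRequest, lifetimeMatchesSharePointCookie };
```

Run the linter on the JSON before pasting it into the Auth UI editor; the resolver is the piece to adapt if a SharePoint farm fronts several web applications under different hostnames, since that is exactly the case the `sites` option exists for.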