Configuring an Identity Provider
After ensuring all prerequisites are met, the first step in setting up SAML authentication is to add an Identity Provider (IdP). If you already have configured an IdP and want to extend its usage (for example, you configured it for patrons and now want to use it for staff authentication too), you can edit the existing identity provider.
Adding a New Identity Provider
To add a new identity provider:
- In the Sierra Administration application, click SAML Configuration in the Back End Management section.
- Select the Identity Providers tab. The system displays previously configured identity providers, if any.
- Click ADD. The Identity Provider window appears.
- Enter the following information:
  - Name -- The name of your IdP. This value is used as the display text on the SAML authentication button. This value must be unique and a minimum of three characters.
  - Usage -- The type of SAML authentication you are configuring this IdP for. Possible values are:
    - Patrons
    - Staff
    - Patrons and Staff
  - Metadata URL -- The URL provided by your site's IdP admin. Sierra uses this URL to ingest metadata from the IdP. This value must start with https:// and be a minimum of 12 characters.
  - Attribute -- The name of the attribute in the IdP's authentication response that Sierra matches against.
  - Duration in Seconds -- The length of time (in seconds) that the login verification from the IdP is valid in Sierra. Innovative recommends matching the value used by the IdP. If this field is left blank, the system defaults to a value of 3600 (one hour).
  - Patron Index Tag -- (Patron authentication only) The indexed field from the patron record to use for authentication.
  - Redirect -- (Patron authentication only) A Boolean value that determines the type of SAML configuration for patron authentication. Possible values are:
    - True -- The system automatically redirects patrons to the external IdP without showing Sierra's login page. This option corresponds to the "External IdP Only" configuration described in Selecting a SAML Configuration.
    - False -- The system displays Sierra's login page, which offers options for both SAML and native authentication. This option corresponds to the "External IdP and Native Authentication" configuration described in Selecting a SAML Configuration. This is the default value.
- Click Submit. The system adds your IdP and does the following:
  - Uses the Metadata URL to ingest the IdP's metadata.
  - Generates a Service Provider (SP) metadata URL, which the IdP later uses to ingest the SP metadata.
  - Enables the SSO ID parameter in staff user accounts if you are adding your first IdP for staff SAML.
  When finished, the system returns you to the Identity Providers tab.
- Retrieve the URL for exchanging metadata with the Service Provider (SP). Sierra generated this URL when you submitted the information for your IdP in the step above.
  - Click the link for the identity provider you just added. The Identity Provider window opens.
  - Copy the content of the SP Metadata URL field. In Sierra 6.3 and later, you can click the icon on the right to copy the content of the field.
  - Click Cancel.
- Upload Sierra's metadata to the IdP.
  - Send the URL from the SP Metadata URL field to your IdP administrator, and ask them to upload the metadata to the IdP.
  - The IdP admin uploads the SP metadata, which completes the metadata exchange.
If your IdP administrator would prefer a metadata file instead of a URL, you can create one by entering the URL in a browser and saving the resulting XML content as a file.
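The metadata exchange above, as an added example that is not part of Sierra's documentation or product code: a Python script that fetches the SP Metadata URL, confirms the response really is SAML 2.0 service-provider metadata (an SPSSODescriptor with an https AssertionConsumerService) before it is handed to the IdP administrator, and saves it as a file. The hosts, URLs and the embedded metadata sample are constructed placeholders; the https:// and 12-character check is the page's own rule for the IdP Metadata URL field.

```python
import urllib.request
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

def is_valid_metadata_url(url: str) -> bool:
    # Sierra's stated rule for the IdP Metadata URL field: https:// and >= 12 characters.
    return url.startswith("https://") and len(url) >= 12

def summarize_sp_metadata(xml_bytes: bytes) -> dict:
    """Confirm the XML is SAML 2.0 service-provider metadata and summarize it."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    acs = [(e.get("Binding"), e.get("Location"))
           for e in sp.findall(f"{{{MD}}}AssertionConsumerService")]
    if not acs:
        raise ValueError("SPSSODescriptor lists no AssertionConsumerService")
    return {
        "entity_id": root.get("entityID"),
        "acs": acs,
        # Assertions are posted to these locations; they should be https like the metadata URL.
        "all_acs_https": all(loc.startswith("https://") for _, loc in acs),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
    }

def save_sp_metadata(sp_metadata_url: str, path: str) -> dict:
    """Fetch Sierra's SP metadata and save it as a file for the IdP admin.
    The body is parsed first so an error or login page is never saved as metadata."""
    with urllib.request.urlopen(sp_metadata_url, timeout=30) as resp:
        data = resp.read()
    summary = summarize_sp_metadata(data)
    with open(path, "wb") as fh:
        fh.write(data)
    return summary

# Constructed sample of what an SP Metadata URL might return (hypothetical host).
SAMPLE_SP_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://sierra.example.org/saml/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://sierra.example.org/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `summarize_sp_metadata(SAMPLE_SP_METADATA)` to see the summary offline; `save_sp_metadata` needs network access to the real SP Metadata URL copied from the Identity Provider window.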
After adding your IdP, you can test your SAML configuration.
Editing an Existing Identity Provider
To edit an existing identity provider:
- In the Sierra Administration application, click SAML Configuration in the Back End Management section.
- Select the Identity Providers tab. The system displays previously configured identity providers.
- Click the link for the IdP you want to edit. The Identity Provider window appears.
- In the Usage dropdown list, select "Patrons and Staff".
- (Optional) Edit other fields as needed. The Name and SP Metadata URL fields are read-only and cannot be edited.
- Click OK.
After editing your IdP, you can test your SAML configuration.