Connect client applications using SAML

In 10Duke SysAdmin, you can connect client applications to 10Duke Enterprise using Security Assertion Markup Language (SAML).

If you’re connecting a third-party system as a client application, SysAdmin provides templates with predefined settings for several common systems, such as Salesforce, BambooHR, Atlassian, and Zendesk.

Step 1: Define the general details for a client application

1. In the left sidebar, go to IDENTITY > Client applications.

2. Go to the SAML 2.0 clients tab and select Actions > Create. A dialog opens.

3. Optional: To use settings from one of the templates for third-party applications, select a template on the menu.

   The template overrides any values you have already entered in the fields, including setting the response attributes to the predefined ones from the template.

4. In Title, define a name of the client application.

5. In Entity id, enter the unique entity ID of the client (NameID).

6. In Name ID format, select the subject NameID format expected by the client. For most clients, you can select unspecified.

Step 2: Define the login and logout callback URLs

1. In Login callback URL, define the URL where your client application receives login responses.

   This is usually the Assertion Consumer Service (ACS) that can be found in the SAML metadata of you client.

2. In Logout callback URL (optional), define the logout callback URL for this client application if you’re using single logout (SLO) to handle logouts for multiple client applications.

   This is usually the Assertion Consumer Service (ACS) that can be found in the SAML metadata of you client.

   If the user is signed in to this client application and SLO is started from another application, 10Duke Enterprise calls this URL to log the user out from this client application as well.

Step 3: Enable the use of XML digital signatures

1. Optionally, enable the use of XML digital signatures to secure user assertions in SAML responses.

   • Enable Require signed assertions to have 10Duke Enterprise sign the user assertions.

     If you enable this, also define Client signature algorithm.

   • In Client signature algorithm, select the algorithm to use for signing SAML response assertions.

2. Click Save to create the connection to the client application.

Step 4: Create user detail mappings

Define the mappings for sending the user details to the client application.

A mapping defines the following:

• The user attribute in the SAML response.

• The source data used for the SAML attribute. This can be either a user data field in 10Duke Enterprise or a custom value.

To create a mapping:

1. On the SAML 2.0 clients tab, select the connection in the table. The settings open below.

2. Go to the Response attributes tab.

3. In the first field, define the SAML attribute.

4. In the second field, define the source data.

   To use data from a user account field in 10Duke Enterprise, select a field with the format @internal/<field name>.

5. Click Add.

To edit a mapping, edit the values and click Save next to it. Before you have saved the changes, you can click Reset changes to revert your edits.

To delete a mapping, click the trash can icon next to it.

Next steps

• Implement the SAML connection in the client application.

• If you connected a third-party system as a client application, configure the connection also at the third-party system’s end.

  10Duke Enterprise provides a SAML Identity Provider metadata document, which contains information that you need when defining the connection. The document is available at https://<your 10Duke Enterprise instance>/user/saml20/idp-metadata.

If you later make changes to the client application connection in SysAdmin, the changes take effect immediately.

You can disconnect a client application when it no longer needs to be connected to or delegate authentication to 10Duke Enterprise. To disconnect, delete the connection on the SAML 2.0 clients tab.