Hi,
In order to set up SAML SSO in Bonita server, the third-party IdP (Identity Provider, e.g. Keycloak IdP Server, Microsoft AD, ForgeRock OpenAM, ...) must be configured so that it recognises the Bonita server as an SP (Service Provider).
Could you please validate that I got these IdP configuration parameters right?
- SSO end point:
  - Login: https://bonitasoft.host:port/bonita/loginservice
  - Logout: https://bonitasoft.host:port/bonita/logoutservice or https://bonitasoft.host:port/bonita/samlLogout ?
- HTTP-POST URL / Assertion URL: https://bonitasoft.host:port/bonita/saml
- NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified (i.e. the one in the Bonita server's keycloak-saml.xml nameIDPolicyFormat attribute)
Thanks in advance for your help.
Unai
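A practical way to cross-check the SP-side values listed in the question against what the IdP will be told is to run a consistency check over the SP's SAML metadata before registering it. The script below is an added example, not part of the post and not Bonita's or Keycloak's own code. The SP metadata document in it is constructed for illustration: the host `bonitasoft.host:port`, the assertion consumer path `/bonita/saml` and the NameID format come from the question; the `entityID` value, the choice of `/bonita/logoutservice` as the single-logout location and the signing flags are assumptions. The checker verifies the points an IdP administrator usually trips over: every endpoint is HTTPS on the expected host, the default assertion consumer service uses the HTTP-POST binding at the expected path, the advertised NameID format matches the one configured in `keycloak-saml.xml`, and the SP asks for signed assertions.

```python
"""Consistency check of SAML SP metadata against the values an IdP must be given.

Added example; the metadata below is CONSTRUCTED and is not Bonita's real
metadata. Host and paths mirror the forum question; entityID, the single-logout
location and the signing flags are assumptions.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EXPECTED_HOST = "bonitasoft.host:port"          # from the question (placeholder host:port)
EXPECTED_ACS_PATH = "/bonita/saml"              # HTTP-POST / assertion URL from the question
EXPECTED_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed SP metadata (no XML declaration so ET.fromstring accepts a str).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="bonita-sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://bonitasoft.host:port/bonita/logoutservice"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://bonitasoft.host:port/bonita/saml"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text, expected_host, expected_acs_path, expected_nameid):
    """Return a list of findings; an empty list means the metadata is consistent."""
    findings = []
    sp = ET.fromstring(xml_text).find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor element in metadata"]

    # 1. SAML responses carry bearer assertions: every endpoint must be HTTPS
    #    and must sit on the host the IdP is going to be configured with.
    for tag in ("md:AssertionConsumerService", "md:SingleLogoutService"):
        for ep in sp.findall(tag, NS):
            url = urlparse(ep.get("Location", ""))
            if url.scheme != "https":
                findings.append(f"{tag} {ep.get('Location')!r} is not https")
            if url.netloc != expected_host:
                findings.append(f"{tag} host {url.netloc!r} != {expected_host!r}")

    # 2. Exactly one default ACS, using HTTP-POST, at the expected path.
    default_acs = [ep for ep in sp.findall("md:AssertionConsumerService", NS)
                   if ep.get("isDefault", "false") == "true"]
    if len(default_acs) != 1:
        findings.append("expected exactly one default AssertionConsumerService")
    else:
        acs = default_acs[0]
        if acs.get("Binding") != HTTP_POST:
            findings.append(f"default ACS binding is {acs.get('Binding')!r}, not HTTP-POST")
        acs_path = urlparse(acs.get("Location", "")).path
        if acs_path != expected_acs_path:
            findings.append(f"default ACS path {acs_path!r} != {expected_acs_path!r}")

    # 3. The NameID format the IdP will issue must be one the SP advertises
    #    (for Keycloak's adapter this is the nameIDPolicyFormat attribute).
    formats = [(n.text or "").strip() for n in sp.findall("md:NameIDFormat", NS)]
    if expected_nameid not in formats:
        findings.append(f"NameIDFormat {expected_nameid!r} not advertised; got {formats}")

    # 4. Unsigned assertions would let anyone forge a login; insist on signing.
    if sp.get("WantAssertionsSigned") != "true":
        findings.append("WantAssertionsSigned is not 'true'")
    return findings


if __name__ == "__main__":
    problems = check_sp_metadata(SP_METADATA, EXPECTED_HOST, EXPECTED_ACS_PATH, EXPECTED_NAMEID)
    print("OK" if not problems else "\n".join(problems))
```

Run it against the metadata your Bonita server actually exposes (or the `keycloak-saml.xml` values rendered into metadata form) and against the host, path and NameID format you intend to type into the IdP; any finding printed is a mismatch the IdP would otherwise reject at the first login attempt.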