SAML
This section describes how to setup and configure Form.io with a SAML Authentication Provider for Single-Sign-On functionality.
Introduction
Simplify and centralize your user authentication process by integrating SAML into your Form.io project. This integration allows you to configure your application login forms to support SAML SSO authentication for your application users.
SAML Provider
Choosing a SAML provider is the first step in the integration process. A SAML application will then be created and configured. Form.io offers integration with many providers, including the following:
Microsoft Entra ID (formerly Azure AD)
Once a provider has been chosen and a SAML application has been created, the next step is to integrate the SAML application with your Form.io project. The integration process involves transferring specific credentials and endpoints from the SAML application and then using that information to construct a Passport Configuration JSON object that will be saved within the Form.io Project connected to your application. Form.io utilizes the Node.js SAML Authentication library.
Form.io utilizes the Node.js SAML Authentication library. Click Here for documentation and a full list of SAML Passport properties
Form.io Authentication Configuration
After applying the correct information from your SAML Provider to your Project's authorization settings, the Form.io authentication form embedded in your application will be configured to support SAML SSO authentication.
The following documentation is centralized around applying SAML to a client-based application connected to the Form.io project. The same concepts detailed in this documentation can also be applied to the Form.io Portal Base project that controls your Developer Portal to allow Form.io users to utilize SAML SSO to authenticate into the Form.io environment.
Video Tutorial
The following video demonstrates the creation of a SAML application, integration with Form.io, and configuring the authentication form that will instigate the SAML authentication process for the client application. OneLogin serves as the SAML Provider in this video, however, the same principles can be applied to other Providers.
General Troubleshooting
While the SAML provider configuration and settings fall outside of Form.io, here are some common errors and troubleshooting tips if your SAML authentication isn't functioning correctly.
Errors
Invalid Signature
Cause: The signature in the SAML response or assertion could not be verified, often due to mismatched certificates between the IdP and Form.io or an unsupported signature algorithm.
Solution: Ensure that the public certificate used by the IdP matches the one configured in Form.io and that the IdP supported signature algorithm (preferably RSA-SHA256).
Ensure the cert from the Idp matches the cert saved in the Form.io SAML settings Form.io typically signs:
SAML Assertions (the payload that contains authentication and user details).
Optionally, SAML Responses (the overall message containing the assertion).
If the SAML signature isn't validated correctly, you may need to check the certificate used in the IdP configuration and ensure the hashing algorithm is compatible (e.g., SHA-256).
Audience URI mismatch
Cause: The Audience URI in the SAML response from the IdP does not match what Form.io expects.
Solution: Verify that the Audience URI in the IdP settings matches the URL of your Form.io application. This typically looks like:
Ensure there are no typos, extra slashes, or case-sensitivity issues.
SAML Assertion is not valid
Cause: The SAML assertion may have expired, the certificate used to sign the assertion could be invalid, or the assertion lacks the necessary conditions.
Solution: Check the SAML assertion for correct timestamps and validity. Ensure that the IdP is signing the assertion properly and that Form.io can validate the signature.
Ensure the 'Email Path' and 'Roles Path' in the Form.io SAML settings align with the email and group parameters provided by the IdP. Often, these parameters will be set to 'email' and 'groups.'
Invalid RelayState
Cause: The RelayState parameter in the SAML request is either missing or invalid.
Solution: Ensure that the RelayState parameter is properly set in the SAML authentication request, and that it is being passed correctly between the IdP and Form.io. This will often time be the hosted application domain.
NameID or Groups not found in SAML Assertion
Cause: The SAML assertion does not contain the
NameID or groups
attribute, which is essential for identifying the user or user SAML group.Solution: Ensure the IdP is configured to include the
NameID or group
attribute in the SAML assertion, typically within the<Subject>
element.
Missing Attribute Statement
Cause: The SAML assertion is missing required attributes that Form.io expects (e.g., email, username, or custom attributes).
Solution: Check the IdP configuration to ensure it is passing the required user attributes in the SAML assertion.
How to Troubleshoot:
Use a SAML Tracing Tool: Browser extensions like SAML Chrome Panel or SAML-tracer (Firefox) can capture SAML requests and responses for analysis.
Check Configuration: Verify that both the IdP and Form.io configurations are aligned, particularly regarding the Audience URI, ACS URL, and signature settings.
Review Logs: Check the IdP and SP logs for more detailed error messages that might provide clues to what went wrong.
Password Configuration - Utilize the Passport Config over the SAML Metadata when configuring the SAML integration settings within the Form.io Project.
These error messages are typically due to configuration mismatches or signing issues, and can usually be resolved by carefully reviewing the settings on both sides.
OneLogin
This section covers the OneLogin Provider SAML application setup process and integration with the Form.io Project.
Create and Configure Application
From your OneLogin Admin dashboard, create a new application by clicking the Applications tab and then the Add App button.
Select the SAML Custom Connector (Advanced) for SAML2.0 application
Give the Application a name and click the Save button with the default configurations
Click the Configuration tab to set up the application details
Add the RelayState (optional) - Live endpoint of the hosted application
https://app.yoursite.com
Add the Audience (EntityID) - Live endpoint of the hosted application
https://app.yoursite.com
Add the ACS (Consumer) URL Validator - Live Endpoint of the Form.io Project with form.io\/saml\/acs appended at the end of the URL. Backslash characters
\
should be added in front of all forward slash characters/
https:\/\/myproject.domain\/abc123\/saml\/acs
Add the ACS (Consumer) URL - Live Endpoint of the Form.io Project with form.io/saml/acs appended at the end of the URL.
https://myproject.domain.com/abc123/saml/acs
The configuration should look similar to the following:
Within the Configuration tab, set the SAML signature element to the Both setting
Configuring Parameters
Click the Parameters tab and ensure the following parameter is set (this should be set by default) NameID value field is configured with the Email value
Click the Paramter Tab, click the + button to add a new Parameter
Set the Field Name to groups (case sensitive)
Set the Value to User Roles
Check the Include in SAML assertion flag
Save the Parameter
The application should have two parameters set NameID Value (created by default with the application) group parameter created in the previous step
Save the application
Create Users
With the application configured, create a user base within the OneLogin Admin dashboard. Users can then be assigned to a Role linked with the SAML Application, enabling mapping between SAML Groups and Form.io roles.
Within the OneLogin Admin dashboard, hover over the User tab and click Users
Click the New User button
Input the Information for the User and then click Save User
Click the More Action tab and set a Password for the User
Generate multiple users to assign them to different roles that will be created in the next step
Create & Assign Groups
With our Users in place, the next step is to create Roles the SAML Users will be assigned to. This will allow us to establish mappings between SAML Roles (Groups) and Form.io roles.
Within the OneLogin Admin dashboard, hover over the User tab and click Roles
Click the New Role button
Give the Role a name and select your SAML Application the Role should be associated with
Click the Save role
Within the Roles tab, click the Role that was just created and click the Users Tab
Using the search bar, search and select all Users that should be added to the Role and click Check
Click the Add To Role button for each user
Click Save
Assign Role To Application
With the Roles established, the next step is to assign the Role to the SAML application
Hover over the Application tab and select Applications
Navigate to your SAML Application
Click the Access tab
Select all of the Roles you wish to assign to the Application Users assigned to the selected roles will be associated with the Application.
Click Save
Passport Configuration
Once the SAML application setup is finalized, XML data will be extracted from the application and utilized for building the Passport Configuration. This JSON configuration will be saved to the Form.io Project to complete the integration.
Click Here for more information about SAML Passport Configurations
Download XML File
Navigate to the OneLogin application
Click the More Actions tab and click the SAML Metadata button to download the XML info
Store the XML information as it will be used to construct the Passport Config
Construct the Passport Config JSON object. Search the XML file for the property titles within the example below and input the data accordingly.
The identityProviderUrl and entryPoint endpoint can be found by searching the SingleSignOnService HTTP-REDIRECT endpoint
The logoutUrl endpoint can be found by searching SingleLogoutService
The cert can be found by searching the X509Certificate
The identifierFormat can be found by searching NameIDFormat
The audience must match the Audience (EntityID) endpoint within the Configuration tab within your OneLogin SAML application.
The issuer can be found by searching the entityID
Quickly generate the JSON object by utilizing the SAML Passport Generator found within the SAML Settings of the Form.io Project.
Form.io Integration
With the Passport Config JSON object constructed, the Form.io project can now be configured.
Within the Form.io Project, click Settings > Authentication > SAML
Click the Authorization Settings tab
Scroll down and paste the Passport Config JSON from the previous step
Click the Configuration tab and add the following to the Email Path setting field
email
Click the Save Settings
Role Mapping
In many cases, you may want to map the SAML Role associated with the SAML User to a Form.io Role. Apply the following configurations to configure the Role mappings.
Within the Form.io SAML settings, click the Configuration tab and set the following to the Role Path
Within your OneLogin SAML Application, click the Access tab and take note of the Role Names assigned to the application.
Back to the Form.io SAML settings, scroll down to the Role Mapping setting
Map SAML Roles (case sensitive) to the desired Form.io Roles
Save your settings
After authentication, SAML users assigned to the Admin SAML role will obtain the Form.io Administrator role, while those assigned to the Member role will receive the Form.io Authenticated role. This can be seen by inspecting the user object within the dev console.
Authentication Configuration
The final step is to configure the Form.io Login form embedded in your application to support SAML. Alternatively, you can modify your application to support a similar process. Follow the link below for documentation.
Form.io Authentication Configuration
Okta
This section covers the Okta SAML application setup process and integration with the Form.io Project.
Create and Configure Application
From your Okta Admin dashboard, create a new Okta application by clicking Applications and then Create App Integration.
Select SAML 2.0 from the modal window and click Next
Provide a Name for the application and click Next
Provide the Single Sign-On URL Copy your Form.io project endpoint and append /saml/acs at the end of the URL. Example: if your project API endpoint is https://myproject.domain.com/abc123 then your Assertion Consumer Service URL will be the following.
Provide the Audience URI Copy your Form.io project endpoint and append the path /saml/metadata at the end of the URL. Example: if your project API endpoint is https://myproject.domain.com/abc123 then your Audience URI will be the following.
Ensure the Name ID format is set to EmailAddress
Ensure the Application username is set to Email
The Attribute Statements and Group Attribute Statements section is where we can define the name for different User Information (attributes) and define the name for SAML Groups. This will ensure the required information is provided by the SAML user when they authenticate.
Set the following for the Attribute Statements
Basic
user.email
firstName
Basic
user.firstName
lastName
Basic
user.lastName
Set the following for the Group Attribute Statements Ensure the Matchest regex filter is set to:
.*
groups
Unspecified
Matches regex: .*
Click Next to complete the configuration of your Okta SAML 2.0 application.
Create Users
With the application configured, create a user base within the Okta Admin dashboard. These Users can then be assigned to a SAML group which will be associated with the SAML Application and allow for mapping between SAML Groups and Form.io roles.
Within your Okta Admin dashboard, click the Directory tab and select People
Within the People tab, click the Add Person button
Enter person details for the SAML User
Click the Password dropdown to determine how Users password will be set
Click Save to add the User
Create & Assign Groups
With our Users in place, the next step is to create Groups the SAML Users will be assigned to. This will allow us to establish mappings between SAML Groups and Form.io roles.
Within your Okta Admin dashboard, click the Directory tab and select Groups
Click the Add Group button
Give your Group a Name and click Save
With a Group created, the next step is to assign users to the Group.
From the Group tab, select the Group to add Users to
Click the Assign people button
Click the + button next to a User to assign them to a Group
Assign Groups To SAML Application
To assign the Group, open the Directory tab, select the Group, and click the Applications tab
Click the Assign applications button
Within the modal window, click the Assign button next to your SAML application
Passport Configuration
Once the SAML application setup is finalized, XML data will be extracted from the application and utilized for building the Passport Configuration. This JSON configuration will be saved to the Form.io Project to complete the integration.
Click Here for more information about SAML Passport Configurations
Within the Okta Admin Dashboard, click the Application tab and select your SAML app
Click the Sign On tab and copy the Metadata URL
Copy the Metadata URL and open the URL within your browser
Store the XML information as it will be used to construct the Passport Config
Construct the Passport Config JSON object. Search the XML file for the property names within the example below and input the data accordingly.
The identityProviderUrl and entryPoint endpoints can be found by searching SingleSignOnService
The cert can be found by searching the X509Certificate
The identifierFormat can be found by searching NameIDFormat (emailAddress endpoint)
The issuer can be found by searching the entityID
The audience must match the Audience Restriction endpoint within the General tab of your Okta SAML application.
Quickly generate the JSON object by utilizing the SAML Passport Generator found within the SAML Settings of the Form.io Project.
Example Template:
Form.io Integration
With the Passport Config JSON object constructed, the Form.io project can now be configured.
Within the Form.io Project, click Settings > Authentication > SAML
Click the Authorization Settings tab
Scroll down and paste the Passport Config JSON from the previous step
Click the Configuration tab and add the following to the Email Path setting field
email
Save your settings
Role Mapping
In many cases, you may want to map the SAML Role associated with the SAML User to a Form.io Role. Apply the following configurations to configure the Role mappings.
Within the Form.io SAML settings, click the Configuration tab and set the following to the Role Path
Within your Okta SAML Application, click the Assignments tab and click Groups. Take note of the Group Names assigned to the application.
Back to the Form.io SAML settings, scroll down to the Role Mapping setting
Map Okta SAML Groups (case sensitive) to the desired Form.io Roles
Save your settings
After authentication, SAML users assigned to the Admin SAML role will obtain the Form.io Administrator role, while those assigned to the Member role will receive the Form.io Authenticated role. This can be seen by inspecting the user object within the dev console.
Authentication Configuration
The final step is to configure the Form.io Login form embedded in your application to support SAML. Alternatively, you can modify your application to support a similar process. Follow the link below for documentation.
Form.io Authentication Configuration
Microsoft Entra ID
This section covers the Microsoft Entra ID SAML application setup process and integration with the Form.io Project.
The UI and theming may differ slightly between the free plan and paid plan
Create and Configure Application
After setting up your account, navigate to the Azure Portal, click the left navigation panel, and select Microsoft Entra ID.
Within the left-hand navigation bar, select Enterprise Applications
Click the +New Application button
Search and select Entra SAML Toolkit
Give the Application a name and click the Create button
Within the Entra ID application, click the Single sign-on button in the Manage toolbar
Select the SAML option
Within the application Set up section, scroll down and copy the Microsoft Entra Identifier endpoint
Scroll back up to the Basic SAML Configuration section and click the Edit button
Apply the following SAML Configuration for the Application
Add the Identifier (Entity ID) - Microsoft Entra Identifier copied in the previous step
https://sts.windows.net/abc-123-def-456
Add the Reply URL (Assertion Consumer Service URL) - Live Endpoint of the Form.io Project application with form.io/saml/acs appended at the end of the URL.
https://myproject.domain.com/abc123/saml/acs
Add the Sign On URL - Application domain endpoint
https://myapplication.domain.com
Save the settings
Within the Single sign-on of your application, click the Edit button for the SAML Certificates
Set Signing Option to Sign SAML response and assertion
Set Signing Algorithm to SHA-256
Create Users
With the application configured, we can now add Users that will authenticate against Entra ID.
Click the Home button, User tab within the left-hand navigation bar, and then All Users
Ensure you a assign Microfosft License to users or groups within Entra ID
Click the +New User button
Input the User information and click Review + create button
Select how the User Password should be set
Ensure the User email address and name is set within the Properties tab of the user profile
Contact your Azure administrator if these properties are not available
Click the Create button after reviewing the User information
Create several other users to test Group and Role mapping detailed in the next section.
Create & Assign Groups
With our Users in place, the next step is to create Groups the Entra ID Users will be assigned to. This will allow us to establish mappings between SAML Groups (Roles) and Form.io roles.
Click the Groups tab and All Groups within the left-hand navigation bar.
Ensure you a assign Microfosft License to users or groups within Entra ID
Click the +New Group button
Give the Group a Group Name and keep the remaining settings at their default values
Click the No Members Selected button to assign users
Search for the User created in the previous section
Select the User
Click the Select button
Click the Create button
Follow the same steps to create additional Groups
Enable Group Claims
With the Groups established, the next step is to enable the Group claim within the EntraID application.
Navigate back to your Entra ID SAML application
Click the Single sign-on tab
Edit the Attributes & Claims section
Click the +Add a group claim button
Select the Groups assigned to the application option
Click the Source attribute dropdown and select the Cloud-only group display names option
Save the claim
Within the Attributes & Claim page, take note of the Group Claim endpoint
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
Assigning Groups to Application
Navigate back to your Entra ID SAML application
Select the Users and groups tab then click the + Add user/group button
On the next screen, click the None Selected
Select the Groups created in the previous steps
Click the Select button at the bottom of the screen and then Assign on the following page
After assigning the Groups, you should see the Groups displayed within the User and Groups tab of the Entra ID application. Users assigned to the selected groups will be associated with the Entra ID Application.
Passport Configuration
Once the SAML application setup is finalized, XML data will be extracted from the application and utilized for building the Passport Configuration. This JSON configuration will be saved to the Form.io Project to complete the integration.
Click Here for more information about SAML Passport Configurations
Download XML File
Navigate to your Entra ID SAML application
Click the Single sign-on tab
Within the SAML Certificates click the download button for the Federation Metadata XML
Store the XML information as it will be used to construct the Passport Config
Construct the Passport Config JSON object by locating the parameter titles in the XML file as shown in the example below, and input your specific data accordingly
The identityProviderUrl, entryPoint, and logoutUrl endpoint can be found by searching the SingleSignOnService
The cert can be found by searching the X509Certificate
The issuer can be found by searching the entityID
The callbackUrl must match the Reply URL endpoint within the Single sign-on tab of your Entra ID application
The signatureAlgorithm will be set to sha256
Quickly generate the JSON object by utilizing the SAML Passport Generator found within the SAML Settings of the Form.io Project.
Form.io Integration
With the Passport Config JSON object constructed, the Form.io project can now be configured.
Within the Form.io Project, click Settings > Authentication > SAML
Click the Authorization Settings tab
Scroll down and paste the Passport Config JSON from the previous step
Click the Configuration tab and add the following to the Email Path setting field
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Save your Settings
Role Mapping
In many cases, you may want to map the SAML Role associated with the SAML User to a Form.io Role. Apply the following configurations to configure the Role mappings.
Within the Form.io SAML settings, click the Configuration tab and set the following to the Role Path
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
Back to your EntraID SAML Application, click the Users and group tab. Take note of the Group Names assigned to the application.
Back to the Form.io SAML settings, scroll down to the Role Mapping setting
Map SAML Roles (case sensitive) to the desired Form.io Roles
Save your settings
After authentication, SAML users assigned to the Admin SAML role will obtain the Form.io Administrator role, while those assigned to the Member role will receive the Form.io Authenticated role. This can be seen by inspecting the user object within the dev console.
Authentication Configuration
The final step is to configure the Form.io Login form embedded in your application to support SAML. Alternatively, you can modify your application to support a similar process. Follow the link below for documentation.
Form.io Authentication Configuration
AuthO
This section covers the Auth0 Provider SAML application setup process and integration with the Form.io Project.
Create and Configure Application
From your Auth0 Admin dashboard, create a new Auth0 by clicking the Applications tab and clicking the +Create Application button
From the application Modal window, select Single Page Web Applications
Provide a name for the Application and click the Create button
Click the Addons tab
Toggle the SAML 2.0 button
Click the Settings tab
Within the Modal window, provide the Allowed Callback URL. Also known as the by other SAML providers. For this value, copy your Form.io project endpoint and append /saml/acs at the end of the URL. Example: if your project API endpoint is https://yourdomain.com/myproject, then your Assertion Consumer Service URL will be the following.
https://yourdomain.com/myproject/saml/acs
Scroll down and click the Enable button
After enabling the application, click Save
The application should now be ready for SAML Authentication. The next step is to create Groups the SAML users will be assigned to. These Groups will then be mapped to Form.io roles for granular permissions.
Create Users
With the application configured, create a user base within the Auth0 Admin dashboard. These Users can then be assigned to a SAML group which will be associated with the SAML Application and allow for mapping between SAML Groups and Form.io roles.
Within the Auth0 admin dashboard, click the User Management tab and then Users
Click the +Create User button
Input user information and click Create
Create additional users to assign to the different Roles that will be established in the next step.
Create & Assign Groups
With our Users in place, the next step is to create Groups the SAML Users will be assigned to. Auth0 groups are created and managed through extensions. This group extension will allow us to establish mappings between SAML groups and Form.io roles for granular permissions.
Within the left-hand navigation bar, click Extensions
Select Auth0 Authorization
Click Install within the Extension modal
Once installed, click the Extension and Authorize the extension for your application
Click the GO TO CONFIGURATION button
Click the Groups radio button
Click the Publish Rule button
Within the Extension, click the Groups tab then + Create Your First Group button
Give the Group a Name and Description
Click the +Add Member button
Search and select the user(s) to assign to the Group and Save
Passport Configuration
Once the SAML application setup is finalized, XML data will be extracted from the application and utilized for building the Passport Configuration. This JSON configuration will be saved to the Form.io Project to complete the integration.
Click Here for more information about SAML Passport Configurations
Within the Auth0 Admin Dashboard, click the Application tab and select your SAML app
Click the Add On tab and click the SAML2 Web App
Within the Usage tab, click the Download to extract the XML file
Store the XML information as it will be used to construct the Passport Config
Construct the Passport Config JSON object. Search the XML file for the property titles within the example below and input the data accordingly.
The identityProviderUrl and entryPoint endpoint can be found by searching the SingleSignOnService HTTP-REDIRECT endpoint
The cert can be found by searching the X509Certificate
The identifierFormat can be found by searching NameIDFormat
The logoutUrl endpoint can be found by searching SingleLogoutService
The callbackURL must match the Application Callback URL endpoint within the Setting tab of your Auth0 SAML application.
The issuer can be found by searching the entityID
Set the wantAuthnResponseSigned to false
Quickly generate the JSON object by utilizing the SAML Passport Generator found within the SAML Settings of the Form.io Project.
Form.io Integration
With the Passport Config JSON object constructed, the Form.io project can now be configured.
Within the Form.io Project, click Settings > Authentication > SAML
Click the Authorization Settings tab
Scroll down and paste the Passport Config JSON from the previous step
Click the Configuration tab and add the following to the Email Path setting field
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Save your settings
Role Mapping
In many cases, you may want to map the SAML Role associated with the SAML User to a Form.io Role. Apply the following configurations to configure the Role mappings.
Within the Form.io SAML settings, click the Configuration tab and set the following to the Role Path
http://schemas.xmlsoap.org/claims/Group
Within your Auth0 SAML application, click the Extensions tab, and the Auth0 Authorization extension.
Click the Groups tab and take note of the Groups Names assigned to the extension.
Back to the Form.io SAML settings, scroll down to the Role Mapping setting
Map SAML Roles Names (case sensitive) to the desired Form.io Roles
Save your settings
After authentication, SAML users assigned to the Admin SAML role will obtain the Form.io Administrator role, while those assigned to the Member role will receive the Form.io Authenticated role. This can be seen by inspecting the user object within the dev console.
Authentication Configuration
The final step is to configure the Form.io Login form embedded in your application to support SAML. Alternatively, you can modify your application to support a similar process. Follow the link below for documentation.
Form.io Authentication Configuration
Form.io Authentication Configuration
SAML Authentication can be set up either by utilizing a Form.io Login form or by modifying the code within your application
Login Form Configuration
Follow the steps below to achieve SAML SSO authentication using a Form.io Login form.
Edit the authentication Form embedded within your application
Drag and drop a Button component
Modify the Label to reflect SAML authentication
Click the Action dropdown and select Custom
Copy the following code and paste it into the Button Custom Logic code block
Add a Hidden component
Click the Data tab and open the Custom Default Value tab
Add the following JavaScript within the code block
Save the Settings and Form
Application Configuration
To achieve authentication within your application, the following code will instigate the SSO process.
The Formio.ssoInit
method is used to both instigate the SSO process as well as handle the callback once the authentication occurs. Because of this, it may be beneficial to place this code within a button on so that the login will occur once you click on a "Login" button, and then trigger the Formio.ssoInit
method once the page returns with the ?saml=
query parameter (which indicates that the SSO process has completed).
SAML Passport Configuration
The "Passport Config" setting simplifies the process of configuring SAML authentication settings for your Form.io project, allowing you to specify how your application interacts with the SAML identity provider using JSON configuration. Passport then utilizes this configuration to manage the authentication flow and grant access to authenticated users
Form.io utilizes the Node.js SAML Authentication library. Click Here for documentation and a full list of SAML Passport properties
As an example, many Microsoft Azure Active Directory deployments do not cryptographically sign their SAML assertions (despite signing the top-level SAML response). Form.io, however, expects both the SAML response and the SAML assertions to be signed by default. In this case, your Passport Config JSON object would set the wantAssertionsSigned
parameter to false, and might look something like this:
This JSON configuration will ensure that Form.io is aware that it should not expect the assertions to be cryptographically signed.
For those customers that use private key encryption for SAML responses and/or a private key for decryption, we provide two environment variables which allows you to provide the absolute paths to those key files in your container's file system rather than as plain text string values in the Passport Config JSON object. Those variables are SAML_PASSPORT_PRIVATE_KEY_PATH and SAML_PASSPORT_DECRYPTION_PVK_PATH. Alternatively, you can specify the private key and/or the decryption private key as strings in the JSON object.
SAML Passport Generator
Quickly generate the Passport JSON object by utilizing the SAML Passport Generator found within the SAML Settings of the Form.io Project. This generator allows the user to simply input the required endpoints and credentials from the XML data of the SAML provider. The generator will then output the correct JSON structure for the user saving time and relieving potential user error.
To access the Passport Generator, navigate to the SAML settings page:
Settings > Authorization > SAML > Authorization Settings
Scroll down to the Passport Configuration of the settings page. Here you can select different SAML Properties required by the SAML provider. Once selected, input the correlated endpoint or settings from the XML file of your SAML provider.
A full JSON object will be generated and passed to the Passport configuration which will be used to authenticate and authorize SAML users.
Custom Parser
The Custom Parser generates a custom payload for the JWT token based on the SAML Profile object of the authenticating SAML user. This feature opens up additional SAML Profile attributes and claims within the user object as well as more granular control over SAML/Form.io role mappings.
The API Server will first check if there is data saved to the "Custom Parser" tab before generating a token. If the Custom Parser is being utilized, then the filled Profile Fields are not taken into account when generating the JWT token.
The Project ID within the payload can not be changed.
Custom Parser Example
This example will include additional profile claims saved to the SAML Profile object as well as the
Profile – the data from the SAML profile object.
Roles - These are the IDs of the project roles you would like this user to have when authenticating.
Test Connection to SAML - COMING SOON
After the XML Metadata or Passport Config is filled in, you can use a test connection to SAML. Сlick on the "Save SAML Authorization Settings and Connect to SAML" button, and all unsaved authorization SAML settings will be saved and a new window will open with a test connection to the SAML provider.
After successful authorization, the authorized user's profile object will be available. This will make it easier to fill in the Profile Fields or use Custom Parser.
Last updated