Ex Libris Knowledge Center

    SAML-Based Single Sign-On/Sign-Off

    To configure a SAML type of integration profile, you must have the following role:
    • General System Administrator

    Alma supports the SAML 2.0 Web Browser SSO profile. This enables Alma to exchange authentication and authorization information, allowing a user to sign in or out of an external system and be automatically signed in or out of Alma, or vice versa.

    Following Alma profile activation and third-party configuration, your institution’s support staff changes the Alma login shortcut to the following URL (see Your Alma Domain Names): https://<Alma domain>/SAML.

    For a detailed overview of SAML-based SSO, see https://developers.exlibrisgroup.com/alma/integrations/user-management/authentication/inst_idp/saml.

    If your production server and the sandbox use the same SAML identity provider, Ex Libris recommends that you use the same authentication profile in both environments. In this case, no additional configuration of SAML is required on the sandbox after a sandbox refresh. If your production server and the sandbox use different SAML identity providers, see Recommended Configuration to Account for Sandbox Refresh for more information.
    To configure a SAML type of integration profile:
    1. On the Integration Profile List page (Administration > General Configuration > Configuration Menu > External Systems > Integration Profiles), select Add Integration Profile. The first page of the integration profile wizard appears.
    2. Enter a code and name for the integration profile.
    3. Select the SAML option from the Integration Type drop-down list.
    4. From the System drop-down list, select the system to be used for authentication such as Shibboleth.
    5. Select Next to complete the remaining configuration parameters.
      (Figure: SAML Definitions)
    6. You can populate the profile information from metadata. To use a metadata link, select the Metadata Link option and provide the location of the link in the Metadata file link field. To use a metadata upload, select the Metadata upload option and select the file in the Upload IdP metadata file field.
    7. Select Default SAML profile to configure the profile as the default.
    8. If the profile was not automatically populated with metadata (in the above steps), enter the settings for the IDP issuer, IDP Login URL, User ID Location, User ID Attribute Name, IDP Logout URL, IDP Single Logout Service, and Sign Single Logout Requests. For more information on these fields, see https://developers.exlibrisgroup.com/alma/integrations/user-management/authentication/inst_idp/saml.
    9. Select an Alma metadata file version. When creating a new profile, two options are available: the self-signed Version 2025 and Signed certificate. When editing an existing profile, three options are available: the self-signed Version 2025, Signed certificate, and whichever certificate you were using previously. Version 2025 expires in December 2025 and the Signed certificate expires in January 2021. If you opt to use a previous certificate, Alma continues to accept it, even after the expiration date. If you edit an existing profile and select a new certificate, the previous certificate becomes unavailable once you save the profile. Before changing your certificate, you must check with your IT department.
    10. In Certificate upload method, select the type of certificate to upload (see https://developers.exlibrisgroup.com/alma/integrations/user-management/authentication/inst_idp/saml). Alma accepts certificate file uploads, free-text certificate entry, and JKS files. If JKS file or Certificate file is selected, a field is displayed for selecting the file from the user's file system. If Free-text certificate is selected, a field is displayed for pasting the text of the certificate. A note beside the field indicates whether a certificate has already been uploaded.
      As of January 1, 2017, Alma no longer supports certificates signed with the MD5withRSA algorithm. For more information, see https://blogs.oracle.com/java-platform-group/entry/strengthening_signatures.
    11. If you want Alma to automatically create a new Alma user when an authenticated SAML user who has no existing Alma user logs in, select Active in the Self Registration section.
      1. Enter the User Group, Resource Sharing Library, and Statistical Category that you want to have assigned to the automatically created user.
      2. You can also define the mapping of SAML attributes to their corresponding user fields in Alma by selecting the Mapping of assertion fields to Alma fields link.
        1. Enter the Alma field name in the Code field and the SAML assertion code in the Description field.
        2. Select Customize.
    12. Select Save.
    To use a profile that is not the default, use the /SAML/idpCode/[profile code] suffix in the Alma URL.

    Replacing a Signed Certificate

    If you need to replace your Signed Certificate, you must do it with both Alma and Primo VE, in coordination with your IDP.

    Send the certificate file to your IT department along with the new metadata that is produced by selecting the appropriate link below (inserting your university's base Alma or Primo VE URL in place of <ALMA_VE_BASE_URL>):

    https://<ALMA_VE_BASE_URL>/view/saml/metadata?VERSION=VERSION_2025_NEW (2025 self signed)

    https://<ALMA_VE_BASE_URL>/view/saml/metadata?VERSION=SIGNED_2021 (Jan 2021 DigiCert)

    Make note of the date and time that the IDP will switch the certificate. As close as possible to that time, follow the process in step 9, above, to select the new certificate in the integration profile.

    When either the institution or the IDP switches to the new certificate, login does not work until the other side switches over as well. This is why it is important to note when the IDP is switching over, so that downtime is minimized.
