To configure a SAML type of integration profile, you must have the following role:
- General System Administrator
Alma supports the SAML 2.0 Web Browser SSO profile. This enables Alma to exchange authentication and authorization information, allowing a user to sign in or out of an external system and be automatically signed in or out of Alma, or vice versa.
For a detailed overview of SAML-based SSO, see https://developers.exlibrisgroup.com/alma/integrations/user-management/authentication/inst_idp/saml.
To configure a SAML type of integration profile:
- On the Integration Profile List page (Administration > General Configuration > Configuration Menu > External Systems > Integration Profiles), click Add Integration Profile. The first page of the integration profile wizard appears.
- Enter the external system information, such as (Profile) Code and Name, select SAML as the integration type, and click Next. The SAML Definitions configuration dialog box appears.
- You can populate the profile information from metadata. To use a metadata link, select the Metadata Link option and provide the location of the link in the Metadata file link field. To use a metadata upload, select the Metadata upload option and select the file in the Upload IdP metadata file field.
- Select Default SAML profile to configure the profile as the default.
- If the profile was not automatically populated with metadata (in step 3), enter the IDP issuer, IDP Login URL, User ID Location, User ID Attribute Name, IDP Logout URL, IDP Single Logout Service, and Sign Single Logout Requests settings. For more information on these fields, see https://developers.exlibrisgroup.com/alma/integrations/user-management/authentication/inst_idp/saml.
- Select an Alma metadata file version. When creating a new profile, only one option, Signed certificate, is available. Existing profiles offer three options: Version 1, Version 2, and Signed certificate. It is recommended that Signed certificate be selected; it has a shorter expiration date and stronger encryption than Version 1 and Version 2. The Version 1 certificate expires in 2023, while Version 2 expires in 2114.
- In Certificate upload method, select the type of certificate to upload (see https://developers.exlibrisgroup.com/alma/integrations/user-management/authentication/inst_idp/saml). Alma accepts certificate file uploads, free-text certificate entry, and JKS files. If JKS file or Certificate file is selected, a field is displayed to select the file from the user's file system. If Free-text certificate is selected, a field is displayed to accept the text of the certificate. A note beside the field indicates whether a certificate has already been uploaded. As of January 1, 2017, Alma no longer supports certificates signed with the MD5withRSA algorithm. For more information, see https://blogs.oracle.com/java-platform-group/entry/strengthening_signatures.
- Click Save.
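Step 3 fills the IDP issuer, IDP Login URL and IDP Logout URL from the IdP's metadata, and step 7 rejects MD5withRSA certificates. The following Python script, added here as an illustration and not part of Alma or this page, extracts those values from an IdP metadata file before you fill in the profile and flags any signing certificate whose DER encoding contains the md5WithRSAEncryption OID; the metadata document, IdP hostname and certificate blob are constructed samples, not a real IdP.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# DER encoding of OID 1.2.840.113549.1.1.4 (md5WithRSAEncryption) as it appears inside a certificate
MD5_WITH_RSA_OID = bytes.fromhex("06092a864886f70d010104")

# Constructed sample metadata for a hypothetical IdP; the "certificate" is a placeholder blob that merely contains the OID above, not a real X.509 certificate.
PLACEHOLDER_CERT = base64.b64encode(b"\x30\x82" + MD5_WITH_RSA_OID + b"\x05\x00").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.edu/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.edu/idp/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.edu/idp/sso-post"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.edu/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def _location(idp, tag, binding=REDIRECT):
    """Location of the first <tag> endpoint using the preferred binding, else the first endpoint of that kind."""
    endpoints = idp.findall(f"md:{tag}", NS)
    for ep in endpoints:
        if ep.get("Binding") == binding:
            return ep.get("Location")
    return endpoints[0].get("Location") if endpoints else None

def uses_md5_with_rsa(cert_b64):
    """Heuristic: True if the base64 DER certificate contains the md5WithRSAEncryption OID."""
    der = base64.b64decode("".join(cert_b64.split()))  # metadata often wraps the blob across lines
    return MD5_WITH_RSA_OID in der

def parse_idp_metadata(xml_text):
    """Collect the values the SAML profile asks for, plus a flag for the legacy signature algorithm."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    certs = [c.text for c in idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {
        "idp_issuer": root.get("entityID"),
        "idp_login_url": _location(idp, "SingleSignOnService"),
        "idp_logout_url": _location(idp, "SingleLogoutService"),
        "signing_cert_count": len(certs),
        "md5_with_rsa": any(uses_md5_with_rsa(c) for c in certs),
    }
```

Run `parse_idp_metadata()` on the metadata file you would otherwise upload in step 3; a `True` in `md5_with_rsa` means the IdP's signing certificate must be replaced before the profile will work.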
To use a profile that is not the default, use the /SAML/idpCode/[profile code] suffix in the Alma URL.