
    Using SAML for User Authentication

    SAML (Security Assertion Markup Language) is an XML-based, open standard data format for exchanging authentication and authorization data between parties (in particular, between an identity provider and a service provider such as Primo). Primo supports the SAML 2.0 Web Browser SSO profile, which enables Primo to exchange authentication and authorization information.
    The SAML specification defines three roles: the user, the identity provider (IDP), and the service provider (SP). Primo is the service provider; the identity provider is, for example, Shibboleth. The following steps describe the interaction between the user, Primo, and the IDP that provides authentication and authorization:
    1. The user invokes the sign-in option in Primo.
    2. Primo sends an authentication request to the IDP using the HTTP-Redirect binding.
    3. The IDP performs a single-sign-on check.
    4. If the user is not logged on to the IDP, the IDP’s login page (which is not Primo’s login page) opens.
    5. After the user logs on, the IDP redirects back to Primo with a SAML response, which includes an assertion (encrypted or non-encrypted), using the HTTP-POST binding.
    6. Primo retrieves the user attributes from the SAML response (or fetches user attributes from Alma or Aleph) and logs the user in.
    To configure Primo to use SAML authentication:
    1. Gather the necessary information about your IDP from your authentication manager. In SAML terms, this means compiling the IDP metadata.
    2. Open the User Authentication Wizard page (Primo Home > Ongoing Configuration Wizards > User Authentication Wizard).
    3. From the list of profiles, click Edit next to the SAML profile that you want to configure.
      The Login Profile page opens.
      SAML Login Profile Page
    4. Use the following table to configure the SAML authentication fields:
      SAML Configuration Fields
      Parameter Description
      IDP_LOGIN_URL
      (Required) The IDP login URL. This is the URL Primo uses when it sends the authentication request.
      IDP_ISSUER
      (Required) The IDP entity ID.
      USER_ID_ATTR_NAME
      Defines the user attribute that should be used as the user’s unique ID. If not defined, the SAML default will be used.
      IDP_LOGOUT_URL
      This is the sign-out URL. When users sign out or the Primo session ends, Primo redirects them to this URL. Depending on the setting of the IDP_LOGOUT_URL_REDIRECT_ONLY field, Primo also attaches a SAML Logout Request to this URL.
      IDP_LOGOUT_URL_REDIRECT_ONLY
      This option indicates whether a SAML Logout Request is attached to the IDP logout URL. The following values are valid:
      • blank or False – The user is redirected to the IDP logout URL, and a SAML Logout Request is attached to the URL so that the IDP can continue the logout process. Check with your authentication administrator that your IDP supports this functionality.
      • True – The user is redirected to the IDP logout URL only.
      SILENT_LOGIN_ENABLE
      The valid values are True (default) and False.
      Enable or disable “silent login” in Primo. If “silent login” is enabled and a new session is opened with the same browser in a new window or tab, the user is automatically logged on to Primo.
      EMAIL_OVERRIDE
      The valid values are True and False (default).
      If set to True, the email returned with the user information will always override the email stored in the user’s profile in Primo.
      AUTH_BASE_URL
      The base URL name used by the institution. For example:
      https://<institution>-primo.hosted.exlibrisgroup.com
      There is no path after the server name.
      Use http or https according to your needs.
      ADFS
      Indicates whether Active Directory Federation Services (AD FS) is enabled on the system. The valid values are True and False.
      Certificate File
      (Required) Click Choose File to select the IDP's public encryption key certificate file to load. The certificate file must be in text format and have one of the following extensions: .cer or .pem.
    5. Select SAML, ALEPH (see Aleph Information Request Fields), or ALMA (see Alma Information Request Fields) from the Select User Information Method drop-down list.
    6. Click Save to save your profile and return to the Login Profiles page.
    7. From the list of profiles, click Edit next to your SAML profile.
      The Login Profile page opens with an additional option.
      SAML Login Profile Page - Additional Option
      The Attributes Mapping button displays only when the user information method has been selected and saved.
    8. Map the user attributes that are associated with SAML authentication. For more information, see Attribute Mapping.
    9. Click Save to save your profile and return to the list of profiles on the Login Profiles page.
    10. Create the certificate and send it to your IDPs. For more information, see Managing Certificates for SAML Authentication.
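    The following added example shows how the settings in the SAML Configuration Fields table are used on the wire for steps 2 (the authentication request to IDP_LOGIN_URL) and for sign-out (IDP_LOGOUT_URL with or without an attached Logout Request, governed by IDP_LOGOUT_URL_REDIRECT_ONLY), together with a sanity check of the Certificate File constraints. This is illustrative code, not Primo's implementation: the deflate-then-base64 encoding is the standard SAML 2.0 HTTP-Redirect binding, but the profile values, request bodies and the use of AUTH_BASE_URL as the SP issuer are assumptions.

```python
# Added example, not Ex Libris / Primo code: the HTTP-Redirect binding used for
# the authentication request (step 2) and for the optional Logout Request,
# driven by settings shaped like the SAML Configuration Fields table.
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed profile values (hypothetical IDP and institution).
PROFILE = {
    "IDP_LOGIN_URL": "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO",
    "IDP_ISSUER": "https://idp.example.edu/idp/shibboleth",
    "IDP_LOGOUT_URL": "https://idp.example.edu/idp/profile/SAML2/Redirect/SLO",
    "IDP_LOGOUT_URL_REDIRECT_ONLY": "",   # blank or False: attach a Logout Request
    "AUTH_BASE_URL": "https://example-primo.hosted.exlibrisgroup.com",
}


def is_true(value):
    """Table flags are text; blank and anything other than 'true' count as False."""
    return str(value or "").strip().lower() == "true"


def encode_redirect_param(xml):
    """HTTP-Redirect binding: raw DEFLATE, then base64; urlencode() does the URL-encoding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw deflate, no zlib header
    return base64.b64encode(comp.compress(xml.encode("utf-8")) + comp.flush()).decode("ascii")


def decode_redirect_param(value):
    """Inverse of encode_redirect_param (what the IDP does on receipt)."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def authn_request_url(profile, request_id, issue_instant, relay_state=None):
    """Step 2: the URL the browser is redirected to, built on IDP_LOGIN_URL.
    The SP issuer is assumed to be AUTH_BASE_URL."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
           f'Destination="{profile["IDP_LOGIN_URL"]}">'
           f'<saml:Issuer>{profile["AUTH_BASE_URL"]}</saml:Issuer></samlp:AuthnRequest>')
    params = {"SAMLRequest": encode_redirect_param(xml)}
    if relay_state:
        params["RelayState"] = relay_state   # e.g. the Primo page to return to
    return profile["IDP_LOGIN_URL"] + "?" + urlencode(params)


def logout_url(profile, name_id, request_id, issue_instant):
    """Sign-out: IDP_LOGOUT_URL alone when IDP_LOGOUT_URL_REDIRECT_ONLY is True,
    otherwise IDP_LOGOUT_URL with a SAML Logout Request attached."""
    url = profile["IDP_LOGOUT_URL"]
    if is_true(profile.get("IDP_LOGOUT_URL_REDIRECT_ONLY")):
        return url
    xml = (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
           f'Destination="{url}">'
           f'<saml:Issuer>{profile["AUTH_BASE_URL"]}</saml:Issuer>'
           f'<saml:NameID>{escape(name_id)}</saml:NameID></samlp:LogoutRequest>')
    return url + "?" + urlencode({"SAMLRequest": encode_redirect_param(xml)})


def saml_request_from_url(url):
    """Recover the request XML from a redirect-binding URL."""
    query = parse_qs(urlsplit(url).query)
    return decode_redirect_param(query["SAMLRequest"][0])


def check_certificate_file(filename, content):
    """The Certificate File field wants a text (PEM) certificate named .cer or .pem."""
    if not filename.lower().endswith((".cer", ".pem")):
        return False
    return ("-----BEGIN CERTIFICATE-----" in content
            and "-----END CERTIFICATE-----" in content)
```

    Decoding the SAMLRequest parameter from the generated URL is a quick way to confirm, when troubleshooting with the IDP administrator, that the Destination and Issuer values Primo sends match what the IDP metadata expects.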