SAML2

  1. Go to the WinKK Passport partner management tool https://passport.winkk.com/partner.
  2. Follow the sign-in procedure using the Login button. You have to scan an optical mark with the WinKK Pass mobile application to complete sign-in.
  3. Go to the “Company” category in the management tool to see the company you can manage. The company name should appear under your user name in the title bar.
  4. Go to the “Applications” category in the management tool to see all the applications that are registered within the company.
  5. Use the (+)Add button to bring up the new application registration form.
  6. Fill the required fields of the form:
    • Name – The application title;
    • URL – The root URL of the website where the application has its redirect URL (with the protocol prefix https://, with the port if it is not the default, without the redirect page address).
  7. Choose the interface (integration scheme) for the application – SAML2.
  8. Choose the authentication type for the application in the APPLICATION SECURITY REQUIREMENTS section.
    • Simple – Client has to scan an optical mark to enter the service;
    • Secure – Client has to scan an optical mark and pass additional authentication on the device to enter the service.
  9. Set the SAML-specific settings.
    • Audience – what audience the issued SAML assertion should be targeted to.
    • ACS URL (Assertion Consumer Service) – where the issued SAML assertion will be sent to.
  10. Click the save button on the form. A page with application details will be displayed.
  11. To edit the application settings, click on the Edit button.
  12. To review the application settings and copy the application ID, click on the application name in the “Applications” section. A page with application details will be displayed. The application ID will be used during the SAML integration procedure at the service provider.
  13. Set the identity provider certificate for the service provider. The certificate can be downloaded at https://passport.winkk.com/partner/example/idp.winkk.com.crt
  14. Set the SSO Sign In page URL at the service provider. Construct the link URL using the following pattern https://passport.winkk.com/saml2a/auth?client_id=…
    • client_id – The application ID.
  15. Set the SSO Logout page URL at the service provider. Construct the link URL using the following pattern https://passport.winkk.com/saml2a/logout?client_id=…&RelayState=…
    • client_id – The application ID.
    • RelayState – The URI the client will be redirected to on successful authorization via WinKK Passport, starting with https://.
  16. For IdP-initiated authentication, place the WinKK Passport authorization link on a web page of your web service. Construct the link URL using the following pattern (the same as the SSO Sign In page URL from step 14) https://passport.winkk.com/saml2a/auth?client_id=…
    • client_id – The application ID.
  17. The issued SAML assertions have their attributes filled with the selected profile data. Note that the SAML2 integration scheme does not allow the client to stop sharing Personal information and Email at the “Choose Profile” dialog of the WinKK Pass App, in contrast to the OAuth2 integration scheme.
    In addition, the client has to select a profile with an already validated Email field; WinKK Passport will not accept profiles with a non-validated email or no email at all. The email attribute of the assertion acts as the primary verified key, while the other attributes are for information only and are not validated automatically.
    Client profile data is transformed to SAML attributes according to the following table; this list is subject to expand in the future.
    Field Name           SAML assertion
    email.email          <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
    email.email          <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    email.email          <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    personal.first_name  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    personal.last_name   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    personal.nickname    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
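    The service-provider side of steps 9 and 17, as an added example that is not WinKK's code: after the SAML library has verified the assertion signature with the downloaded idp.winkk.com.crt, the function below checks the Audience configured in step 9, maps the attributes from the table above to profile fields, ignores attributes outside the table, and accepts the assertion only when the email attribute is present and matches the NameID, since email is the only field the article says is verified. The assertion text, the audience value and the extra department attribute are constructed sample data.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Attribute name -> profile field, taken from the mapping table in this article.
ATTRIBUTE_TO_FIELD = {
    CLAIMS + "nameidentifier": "email.email",
    CLAIMS + "emailaddress": "email.email",
    CLAIMS + "givenname": "personal.first_name",
    CLAIMS + "surname": "personal.last_name",
    CLAIMS + "name": "personal.nickname",
}

# Constructed sample assertion for offline testing; not a real WinKK response.
# The XML Signature is omitted because this check runs only after the SAML
# library has verified the signature against idp.winkk.com.crt.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sp.example.com/</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="http://example.com/claims/department"><saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>"""


def extract_profile(assertion_xml, expected_audience):
    """Return profile fields from a signature-verified assertion.
    Only email.email is verified by WinKK Passport (it must equal the NameID);
    the remaining fields are informational and not identity keys."""
    root = ET.fromstring(assertion_xml)  # production: use the SAML library's hardened parser
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion is not addressed to this service provider")
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    profile = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        field = ATTRIBUTE_TO_FIELD.get(attr.get("Name"))
        if field is None:
            continue  # attributes outside the documented mapping are ignored
        value = attr.findtext("saml:AttributeValue", namespaces=NS)
        if field in profile and profile[field] != value:
            raise ValueError("conflicting values for " + field)
        profile[field] = value
    email = profile.get("email.email")
    if not email or email != name_id:
        raise ValueError("no verified email: NameID and emailaddress must match")
    return profile
```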