Configure a new SAML service

MIRACL provides predefined profiles for popular SAML2 Service Providers in the M-Pin SSO Server.

Instructions for installing these can be found on the next page of this menu section.

If the Service Provider you wish to use with M-Pin SSO is not listed there, use this document, which describes how to configure the M-Pin SSO Server to work with a generic SAML2 Service Provider.

For more information, please see your Service Provider’s SAML documentation and the OASIS consortium’s SAML wiki: https://wiki.oasis-open.org/security/FrontPage

  1. Declare M-Pin SSO as a SAML2 identity provider on your SAML2 Service Provider using the SAML2 Identity Provider metadata of M-Pin SSO.

  2. Go to http[s]://your.domain.com/idp/saml2/metadata to obtain the metadata from your service provider.

  3. Add and configure a new SAML2 service provider in M-Pin SSO using the metadata of the service provider obtained in step 2.

You first need to create a new SAML2 Service Provider entry. This requires the SAML2 metadata of the Service Provider as described above.

Log in to your SSO instance and go to Dashboard › Saml › Service providers › Add service provider (http[s]://your.domain.com/admin/saml/libertyprovider/add/)

Fill in the form fields:

Note: The service provider must be enabled. See below about configuring the service provider with policies: options of the service provider, protocol policy, attribute policy.

Save

The SAML2 options of the service provider are configured using SP options policies.

You may create a regular policy and configure your service provider to use it.

  1. Go to: http[s]://your.domain.com/admin/saml/spoptionsidppolicy/add/

  2. Configure your policy

  3. Save.

Applying the policy to the service provider:

Example with a policy ‘Default’:

Example with a policy ‘All’:

If no policy is found for the configuration of the SAML2 options of a service provider, the error message “No SP policy defined” is displayed to users when an SSO request is received.

The added service will appear on the M-Pin SSO homepage: