SAML Login

Since version 3.18 TermWeb supports SAML authentication as a SAML Service Provider (SP).
TermWeb has an active SSO endpoint but does not currently support Single Logout (SLO).

These are the properties that need to be set to enable SAML authentication.

    # Specifies if SAML authentication is enabled.
    login.saml.enabled=true

    # Specifies if during SAML login users are automatically created when they do not exist in TermWeb.
    # If this feature is disabled, then non-existing users can be logged in as guests.
    login.saml.autocreate.users=true

    # Specifies if failed SAML login will log user in as Guest instead.
    login.saml.login.as.guest.when.usermissing=true

    # The entity Id of TermWeb Service Provider (SP)
    login.saml.sp.entityid=example.termweb.eu

    # Assertion consumer service (default value is: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
    login.saml.sp.acs.binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

    # Service provider nameidformat (default value is: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified)
    login.saml.sp.nameidformat=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

    # The entity Id of the Identity Provider (IdP)
    login.saml.idp.entityid=https://app.example.com/saml/metadata/12345678-abcd-1234-abcd-0123456789ab

    # The URL of the IdP for Single SignOn
    login.saml.idp.sso.url=https://termweb-dev.example.com/trust/saml2/http-post/sso/12345678-abcd-1234-abcd-0123456789ab

    # (default value is: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
    login.saml.idp.sso.binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

    # The certificate of the IdP
    login.saml.idp.x509.certificate=CERTIFICATEPUBLICKEY

    # Enable XML validation (default is: true)
    login.saml.security.xml.validation.enabled=true|false

termweb.properties example:

    login.saml.enabled=true
    login.saml.autocreate.users=true
    login.saml.sp.entityid=customer.termweb
    login.saml.idp.entityid=customer.idp
    login.saml.login.as.guest.when.usermissing=true
    login.saml.idp.sso.url=https://customer.url.com/idp/startSSO.ping?PartnerSpId=customer.termweb
    login.saml.idp.x509.certificate=\
        cA0GCSqGSIb3DQEBBQUAMGY\
        xCzAJBgNVBAYTAlVTMQswCQY\
        DVQQIEwJDTzEPMA0GA1UEBxM=
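As an added example (not TermWeb code and not part of the original page), the following Python reads a termweb.properties fragment like the example above, honouring the backslash line continuation used for the certificate value, and flags settings a reviewer would want to look at before go-live: missing required values, a placeholder certificate, a non-HTTPS IdP URL, XML validation switched off, and Guest fallback for unknown users. The property names come from the page; the checks and the sample file are my own construction.

```python
import re

# Property names come from the TermWeb page; the checks below are this example's own.
REQUIRED = ("login.saml.sp.entityid", "login.saml.idp.entityid",
            "login.saml.idp.sso.url", "login.saml.idp.x509.certificate")

def parse_properties(text):
    """Tiny Java .properties reader: '#' comments, key=value, trailing '\\' continues a value."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()          # continuation lines lose their leading whitespace
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):               # value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        key, _, value = line.partition("=")   # split on the first '=' only (base64 may end in '=')
        props[key.strip()] = value.strip()
    return props

def check_saml_config(props):
    """Return a list of findings for the SAML settings; an empty list means nothing to flag."""
    if props.get("login.saml.enabled", "false").lower() != "true":
        return ["login.saml.enabled is not true, so the SAML settings are inactive"]
    f = [f"{k} is missing or empty" for k in REQUIRED if not props.get(k)]
    cert = props.get("login.saml.idp.x509.certificate", "")
    if cert == "CERTIFICATEPUBLICKEY" or (cert and not re.fullmatch(r"[A-Za-z0-9+/]+=*", cert)):
        f.append("login.saml.idp.x509.certificate is a placeholder or not base64")
    if not props.get("login.saml.idp.sso.url", "https://").startswith("https://"):
        f.append("login.saml.idp.sso.url does not use https")
    if props.get("login.saml.security.xml.validation.enabled", "true").lower() != "true":
        f.append("login.saml.security.xml.validation.enabled is off (page default: true)")
    if props.get("login.saml.login.as.guest.when.usermissing", "").lower() == "true":
        f.append("login.saml.login.as.guest.when.usermissing=true: unknown users get a Guest session")
    return f

# Constructed sample modelled on the page's termweb.properties example (certificate is truncated).
SAMPLE = """\
login.saml.enabled=true
login.saml.sp.entityid=customer.termweb
login.saml.idp.entityid=customer.idp
login.saml.login.as.guest.when.usermissing=true
login.saml.idp.sso.url=https://customer.url.com/idp/startSSO.ping?PartnerSpId=customer.termweb
login.saml.idp.x509.certificate=\\
    cA0GCSqGSIb3DQEBBQUAMGY\\
    xCzAJBgNVBAYTAlVTMQswCQY\\
    DVQQIEwJDTzEPMA0GA1UEBxM=
login.saml.security.xml.validation.enabled=false
"""
```

Running `check_saml_config(parse_properties(SAMPLE))` on the sample yields two findings: XML validation is off and unknown users fall back to a Guest session.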

SAML SSO Login step by step

When SAML authentication is enabled with the above properties, users can access TermWeb either way, using the following endpoints:

Standard Login → <TermWeb URL>/login

SAML Login → <TermWeb URL>/login-saml/ssologin

The SAML ssologin endpoint creates a SAML request and sends it to the IdP specified by the properties. The IdP needs to authenticate the user and send back a SAML assertion to the following endpoint:

SAML Assertion Consumer Service → <TermWeb URL>/login-saml/acs

The Assertion Consumer Service of TermWeb consumes the assertion and acquires the authenticated user's information from it. It reads the username and checks whether a user with the same username exists in the main TermWeb client (admin client). If the user exists, TermWeb automatically creates a session for that user. If the user does not exist, the user is either created automatically or a guest session is started, depending on the property 'login.saml.autocreate.users'. A user created this way falls under the same automatic user creation rules as for the other authentication methods. SAML Single Logout (SLO) is not supported yet, so the user needs to log out normally by clicking Logout in TermWeb.

Another important URL is the SAML Metadata endpoint, where you can read all the information you need to set up TermWeb as an SP in your IdP.

SAML Metadata  → <TermWeb URL>/login-saml/metadata

Enabling external login buttons

For releases before 4.0.5-9

To enable SAML login by default, the administrator must update the distribution contents by replacing the string '@useSAMLLoginAsDefault@' with the boolean value true.

After release 4.0.5-9

To configure buttons for external logins, such as SAML or OIDC, find the string "@externalLoginURLs@" and replace it with values like this:

    [
      {
        label: 'Login with Microsoft',
        url: '/login-oidc?origin=https://login.microsoftonline.com/<tenant-id>',
        autologin: false,
        icon: 'fab fa-microsoft',
        styleStr: 'color:#2f55b9; font-weight:500;'
      },
      {
        label: '① Login with SAML',
        url: '/login-saml/ssologin',
        styleStr: 'color:#414b54; font-weight:500;'
      }
    ]