Glyue SAML Config Reference
While the default SAML config settings will suffice for most use cases, changes may be necessary depending on the IdP and/or customer’s requirements.
If changes are made to an existing SAML Config, Glyue’s SAML metadata will change. All connected IdPs will need the updated metadata.
All SAML Config options
Attribute map
default: {"email": "email"}
A mapping table (in the format of a JSON object) that maps IdP user attributes (keys) to Glyue user attributes (values). If the name of the attribute for the user’s email address in the IdP is something other than email (such as emailAddress), this JSON object should be extended to include that mapping.
The user email address in Glyue is simply called email.
Some IdPs allow for mapping user attributes on their end as well.
Be sure to add the new attribute name to Required attributes.
Http client timeout
default: 10
Seconds to wait for a response from an IdP before giving up.
Logout http binding
default: REDIRECT
How Glyue should send logout requests to the IdP (when a user wants to log out of both Glyue and their IdP). This is usually disabled by the IdP by default and is also not commonly used.
Cert file
Optional. A custom certificate and public key for Glyue to use for SAML communication.
Key file
Optional. The private key corresponding to the above cert.
By default, Glyue uses HTTPS and requires that IdPs sign their SAML assertions, and this is generally considered sufficiently secure. A key/cert pair is only needed if additional security, on top of HTTPS and SAML signature verification, is desired.
Required attributes
default: email
A comma-separated list of user attributes Glyue will require from the IdP. If a custom user attribute is added to the Attribute map, it should also be added here.
Want assertions or response signed
default: True
Glyue will accept as valid all SAML assertions (login responses) from trusted IdPs as long as either the assertion or the outer response containing it is signed. This is considered secure in SAML standards and should suffice for most cases. If set to True, this overrides the next two settings.
Want assertions signed
default: False
Glyue will require SAML assertions to be signed. Automatically set to False if Want assertions or response signed is True.
Want response signed
default: False
Glyue will require the outer SAML response to be signed. Automatically set to False if Want assertions or response signed is True.
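The interaction of the three signing settings above, modelled as an added example (this is not Glyue's code). The field names are illustrative, and two behaviours are assumptions: with the combined setting False each enabled flag is enforced on its own, and with all three False no signature is required.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class SigningConfig:
    # Illustrative names for the three settings; defaults match the reference.
    want_assertions_or_response_signed: bool = True
    want_assertions_signed: bool = False
    want_response_signed: bool = False

    def effective(self):
        """Apply the documented override: the combined setting forces the other two to False."""
        if self.want_assertions_or_response_signed:
            return SigningConfig(True, False, False)
        return self

def accepts(cfg, assertion_signed, response_signed):
    """Model of whether a login response passes the signature policy."""
    cfg = cfg.effective()
    if cfg.want_assertions_or_response_signed:
        return assertion_signed or response_signed
    # Assumption: each individually enabled flag is enforced independently.
    if cfg.want_assertions_signed and not assertion_signed:
        return False
    if cfg.want_response_signed and not response_signed:
        return False
    return True

def truth_table(cfg):
    """(assertion_signed, response_signed) -> accepted, for all four cases."""
    return {(a, r): accepts(cfg, a, r) for a, r in product((False, True), repeat=2)}

def lint(cfg):
    """Return warnings worth reviewing before a proposed config is saved."""
    warnings = []
    if cfg != cfg.effective():
        warnings.append("individual signing flags are ignored while the combined setting is True")
    if accepts(cfg, assertion_signed=False, response_signed=False):
        warnings.append("unsigned login responses would be accepted")
    return warnings

if __name__ == "__main__":
    # Constructed configs: the defaults, assertion-only enforcement, everything off.
    for cfg in (SigningConfig(), SigningConfig(False, True, False),
                SigningConfig(False, False, False)):
        print(cfg, truth_table(cfg), lint(cfg))
```

Requiring a signed assertion specifically means turning the combined setting off first; under this model, leaving it on silently discards the stricter flag.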
Authn requests signed
default: False
Glyue will sign its login requests to the IdP, using the cert/key pair. Generally not required.
Force authn
default: False
Requires the IdP to authenticate the user directly rather than rely on a previous security context.