Glyue SAML Config Reference

While the default SAML config settings will suffice for most use cases, changes may be necessary depending on the IdP and/or customer’s requirements.

If changes are made to an existing SAML Config, Glyue’s SAML metadata will change. All connected IdPs will need the updated metadata.

All SAML Config options

Attribute map

default: {"email": "email"}

A mapping table (in the format of a JSON object) that maps IdP user attributes (keys) to Glyue user attributes (values). If the name of the attribute for the user’s email address in the IdP is something other than email (such as emailAddress), this JSON object should be extended to include that mapping:

{
  "email": "email",
  "emailAddress": "email"
}

The user email address in Glyue is simply called email.

Some IdPs allow for mapping user attributes on their end as well.

Be sure to add the new attribute name to Required attributes.

Http client timeout

default: 10

Seconds to wait for a response from an IdP before giving up.

Logout http binding

default: REDIRECT

How Glyue should send logout requests to the IdP (user wants to logout of Glyue and their IdP). This is usually disabled by the IdP by default and is also not commonly used.

Cert file

Optional. A custom certificate and public key for Glyue to use for SAML communication.

Key file

Optional. The private key corresponding to the above cert.

By default, Glyue uses HTTPS and requires that IdPs sign their SAML assertions, and this is generally considered to be plenty secure. A key/cert pair is only needed if additional security, on top of https and SAML signature verification, is desired.

Required attributes

default: email

A comma-separated list of user attributes Glyue will require from the IdP. If a custom user attribute is added to the Attribute map it should also be added here.

Want assertions or response signed

default: True

Glyue will accept as valid all SAML assertions (login response) from trusted IdPs as long as either the assertion or the outer response containing it, is signed. This is considered secure in SAML standards and should suffice for most cases. If set to True, this overrides the next two settings.

Want assertions signed

default: False

Glyue will require SAML assertions to be signed. Automatically set to False if Want assertions or response signed is True.

Want response signed

default: False

Glyue will require the outer SAML response to be signed. Automatically set to False if Want assertions or response signed is True.

Authn requests signed

default: False

Glyue will sign its login requests to the IdP, using the cert/key pair. Generally not required.

Force authn

default: False

Requires IdP to authenticate the user directly rather than rely on a previous security context.

Last updated

#178:

Change request updated