Specify Default Metadata Values
You can specify default values for the following GroupID metadata:
- Issuer URL
- Signing certificate
Specify the Default Issuer URL
- In GroupID Authenticate, go to the Settings tab.
- On the Settings page, the Base URL box displays the default Issuer URL, which is displayed in the Provider Issuer box on the Create Application page. See the GroupID Metadata for Service Provider Configurations topic.
  You may want to change the default base/Issuer URL for any reason, for example, to replace it with a sub-domain URL or a load balancer URL.
- Replace or update the URL in the Base URL box and click Save.
Update the Default Signing Certificate
- In GroupID Authenticate, go to the Settings tab.
- On the Settings page, the Signing Certificate box displays the GroupID certificate created in IIS. It displays the certificate along with the private key. This certificate is displayed in the Provider Signing Certificate box on the Create Application page, though without the private key. See the GroupID Metadata for Service Provider Configurations topic.
  You may choose to use this certificate or create a custom certificate and use that in third-party applications.
- To use another certificate, do the following:
  - Create your custom certificate and export it to a PFX file.
  - On the Settings page, click Upload PFX.
  - On the Import Windows Exported Certificate File dialog box, click Browse to select the exported certificate file. As it is password protected, enter the password and click Load Certificate File.
  - Click Save.
  The new certificate is displayed in the Signing Certificate box on the Settings page and also on the Create Application page.
GroupID as an Identity Provider
GroupID can provide the services of an identity provider. You can register a third-party application as a service provider in GroupID to authenticate users in that application through GroupID.
To use GroupID as an identity provider, you have to register an application (service provider) in GroupID.
You can also specify default values for the issuer URL and signing certificate, which are used to configure GroupID in the service provider.
See Also
- Authenticate
- Register an Application (Service Provider) in GroupID
- Specify Default Metadata Values
- Sign In Using GroupID
Register an Application (Service Provider) in GroupID
To register a service provider in GroupID, you have to create an application for the provider in GroupID.
Next, while configuring GroupID in the service provider, you have to provide GroupID metadata. You can copy metadata values and paste them in the service provider.
Create an Application for a Service Provider in GroupID
- In GroupID Authenticate, go to the SAML Applications tab and click New Application.
- On the Create Application page, enter a name for the application in the Name box. The application will be displayed on the GroupID Login page with this name.
- Copy the consumer URL from the service provider and enter it in the Consumer URL box.
- Copy the audience URL from the service provider and enter it in the Entity ID/Audience box.
- From the Identity store drop-down list, select the identity store to use for authenticating users.
  For single sign-on, third-party application users must authenticate through an identity store defined in GroupID. For example, to authenticate users through Active Directory, select an AD-based identity store.
- Next, specify an attribute as a claim. Service provider application users are authenticated in GroupID based on this attribute.
  Enter the attribute name in the Claims box. As you type, the system displays the attributes in the selected identity store that start with the text. Select the required attribute.
  GroupID will match the value of this attribute in the application and in the identity store for authentication.
- Click Browse under Identity Provider Image to upload an image for the application, such as the application logo.
  NOTE: Supported image formats: .jpg, .bmp, .webp, and .gif
  Image file dimensions: 210 x 60 pixels
- Specify advanced settings for the application:
  - Expand the Advanced section by clicking the down arrow head.
  - Select Enabled or Disabled in the Response Signing drop-down list, depending on whether it is enabled or disabled in the service provider.
  - Select a response signing method from the Response Signing Method drop-down list. This method should be the same for the identity provider (GroupID) and the service provider (third-party application).
  - Select Post or Redirect in the Response Binding drop-down list, depending on how the service provider accepts the response.
  - If you are not using assertion encryption, make sure Disabled is selected in the Assertion Encryption drop-down list.
    To use assertion encryption as an advanced security feature, select Enabled. Then provide the certificate, key transport algorithm, and encryption algorithm to encrypt the response.
  - Generate a logout URL in the service provider and enter it in the Single Logout URL box. When a user clicks this URL, he or she will be logged out of all applications that have been authenticated through GroupID (i.e., all applications the user has single signed in to through GroupID).
- Provide the GroupID metadata in the service provider to register GroupID as an identity provider in it. See the GroupID Metadata for Service Provider Configurations topic.
- Click Create Application to create the service provider in GroupID.
GroupID Metadata for Service Provider Configurations
As part of registering an application in GroupID, you also have to provide GroupID metadata in the service provider.
To copy metadata:
- On the Create Application page, expand the Metadata section by clicking the down arrow head.
- Copy the Issuer URL and GroupID certificate from the Provider Issuer and Provider Signing Certificate boxes and paste them in the service provider.
- Both the Provider IDP Redirect Endpoint and Provider IDP POST Endpoint are given here. Depending on how the service provider sends the request or the mechanism used, copy the appropriate URL and paste it in the service provider.
- The Single Logout Endpoint POST box displays a URL. Requests are posted on this URL for logging out from the current and all other third-party applications configured in GroupID.
- The Login URL box displays a URL. On clicking it, the user is redirected to the GroupID Login page where GroupID is acting as an identity provider. If the user is already logged into GroupID, he/she will be auto-authenticated; else the user will have to provide the credentials.
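The checks a service provider performs on an incoming Response against the values registered for the application (Consumer URL, Entity ID/Audience, Claims attribute) and the Provider Issuer from the Metadata section, as an added Python example that is not GroupID's or any service provider's code; every URL, the attribute name and the SAML Response are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values as entered on the Create Application page and shown in its Metadata section (constructed placeholders).
SP_CONFIG = {
    "consumer_url": "https://sp.example.test/saml/acs",     # Consumer URL box
    "entity_id": "https://sp.example.test/saml/metadata",   # Entity ID/Audience box
    "issuer_url": "https://groupid.example.test/auth",      # Provider Issuer box
    "claim_attribute": "mail",                              # Claims box
}

# A constructed, unsigned SAML Response as an IdP would POST it to the Consumer URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://sp.example.test/saml/acs">
  <saml:Issuer>https://groupid.example.test/auth</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://groupid.example.test/auth</saml:Issuer>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/saml/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>user@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, config):
    """Return the fields that disagree with the registered values (empty list = consistent). Field agreement only; XML signature verification is a separate step."""
    root = ET.fromstring(xml_text)
    problems = []
    # Destination must be the Consumer URL registered for the application.
    if root.get("Destination") != config["consumer_url"]:
        problems.append("Destination != Consumer URL")
    # Both the Response and the Assertion carry an Issuer; each must equal the Provider Issuer.
    for path in ("saml:Issuer", "saml:Assertion/saml:Issuer"):
        if root.findtext(path, None, NS) != config["issuer_url"]:
            problems.append(path + " != Provider Issuer")
    # Audience must equal the Entity ID/Audience value entered for the service provider.
    aud = root.findtext("saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", None, NS)
    if aud != config["entity_id"]:
        problems.append("Audience != Entity ID")
    # The attribute chosen in the Claims box must be present with a value to match against the identity store.
    attrs = root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)
    values = {a.get("Name"): a.findtext("saml:AttributeValue", None, NS) for a in attrs}
    if not values.get(config["claim_attribute"]):
        problems.append("claim attribute " + config["claim_attribute"] + " missing")
    return problems
```

A mismatch in any of these fields is the usual symptom of copying a value into the wrong box on either side, so the returned list names the box to recheck.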
Sign In Using GroupID
Let’s assume that we configured three service providers in GroupID. Users should be able to access these applications through GroupID.
For single sign-on using GroupID, we can choose any of the following ways:
- SP-initiated single sign-on - when the SSO operation is initiated from the SP end, i.e., from any of the registered service providers.
- IdP-initiated single sign-on - when the SSO operation is initiated from the IdP end, i.e., from GroupID.
IdP-Initiated Single Sign-On
- In GroupID Authenticate, go to the SAML Applications tab and click New Application.
- On the Create Application page, click the Login URL displayed in the Metadata section.
  On clicking it, the user is redirected to the GroupID login page where GroupID is acting as an identity provider. If the user is already logged into GroupID, he/she will be auto-authenticated; else the user will have to provide the credentials.