SAML Metadata
To exchange SAML metadata with Digital.ai App Management, export a SAML metadata file from your authentication server (your Identity Provider, or IdP) and send it to Digital.ai App Management. A SAML metadata file provides the configuration data that tells an IdP and a Service Provider (SP) how to establish a trust relationship and exchange SAML messages. Your metadata file must provide authentication attributes and user attributes.
Based on your metadata, Digital.ai App Management creates an IdP connection in PingFederate, then exports its own SAML metadata file and sends it to you. Import Digital.ai App Management's SAML metadata file into your authentication server to create an SP connection.
Authentication Attributes
Your metadata file must provide these authentication attributes:
- Entity ID: Also referred to as the "issuer," this is the unique ID (the entityID attribute in your metadata) that appears in every SAML message sent from your authentication server. The Issuer of each incoming assertion is matched against this value.
- Certificate: The X.509 signing certificate of your authentication server, saved in .pem format. Send only the public certificate; the matching private key stays on your authentication server. This certificate is what lets Digital.ai App Management verify the signatures on your SAML assertions.
- Redirect URL: The URL of your organization's web-based authentication page, that is, the single sign-on endpoint to which users are redirected when they need to log in. Use an HTTPS URL.
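The following is an added example, not Digital.ai's or PingFederate's own code: a small Python check that pulls the three authentication attributes out of an IdP metadata file before you send it, and lists anything that would need to be fixed first. The sample metadata, its entityID, host names and the certificate bytes are constructed placeholders (the "certificate" is a five-byte DER SEQUENCE, not a real X.509 certificate).

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML-Signature namespaces.
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for a signing certificate: a 5-byte DER SEQUENCE, not a
# real X.509 certificate. A real file carries the IdP's public certificate here.
FAKE_CERT_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()

# Constructed IdP metadata; the entityID and host names are placeholders.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://idp.example.com/saml/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}"
        Location="https://idp.example.com/saml/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def der_to_pem(b64_text):
    """Wrap the base64 DER from <ds:X509Certificate> in PEM armour.
    Rejects text that is not valid base64 or does not start with a DER SEQUENCE."""
    raw = "".join(b64_text.split())
    der = base64.b64decode(raw, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("certificate body is not a DER SEQUENCE")
    body = "\n".join(raw[i:i + 64] for i in range(0, len(raw), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(metadata_xml):
    """Return (settings, problems) for the three authentication attributes.

    settings holds entity_id, signing_certs (PEM strings) and redirect_url;
    problems lists everything that should go back to the IdP owner."""
    settings = {"entity_id": None, "signing_certs": [], "redirect_url": None}
    problems = []
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return settings, ["root element is not md:EntityDescriptor"]

    settings["entity_id"] = root.get("entityID")
    if not settings["entity_id"]:
        problems.append("entityID (issuer) is missing")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return settings, problems + ["no md:IDPSSODescriptor: this is not IdP metadata"]

    # A KeyDescriptor without a use attribute may serve both signing and encryption.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            try:
                settings["signing_certs"].append(der_to_pem(cert.text or ""))
            except (ValueError, binascii.Error) as exc:
                problems.append(f"unusable signing certificate: {exc}")
    if not settings["signing_certs"]:
        problems.append("no usable signing certificate")

    # The redirect URL is the SingleSignOnService location for the HTTP-Redirect binding.
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == REDIRECT_BINDING:
            settings["redirect_url"] = sso.get("Location")
    if not settings["redirect_url"]:
        problems.append("no SingleSignOnService with the HTTP-Redirect binding")
    elif not settings["redirect_url"].startswith("https://"):
        problems.append("redirect URL is not https")
    return settings, problems


if __name__ == "__main__":
    found, issues = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print(found["entity_id"], found["redirect_url"], issues)
```

The structural check on the certificate only confirms it is base64-encoded DER; it does not validate the certificate chain or expiry. Run a real file through your TLS tooling as well, and confirm the PEM you send is the public certificate only.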
User Attributes
The metadata file should also identify the user attributes that will be included in SAML assertions sent from your authentication server. When a user is authenticated, Digital.ai App Management uses attributes in the assertion to locate the user in the Digital.ai App Management database and log the user in to the App Catalog. If the user is not already listed in the database, a new user account is created for the user (this is called "auto-provisioning").
Required Attributes
Your SAML assertions must include the following user attributes:
- First Name
- Last Name
- Email Address and/or User
During auto-provisioning, the User attribute sets the value for "User ID," which is a unique identifier for the user in the Digital.ai App Management database. If you do not provide the User attribute, Digital.ai App Management uses Email Address for both the "Email Address" and "User ID" parameters in the database. The User attribute must be 200 characters or less, and cannot include spaces. Valid characters include:
- a-z
- A-Z
- 0-9
- /~!$%^&*_=+.@,
Both "Email Address" and "User ID" must be unique within your organization. If you provide a value for Email Address or User that is not unique, the SSO login will fail.
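As an added example (not Digital.ai's code), the rules above for the required attributes, the User attribute, and the Email Address fallback, applied to the attributes of a constructed, unsigned assertion. The SAML attribute Name strings ("FirstName", "LastName", "Email", "User") and the in-memory account table are assumptions; the page names the attributes but not the exact Name values, and how a uniqueness collision is reported is modelled here, not taken from the page.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constraints on the User attribute as stated above: at most 200 characters,
# no spaces, only these characters.
USER_ID_MAX_LEN = 200
USER_ID_RE = re.compile(r"[A-Za-z0-9/~!$%^&*_=+.@,]+")

# Assumed attribute Name values; your IdP's names may differ.
ATTR_FIRST, ATTR_LAST, ATTR_EMAIL, ATTR_USER = "FirstName", "LastName", "Email", "User"

# Constructed, unsigned assertion. A real SP verifies the signature against the
# IdP certificate from the metadata before it trusts any of these values.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def attributes_from_assertion(assertion_xml):
    """Collect Name -> [values] from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return attrs


def user_id_problem(user_id):
    """Return None if user_id satisfies the User attribute rules, else the reason."""
    if len(user_id) > USER_ID_MAX_LEN:
        return f"longer than {USER_ID_MAX_LEN} characters"
    if " " in user_id:
        return "contains a space"
    if not USER_ID_RE.fullmatch(user_id):
        return "contains a character outside a-z A-Z 0-9 /~!$%^&*_=+.@,"
    return None


def resolve_login(attrs, accounts):
    """Decide what SSO does with an assertion's attributes.

    accounts maps existing User ID -> Email Address (a constructed stand-in for
    the account database). Returns a dict whose action is "login", "provision"
    or "reject" (with a reason)."""
    def first(name):
        values = attrs.get(name) or []
        return values[0].strip() if values and values[0] else None

    for name in (ATTR_FIRST, ATTR_LAST):
        if not first(name):
            return {"action": "reject", "reason": f"missing required attribute {name}"}
    email, user = first(ATTR_EMAIL), first(ATTR_USER)
    if not email and not user:
        return {"action": "reject", "reason": "need Email Address and/or User"}

    # Without a User attribute the Email Address fills both fields.
    user_id = user if user else email
    if user:
        problem = user_id_problem(user)
        if problem:
            return {"action": "reject", "reason": f"User attribute {problem}"}

    # Uniqueness (modelled, not taken from the page): a User ID belongs to one
    # account and an Email Address belongs to one account.
    if user_id in accounts:
        if email and accounts[user_id] != email and email in accounts.values():
            return {"action": "reject", "reason": "Email Address belongs to another account"}
        return {"user_id": user_id, "email": email, "action": "login"}
    if email and email in accounts.values():
        return {"action": "reject", "reason": "Email Address already used by another User ID"}
    return {"user_id": user_id, "email": email, "action": "provision"}


if __name__ == "__main__":
    print(resolve_login(attributes_from_assertion(SAMPLE_ASSERTION), {}))
```

Note that a hyphen is not in the permitted character set, so a User value such as "a-b" is rejected by user_id_problem; whether the same character rules are applied to an Email Address that stands in for the User ID is not stated on this page, so the check above only runs on an explicit User attribute.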
Optional Attribute (Groups)
If your IdP supports the exchange of group information, a SAML assertion can include a Groups attribute to specify user groups to which the user will be added. For more information, see Group Assignment During SSO.