Setting Up SAML Single Sign-On (SSO) in LEM / BP

Modified on Wed, 15 Oct at 4:15 PM

This guide walks you through the process of setting up a new customer to use the DiliTrust SAML-based Single Sign-On (SSO) solution. Follow the steps below to configure, import, and validate all necessary settings for a successful SSO integration.


⚙️ Overview

The DiliTrust SSO solution is Service Provider (SP) initiated. To complete the setup, you’ll need to collect the following four key pieces of information from the customer’s Identity Provider (IdP):

  • EntityID
  • X509 certificate(s)
  • Login URL
  • Allowed domain name(s)

Once you have these details, you can either import the information automatically using the metadata file or enter it manually.


Importing the Information

The simplest method is to request the customer’s metadata.xml file and upload it directly to the SAML Client Settings page.

  • If the file contains the EntityID, X509 certificate(s), and Login URL, these fields will be automatically populated.
  • Warning: Importing a new XML file will overwrite any existing Client Settings information.
  • If the XML file is incomplete, contact the customer to provide the missing information.

✍️ Manually Entering the Information

If you prefer to enter the details manually, open the customer’s metadata.xml file and locate the required fields:

  • EntityID: Found within the EntityDescriptor node.
  • X509 Certificate(s): Found within the X509Certificate node (there may be multiple certificates—include all).
  • Login URL: Found within the SingleSignOnService node.

Note that line numbers can vary, so always look for the correct XML node names.
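The node lookup described above can be done mechanically instead of by eye. The script below is an added example (not DiliTrust tooling) that reads an IdP metadata.xml with only the Python standard library, pulls out the EntityID, every signing X509 certificate and the SingleSignOnService login URL, and prints a SHA-256 fingerprint per certificate so the values typed into Client Settings can be cross-checked with the customer. The embedded metadata document and its certificate strings are constructed placeholders, not a real IdP's data.

```python
"""Extract EntityID, X509 certificate(s) and Login URL from SAML IdP metadata.

Added example; not part of the DiliTrust product. Standard library only.
"""
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample in the shape of a typical IdP metadata.xml.
# Hostnames and certificate bodies are placeholders, not real values.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          MIIBcert1PLACEHOLDERbase64==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBcert2PLACEHOLDERbase64==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return {'entity_id', 'certificates', 'login_url'} or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor carries no entityID attribute")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: file may be SP metadata, not IdP metadata")

    # A KeyDescriptor without a 'use' attribute is valid for signing and encryption,
    # so it is included; 'use="encryption"' keys are not used to verify assertions.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.findall(".//ds:X509Certificate", NS):
            body = "".join((node.text or "").split())  # drop line breaks / indentation
            if body and body not in certs:
                certs.append(body)
    if not certs:
        raise ValueError("no signing X509Certificate found")

    # SP-initiated login needs an HTTP-Redirect or HTTP-POST endpoint; prefer Redirect.
    login_url = None
    for binding in ("HTTP-Redirect", "HTTP-POST"):
        for sso in idp.findall("md:SingleSignOnService", NS):
            if sso.get("Binding", "").endswith(binding) and sso.get("Location"):
                login_url = sso.get("Location")
                break
        if login_url:
            break
    if not login_url:
        raise ValueError("no SingleSignOnService with an HTTP-Redirect or HTTP-POST binding")

    return {"entity_id": entity_id, "certificates": certs, "login_url": login_url}


def cert_fingerprints(certs):
    """SHA-256 hex fingerprint of each DER certificate (decoded from its base64 body)."""
    return [hashlib.sha256(base64.b64decode(c)).hexdigest() for c in certs]


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    info = parse_idp_metadata(text)
    print("EntityID :", info["entity_id"])
    print("Login URL:", info["login_url"])
    for cert, fp in zip(info["certificates"], cert_fingerprints(info["certificates"])):
        print("X509 cert: %s... sha256=%s" % (cert[:16], fp))
```

Run it as `python extract_idp.py metadata.xml` to read a customer's file, or with no argument to parse the embedded sample. The metadata file is customer-supplied input; for production use, a hardened parser such as defusedxml is advisable in place of xml.etree.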


⚙️ Configuring General Settings

Once you have retrieved the EntityID, certificates, Login URL, and allowed domain names, open the SAML Client Configuration page and complete the following steps:

1️⃣ Enable SAML

Check the “Enable SAML” option to activate SSO for the client.

2️⃣ Choose the Login Workflow

  • Full SAML login (recommended): Users log in exclusively through SAML.
  • Partial SAML login: Users can still log in using email and password at the data center level.

If the client opts for full SAML login, check “Force all users to login through SAML.”

3️⃣ Authentication Methods

DiliTrust SSO supports six authentication methods by default:

  • Password
  • Password Protection Transport
  • TLS Client
  • X.509
  • Integrated Windows
  • Kerberos

Refer to the training material on “Non-Standard Authentication Methods” for advanced configurations.

4️⃣ Enable Strict Protocol

This option enhances IdP validation and increases security by verifying information before processing. It is enabled by default.


Additional Notes for ADFS Users

For Windows Active Directory Federation Services (ADFS) environments, customers must ensure that both the message and assertion are signed. Run the following PowerShell command on the ADFS server:

Get-AdfsRelyingPartyTrust -Identifier <A_DILITRUST_APP_IDENTIFIER>

If SamlResponseSignature is not set to MessageAndAssertion, update it with:

Set-AdfsRelyingPartyTrust -TargetIdentifier "<A_DILITRUST_APP_IDENTIFIER>" -SamlResponseSignature "MessageAndAssertion"

Valid DiliTrust application identifiers include:

  • dilitrust_gov_eu
  • dilitrust_gov_na
  • dilitrust_exec_eu
  • dilitrust_exec_na
  • dilitrust_dataroom_prod_eu
  • dilitrust_dataroom_prod_na

Client Settings

In the Client Settings section, manually or through import, enter:

  • Entity ID
  • IdP Login URL
  • X509 Certificate(s)
  • Exclusive domain name(s) (separated by commas if multiple)

Once complete, click Save. This will generate the client’s unique metadata. Copy and share it with the customer for validation and testing.


DiliTrust Metadata & Troubleshooting

If the customer experiences connection issues during testing—especially with Microsoft IdPs using biometric or hardware authentication—review the training material on non-standard authentication methods.

Before enabling non-standard options, always confirm with R&D.


⚠️ Restrictions

When creating a SAML configuration for a group, note that it cannot share the same email domain as the client configuration. Only one instance of an email domain can exist per configuration.


Setup complete! Your customer can now log in securely using DiliTrust’s SAML SSO integration.
