I'm looking into switching our sunapsis authentication from CAS to SAML which, in our case, will be handled through Azure AD. This is my first time dealing with SAML so I have a few questions on getting things set up. I'd appreciate any help and hope this will be helpful to others.
I understand that in order to set up the trust between the IdP (Azure) and the SP (sunapsis) we need to exchange metadata files that tell each system about the other system.
Regarding the metadata file provided to me by the IdP:
- Where does the xml from the IdP go? Based on the sunapsis configuration instructions it sounds like I need to save the xml somewhere on the CF server, preferably somewhere outside the web root, and configure that as the location of the metadata file. Any modifications needed? Any recommended best practices for location, naming, etc?
- Are there any concerns with the certificate information in the IdP's metadata file expiring? I imagine that's handled on the IdP side of things so we shouldn't have to replace the metadata file as long as the IdP keeps renewing, correct?
- It's my understanding that the SP isn't required to provide an x509 certificate if token encryption is not used. Is that correct, and if so, what are your thoughts on using it or not using it if your institution doesn't already have a policy dictating its use?
- If an x509 certificate ends up being required, it seems that I can create my own using openssl. Anyone have any shortcuts they'd like to share? Any recommendations on how long the cert should be valid for, etc?
- I'm planning on using this tool to create the xml file: https://www.samltool.com/sp_metadata.php. Any helpful tips?
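As an added example (not part of the original post and not sunapsis or samltool.com code), the script below builds the same kind of SP metadata the web form produces, so the choices the post asks about are visible in code: no SP certificate means no KeyDescriptor (so no encrypted assertions and no signed AuthnRequests), while WantAssertionsSigned stays on. The entity ID, ACS URL and certificate text are placeholders, and the second function pulls out the fields worth checking before the file is handed to the IdP.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)


def build_sp_metadata(entity_id, acs_url, cert_pem=None, want_assertions_signed=True):
    """Return SAML 2.0 SP metadata as a string.

    cert_pem: PEM text of the SP certificate, or None. Without a certificate
    there is no KeyDescriptor, so the IdP cannot encrypt assertions for this
    SP and cannot verify a signed AuthnRequest; the assertion signature from
    the IdP is still required via WantAssertionsSigned.
    """
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(
        root, f"{{{MD}}}SPSSODescriptor",
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
        AuthnRequestsSigned="true" if cert_pem else "false",
        WantAssertionsSigned="true" if want_assertions_signed else "false")
    if cert_pem:
        # Strip the PEM armour; metadata carries the bare base64 DER body.
        b64 = "".join(l.strip() for l in cert_pem.splitlines() if not l.startswith("-----"))
        for use in ("signing", "encryption"):
            kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", use=use)
            x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
            ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = b64
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                  Binding=HTTP_POST, Location=acs_url, index="0", isDefault="true")
    return ET.tostring(root, encoding="unicode")


def inspect_sp_metadata(xml_text):
    """Summarise the settings a reviewer checks before sending metadata to the IdP."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    acs = [a.get("Location") for a in sp.findall(f"{{{MD}}}AssertionConsumerService")]
    return {
        "entity_id": root.get("entityID"),
        "acs": acs,
        "acs_all_https": all(u.startswith("https://") for u in acs),
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "key_descriptors": len(sp.findall(f"{{{MD}}}KeyDescriptor")),
    }
```

Paste the output of `build_sp_metadata` into the IdP's "upload metadata" step, or diff it against what the web form generated to confirm the two agree on signing flags and the ACS URL.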