The following minimal configuration is needed for an identity provider (IdP) to work with GRAVITY as a service provider (SP):
Assertion Consumer Service (ACS) URL:
https://your.domain/gravity/services/admin/saml/login/callback
Users who need access to the GRAVITY Admin site should be assigned a specific role (group). The user's roles (groups) must be included in the SAML response.
Signing of SAML requests is not supported yet, therefore configuration of the service provider's public certificate can be skipped for now.
JSON-based configuration of the SAML SSO service that maps the SAML response claims to the attributes known to the system.
"claimMapping" - mapping of IdP claims to GRAVITY-specific attributes
"userLogin" - namespace of the claim containing a unique value which will be used as the GRAVITY user login
"userName" - namespace of the claim containing the value which will be used as the GRAVITY user name (optional)
"userRole" - namespace of the claim containing the list of roles (groups) assigned to the user
"roleMapping" - mapping of IdP roles (groups) to GRAVITY-specific roles
"adminRole" - mapping of an external role (group) to the GRAVITY admin role. Users with such a role assigned are considered GRAVITY administrators with access to the Admin site.
"issuer" - shared identifier that lets the IdP identify the SP the request is coming from.
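As an added illustration (not GRAVITY's own code), the following resolves a user's login, name, roles and admin status from a SAML assertion's AttributeStatement using the claimMapping/roleMapping keys above. The JSON layout, the claim namespaces, the group name "GRAVITY-Admins" and the sample assertion are all assumed or constructed.

```python
import json
import xml.etree.ElementTree as ET

# Assumed JSON shape; the key names are from the docs, the claim namespaces
# and the admin group name are constructed placeholders.
CONFIG = json.loads("""{
  "claimMapping": {
    "userLogin": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "userName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "userRole": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"},
  "roleMapping": {"adminRole": "GRAVITY-Admins"},
  "issuer": "gravity-sp"}""")

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AttributeStatement, as an IdP would emit it inside the assertion.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
   <saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
   <saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
   <saml:AttributeValue>Editors</saml:AttributeValue>
   <saml:AttributeValue>GRAVITY-Admins</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def read_attributes(assertion_xml):
    """Return {attribute Name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)  # the IdP signature is assumed to be verified before this step
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs

def map_user(attrs, config):
    """Resolve login, name, roles and admin status via claimMapping/roleMapping.
    A missing or multi-valued login claim is rejected; a missing name or role
    claim is tolerated, and without the adminRole group the user is not an admin."""
    cm, rm = config["claimMapping"], config["roleMapping"]
    login = attrs.get(cm["userLogin"], [])
    if len(login) != 1 or not login[0]:
        raise ValueError("userLogin claim missing, empty or not single-valued")
    roles = attrs.get(cm["userRole"], [])
    name = attrs.get(cm.get("userName"), [])
    return {"login": login[0], "name": name[0] if name else None,
            "roles": roles, "isAdmin": rm["adminRole"] in roles}
```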
XML-based description of the IdP SAML endpoint. Signing certificate and login URL are required.
All requests are signed by default. Use the 'Show certificate' button to obtain the public key certificate needed to configure validation of SAML requests on the IdP side.
Problem: If the GRAVITY server is hosted behind a load balancer or proxy, the original https scheme may be erroneously replaced with the http scheme.
Solution: define the external server base URL (domain and context) in the server settings: