PAL SAML Login and POI Configuration


1 About SAML Login and Proof of Identity Configuration

The ATIPXpress PAL SAML Login and Proof of Identity Configuration manual was created to assist administrators in configuring the SAML Login and Proof of Identity Verification features. This document describes how to complete PAL SAML Configuration and Proof of Identity Configuration, and how to create the PFX certificate that the SAML configuration uses.

The Public Access Link (PAL) works with forms authentication by default. If an agency needs to enable Security Assertion Markup Language (SAML) authentication for requester login, the system can be configured with your identity provider details by following the directions in this section. PAL can also be configured to provide Proof of Identity verification with identity providers such as Login.gov.

NOTE: The Assertion Consumer URLs for PAL Requester Login and for Proof of Identity are different. Consult step 5 in the PAL SAML Configuration Tool section of this document for the exact URLs.

Ensure you have the Personal Information Exchange (PFX) file and the public-key certificate extracted from it ready as well. You will need to provide the PFX file in PAL SAML Configuration and the corresponding public-key certificate in the IDP app/account. Consult the Create PFX Certificate section for information on how to create the PFX file and extract its public-key certificate.

2 Enable PAL Requester Login Using SAML SSO

Follow the steps below to enable PAL requester login using SAML authentication:

NOTE: To configure SAML SSO from PAL Configuration, the PAL Configuration application must have Full Control permission on the PAL application folder. If that is not possible, use the PAL SAML Configuration Tool (see the PAL SAML Configuration Tool section).

  1. Log in to PAL Configuration, and access Authentication in the left-hand menu.

  2. Select the SAML SSO radio button:

   

  3. Select the Purpose of SAML Configuration (Sign In or Proof of Identity).

  4. Enter the Service Provider details as outlined below:

 

Field / Description

Issuer
    Enter the Service Provider Entity ID. This is the unique ID/name by which your identity provider recognizes PAL (the service provider). It must match the entity ID registered in your IDP application and is case-sensitive.

Assertion Consumer URL
    Replace 'mypal' in the URLs below with your PAL hostname:
    For PAL Login, enter https://mypal/App/AssertionConsumerService.aspx
    For Proof of Identity, enter https://mypal/App/AssertionConsumerServicePoi.aspx

Signature Certificate / Encryption Certificate
    Use the PFX file that you have ready for SAML use, as mentioned at the beginning of this document. Enter the password for the PFX file in the Signature Certificate Password and Encryption Certificate Password fields. Also provide the IDP Entity ID/Issuer URL.

NOTE: These values are case-sensitive. This PFX file must correspond to the public-key certificate you uploaded to your Identity Provider account. If the Identity Provider account holds a different certificate, extract the certificate from this PFX file (see the Create PFX Certificate section) and replace the certificate in the Identity Provider account with it.

  5. Next, enter the Identity Provider details:

Field / Description

IDP Entity ID/Issuer URL, SAML SSO URL, SAML SLO URL
    To be provided by the IDP.

SAML SSO URL Binding Type
    To be provided by the IDP if required.

Name ID Format
    To be provided by the IDP if required.

Authentication Context
    To be provided by the IDP if required.

Authentication Context Comparison
    To be provided by the IDP if required.

NOTE: These values differ between the test (sandbox) and production environments. Some IDPs do not support single logout and will not provide an SLO URL; in that case leave the SAML SLO URL and SLO Binding fields blank. For some IDPs the SAML SSO URL and SAML SLO URL change periodically and must be updated whenever the IDP rotates them.

  6. Once that is complete, fill in the Certificates fields, as shown below and detailed in the following table:

Field / Description

Signature Certificate Text
    To be provided by the IDP: the X.509 certificate (base64 text) the IDP uses to sign its SAML responses.

Encryption Certificate Text
    To be provided by the IDP (same as Signature Certificate Text).

Certificate Path
    We recommend using Signature Certificate Text and Encryption Certificate Text and leaving this field blank. For Login.gov, the IDP X.509 certificate can be found at https://developers.login.gov/saml/

NOTE: Some IDPs rotate their X.509 certificate every year, so the certificate text has to be updated whenever it changes. The sandbox and production certificates may also differ, so paste the certificate for the environment you are configuring.

  7. The five checkboxes (Sign Authentication Request, Want SAML Response Signed, Want Assertion Signed, Want Assertion Encrypted, Encrypt Logout Name ID) should remain unchecked, which is the default setting, unless your IDP requires signed authentication requests or is configured to sign or encrypt its responses; these options must agree with the corresponding settings on the IDP side. If the IDP provides a single logout service, the Single Logout Request and Single Logout Response checkboxes must be checked.

 

  8. When all fields are complete, move on to the SAML Field Mapping section. Here you can add or delete fields based on the attributes/return values you selected in your IDP entity app settings. The First Name, Last Name, Email, and Login fields are mandatory and cannot be removed. All three columns (Provider Field, PAL Field, and Description) are required when adding a new SAML field in Mappings.

NOTE: The provider field for the 'Email' PAL Field and for the 'Login' PAL Field is the same IDP attribute.

Column / Description

PAL Field (Proof of Identity)
    Labels for the corresponding Provider fields; these display in the Proof of Identity attachment. For Proof of Identity, the selected fields are displayed in the verification document that accompanies the request submission to ATIPXpress. The attachment is automatically added to the Proof of Identity attachment area and is available in the Correspondence Log of the request.

PAL Field (Login)
    Labels for the corresponding provider fields; these display on the SAML Requester Registration page for a new requester (a requester whose email does not yet exist in PAL).

Provider Field
    The IDP attribute names that carry the requester's details, such as first name, last name, address 1, and country.

Description
    Description of the mapped field.

NOTE: A Social Security number will be masked only if the PAL Field is named 'SSN', 'Social Security', or 'Social Security Number'. Under any other label the attribute is displayed unmasked.

  9. Once all the required fields are complete, click Save to save the settings.

3 Enable Proof of Identity Verification in PAL

Review the following identity provider prerequisites before enabling Proof of Identity verification in PAL.

  • Configure your IDP entity account(s). You cannot use the same IDP account/application for PAL login and for Proof of Identity; each needs its own, with its own Assertion Consumer URL.

  • Set up your sandbox environment (see your provider's instructions; some providers let you set up the environment yourself, while others perform the setup on your behalf).

  • When enabling Proof of Identity Verification in PAL, you can use either level 1 or level 2 for login, but level 2 (the identity-verified level, IAL2 at Login.gov) is required for Proof of Identity Verification. Ensure that the assertion URL in your Identity Provider entity settings matches the URL given in step 5 of the PAL SAML Configuration Tool section.

Follow the steps below to enable proof of identity verification in PAL:

  1. Log in to PAL Configuration and select Request Fields in the left-hand menu.

  2. Locate the Proof of Identity Mode request field and select Digital Authentication or Upload Attachment/Digital Authentication from the drop-down list within the Default column.

 

  3. Scroll down and click Save.

4 PAL SAML Configuration Tool

Follow the steps below to use the PAL SAML Configuration Tool:

  1. Navigate to the PAL Application Server.

  2. Search for SAML in the Windows search box, then select the tool once located.

a. Alternatively, navigate to the PAL Setup folder, open the PAL.WebApp folder, and in the bin folder locate the application file 'ATIPXpress.Utilities.SamlConfig'.

  3. Right-click SAML Configuration Tool and select Run as administrator.

  4. The SAML Configuration interface appears as shown below. Select either Login or Proof of Identity from the SAML Using For drop-down list:

 

  5. Next, configure the Service Provider information, as shown below and detailed in the following table:

Field / Description

Issuer
    Enter the Service Provider Entity ID. This is the unique ID/name by which your identity provider recognizes PAL (the service provider). It must match the entity ID registered in your IDP application.
    Note: This is case-sensitive.

Assertion Consumer URL
    Replace 'mypal' in the URLs below with your PAL hostname:
    For PAL Login, enter https://mypal/App/AssertionConsumerService.aspx
    For Proof of Identity, enter https://mypal/App/AssertionConsumerServicePoi.aspx

Signature Certificate / Encryption Certificate
    Use the PFX file that you have ready for SAML use, as mentioned at the beginning of this document. Enter the password for the PFX file in the Signature Certificate Password and Encryption Certificate Password fields. Also provide the IDP Entity ID/Issuer URL.

NOTE: This PFX file must correspond to the public-key certificate you uploaded to your Identity Provider account. If the Identity Provider account holds a different certificate, extract the certificate from this PFX file (see the Create PFX Certificate section) and replace the certificate in the Identity Provider account with it.

  6. Next, complete the required Identity Provider fields, as shown below and described in the following table:

Field / Description

IDP Entity ID/Issuer URL, SAML SSO URL, SAML SLO URL
    To be provided by the IDP.

SAML SSO URL Binding Type
    To be provided by the IDP if required.

Name ID Format
    To be provided by the IDP if required.

Authentication Context
    To be provided by the IDP if required.

Authentication Context Comparison
    To be provided by the IDP if required.

NOTE: These values differ between the test (sandbox) and production environments. Some IDPs do not support single logout and will not provide an SLO URL; in that case leave the SAML SLO URL and SLO Binding fields blank. For some IDPs the SAML SSO URL and SAML SLO URL change periodically and must be updated whenever the IDP rotates them.

  7. Once that is complete, fill in the Certificates fields, as shown below and detailed in the following table:

Field / Description

Signature Certificate Text
    To be provided by the IDP: the X.509 certificate (base64 text) the IDP uses to sign its SAML responses.

Encryption Certificate Text
    To be provided by the IDP (same as Signature Certificate Text).

Certificate Path
    We recommend using Signature Certificate Text and Encryption Certificate Text and leaving this field blank. For Login.gov, the IDP X.509 certificate can be found at https://developers.login.gov/saml/

NOTE: Some IDPs rotate their X.509 certificate every year, so the certificate text has to be updated whenever it changes. The sandbox and production certificates may also differ, so paste the certificate for the environment you are configuring.

  8. The five checkboxes (Sign Authentication Request, Want SAML Response Signed, Want Assertion Signed, Want Assertion Encrypted, Encrypt Logout Name ID) should remain unchecked, which is the default setting, unless your IDP requires signed authentication requests or is configured to sign or encrypt its responses; these options must agree with the corresponding settings on the IDP side. If the IDP provides a single logout service, the Single Logout Request and Single Logout Response checkboxes must be checked.

 

  9. When all fields are complete, move on to the SAML Field Mapping section. Here you can add or delete fields based on the attributes/return values you selected in your IDP entity app settings. The First Name, Last Name, Email, and Login fields are mandatory and cannot be removed. All three columns (Provider Field, PAL Field, and Description) are required when adding a new SAML field in Mappings.

NOTE: The provider field for the 'Email' PAL Field and for the 'Login' PAL Field is the same IDP attribute.

Column / Description

PAL Field (Proof of Identity)
    Labels for the corresponding Provider fields; these display in the Proof of Identity attachment. For Proof of Identity, the selected fields are displayed in the verification document that accompanies the request submission to ATIPXpress. The attachment is automatically added to the Proof of Identity attachment area and is available in the Correspondence Log of the request.

PAL Field (Login)
    Labels for the corresponding provider fields; these display on the SAML Requester Registration page for a new requester (a requester whose email does not yet exist in PAL).

Provider Field
    The IDP attribute names that carry the requester's details, such as first name, last name, address 1, and country.

Description
    Description of the mapped field.

NOTE: A Social Security number will be masked only if the PAL Field is named 'SSN', 'Social Security', or 'Social Security Number'. Under any other label the attribute is displayed unmasked.

  10. Once all the required fields are complete, click Save to save the settings.

NOTE: If using forms authentication, you will still need to enter placeholder (dummy) values in the Proof of Identity settings, even though those settings are not used.

For login.gov, please visit https://developers.login.gov/ for all details about identity provider fields.  
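The Identity Provider and Certificates values in the tables above (and the matching tables in section 2) are normally copied out of the IDP's SAML metadata document. The Python script below is an added example, not part of this manual or of ATIPXpress: it reads IDP metadata and produces the value for each PAL field by name, leaves the SLO fields blank when the IDP advertises no single logout service, falls back to the signing certificate when the IDP publishes no separate encryption certificate, and computes a SHA-256 fingerprint of the certificate so that sandbox, production and rotated certificates can be told apart before the text is pasted into PAL. The two metadata documents, their URLs and the certificate values embedded in the script are constructed placeholders, not Login.gov's real metadata.

```python
"""Derive the PAL 'Identity Provider' and 'Certificates' field values from an
IDP's SAML 2.0 metadata document (added example; not ATIPXpress code)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_NAMES = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP-Redirect",
}

# Constructed placeholders standing in for real base64-encoded DER certificates.
SANDBOX_CERT = base64.b64encode(b"constructed placeholder, sandbox, not a real certificate").decode()
PROD_CERT = base64.b64encode(b"constructed placeholder, production, not a real certificate").decode()

# Constructed sandbox metadata: advertises single logout and a signing-only key.
SANDBOX_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp-sandbox.example.gov/api/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SANDBOX_CERT}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp-sandbox.example.gov/api/saml/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp-sandbox.example.gov/api/saml/auth"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed production metadata: different certificate, no SLO, one key for both uses.
PROD_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.gov/api/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PROD_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.gov/api/saml/auth"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def cert_fingerprint(cert_text):
    """SHA-256 fingerprint of the DER certificate, colon-separated as IDP consoles show it."""
    der = base64.b64decode("".join(cert_text.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(cert_a, cert_b):
    """Whitespace-insensitive comparison of two certificate texts."""
    return cert_fingerprint(cert_a) == cert_fingerprint(cert_b)


def _cert_text(idp, use):
    """First X509Certificate whose KeyDescriptor is for `use` (or carries no use attribute)."""
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (use, None):
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                return "".join(node.text.split())
    return ""


def _binding(node):
    return BINDING_NAMES.get(node.get("Binding"), node.get("Binding", "")) if node is not None else ""


def idp_fields_from_metadata(metadata_xml):
    """Map the metadata onto the PAL field names used in the Identity Provider and Certificates tables."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; this is not IDP metadata")
    sso = idp.find("md:SingleSignOnService", NS)
    if sso is None:
        raise ValueError("IDP metadata advertises no SingleSignOnService")
    slo = idp.find("md:SingleLogoutService", NS)  # absent when the IDP does not support SLO
    name_id = idp.find("md:NameIDFormat", NS)
    signing = _cert_text(idp, "signing")
    encryption = _cert_text(idp, "encryption") or signing  # "same as Signature Certificate Text"
    return {
        "IDP Entity ID/Issuer URL": root.get("entityID", ""),
        "SAML SSO URL": sso.get("Location", ""),
        "SAML SSO URL Binding Type": _binding(sso),
        "SAML SLO URL": slo.get("Location", "") if slo is not None else "",
        "SAML SLO URL Binding Type": _binding(slo),
        "Name ID Format": name_id.text.strip() if name_id is not None and name_id.text else "",
        "Signature Certificate Text": signing,
        "Encryption Certificate Text": encryption,
        "Signature Certificate SHA-256": cert_fingerprint(signing) if signing else "",
    }


if __name__ == "__main__":
    for label, metadata in (("sandbox", SANDBOX_METADATA), ("production", PROD_METADATA)):
        print(f"== {label} ==")
        for name, value in idp_fields_from_metadata(metadata).items():
            print(f"{name}: {value[:60] + '...' if len(value) > 60 else value or '(leave blank)'}")
    sandbox, prod = idp_fields_from_metadata(SANDBOX_METADATA), idp_fields_from_metadata(PROD_METADATA)
    print("same certificate in both environments:",
          same_certificate(sandbox["Signature Certificate Text"], prod["Signature Certificate Text"]))
```

Run it against the metadata file your IDP publishes (Login.gov's SAML page links to it) for each environment and compare the printed fingerprints against what you pasted into PAL; a changed fingerprint is the signal that the certificate text in the Certificates fields needs updating.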

5 Create PFX Certificate

For first-time setup, follow the steps below to create a PFX certificate file and extract the public-key certificate from it using OpenSSL.

  1. Open IIS Manager and select the server node.

  2. In the Security section, double-click Server Certificates.

  3. In the top right corner, click Create Self-Signed Certificate:

  4. A pop-up window appears; specify a friendly name for the certificate in the field provided.

  5. Next, select Personal from the Select a certificate store drop-down:

 

  6. Now that the certificate is created, export it into the PAL folder. Go to Manage Computer Certificates (located in the Control Panel or by using the Windows search feature).

  7. In the Manage Computer Certificates window, expand Personal and then click Certificates.

  8. From the list of certificates, locate your certificate using the friendly name you provided.

  9. Right-click the certificate, select All Tasks, and then select Export.

  10. In the new pop-up window, click Next to continue.

  11. Under Export Private Key, select Yes, export the private key and click Next.

  12. Under Export File Format:

    1. Select Personal Information Exchange (PFX).

    2. Uncheck 'Delete the private key if the export is successful'.

    3. Check all other options, then click Next.

  13. Under Security, check Password, and type a password for the certificate. Choose a strong password: it is the only protection on the private key inside the PFX file.

NOTE: You will need this password in order to use the certificate, i.e., in the SAML Configuration Tool and when extracting the public key.

  14. For Encryption, select AES256-SHA256, then click Next.

  15. Under File to Export, click Browse and choose the certificate location. We recommend putting the certificate in the PAL folder where your PAL web.config is located. The PFX file contains the service provider's private key, so restrict NTFS permissions on it to administrators and the PAL application identity, and do not copy it to other systems.

  16. Type in your certificate name and click Next. Once the process is complete, click Finish.

  17. You now have a PFX certificate ready for use as the SAML Service Provider Certificate. Next, derive the public-key certificate from this PFX file. Remember that the certificate containing the public key, which you upload to login.gov, must be generated from the same PFX file that you use in the SAML Configuration Tool.

  18. To create the certificate with the public key, install OpenSSL on your computer and then open the command prompt by typing "cmd" in Windows search.

  19. Change to the folder containing your PFX file (type cd full_path_of_pfx) and run the following command, replacing the file names as needed:

openssl pkcs12 -in your_file_name.pfx -clcerts -nokeys -out give_name_for_cert_public_key.crt

  20. Press Enter and, when prompted, type the PFX password from step 13. The resulting .crt file contains the certificate with the public key (and no private key) for login.gov.
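The export and extraction steps above can be checked end to end from a command prompt. The Python script below is an added example, not part of this manual or of ATIPXpress: it drives the openssl binary (assumed to be on PATH) to build a self-signed certificate and a password-protected PFX like the one Windows exports, runs the manual's extraction command non-interactively, and then compares the public key inside the extracted .crt with the public key derived from the private key inside the PFX. A stale certificate from a different PFX fails that comparison, which is exactly the mismatch the PFX NOTE in the configuration tables warns about. The file names, the common name 'mypal' and the password used in the script are placeholders.

```python
"""Build a PFX, extract its public-key certificate the way the manual does, and
prove the two belong together (added example, not ATIPXpress code; needs openssl on PATH)."""
import functools
import os
import shutil
import subprocess
import tempfile


def openssl_available():
    return shutil.which("openssl") is not None


def _openssl(*args, stdin=None):
    """Run one openssl command and return its stdout; raises CalledProcessError on failure."""
    return subprocess.run(["openssl", *args], input=stdin, capture_output=True, check=True).stdout


def make_self_signed_pfx(workdir, name, password, common_name, days=365):
    """Stand-in for the IIS 'Create Self-Signed Certificate' and export steps."""
    key = os.path.join(workdir, name + ".key")
    pem = os.path.join(workdir, name + ".pem")
    pfx = os.path.join(workdir, name + ".pfx")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", key, "-out", pem,
             "-days", str(days), "-subj", "/CN=" + common_name)
    _openssl("pkcs12", "-export", "-inkey", key, "-in", pem, "-out", pfx,
             "-passout", "pass:" + password)
    os.remove(key)  # leave only the password-protected PFX on disk
    os.remove(pem)
    return pfx


def extract_public_cert(pfx, password, out_crt):
    """The manual's command (openssl pkcs12 -in x.pfx -clcerts -nokeys -out y.crt), non-interactive."""
    _openssl("pkcs12", "-in", pfx, "-clcerts", "-nokeys", "-passin", "pass:" + password, "-out", out_crt)
    return out_crt


def public_key_of_cert(crt):
    """SubjectPublicKeyInfo (PEM) carried by the certificate."""
    return _openssl("x509", "-in", crt, "-noout", "-pubkey")


def public_key_of_pfx(pfx, password):
    """SubjectPublicKeyInfo (PEM) computed from the private key inside the PFX."""
    private_pem = _openssl("pkcs12", "-in", pfx, "-nocerts", "-nodes", "-passin", "pass:" + password)
    return _openssl("pkey", "-pubout", stdin=private_pem)


def cert_matches_pfx(crt, pfx, password):
    """True only when the .crt's public key is the one belonging to the PFX's private key."""
    return public_key_of_cert(crt) == public_key_of_pfx(pfx, password)


def cert_not_after(crt):
    """Expiry date string, the value to diary before the IDP starts rejecting signatures."""
    out = _openssl("x509", "-in", crt, "-noout", "-enddate").decode()
    return out.strip().split("=", 1)[1]


@functools.lru_cache(maxsize=None)
def demo():
    password = "ChangeMe-PFX-password"  # placeholder; use a strong, unique password in practice
    with tempfile.TemporaryDirectory() as work:
        pfx = make_self_signed_pfx(work, "pal-saml", password, "mypal")
        crt = extract_public_cert(pfx, password, os.path.join(work, "pal-saml-public.crt"))
        # A second, unrelated PFX stands in for a stale certificate left in the IDP account.
        stale_pfx = make_self_signed_pfx(work, "stale", password, "mypal")
        stale_crt = extract_public_cert(stale_pfx, password, os.path.join(work, "stale-public.crt"))
        return {
            "extracted_matches_pfx": cert_matches_pfx(crt, pfx, password),
            "stale_matches_pfx": cert_matches_pfx(stale_crt, pfx, password),
            "not_after": cert_not_after(crt),
        }


if __name__ == "__main__":
    if not openssl_available():
        raise SystemExit("openssl not found on PATH")
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run cert_matches_pfx against the .crt you uploaded to the IDP and the PFX you pointed the SAML Configuration Tool at whenever a login fails with a signature error; a False tells you the two have drifted apart. If the PFX was exported from Windows with the older TripleDES-SHA1 option rather than AES256-SHA256, OpenSSL 3.x refuses to read it without the -legacy flag (and the legacy provider), which is one more reason to choose AES256-SHA256 in step 14.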