
identity provider


IC11634


Manage the identity providers used for SAML-based login here (e.g. Microsoft Entra ID, ForgeRock). For each provider you configure the connection parameters, the security settings and the authentication behavior. This configuration enables your users to log in to the portal securely with their company accounts (single sign-on).


Button menu

Imports the federation metadata XML generated by Azure (Microsoft Entra ID). Among other things, this XML contains the certificates required to verify the provider's signatures.

Provider

Basic identification and connection parameters of your identity provider. Specify here which provider is active, how it is addressed and whether automatic login should take place. The metadata URL enables the provider configuration to be read in automatically.
Property | Description
MetaData URL | URL from which the identity provider's metadata XML can be retrieved automatically. The metadata contains all technical parameters needed for the SAML configuration (certificates, endpoints, signing requirements).
Code | Unique short name that identifies the identity provider in the configuration (e.g. "ENTRA", "FORGEROCK", "OKTA").
Active | Activate this option to enable the identity provider for login. Only active providers can be used by users for authentication.
AutoLogin | Activate this option to log users in automatically via SAML when they open the portal URL. If authentication fails, no login is performed and the user receives an error message. Only use this function if all users authenticate with this identity provider.
Exhibitor | Issuer URL. Identifies which identity provider issued the SAML assertion.
Login URL | Login URL of the SAML provider.

Requirement guidelines (1)

Specify which SAML message types must be signed or encrypted by the identity provider.
Property | Description
Signed AuthnRequest expected? | Activate this option if your identity provider requires authentication requests to be digitally signed. If this requirement is active, the identity provider accepts only signed authentication requests. This complies with the security guidelines of many companies and increases the integrity of authentication.
Encrypted assertion expected? | Activate this option if you require the identity provider to transmit assertions in encrypted form. Encryption protects the confidentiality of user information (user ID, attributes) during transmission, in addition to TLS encryption. This offers additional protection for the highest security requirements (e.g. for critical infrastructures).
Sign AuthnRequest? | Activate this option so that your eTASK instance digitally signs outgoing authentication requests (AuthnRequest). Signing guarantees the integrity and authenticity of the request to the identity provider. Many identity providers expect or require signed requests.
NameIDFormat | Specify the format of the NameID used to uniquely identify users in SAML assertions. Common formats are: emailAddress (email address), persistent (permanent anonymous ID), transient (temporary ID per session), X509SubjectName, WindowsDomainQualifiedName, kerberos, entity or unspecified.
Flexible signing of response or assertion permitted? | Activate this option if you require the identity provider to sign either the assertion or the entire SAML response. This flexible setting accepts both kinds of signing and is less restrictive than requiring one specific signing. It keeps you compatible with different identity provider configurations.

Requirement guidelines (2)

Property | Description
Signed logout request expected? | Activate this option if your identity provider requires logout requests to be digitally signed by the service provider. This prevents unauthorized third parties from logging users out of the system and ensures the integrity of the logout process.
Signed logout response expected? | Activate this option if you require the identity provider to digitally sign its logout responses. Signing ensures that the logout confirmation actually comes from the identity provider and is not forged by an attacker. This protects against session hijacking during logout.
Signed SAML response expected? | Activate this option if you require the identity provider to digitally sign the entire SAML response (not just the assertion). Signing the complete response message ensures the integrity and authenticity of all transmitted data, including all technical parameters.
Signed assertions expected? | Activate this option if you require the identity provider to digitally sign the assertions. An assertion is the security statement carrying the authentication information (user ID, attributes, authentication status). Signing ensures that the assertion has not been manipulated and actually originates from the identity provider. This is an important security requirement.

Cryptography parameters

Cryptography parameters are the technical settings that determine which algorithms are used for hashing, signing and encryption in a SAML or XML security process.
Property | Description
Key Encryption method | Algorithm used to encrypt the symmetric key.
Signature method | Algorithm with which the hash value (digest) is cryptographically signed (signature algorithm).
Hash method | Hash algorithm used to hash the content of a SAML message or assertion before it is signed.
Data encryption method | Encryption algorithm used to encrypt the actual SAML data (e.g. assertions).

ID attribute

Mapping between the user identification feature in eTASK (e.g. e-mail, personnel number) and the corresponding attribute provided by the identity provider in the SAML assertion. This mapping is crucial for the system to correctly identify and assign the logged-in user.
Property | Description
Provider Attribute Name | Enter the name of the attribute that the identity provider uses for user identification (e.g. "mail", "email", "employeeID", "userPrincipalName"). The email address is usually used. Check the documentation of your identity provider for the available attributes.
Personal field name | Select the personnel characteristic from eTASK against which the identity provider ID is to be checked (e.g. e-mail, personnel number, user name). This field must be filled in the personnel master record to enable the assignment.
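As an added example that is not part of eTASK or this article, the block below covers two sections at once: it checks an incoming SAML response against the requirement guidelines (signed response, signed assertion, encrypted assertion, flexible signing) and then reads the attribute named under "Provider Attribute Name" from the assertion. The namespace constants, the constructed sample response (placeholder issuer, signature values and user), the policy keys and the function names are assumptions made for the example; only the presence of the elements is checked, cryptographic verification of the signatures is the SAML library's job.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: signed at response and assertion level, assertion not encrypted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0"><saml:Issuer>https://idp.example.test/saml/issuer</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:AttributeStatement><saml:Attribute Name="mail">
      <saml:AttributeValue>jane.doe@example.test</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion></samlp:Response>"""


def check_response_policy(response_xml: str, policy: dict) -> list:
    """Return the requirement-guideline settings this response would violate.
    Element presence only: the signatures themselves still have to be verified."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    encrypted = root.find("saml:EncryptedAssertion", NS) is not None
    response_signed = root.find("ds:Signature", NS) is not None
    # An encrypted assertion's own signature is only visible after decryption,
    # so it is reported as unknown (None) rather than as missing.
    assertion_signed = None if encrypted else (
        assertion is not None and assertion.find("ds:Signature", NS) is not None)
    violations = []
    if policy.get("encrypted_assertion_expected") and not encrypted:
        violations.append("Encrypted assertion expected")
    if policy.get("flexible_signing"):
        if not response_signed and assertion_signed is False:
            violations.append("Flexible signing: neither response nor assertion is signed")
    else:
        if policy.get("signed_response_expected") and not response_signed:
            violations.append("Signed SAML response expected")
        if policy.get("signed_assertion_expected") and assertion_signed is False:
            violations.append("Signed assertions expected")
    return violations


def identity_value(response_xml: str, provider_attribute_name: str):
    """Read the 'Provider Attribute Name' attribute from a plaintext assertion (None if absent)."""
    root = ET.fromstring(response_xml)
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == provider_attribute_name:
            value = attr.find("saml:AttributeValue", NS)
            return value.text.strip() if value is not None and value.text else None
    return None
```

The value returned by identity_value is what gets compared against the selected personnel field; a None result means the attribute name configured here does not match what the provider actually sends.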

Login graphic

In this section you can manage images and display an image gallery.

Attributes -> Personnel

See also: Identity Provider Mapping

Documents

In this section you can upload, download and manage files.

Notes

In this section you can add and edit comments and annotations.
