Setting up SSO using SAML
You can implement SSO into your environment using Security Assertion Markup Language (SAML). The process is different for Kubernetes and Docker.
About this task
One user access URL for the Sametime server is needed for the identity provider (IdP). An IdP is a service that stores and verifies the identity of users. In previous Sametime releases, the community services for rich clients were separate from the web chat and meeting services. In Sametime 12, all services are under the Sametime server. Because there is only one server, only one host name is required for all three types of user access: rich clients, web chat, and meetings.
To use SAML, the IdP administrator must create a federated partnership or relying party trust for the Sametime server. Additionally, the user access URL for the Sametime configuration and a certificate to be trusted by the Sametime server must be provided.
- Scenario 1
- If one host name is used for accessing rich clients, web chat clients, and meeting clients, then only one SAML partnership or relying party trust is needed.
- Scenario 2
- If using a different host name for rich clients and web chat clients, then include the following SAML partnerships or relying party trusts:
- One for the chat host name that is exposed to the Sametime Mux service
- One for the web chat host name defined for ingress
- Scenario 3
- If using a different host name for rich clients, web chat clients, and meeting clients, then include the following SAML partnerships or relying party trusts:
- One for the chat host name that is exposed to the Sametime Mux service
- One for the web chat host name defined for ingress
Note: Meeting authentication is processed through the web chat proxy and no specific SAML partnership is required for the meeting host name.
- SAML assertion consumer service URL
- The fully qualified URL of the Sametime server with /stwebapi/user/connect appended at the end. For example, https://sametime.example.com/stwebapi/user/connect.
- Relay State
- Specify the same value as the SAML assertion consumer service URL.
- Log out URL
- Do not specify a value for this property. The SAML logout specification is not supported in Sametime.
- Name ID
- Specify the attribute from the IdP that contains the user's email address.
- Certificate for TLS
- A secure connection to the IdP is required, and the IdP administrator must provide the certificate for Sametime to trust. If you have multiple relying party trusts, for example when separate host names are used, the IdP might provide a separate certificate for each trusted host name or a single certificate for all of them. If there is more than one certificate, each certificate and its full chain must be added to the trust store.
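The following pre-flight checker, an added example that is not part of the Sametime documentation or product, applies the rules above to a set of partnerships before they are handed to the IdP administrator: it works out which host names need a partnership (the meeting host never does, because meeting authentication goes through the web chat proxy) and then verifies, for each one, that the assertion consumer service URL is the HTTPS server URL plus /stwebapi/user/connect, that Relay State equals that URL, that no logout URL is set, and that a Name ID attribute is configured. The dict keys acs_url, relay_state, logout_url and name_id_attribute, and the sample host names, are assumptions chosen for this example.

```python
"""Pre-flight checks for Sametime SAML partnership settings.

Added example, not code from the Sametime documentation or product. A
partnership is modelled as a plain dict with the (assumed) keys acs_url,
relay_state, logout_url and name_id_attribute.
"""
from urllib.parse import urlparse

# Path that is appended to the fully qualified Sametime server URL.
ACS_PATH = "/stwebapi/user/connect"


def required_partnerships(rich_client_host, web_chat_host, meeting_host=None):
    """Return the distinct host names that need a SAML partnership or
    relying party trust. One host for everything (Scenario 1) yields one
    entry; separate chat and web chat hosts (Scenarios 2 and 3) yield two.
    The meeting host is accepted but never adds a partnership of its own."""
    hosts = []
    for host in (rich_client_host, web_chat_host):
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def expected_acs_url(host):
    """The assertion consumer service URL the page prescribes for a host."""
    return f"https://{host}{ACS_PATH}"


def check_partnership(host, partnership):
    """Return a list of findings; an empty list means the partnership
    matches the documented settings for this host."""
    findings = []
    acs = partnership.get("acs_url", "")
    parsed = urlparse(acs)
    if parsed.scheme != "https":
        findings.append("ACS URL must use https (a secure connection is required)")
    if parsed.hostname != host.lower():
        findings.append(f"ACS URL host {parsed.hostname!r} does not match {host!r}")
    if parsed.path != ACS_PATH:
        findings.append(f"ACS URL path must be {ACS_PATH}")
    if partnership.get("relay_state") != acs:
        findings.append("Relay State must equal the ACS URL")
    if partnership.get("logout_url"):
        findings.append("Log out URL must be empty; SAML logout is not supported")
    if not partnership.get("name_id_attribute"):
        findings.append("Name ID must name the IdP attribute holding the email address")
    return findings


def check_deployment(hosts, partnerships):
    """Check that every host needing a partnership has one that passes.
    hosts is (rich_client_host, web_chat_host[, meeting_host]); returns
    {host: [findings]}, where a missing partnership is itself a finding."""
    report = {}
    for host in required_partnerships(*hosts):
        p = partnerships.get(host)
        report[host] = ["no partnership configured"] if p is None else check_partnership(host, p)
    return report


# Constructed sample: a Scenario 3 layout with separate host names for each
# client type. The web chat partnership deliberately contains three mistakes.
SAMPLE_HOSTS = ("chat.example.com", "webchat.example.com", "meet.example.com")
SAMPLE_PARTNERSHIPS = {
    "chat.example.com": {
        "acs_url": "https://chat.example.com/stwebapi/user/connect",
        "relay_state": "https://chat.example.com/stwebapi/user/connect",
        "logout_url": "",
        "name_id_attribute": "mail",
    },
    "webchat.example.com": {
        "acs_url": "http://webchat.example.com/stwebapi/user/connect",  # wrong scheme
        "relay_state": "https://webchat.example.com/",                  # not the ACS URL
        "logout_url": "https://idp.example.com/logout",                 # must be empty
        "name_id_attribute": "mail",
    },
}

if __name__ == "__main__":
    for host, findings in check_deployment(SAMPLE_HOSTS, SAMPLE_PARTNERSHIPS).items():
        print(host, "OK" if not findings else findings)
```

Run the module directly to see the report for the constructed sample; in practice, build the partnerships dict from the values the IdP administrator sends back and run it before opening the trust, so that a mismatched Relay State or an unexpected logout URL is caught before users start seeing failed logins.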