MIDAS SAML 2.0 (SSO) Integration: SAML 2.0 Integration Configuration

You can configure SAML 2.0 settings for MIDAS via MIDAS Admin Options → Manage Users & Permissions → Single Sign-On (SSO).

From this screen, select "SAML 2.0" from the "Single Sign-On Method" drop-down to enable SAML 2.0 integration. Change this to "Disabled" to disable single sign-on support.

Once "SAML 2.0" has been selected, you'll be provided with a number of settings. If you've previously used our SAML Test Tool some of these settings may already be populated for you.

NOTE: If these settings have been populated from our SAML Test Tool, be sure to update the ACS URL to reflect the URL of your MIDAS system, rather than the test tool.

[Screenshot: MIDAS SAML 2.0 Integration Settings]

Identity Provider (IdP) Settings

Complete this section with data supplied by your Identity Provider.

Metadata

Paste into this field either the Metadata URL or the raw XML Metadata generated and provided by your Identity Provider.

The Metadata should include the Assertion Consumer Service (ACS) URL indicated in the "Service Provider Settings" below.

Certificate

Paste the public certificate provided by your Identity Provider into this field.

Service Provider (SP) Settings

Assertion Consumer Service (ACS) URL

This is the specific endpoint on the Service Provider (SP) where the Identity Provider (IdP) redirects the user's browser after successful authentication, along with the SAML assertion. The ACS is essentially the location where the SP processes and validates the SAML response from the IdP.

When using the SAML Test tool, this should reflect the URL at which the SAML Test tool is accessed.

When using MIDAS, the ACS URL will instead be the URL of your MIDAS system.

Private Key / Certificate

You'll need to generate a Private Key and Public Certificate pair, which will be stored with your MIDAS system. This is subsequently used to encrypt and authenticate data between MIDAS (the Service Provider) and your SAML 2.0 Identity Provider.

Clicking the "Generate" button will generate a new Private Key / Public Certificate pair. This will attempt to automatically use OpenSSL on your server in the first instance. If OpenSSL isn't available on your server, the SAML Test tool will fall back to using MIDAS servers to generate a unique Private Key / Public Certificate pair for you.

If you don't wish to use the 'Generate' button and instead want to manually generate a Private Key / Public Certificate pair, you can execute the following OpenSSL command:

> openssl req -newkey rsa:2048 -nodes -keyout "sp-private-key.txt" -x509 -days 365 -out "sp-certificate.txt" -subj "/C=US/O=Organization/CN=your.midas.domain" 2>&1

Adjust the "C=", "O=" and "CN=" values in the "-subj" argument of the above command to reflect your Country, Organization Name, and MIDAS domain respectively.

This command will generate two files: "sp-private-key.txt" and "sp-certificate.txt". The contents of these files can then be manually copied and pasted into the "Private Key" and "Certificate" Service Provider (SP) fields accordingly in the SAML Test tool.

MIDAS Settings

Assign user permissions from

If a new MIDAS user authenticates via your Identity Provider for the first time, you can select a user group from which to assign permissions to the new user account.

Update User Permissions upon each authentication

If enabled, then each time a user authenticates via your Identity Provider, their MIDAS user account permissions will be reset to the current permissions from the selected user group in the above setting.

If disabled, then no user permissions will be changed when users authenticate via your Identity Provider.

Enable Debug Logging

Enabling this option will write to a SAML 2.0 debug log (debug-saml.dat within your MIDAS server directory). This option should only be enabled when troubleshooting a SAML 2.0 integration issue, and should be disabled the rest of the time.