Configuration Option and Best Practices

Overview

This guide collects the security best practices and configuration details for using LoginRadius as an Identity Provider (IdP). It covers the key settings and the recommended security measures for a secure, reliable SAML-based Single Sign-On (SSO) integration between LoginRadius and the Service Provider (SP).

SAML Configuration Key Points

Identity Provider Login URL

  • SSO Login URL: The Service Provider (SP) uses this URL to send login requests to the Identity Provider (LoginRadius) and initiate the authentication process.

    https://<LoginRadius Site Name>/service/saml/idp/login?appname=<SAMLAppName>

Logout Settings

  • After Logout URL: This URL is an endpoint that accepts SAML authentication requests; users are redirected to it after they log out of the application.

    https://<LoginRadius Site Name>.hub.loginradius.com/auth.aspx?action=logout
  • Service Provider Logout URL: Enables Single Logout (SLO), so users can log out from all connected applications at once. If SLO is configured, logging out from one application triggers logout across all linked services.

LoginRadius Certificate for Service Provider

  • After completing the SAML configuration in the LoginRadius Admin Console, download the metadata file to obtain the LoginRadius certificate.
  • The certificate ensures secure communication between the Service Provider (SP) and Identity Provider (IdP) by validating signed requests and responses.

👉 To learn more about how to generate the certificate, refer to LoginRadius SAML Certificate Guide

Name ID Format

The Name ID Format defines the type of identifier used to represent the user in SAML assertions. It specifies how the user's identity is conveyed between the Identity Provider (IdP) and the Service Provider (SP). The available options in LoginRadius are:

  • Unspecified:
    • No specific format is defined for the Name ID.
    • This flexible option relies on the SP to interpret the Name ID.
  • Email:
    • Uses the user's email address as the identifier.
    • It is commonly used when email is the primary unique identifier for users.
  • Persistent:
    • Provides a persistent, unique identifier for the user that remains the same across sessions.
    • It is recommended when a consistent user identity is required across applications.
  • Transient:
    • Provides a temporary, one-time identifier for the user.
    • Typically used for short-lived sessions or when no permanent user record is needed.

Request & Response Binding

Binding defines how SAML authentication requests and responses are transmitted between the SP and LoginRadius (IdP).

Supported Bindings:

  • HTTP-Redirect: Sends SAML requests via URL redirection (suitable for lightweight requests).
  • HTTP-POST (Recommended): Transmits SAML requests using an HTML form post (preferred for security and handling larger payloads).
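The following is an added example, not code from the LoginRadius documentation or SDK, showing how each binding carries the same AuthnRequest: HTTP-Redirect DEFLATE-compresses and base64-encodes the request into the query string of a GET, while HTTP-POST sends it base64-encoded in a hidden form field. The tenant hostname, the SP URLs and the request ID are constructed placeholders.

```python
"""Added example (not LoginRadius code): how the HTTP-Redirect and HTTP-POST
bindings carry a SAML AuthnRequest, to show why HTTP-POST is preferred.
Hostnames, URLs and IDs below are constructed placeholders."""
import base64
import html
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample AuthnRequest (placeholder SP, not a real tenant).
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/acs">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.test/metadata</saml:Issuer></samlp:AuthnRequest>'
)


def redirect_binding_url(idp_login_url: str, request_xml: str, relay_state: str) -> str:
    """HTTP-Redirect: raw-DEFLATE the XML, base64 it, URL-encode it and append it
    to the IdP login URL as a GET query string.  Everything in that URL ends up
    in browser history, proxy and web-server access logs and Referer headers,
    and long requests can exceed URL length limits."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = compressor.compress(request_xml.encode()) + compressor.flush()
    params = {
        "SAMLRequest": base64.b64encode(deflated).decode(),
        "RelayState": relay_state,
    }
    separator = "&" if "?" in idp_login_url else "?"  # the LoginRadius login URL already carries ?appname=
    return f"{idp_login_url}{separator}{urlencode(params)}"


def post_binding_form(idp_login_url: str, request_xml: str, relay_state: str) -> str:
    """HTTP-POST: base64 the XML (no compression) into a hidden form field that
    the browser submits in the request body, so the request is not exposed in
    URLs or logs and size is not limited by URL length."""
    encoded = base64.b64encode(request_xml.encode()).decode()
    return (
        f'<form method="post" action="{html.escape(idp_login_url)}">'
        f'<input type="hidden" name="SAMLRequest" value="{html.escape(encoded)}"/>'
        f'<input type="hidden" name="RelayState" value="{html.escape(relay_state)}"/>'
        "</form>"
    )


def decode_redirect_request(url: str) -> tuple:
    """Recover (AuthnRequest XML, RelayState) from a Redirect-binding URL.
    Anyone who can read the URL (for example in an access log) can do the
    same, which is the exposure the HTTP-POST recommendation avoids."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode(), query["RelayState"][0]


if __name__ == "__main__":
    login_url = "https://example-tenant.hub.loginradius.com/service/saml/idp/login?appname=MyApp"
    print(redirect_binding_url(login_url, AUTHN_REQUEST, "/dashboard"))
    print(post_binding_form(login_url, AUTHN_REQUEST, "/dashboard"))
```

The Redirect URL is reversible by anyone holding the URL, which is why the request body of an HTTP-POST is the better place for the SAML message; the RelayState travels alongside in both cases and should only ever hold a path or opaque token, never sensitive data.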

RelayState & Expiry

  • RelayState Parameter: Used to direct users to a specific resource after authentication.
  • The SAML Assertion Expiration, configurable from 1 to 70 minutes (default: 5 minutes), defines how long the assertion remains valid. A short validity window is an important security control because it limits how long a captured assertion could be reused.

Security & App Audience

  • App Audiences (EntityID):
    • Defines the intended recipient of the SAML assertion.
    • Ensures that the SAML response is only accepted by the authorized SP.
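To make the Name ID Format, assertion expiry and App Audience settings above concrete, here is an added example (not LoginRadius code) of the checks an SP applies to a received assertion: the NotBefore/NotOnOrAfter window with a small clock-skew allowance, the Audience matching the SP's EntityID, a rejection of already-consumed assertion IDs inside the validity window, and extraction of the NameID with its format. The assertion XML, entity IDs, timestamps and subject value are constructed placeholders, and the example assumes the XML signature has already been verified against the certificate from the LoginRadius metadata.

```python
"""Added example (not LoginRadius code): SP-side checks on a SAML assertion's
Conditions and NameID.  The assertion, entity IDs and times are constructed
placeholders.  Signature verification against the IdP certificate is assumed
to have happened first and is out of scope here."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard NameID format URIs mapped to the option names used in the guide.
NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified": "Unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress": "Email",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent": "Persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient": "Transient",
}

# Constructed sample assertion: 5-minute validity window, one audience.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://example-tenant.hub.loginradius.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-7f3a</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC xs:dateTime; this accepts the trailing-'Z' form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, sp_entity_id: str, now: datetime,
                       seen_ids: dict, skew: timedelta = timedelta(seconds=60)) -> dict:
    """Return {'name_id', 'format'} if the Conditions are acceptable, else raise
    ValueError.  seen_ids maps consumed assertion IDs to their NotOnOrAfter."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 Assertion")
    conditions = root.find("saml:Conditions", NS)
    if conditions is None or not conditions.get("NotOnOrAfter"):
        raise ValueError("assertion has no Conditions/NotOnOrAfter")

    # 1. Validity window: the expiry set in the IdP (default 5 minutes) shows up
    #    here as NotOnOrAfter; allow a small clock skew between IdP and SP.
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    if conditions.get("NotBefore") and now + skew < parse_saml_time(conditions.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - skew >= not_on_or_after:
        raise ValueError("assertion expired")

    # 2. Audience restriction: the assertion must name this SP's EntityID exactly.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion not intended for this SP: %r" % audiences)

    # 3. Reuse: reject an assertion ID already consumed inside its validity
    #    window; IDs whose window has closed are pruned since step 1 rejects them.
    for old_id, expiry in list(seen_ids.items()):
        if expiry <= now - skew:
            del seen_ids[old_id]
    assertion_id = root.get("ID")
    if not assertion_id:
        raise ValueError("assertion has no ID")
    if assertion_id in seen_ids:
        raise ValueError("assertion replayed")
    seen_ids[assertion_id] = not_on_or_after

    # 4. Subject identifier and the Name ID Format it was issued in.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no NameID")
    fmt = name_id.get("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    return {"name_id": name_id.text, "format": NAMEID_FORMATS.get(fmt, "Unknown")}


def assertion_verdict(xml_text: str, sp_entity_id: str, now_str: str, seen_ids: dict) -> str:
    """Convenience wrapper: 'ok:<name_id>:<format>' or 'rejected: <reason>'."""
    try:
        result = validate_assertion(xml_text, sp_entity_id, parse_saml_time(now_str), seen_ids)
        return "ok:%s:%s" % (result["name_id"], result["format"])
    except ValueError as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    seen = {}
    print(assertion_verdict(SAMPLE_ASSERTION, "https://sp.example.test/metadata", "2024-01-01T12:02:00Z", seen))
    print(assertion_verdict(SAMPLE_ASSERTION, "https://sp.example.test/metadata", "2024-01-01T12:02:00Z", seen))
```

A Persistent NameID is what the SP should key its user record on; a Transient value must not be stored as an identity, and an Email value should only be trusted for account linking if the IdP is the authority for that address. The seen-ID store only needs to hold IDs for the length of the validity window, which is one practical reason to keep the assertion expiry short.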

Security Best Practices

1. Use Strong Certificates

  • Ensure both the SP and IdP certificates are secure and current.
  • Renew certificates before expiration to avoid authentication failures.

2. Enforce Strong Session Expiry Policies

  • Set appropriate session expiration times to minimize security risks.
  • Configure SAML Assertion NotOnOrAfter to define the assertion’s validity period, preventing assertion reuse.

3. Use HTTP-POST Binding Over HTTP-Redirect

HTTP-POST is recommended for:

  • Better security (prevents URL-based data exposure).
  • Handling larger SAML responses efficiently.

4. Optimize Attribute Mapping

Send only necessary SAML attributes to:

  • Reduce response size.
  • Improve authentication speed.

5. Use Metadata Files for SP Configuration

Instead of manual entry, use metadata files to:

  • Minimize configuration errors.
  • Simplify updates to SP settings.