Modifying the SAML configuration file

Before you begin

Make sure you have your certificate name and thumbprint from Capture certificate name and thumbprint.

Modify the SAML file

1. Open C:\Program Files(x86)\Rapid7\AppSpider Enterprise x.x\IIS.NET\samlProviders.config with a text editor. Replace "x.x" in the file path with the version of AppSpider Enterprise you are running.
2. Find the element <samlProviders enabled="false"> and change its value to true to provision users to use SAML.
3. Find the line that starts with <provider>. You must provide the information for the following options:
   • signOnUrl - The URL of the IdP handling your sign-in requests, such as http://IDP_servername/saml2/sso/1234. This information can be provided and found after you set up an Application, or whatever terminology your IDP uses when setting applications up for SAML 2.0 configurations.
   • issuer - The unique entity identifier for your IdP, such as http://saml.yourcompany.com. This information can be provided and found after you set up an Application, or whatever terminology your IDP uses when setting applications up for SAML 2.0 configurations.
   • title - The company name you'll use to log in to AppSpider Enterprise. This is the information you will enter when you log in to AppSpider Enterprise via SAML. This is important if you plan to use an SP initiated SSO login sequence. It can be any unique identifier that you like, such as ABCompany-SSO, and is case sensitive.
4. Find the line that starts with <certificate>. You must provide the information for the following options:
   • findBy - How to search for the certificate. Ex: "FindBySubjectName", "FindByThumbprint", "FindBySubjectDistinguishedName". You get to choose which option to use to find your certificate, which you installed on your AppSpider Enterprise server. We recommend using the FindByThumbprint option.
   • findValue - The value to search for based on how findBy is defined. This is the Thumbprint value copied from the certificate after installing on the AppSpider Enterprise server in the Capture certificate name and thumbprint step.
   • storeLocation - The location of the certificate on your local machine. Ex: "LocalMachine", "CurrentUser". This is normally the LocalMachine.
   • storeName - The certificate's storage name. By default, this value is "My," which means that the certificate is located in Local Machine > Personal storage. Another example is "TrustedPeople".
5. Find the line that starts with <provideConfiguration>. You must provide the information for the following options for new AppSpider Enterprise users:
   • autoAttachToClient - The enterprise client that you want to assign to SAML users. A client is a collection of users who interact with AppSpider Enterprise and sets bounds on the people can use the application.
   • autoAttachSysAdmins - The IdP username you want to assign as a system administrator. You can only specify one user name for this option.
   • autoAttachGroups - The name of the enterprise group that can log in to AppSpider Enterprise to manage access to the application.
6. If you want to send login data to your IdP, you can add the following line to the configuration file: <samlRequestParams ID="" AssertionConsumerServiceURL="" Issuer="" />, where:
   • ID - An identifier for AppSpider Enterprise. This is also known as the EntityID. As a best practice, it should be the URL/FQDN of your AppSpider Enterprise Server (https://<ipaddressofAppSpiderEnterprise>/AppSpiderEnterprise).
   • AssertionConsumerServiceURL - The URL to which the SAML response is sent. Make sure to respect the following syntax and do not change the end of the URL: <protocol>://<FQDN>/AppSpiderEnterprise/Account/SamlLogin.
   • Issuer - The server name. For example, https://<ipaddressofAppSpiderEnterprise>.
   • NameIdFormat="undefined" - This configures the <samlp:NameIDPolicy (Specifies constraints on the name identifier to be used to represent the requested subject). If omitted email is used. ( Version: 3.8.189 and above)