SAML User Authentication
Authenticating Users with SAML
Rosetta (v5.2+) supports the SAML 2.0 Web Browser SSO profile. This enables Rosetta to exchange authentication and authorization information with your institutional identity provider (IdP), allowing a single sign on for the institution’s users. When the user attempts to log in to Rosetta, Rosetta redirects to the IdP and sends an authentication request. The IdP performs a single-sign-on check, and if the user is not logged in to the IdP, a login page is displayed (this is not the Rosetta login page, but the IdP login screen). After the user logs in, the IdP redirects back to Rosetta with a SAML response, including an assertion. Rosetta retrieves the user based on the SAML response and logs the user in.
Note: If you are also using Alma with SAML, please pay attention to the differences bewteen SAML integrations in each system.
The SAML authentication workflow is illustrated in the following diagrams
Staff user authentication:
End user (delivery) authentication:
In addition to a single-sign-on, Rosetta can be configured for SAML single sign out with an external system. This enables a user to log out of the external system and be automatically logged out of Rosetta, or vice versa.
Note: Users must log out of Rosetta in order to end a Rosetta session (single sign-out is not supported).
Setting up a SAML Integration Profile
To authenticate users using SAML, an external profile of ‘SAML’ type must be defined. If Rosetta institutions use separate IdPs, an integration profile should be defined for each IdP. In such cases it is recommended to indicate the institution code in the profile name, e.g. SAML-INS00, SAML-INS01 etc..
A profile can be set as the default authentication method by setting the default_authentication_mode general parameter to the profile name.
Note: Only one SAML profile can be defined as the default authentication preference.
IdP Metadata File
The IdP metadata file can be provided as a link or as an uploaded. This xml file should include the following information:
|IDP metadata file field||Rosetta SAML integration profile field|
|entityID attribute||IDP issuer|
|SingleSignOnService field (of HTTP redirect type), Location attribute||IDP login URL|
|singleLogoutService (of HTTP redirect type)||IdP logout URL|
|X509Certificate (first occurrence)||Certificate|
Certificate upload method: If you received a *.cer or *.crt file from the IdP, choose “Certificate file” and upload it.
Note: The MD5withRSA encryption algorithm is not supported. For more information, see here.
Users that are authenticated by the IdP should exist as ‘external’ type users in Rosetta. The user ID should be in either the NameID element or in one of the user attributes. If SAML returns an ID that is not the same as the Rosetta userId, the additional identifier should be defined in the user’s details – Additional identifiers section. Refer to the Rosetta Configuration Guide – User Management for further information.
Providing Information to Your Identity Provider
You will be required to provide a Rosetta metadata file to the IdP. Click the ‘Generate Metadata File’ button in the SAML Integration Profile UI to generate the file.
Note: Rosetta uses a signed certificate (expiration date: 02 October 2019, Signed by: DigiCert, signature algorithm: sha256RSA).