SAML User Authentication

Authenticating Users with SAML

Rosetta (v5.2+) supports the SAML 2.0 Web Browser SSO profile. This enables Rosetta to exchange authentication and authorization information with your institutional identity provider (IdP), allowing single sign-on for the institution’s users. When a user attempts to log in to Rosetta, Rosetta redirects the browser to the IdP with an authentication request. The IdP performs a single-sign-on check, and if the user is not already logged in to the IdP, a login page is displayed (this is the IdP login screen, not the Rosetta login page). After the user logs in, the IdP redirects back to Rosetta with a SAML response that includes an assertion. Rosetta looks up the user based on the SAML response and logs the user in.

Note: If you are also using Alma with SAML, please pay attention to the differences between the SAML integrations in each system.

The SAML authentication workflow is illustrated in the following diagrams.

Staff user authentication:

End user (delivery) authentication:

In addition to a single-sign-on, Rosetta can be configured for SAML single sign out with an external system. This enables a user to log out of the external system and be automatically logged out of Rosetta, or vice versa.

Note: Users must log out of Rosetta in order to end a Rosetta session (single sign-out is not supported).

Setting up a SAML Integration Profile

To authenticate users using SAML, an external profile of type ‘SAML’ must be defined. If Rosetta institutions use separate IdPs, an integration profile should be defined for each IdP. In such cases it is recommended to include the institution code in the profile name, e.g. SAML-INS00, SAML-INS01, etc.
A profile can be set as the default authentication method by setting the default_authentication_mode general parameter to the profile name.

Note: Only one SAML profile can be defined as the default authentication preference.

IdP Metadata File

The IdP metadata file can be provided as a link or as an uploaded file. This XML file should include the following information:

IdP metadata file field                                                     Rosetta SAML integration profile field
---------------------------------------------------------------------------  --------------------------------------
entityID attribute                                                          IDP issuer
SingleSignOnService element (HTTP-Redirect binding), Location attribute     IDP login URL
SingleLogoutService element (HTTP-Redirect binding), Location attribute     IdP logout URL
X509Certificate element (first occurrence)                                  Certificate
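The mapping in the table above can be checked mechanically before the values are typed into the integration profile. The following script is an added example, not Rosetta code or Ex Libris tooling: it reads an IdP metadata file with Python's standard library and pulls out exactly the four fields the profile needs, taking the HTTP-Redirect binding for the SSO and SLO endpoints and the first X509Certificate in document order. The sample metadata, the hostnames and the certificate strings are constructed placeholders.

```python
"""Extract the Rosetta SAML integration profile fields from an IdP metadata file.
Added example; not part of Rosetta. The sample metadata below is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample with the shape of a typical IdP metadata file; all values are placeholders.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          MIIC...SIGNING-CERT-PLACEHOLDER...
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...ENCRYPTION-CERT-PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.edu/idp/profile/SAML2/POST/SLO"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SLO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _redirect_location(idp, service_tag):
    """Return the Location of the HTTP-Redirect endpoint, ignoring HTTP-POST and other bindings."""
    for svc in idp.findall(f"md:{service_tag}", NS):
        if svc.get("Binding") == HTTP_REDIRECT:
            return svc.get("Location")
    return None


def extract_profile_fields(metadata_xml: str) -> dict:
    """Map an IdP metadata document onto the four Rosetta profile fields.

    Raises ValueError when the document is not single-entity IdP metadata or when a
    required field is absent, so a wrong file (e.g. SP metadata, or a federation
    EntitiesDescriptor aggregate) is caught before anything is configured.
    Metadata from an untrusted source should be parsed with defusedxml instead of
    xml.etree; the stdlib parser is used here only because the input is local.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("expected a single md:EntityDescriptor as the document root")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor found: this is not IdP metadata")

    # "first occurrence" in the table means the first certificate in document order;
    # base64 in metadata is often line-wrapped, so the whitespace is stripped out.
    cert = idp.find(".//ds:X509Certificate", NS)
    cert_b64 = "".join(cert.text.split()) if cert is not None and cert.text else None

    fields = {
        "IDP issuer": root.get("entityID"),
        "IDP login URL": _redirect_location(idp, "SingleSignOnService"),
        "IdP logout URL": _redirect_location(idp, "SingleLogoutService"),  # optional
        "Certificate": cert_b64,
    }
    missing = [k for k in ("IDP issuer", "IDP login URL", "Certificate") if not fields[k]]
    if missing:
        raise ValueError(f"IdP metadata is missing required field(s): {', '.join(missing)}")
    return fields


if __name__ == "__main__":
    for name, value in extract_profile_fields(SAMPLE_IDP_METADATA).items():
        print(f"{name:15} {value}")
```

The logout URL is left optional because an IdP that does not publish a SingleLogoutService endpoint is still usable for sign-on; the issuer, login URL and certificate are required because the profile cannot validate a response without them.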

Certificate upload method: If you received a *.cer or *.crt file from the IdP, choose “Certificate file” and upload it.

Note: The MD5withRSA signature algorithm is not supported. For more information, see here.

User Data

Users that are authenticated by the IdP should exist as ‘external’ type users in Rosetta. The user ID should be in either the NameID element or in one of the user attributes. If SAML returns an ID that is not the same as the Rosetta userId, the additional identifier should be defined in the user’s details – Additional identifiers section. Refer to the Rosetta Configuration Guide – User Management for further information.

Providing Information to Your Identity Provider

You will be required to provide a Rosetta metadata file to the IdP. Click the ‘Generate Metadata File’ button in the SAML Integration Profile UI to generate the file.

Note: Rosetta offers the following options:

o Signed certificate (January 2021)
o Self-signed certificate (January 2026)

XML Samples