SAML Configuration

After installing a Service Provider (SP) package, a trust relationship needs to be set up using XML metadata from both parties. The flexmls metadata comes from a URL, in the format of, where mls is the short abbreviation of the MLS name. Most SP software accepts a URL instead of a plain XML file for metadata, which has the advantage that if the flexmls metadata changes, the SP automatically fetches a fresh copy.

Next, the SP software will usually require an entity ID to form a trust relationship with the IdP. The entity ID for the flexmls IdP is the same as the metadata URL.

The SP software will also have metadata for its own SAML endpoints. Most packages can generate this dynamically at a URL, as the flexmls IdP does. On the flexmls side, we will have to add the SP metadata and entity ID to our configuration in order to trust the SP.

This is only the general procedure; each SP package may have its own setup method.

A few extra details about the IdP:

  • The IdP runs Shibboleth IdP v2.1.5 with SLO (single log out) support
  • The principal name (a.k.a. username, agent ID, etc.) is provided in two places:
    • in the SAML Subject tag, as a Name ID in the format urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    • in the SAML attribute flexmls_user_name (this is also the pseudo user)
  • More information about the user is provided in SAML attributes
  • The public certificate is in the IdP metadata. Look for the XML tag <ds:X509Certificate>
  • Sessions have a 24 hour lifetime on the IdP.
    • If an SP session expires and the user is redirected over to the IdP, that user will still have an active IdP session. They will automatically be redirected back to the SP without being asked to authenticate again
    • To do an IdP-initiated log out, direct the browser to (note this is plain HTTP). This URL is handy if your SP package does not support logouts: simply point your "Log Out" button at this URL and the IdP handles the rest
  • For most setups, assertions are signed with the SSL certificate, but not encrypted
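As an added example (not flexmls' or Shibboleth's own code), the following Python pulls the items listed above out of IdP metadata and an assertion: the entity ID, the signing certificate from the <ds:X509Certificate> tag, the persistent Name ID format, the SSO and SLO endpoints, and the flexmls_user_name attribute. It then lists the checks an SP should apply before trusting an assertion. The metadata and assertion are constructed samples; the entity ID, endpoint URLs and certificate string are placeholders, since this page does not give the real values.

```python
"""Pull the trust details this page lists out of SAML 2.0 IdP metadata and an
assertion.  Added example, not flexmls or Shibboleth code.  All XML below is
constructed: entity ID, URLs and certificate string are placeholders."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
USER_ATTR = "flexmls_user_name"

# Constructed IdP metadata (placeholder entity ID, URLs and certificate).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.invalid/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER-CERT...==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/profile/SAML2/Redirect/SLO"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion shaped as described above: signed, not encrypted,
# persistent NameID plus the flexmls_user_name attribute.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c0ffee" Version="2.0">
  <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">p-1234</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="flexmls_user_name">
      <saml:AttributeValue>agent42</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_idp_metadata(xml_text):
    """Return entity ID, signing certificates, NameID formats and endpoints."""
    root = ET.fromstring(xml_text)
    certs = []
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means both uses
            for c in kd.findall(".//ds:X509Certificate", NS):
                certs.append("".join(c.text.split()))  # drop PEM line wrapping
    endpoint = lambda tag: {e.get("Binding"): e.get("Location")
                            for e in root.findall(".//md:" + tag, NS)}
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": certs,
        "name_id_formats": [n.text.strip() for n in root.findall(".//md:NameIDFormat", NS)],
        "sso": endpoint("SingleSignOnService"),
        "slo": endpoint("SingleLogoutService"),
    }


def parse_assertion(xml_text):
    """Return issuer, subject NameID/format, attributes and whether a
    Signature element is present (presence only, no verification)."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:Attribute", NS)}
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "name_id": None if name_id is None else name_id.text,
        "name_id_format": None if name_id is None else name_id.get("Format"),
        "attributes": attrs,
        "has_signature": root.find("ds:Signature", NS) is not None,
    }


def trust_problems(meta, assertion):
    """List reasons an SP should reject the assertion.  The XML signature is
    not verified here; a real SP library checks it against meta['signing_certs']
    (for example with xmlsec) before any of these checks matter."""
    problems = []
    if assertion["issuer"] != meta["entity_id"]:
        problems.append("issuer does not match the IdP entity ID from metadata")
    if assertion["name_id_format"] != PERSISTENT:
        problems.append("subject NameID is not in the persistent format")
    if USER_ATTR not in assertion["attributes"]:
        problems.append("missing %s attribute" % USER_ATTR)
    if not assertion["has_signature"]:
        problems.append("assertion is not signed")
    if not meta["signing_certs"]:
        problems.append("metadata has no signing certificate to verify against")
    return problems
```

In a real deployment the metadata string would be fetched from the flexmls metadata URL rather than embedded, and the signature check would be done by the SP library against the extracted certificate; the presence test here only shows where that certificate lives in the metadata and that an unsigned assertion must never be accepted.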

