This page details how to enable logins using SAML.
There are two places that this needs to be enabled. Either in System for both Busby Admin / Config Editor (which share a config), or in each Selector service to allow each Selector to have a different provider.
A third party authenticator is also required to validate the responses and provide the user information to the authentication service.
¶ Selector
Selector has the same configutation options as Busby Admin/Config Editor but has an additional check box to allow usage of the system config or can have its own separate config. See below for all the options.
¶ Busby Admin / Config Editor
To allow SAML logins for Config Editor and Busby Admin the configuration is under System -> System
Check the Enabled checkbox and fill in the reevant details.
- Third Party Authenticator Service: Provide the service that will validate the user.
- Login Text: The text displayed on the login button in the user interface.
- Automatic Login Seconds: If you want the login page to automatically begin a login attempt after this amount of time.
-1= disabled. - Identifier (SP Issuer) - A unique identifier for the SAML client. This will need to be supplied to your SAML IdP.
- Issuer (IdP Issuer) - The entity issuer ID from the SAML Provider.
- IdP Certificate - This is the certificate from the Identity Provider.
- Login URL (IdP Entrypoint) - The URL to send the user to for authorisation.
- Logout URL (IdP Entrypoint) - The URL to send the user to for logouts. (This is currently unused but added for completeness).
There are then several options available
- Append Service ID to Issuer - If your provider doesn't allow multiple ACS URLs multiple applications will be required. This will make the issuer the issuer string
<issuer>/<service>. Examples:http://saml.demo.busby.local/configEditorhttp://saml.demo.busby.local/busbyAdminhttp://saml.demo.busby.local/selector
- Disable Response Signature Verification - If your provider does not sign the SAMLResponse then check this.
- Disable Assertion Signature Verification - If your provider does not sign the SAMLAssertion then check this.
- Disable Authn Context in Request - If the provider allows other authorisation methods than password check this (Such as Entra which allows Passkey sign in).
You can also add additional parameters which are added to the requests. In the above example it adds the param whr which for Entra ID (and likely other WS-Federation SAML servers) sets the home realm which allows to auto pick an account if logged in to multiple accounts at a provider. login_hint or domain_hint may also work for certain providers.
¶ Identiy Provider (IdP) Config
Most if not all the information the provider will need can be obtained from the metadata xml which once the above is set up on a service can be obtained by going to /saml/metadata at the relevant server for Config Editor / Busby Admin / Selector. This will include the certificate if signing needs to be verified at the Provider end. You can also retireve the certificate from /saml/cert to get the certificate as a separte file.
The provider will need to add all the required Assertion Consumer Service URLs. Not all providers allow multiple to be specified so you may need to set up multiple SAML applications in your server to allow multiple applications to be consumed, assuming they use the same IdP certificate then you should enable the append service id option.