IdP Instructions 
Content
IdP Connector is a generic federated identity provider (IdP) connector. It allows your OutSystems applications to integrate with the single sign-on (SSO) offered by most commercial identity providers.

With this integration, when users access an OutSystems application they are redirected to a web page (known as the enterprise's login manager) where they are prompted to enter their enterprise user name and password. Once the login is verified, the enterprise identity provider informs the OutSystems application of the verified identity of the user who is logging in, and the user is redirected back to the portal website.
This image illustrates the following steps:
1. The user attempts to reach a hosted OutSystems application
2. OutSystems generates a SAML authentication request
3. OutSystems sends a redirect to the user's browser
4. SSO decodes the SAML request and authenticates the user
5. SSO generates a SAML response that contains the authenticated user's username. In accordance with the SAML 2.0 specification, this response is digitally signed with the partner's public and private DSA/RSA keys
6. SSO encodes the SAML response and the RelayState parameter and returns that information to the user's browser.
7. OutSystems IdP Connector verifies the SAML response using the partner's public key
8. The user has been redirected to the destination URL
9. The user is logged in to OutSystems application
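Steps 2 to 4 as an added example (not IdP Connector's own code): it assumes the SAML 2.0 HTTP-Redirect binding, where the request XML is raw-DEFLATE compressed, base64 encoded and carried in the SAMLRequest query parameter next to RelayState. The function names, URLs and sample values are constructed for illustration.

```python
import base64, zlib
from urllib.parse import urlencode, urlparse, parse_qs
from xml.sax.saxutils import escape, quoteattr

MAX_REQUEST_BYTES = 64 * 1024  # cap on inflated size (guards against decompression bombs)

def build_redirect(idp_sso_url, acs_url, issuer, request_id, issue_instant, relay_state):
    """Steps 2-3: build the AuthnRequest and the redirect URL sent to the browser."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" '
           f'ID={quoteattr(request_id)} IssueInstant={quoteattr(issue_instant)} '
           f'AssertionConsumerServiceURL={quoteattr(acs_url)}>'
           f'<saml:Issuer>{escape(issuer)}</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    deflated = deflater.compress(xml.encode("utf-8")) + deflater.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii"),
                       "RelayState": relay_state})
    separator = "&" if "?" in idp_sso_url else "?"
    return f"{idp_sso_url}{separator}{query}"

def decode_redirect(url):
    """Step 4, IdP side: recover the request XML and RelayState from the URL."""
    params = parse_qs(urlparse(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(raw, MAX_REQUEST_BYTES)
    if not inflater.eof:  # stream truncated, or larger than the cap
        raise ValueError("SAMLRequest is truncated or inflates beyond the allowed size")
    return xml.decode("utf-8"), params.get("RelayState", [""])[0]

# Constructed sample values (hypothetical hosts, ID and timestamp).
SAMPLE_URL = build_redirect(
    idp_sso_url="https://idp.example.com/sso",
    acs_url="https://apps.example.com/IdP/SSO.aspx",
    issuer="https://apps.example.com/IdP/SSO.aspx",
    request_id="_constructed-request-id",
    issue_instant="2024-01-01T00:00:00Z",
    relay_state="/MyApp/Home.aspx",
)
```

decode_redirect is also handy when troubleshooting: paste the redirect URL captured from the browser to see exactly which ACS URL and issuer the application sent.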
Configure your application to use IdP Connector.
1. Change the NoPermission screen on the Common flow
In a standard OutSystems application there is a Common flow responsible for handling authentication and exceptions.
One scenario is when an unauthenticated user tries to access a resource that requires authentication.
In that case the application raises a Security exception, which is handled in the Common flow and redirects the user to the login screen.
So the first step in integrating an OutSystems application is to change this behaviour so that, instead of being redirected to the Login screen, the user is redirected to the Identity Provider.

a) Create a site property to activate/deactivate IdP
b) Change NoPermission -> Preparation to redirect the user to the URL provided by the IdP_SSO_URL action
2. Configure IdP Connector according to your Identity Provider
To configure SAML SSO you will need:
   - the URL of the SAML Identity Provider (IdP) handling user sign-in requests
   - the fingerprint of the SAML certificate that the IdP uses to sign the SAML assertions sent to IdP Connector
   - the issuer sent by the IdP in SAML assertions
(To access the configuration screen, the user needs IdP_Administrator privileges, which are managed in the Users application.)
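How the configured issuer and certificate fingerprint relate to an incoming response, as an added example (not IdP Connector's own code). It computes the fingerprint of the certificate embedded in the response and runs the checks that come before signature validation; validating the XML signature itself is not shown. Assumptions: the fingerprint is a hash of the DER certificate (SHA-1 by default here, since the page does not name the algorithm), and all function names and sample data are constructed.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(cert_b64, algo="sha1"):
    """Hex digest of the DER certificate (the base64 body of the PEM file)."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.new(algo, der).hexdigest().upper()

def precheck(response_xml, expected_issuer, expected_fp, algo="sha1"):
    """Return 'ok' or the reason the response is rejected before signature validation."""
    if "<!DOCTYPE" in response_xml:       # refuse DTDs and entity tricks outright
        return "DTD not allowed"
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return "not a SAML Response"
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        return "issuer mismatch"
    sig = root.find("ds:Signature", NS)   # direct child only, not one nested in an assertion
    if sig is None:
        return "response not signed"
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or not root.get("ID") or ref.get("URI") != "#" + root.get("ID"):
        return "signature does not cover the response"
    cert = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if not cert:
        return "no certificate"
    pinned = expected_fp.replace(":", "").replace(" ", "").upper()
    if not hmac.compare_digest(fingerprint(cert, algo), pinned):
        return "fingerprint mismatch"
    return "ok"  # next step (not shown): verify the XML signature with this certificate

# Constructed sample: the certificate bytes are a placeholder, not a real X.509 certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder certificate bytes").decode()
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">'
    '<saml:Issuer>https://idp.example.com/issuer</saml:Issuer>'
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_r1"/></ds:SignedInfo>'
    '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>' + SAMPLE_CERT_B64 +
    '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
    '<saml:Assertion ID="_a1"><saml:Issuer>https://idp.example.com/issuer</saml:Issuer>'
    '</saml:Assertion></samlp:Response>')
```

To obtain the value to configure, pass the base64 body of the IdP's certificate file to fingerprint() and compare it with the fingerprint the IdP displays.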
Okta example
1. Create a free Okta account (Okta for Developers)
2. Log in to the admin console
3. Access the Admin Dashboard by clicking the 'Admin' button
4. Click the 'Applications' tab, then click the 'Add Application' button
5. Click the 'Create New App' button, then select the 'SAML 2.0' option
6. Define the App name and click 'Next'
7. Configure the following SAML settings
 - Single sign on URL: URL of the OutSystems environment that handles the SAML response (http://YOUR_SERVER/IdP/SSO.aspx)
 - Audience URI (SP Entity ID): URL of the OutSystems environment that handles the SAML response (http://YOUR_SERVER/IdP/SSO.aspx)
 - Assertion Signature: Unsigned
 - Signature Algorithm: RSA-SHA1
 - Digest Algorithm: SHA1
8. Click the 'Next' button and then 'Finish'
9. Finally, click 'View Setup Instructions' and configure IdP Connector
OneLogin example
2. Log in to the admin console
3. Click the 'APPS' tab, then click the 'Add App' button
4. Search for 'SAML' and select the 'SAML Test Connector (IdP)' option
5. Configure the Display Name of your application and then click the 'Save' button
6. Click the 'Configuration' tab and configure the following properties
 - ACS (Consumer) URL Validator: URL of the OutSystems environment that handles the SAML response (http://YOUR_SERVER/IdP/SSO.aspx)
 - ACS (Consumer) URL: URL of the OutSystems environment that handles the SAML response (http://YOUR_SERVER/IdP/SSO.aspx)
7. Click the 'SSO' tab and configure the following properties
 - SAML Signature Algorithm: SHA-1
8. Finally, configure IdP Connector with the provided information
PingOne example
2. Log in to the admin console
3. Click the 'Applications' tab, then click the 'Add Application' button
4. Select the 'New SAML Application' option
5. Configure the application name, description and category, then click 'Continue to Next Step'
6. On 'Application Configuration', configure the following properties
 - Assertion Consumer Service (ACS): URL of the OutSystems environment that handles the SAML response (http://YOUR_SERVER/IdP/SSO.aspx)
 - Entity ID: URL of the OutSystems environment that handles the SAML response (http://YOUR_SERVER/IdP/SSO.aspx)
 - Signing Algorithm: RSA_SHA1
7. Click 'Continue to Next Step' and then 'Save & Publish'
8. Finally, configure IdP Connector with the provided information