Common Configuration: When setting up SAML authentication for Community Portal or SynWeb, the following values currently have to be set in the configuration XML. First, enable SAML mode for the application.
Info (Community Portal):
AuthenticationMode = 14
Info:
AuthenticationMode = SAML
OverrideUserName = zSynWeb zSynergetic_main_dbo (user used to assume a login for the authenticated user)
OverridePassword = encrypted password

Warning: The zSynWeb user will require the "db_accessadmin" role on the database. The zSynWeb user will also require the "Synergetic_main_dbo_ReservedDBRole" role.
Login Properties
- SAMLLoginBinding - The binding method used to send the login request to the IDP. Methods include REDIRECT or POST. (Default: REDIRECT)
- SAMLLoginDestination - The IDP URL to which the SP sends the authentication request.
- SAMLLoginX509CertificatePath - The path of the SAML signing certificate used to authenticate the messages from the IDP, for example (including the tilde prefix): ~/Site/Certificates/yourcertname.crt (1)
- SAMLSPIssuer - Issuer URI sent with every request, for the IDP to verify. e.g. https://synportal.schools.edu.au/login.aspx
- SAMLComparisonMode - Determines the RequestedAuthnContext label in the request to the IDP. Values can be minimum or exact. (Default: Minimum)
- SAMLClaimAttributeName - Set this to override NameId with another user attribute to be used to log in. Azure Active Directory uses a GUID for NameId, which can be inconvenient. To authenticate users by email address, change this value to the attribute name, e.g. "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" (Default: NameId).
Logout Properties
- SAMLLogoutBinding - The binding method used to send the LogoutRequest to the IDP. Methods include REDIRECT or POST. (Default: REDIRECT)
- SAMLLogoutDestination - The logout URL of the IDP, used to send the SAML logout request and terminate the session from the SP. The endpoint must support Single Sign Out.
- SAMLLogoutX509CertificatePath (2) - The path of the certificate used to sign the logout request sent to the IDP. This is most likely a private key (.pfx file).
- SAMLLogoutX509CertificatePrivateKeyPassword (2) - The password for the private key used with the certificate to sign the request. It must be encoded using the Portal/SynWeb Configuration tool.
- SAMLIDPUserHomePageUrl - The URL of the IDP login page, used only if there is a logout failure. The user is redirected to this link so a manual logout can be performed.

Legacy Support Properties
- UseSAMLLegacyFlag (2) - Set this to true to use the legacy implementation of SAML. (Default: false)
<UseSAMLLegacyFlag>true</UseSAMLLegacyFlag>

The following properties are only in use when UseSAMLLegacyFlag is true:
- SAMLLoginDestination
- SAMLLogoutDestination
- SAMLLoginX509CertificatePath
- SAMLSPIssuer
- SAMLRequestFormat (2) - Base64/Base64Deflate
- SAMLClaimAttributeName (2) - Set the SAML response claim attribute name linked to the IDP response. Supported values are (case sensitive; use the same naming as generated in the SAML response, e.g. iDAMGuid):
  - NameID (Default) - Value maps to any of Network Login, Config User Login Name, IdamLogin or CommunityGUID.
  - IdamGUID - Value from claims/IdamGUID, mapped to Synergetic Community.IdamGUID. This is a custom claim attribute.
  - NetworkLogin Name
Info:
(1) The SAML signing certificate needs to be in Base-64 encoded X.509 (.CER) format. If required, the supplied certificate format can be adjusted by importing it into the Windows Certificate Manager console and then exporting the file.
(2) Optional parameters.
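A configuration check for the SAML properties above, written as an added example (it is not Synergetic's code): it reads the settings from the XML, flags values outside the documented choices, requires https on the IDP endpoints, skips SAMLRequestFormat unless UseSAMLLegacyFlag is true, and applies note (1) by verifying the IDP certificate is a Base-64 X.509 file. It assumes every property is an XML element named exactly as listed (the page confirms only UseSAMLLegacyFlag); the sample config, IDP hostname and certificate contents are constructed.

```python
# Added example, not Synergetic's own code. It assumes the SAML properties are XML
# elements named exactly as listed above (the page confirms only UseSAMLLegacyFlag).
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
ALLOWED = {"SAMLLoginBinding": {"redirect", "post"}, "SAMLLogoutBinding": {"redirect", "post"},
           "SAMLComparisonMode": {"minimum", "exact"}, "SAMLRequestFormat": {"base64", "base64deflate"}}
REQUIRED = ("SAMLLoginDestination", "SAMLLoginX509CertificatePath", "SAMLSPIssuer")
ENDPOINTS = ("SAMLLoginDestination", "SAMLLogoutDestination", "SAMLSPIssuer")

def check_saml_config(xml_text, read_file):
    """Return the list of problems found; read_file(path) returns file text or raises OSError."""
    cfg = {el.tag: (el.text or "").strip() for el in ET.fromstring(xml_text)}
    if cfg.get("AuthenticationMode") not in ("SAML", "14"):
        return ["AuthenticationMode is not SAML (14); the SAML settings are ignored"]
    problems = [f"{key} is missing" for key in REQUIRED if not cfg.get(key)]
    legacy = cfg.get("UseSAMLLegacyFlag", "false").lower() == "true"
    for key, allowed in ALLOWED.items():
        if key == "SAMLRequestFormat" and not legacy:
            continue  # only read when UseSAMLLegacyFlag is true
        if key in cfg and cfg[key].lower() not in allowed:
            problems.append(f"{key}={cfg[key]!r} is not one of {sorted(allowed)}")
    for key in ENDPOINTS:  # SAML requests and responses go to these URLs: require TLS
        if cfg.get(key) and urlparse(cfg[key]).scheme != "https":
            problems.append(f"{key} should be an https URL")
    path = cfg.get("SAMLLoginX509CertificatePath", "")
    if path:  # note (1): the IDP signing certificate must be Base-64 X.509, not binary DER
        try:
            if "-----BEGIN CERTIFICATE-----" not in read_file(path):
                problems.append(f"{path} is not a Base-64 encoded X.509 (.CER) file")
        except OSError:
            problems.append(f"{path} cannot be read")
    return problems

# Constructed sample with two deliberate mistakes: a plain-http IDP URL and a certificate
# exported in the wrong format. The IDP hostname is a placeholder.
SAMPLE_CONFIG = """<Configuration>
  <AuthenticationMode>SAML</AuthenticationMode>
  <SAMLLoginBinding>REDIRECT</SAMLLoginBinding>
  <SAMLLoginDestination>http://idp.example.edu/sso</SAMLLoginDestination>
  <SAMLLoginX509CertificatePath>~/Site/Certificates/idp.crt</SAMLLoginX509CertificatePath>
  <SAMLSPIssuer>https://synportal.schools.edu.au/login.aspx</SAMLSPIssuer>
  <SAMLComparisonMode>Minimum</SAMLComparisonMode>
  <SAMLRequestFormat>Base64Deflate</SAMLRequestFormat>
</Configuration>"""
FAKE_FILES = {"~/Site/Certificates/idp.crt": "constructed: not a PEM certificate"}
def read_sample_file(path):  # stands in for reading from the web application's folder
    if path not in FAKE_FILES:
        raise OSError(path)
    return FAKE_FILES[path]
```

Running `check_saml_config(SAMPLE_CONFIG, read_sample_file)` reports the http login URL and the mis-exported certificate; a config with both fixed returns an empty list.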
Performance Properties
The following are advanced settings and should not be adjusted unless you are fully aware of the implications. The settings affect memory usage and the number of concurrent queries, and therefore the overall performance of SynWeb and Community Portal. Connection pooling is best practice from Microsoft: it allows shared use of SQL Server connections and reduces the overhead of establishing and removing a connection to the SQL Server for every query. Defaults/recommendations for a standard size environment are as follows:
- Database Pool Enabled Flag
- Utilises a pool of reusable SQL Server connections rather than having overheads of creating a new connection for every query performed and closing off the connection.
- Recommended Setting: true
- Database Pool Size Max
- The maximum number of connections allowed in the pool for concurrent SQL queries. The default setting of 100 should be ample for a standard healthy environment. If queries run slowly due to SQL Server or query performance issues, the pool size may need to be increased to allow more concurrent queries; however, the SQL Server could then become a bottleneck. Inefficient queries and SQL Server health issues should be investigated if the pool size is seen as insufficient.
- Default Setting: 100
- Database Pool Size Min
- When the web application starts, this number of connections will be established to SQL Server from the outset so they are ready to use from when the first set of SQL queries are processed.
- Recommended Setting: 20
- Multi Subnet Failover Enabled Flag
- Significantly improves initial connection performance when a SQL Server Availability Group is used across two IP subnets.
- Recommended Setting: true if a SQL Availability Group is used with multi-subnet failover; false if no SQL Availability Group is used or all of the SQL AG nodes are in the same subnet.
Reference documents:
- Database Connection Pooling: https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/sql-server-connection-pooling and https://www.progress.com/tutorials/net/net-connection-pooling
- Multi-subnet Failover: https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/sql/sqlclient-support-for-high-availability-disaster-recovery