HCL Marketing Platform | Security | Login method details | SAML 2.0

Properties in this category configure single sign-on through a SAML 2.0 IdP server.

IdP server URL for single sign-in

Description
The URL of the page that appears when users open the single sign-on URL to HCL® Marketing Software.
Default value
[CHANGE ME]

IdP server URL for single sign-out

Description
Optional. When users log out, they can be redirected to the page you set here so that their logout also logs them out of the IdP server. Your IdP server is likely to provide a URL for this purpose.
Default value
[CHANGE ME]

Error page URL for SSO error

Description
If an error occurs during single sign-on due to a configuration or integration issue, users can be redirected to the page specified here. This setting overrides the default error page provided by Marketing Platform.
Default value
[CHANGE ME]

Destination URL

Description
The URL of the service provider (application) to which the user is redirected after successful authentication through the IdP server. This URL appears in every SAML request under the <AuthnRequest Destination> tag.
Default value
[CHANGE ME]

Consumer service URL

Description
The assertion consumer service URL that the service provider (application) consumes and parses for SAML assertions. This URL appears in every SAML request under the <AuthnRequest AssertionConsumerServiceURL> tag. This value can be the same as the value of the Destination URL property.
Default value
[CHANGE ME]

Application ID

Description
The application ID assigned to Marketing Platform in the IdP server. This ID is included in every SAML request to the IdP server, where it appears under the <Issuer> tag.
Default value
[CHANGE ME]

Service provider name qualifier

Description
The service provider's name qualifier. This name qualifier appears in every SAML request under the <NameIDPolicy SPNameQualifier> tag.
Default value
[CHANGE ME]
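
The Destination URL, Consumer service URL, Application ID and Service provider name qualifier properties each land in a fixed place in the AuthnRequest sent to the IdP. The following added example (not HCL's code) builds such a request from the four properties and reads them back out of a captured one; the URLs, application ID and qualifier are constructed placeholders standing in for the [CHANGE ME] defaults.

```python
"""Added example: where four Marketing Platform SAML properties appear
in the AuthnRequest. Not part of the HCL product code."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed placeholder values standing in for the [CHANGE ME] defaults.
CONFIG = {
    "Destination URL": "https://platform.example.com/unica/saml/sso",
    "Consumer service URL": "https://platform.example.com/unica/saml/acs",
    "Application ID": "unica-platform",
    "Service provider name qualifier": "platform.example.com",
}


def build_authn_request(cfg, request_id="_req-constructed-1",
                        issue_instant="2024-01-01T00:00:00Z"):
    """Return the AuthnRequest XML (as a string) built from the four properties."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        # ID, Version and IssueInstant are required by the SAML 2.0 schema.
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        # <AuthnRequest Destination>: the Destination URL property
        "Destination": cfg["Destination URL"],
        # <AuthnRequest AssertionConsumerServiceURL>: the Consumer service URL property
        "AssertionConsumerServiceURL": cfg["Consumer service URL"],
    })
    # <Issuer>: the Application ID property
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = cfg["Application ID"]
    # <NameIDPolicy SPNameQualifier>: the Service provider name qualifier property
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                  {"SPNameQualifier": cfg["Service provider name qualifier"]})
    return ET.tostring(req, encoding="unicode")


def extract_sp_settings(xml_text):
    """Read the four property values back out of an AuthnRequest, for example
    from a request captured in the browser, to confirm the settings took effect."""
    root = ET.fromstring(xml_text)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    return {
        "Destination URL": root.get("Destination"),
        "Consumer service URL": root.get("AssertionConsumerServiceURL"),
        "Application ID": root.findtext(f"{{{SAML}}}Issuer"),
        "Service provider name qualifier":
            policy.get("SPNameQualifier") if policy is not None else None,
    }
```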

Metadata path

Description
The location of the metadata file on the Marketing Platform server.
Default value
[CHANGE ME]

Entity ID

Description
The entity ID of the IdP server. Set this property to the value of the entityID attribute at the top of the metadata file produced by the IdP server.

Marketing Platform uses this ID during assertion validation to load the IdP configurations and digital certificate.

Default value
[CHANGE ME]

Attributes NVP for response parsing

Description
User account attributes are sent to Marketing Platform by the IdP server. When the Add authenticated users to Marketing Platform property is enabled, you can use this configuration property to capture those attributes for the users that are created in Marketing Platform automatically.

The IdP server might use a different name for an attribute compared to the name that Marketing Platform uses. You can use this property to map the IdP attribute to the corresponding attribute in Marketing Platform. This eliminates the need for code changes.

For example, the IdP server might use emailAddress as the name for an attribute that is named Email in Marketing Platform. You would enter Email=emailAddress as a value in this property to map the attribute.

Use the following values for the user attributes in Marketing Platform.

  • FirstName
  • LastName
  • Department
  • Organization
  • Country
  • Email
  • Address1
  • Address2
  • Phone1

    Use for work phone.

  • Phone2

    Use for mobile phone.

  • Phone3

    Use for home phone.

  • AltLogin
  • ExternalUsersGroup

    If you enable the Add authenticated users to Marketing Platform property, a user authenticated from the IdP server is created in Marketing Platform if that user does not already have a Marketing Platform account. These users are automatically added to a default user group, ExternalUsersGroup. However, you can also specify a custom group to which users are added. If you implement this option, set the value of the ExternalUsersGroup attribute to the name of the custom user group. For example, if you want a user to be added to a group named MyGroup, you would set this value to ExternalUsersGroup=MyGroup.

Separate multiple name-value pairs with a semicolon.

Default value
omit-xml-declaration=yes;
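
The following added example (not HCL's code) applies an Attributes NVP value to the attributes an IdP returned, the way the mapping is described above: the left side of each pair is a Marketing Platform attribute name, the right side is the IdP's name for it, and ExternalUsersGroup=MyGroup names the custom group directly, as in the page's example. Pairs whose left side is not one of the listed attribute names are skipped; that, and the sample IdP attributes, are this example's own assumptions.

```python
"""Added example: parsing 'Attributes NVP for response parsing' and applying it
to IdP attributes. Not part of the HCL product code."""

# Marketing Platform user attribute names listed on the page.
PLATFORM_ATTRIBUTES = {
    "FirstName", "LastName", "Department", "Organization", "Country", "Email",
    "Address1", "Address2", "Phone1", "Phone2", "Phone3", "AltLogin",
    "ExternalUsersGroup",
}
DEFAULT_GROUP = "ExternalUsersGroup"

# Constructed sample values: an NVP property value and attributes as an IdP
# might release them. The last NVP pair mirrors the page's default value.
SAMPLE_NVP = ("Email=emailAddress;FirstName=givenName;LastName=sn;"
              "Phone1=telephoneNumber;ExternalUsersGroup=MyGroup;"
              "omit-xml-declaration=yes;")
SAMPLE_IDP_ATTRIBUTES = {
    "emailAddress": "a.user@example.com",
    "givenName": "Ana",
    "sn": "User",
    "telephoneNumber": "+1 555 0100",
    "mail": "not mapped, so never copied",
}


def parse_nvp(value):
    """Parse 'PlatformName=IdPName;...' into a dict keyed by Marketing Platform
    attribute name. Unknown left-hand names are skipped (this example's assumption)."""
    mapping = {}
    for pair in value.split(";"):
        pair = pair.strip()
        if not pair or "=" not in pair:
            continue
        platform_name, idp_name = (s.strip() for s in pair.split("=", 1))
        if platform_name in PLATFORM_ATTRIBUTES:
            mapping[platform_name] = idp_name
    return mapping


def build_user(nvp_value, idp_attributes):
    """Return (user fields, group) for a user created from the IdP attributes."""
    mapping = parse_nvp(nvp_value)
    # Per the page's ExternalUsersGroup=MyGroup example, the right side names the
    # custom group itself; without it the default group ExternalUsersGroup applies.
    group = mapping.pop("ExternalUsersGroup", None) or DEFAULT_GROUP
    # Copy only attributes the IdP actually sent, under the Marketing Platform name.
    user = {platform_name: idp_attributes[idp_name]
            for platform_name, idp_name in mapping.items()
            if idp_name in idp_attributes}
    return user, group
```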

Process encrypted IdP response

Description
If your IdP server is configured to send encrypted responses, enable this property to indicate that the SAML response from the IdP server must be decrypted using the configured shared key before Marketing Platform processes it.

If you enable this property, you must also set the value of Shared secret key to the secret key that is used to decrypt the response.

Default value
Disabled

Shared secret key

Description
When the Process encrypted IdP response option is enabled, set this property value to the path of the keystore file.
Default value
[CHANGE ME]

Key store credential holder

Description
Set this value to the login name of the HCL Marketing Software user account that holds the SAML shared secret in a data source.
Default value
[CHANGE ME]

Key store credential data source

Description
Set this value to the name of the data source created to hold the shared secret used for decryption. The password in the data source is the password for the key store file.
Default value
[CHANGE ME]

Certificate alias

Description
When the Process encrypted IdP response option is enabled, set this property value to the certificate alias of the private key stored in the keystore file. Marketing Platform uses this private key to decrypt the encrypted SAML response sent by the IdP server.
Default value
[CHANGE ME]

Add authenticated users to Marketing Platform

Description
When this option is enabled, a user authenticated from the IdP server is created in Marketing Platform if that user does not already have a Marketing Platform account.

Newly created users are automatically added to a default group, ExternalUsersGroup.

The ExternalUsersGroup has only the Marketing Platform UserRole. An administrator must grant additional permissions for the newly created users to access and use HCL Marketing Software products. An administrator can grant additional permissions by making users members of groups with different application access levels.

Alternatively, the SAML response can contain a custom user group name, and newly created users are added to this group.

When this option is disabled, a user authenticated from the IdP server cannot access Marketing Platform if that user does not have an account in Marketing Platform.

Default value
Disabled

Redirect to SSO

Description
When this value is True:
  • Users who log in to HCL Marketing Software are redirected to the IdP single sign-on page.
  • After users log in, they go to the standard Marketing Platform landing page.
  • The standard Marketing Platform login screen is never available.