Configure your SAML client

SAML client settings
Configure your SAML client to meet the needs of your organization. The SAML client settings table lists the basic client configuration settings:

SAML client settings

Setting: Assertion Consumer Service URL
Description: URL to the service provider ACS of VIP Login. This URL is where VIP receives your SAML response containing out-of-band options. Use this URL if you have configured VIP Login as a service provider to obtain out-of-band credentials for your enterprise IdP.
Value: https://login.vip.symantec.com/viplogin/saml2/post/assertionconsumerservice

Setting: First and Second Factor SSO URL
Description: The SAML endpoint if you have configured VIP Login for first and second factor authentication. Do not use this URL if you use the Second Factor Only SSO URL.
Value: https://login.vip.symantec.com/viplogin/saml2/post/requestconfirmidentity

Setting: Second Factor Only SSO URL
Description: The SAML endpoint if you have configured VIP Login for second-factor authentication only. Do not use this URL if you use the First and Second Factor SSO URL.
Value: https://login.vip.symantec.com/viplogin/saml2/post/requeststrongauth

Setting: Entity ID
Description: The unique entity ID for this Service Provider. Use the same value in the Issuer element of your AuthnRequest that you entered for EntityID in VIP Manager.
Value: Varies. For example, you can use one of the following entity IDs:
  • sp1.login.vip.symantec.com
  • sp2.login.vip.symantec.com

Setting: Certificate
Description: VIP SAML certificate
Value: Download the appropriate version of this certificate from VIP Manager:
  • VIP Login IdP (Second Factor Only)
  • VIP Login IdP (First and Second Factor)

Setting: Authentication Context Class URN
Description: (Optional) The URN that identifies which authentication level to enforce for this web resource. If no Authentication Level URN is provided, no authentication level is applied to the request and VIP Login uses the default authentication settings for the account. To apply an authentication level to the request, include the URN in the AuthnContextClassRef element. The URN must be in the format urn:symantec:authentication:level:<n>, where <n> is the authentication level number as defined in VIP Manager.
Value:
<saml:AuthnContextClassRef>urn:symantec:authentication:level:1</saml:AuthnContextClassRef>
You can directly import these settings into your client using the VIP Login metadata files.

Passive Authentication

VIP Login also supports passive authentication in the SAML request. By default, a user is prompted to enter a second factor for authentication during initial access requests, as well as every time that the resource sends an authentication request. If your client's SAML request includes the isPassive='true' attribute, VIP Login uses device fingerprint, IA, or both to silently verify the user's remembered device after the initial authentication. As a result, the user is not prompted to enter a second factor for authentication in subsequent authentication requests. The following conditions must be true for passive authentication to succeed:
  • The isPassive='true' attribute must be sent in the samlp:AuthnRequest element of the SAML request
  • The user has remembered the device
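The following Python example ties the settings table and the passive authentication section together: it builds an AuthnRequest addressed to exactly one of the two SSO URLs, sets Issuer to the Entity ID registered in VIP Manager, optionally adds the level URN inside AuthnContextClassRef, and optionally sets the passive flag. It is an added illustration, not code from the VIP Login documentation; the mode names ("first_and_second", "second_only") are assumptions, and the passive attribute is written with the SAML 2.0 core spelling IsPassive because XML attribute names are case-sensitive.

```python
import re
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

SSO_URLS = {  # endpoints from the settings table; a client uses exactly one of them
    "first_and_second": "https://login.vip.symantec.com/viplogin/saml2/post/requestconfirmidentity",
    "second_only": "https://login.vip.symantec.com/viplogin/saml2/post/requeststrongauth",
}
LEVEL_URN_RE = re.compile(r"^urn:symantec:authentication:level:\d+$")


def level_urn(level):
    """Build the Authentication Context Class URN for a VIP Manager level number."""
    if not isinstance(level, int) or level < 1:
        raise ValueError("authentication level must be a positive integer")
    return f"urn:symantec:authentication:level:{level}"


def build_authn_request(entity_id, mode, level=None, passive=False):
    """Return an AuthnRequest (XML text) addressed to the chosen VIP Login SSO URL."""
    if mode not in SSO_URLS:
        raise ValueError(f"mode must be one of {sorted(SSO_URLS)}")
    ET.register_namespace("samlp", NS_SAMLP)
    ET.register_namespace("saml", NS_SAML)
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": SSO_URLS[mode],
    })
    if passive:  # SAML 2.0 core spelling is IsPassive; XML attribute names are case-sensitive
        req.set("IsPassive", "true")
    # Issuer must equal the Entity ID entered in VIP Manager (e.g. sp1.login.vip.symantec.com)
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = entity_id
    if level is not None:  # optional: ask VIP Login to enforce a specific authentication level
        ctx = ET.SubElement(req, f"{{{NS_SAMLP}}}RequestedAuthnContext")
        ET.SubElement(ctx, f"{{{NS_SAML}}}AuthnContextClassRef").text = level_urn(level)
    return ET.tostring(req, encoding="unicode")


def requested_level(xml_text):
    """Parse an AuthnRequest and return the level it asks for (None if no URN present)."""
    ref = ET.fromstring(xml_text).find(f".//{{{NS_SAML}}}AuthnContextClassRef")
    if ref is None:
        return None
    if not LEVEL_URN_RE.match(ref.text or ""):
        raise ValueError(f"malformed level URN: {ref.text!r}")
    return int(ref.text.rsplit(":", 1)[1])
```

Passing the wrong mode, a non-positive level, or a URN that does not follow urn:symantec:authentication:level:<n> raises a ValueError rather than sending a request VIP Login would not honour.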
Once you have configured your SAML client, continue by testing your SAML client.