Using RapidIdentity as an IdP

Step 1: Add CharacterStrong to RapidIdentity

  • Access the SAML SSO Advanced Settings from the Configuration menu and select Federation Partners from the left-hand menu items.
  • Click "Edit" on an existing federation partner or create a new one.
  • Click on the "Create SAML Relaying Party" button and enter the following information:
    • Name: CharacterStrong
    • Metadata: Download the metadata from the CS SAML Metadata Step 1 section of the CharacterStrong SAML configuration guide.
  • Modify the metadata to add the following sections immediately after the line containing the opening <md:SPSSODescriptor> tag.
    This is a temporary workaround for RapidIdentity - we are working to have this added automatically into the CS-generated SP metadata. The certificate value is the base64-encoded X.509 certificate and is not reproduced here.
        <md:KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>BASE64_X509_CERTIFICATE_OMITTED</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor use="encryption">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
              <ds:X509Certificate>BASE64_X509_CERTIFICATE_OMITTED</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
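The metadata edit above can be scripted rather than done by hand. The following is an added Python example, not RapidIdentity's or CharacterStrong's own code: it inserts the two KeyDescriptor elements as the first children of md:SPSSODescriptor and is safe to re-run. The entityID, URLs and certificate value in it are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)  # keep md:/ds: prefixes on output
ET.register_namespace("ds", DS_NS)


def _key_descriptor(use: str, cert_b64: str) -> ET.Element:
    """Build md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate."""
    kd = ET.Element(f"{{{MD_NS}}}KeyDescriptor", {"use": use})
    key_info = ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo")
    x509_data = ET.SubElement(key_info, f"{{{DS_NS}}}X509Data")
    ET.SubElement(x509_data, f"{{{DS_NS}}}X509Certificate").text = cert_b64
    return kd


def add_key_descriptors(metadata_xml: str, cert_b64: str) -> str:
    """Insert signing and encryption KeyDescriptors as the first children of
    md:SPSSODescriptor. Existing ones are kept, so re-running is a no-op."""
    root = ET.fromstring(metadata_xml)
    sp = root.find(f".//{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("metadata has no md:SPSSODescriptor")
    present = {kd.get("use") for kd in sp.findall(f"{{{MD_NS}}}KeyDescriptor")}
    # Insert in reverse so "signing" ends up first, matching the guide's order.
    for use in ("encryption", "signing"):
        if use not in present:
            sp.insert(0, _key_descriptor(use, cert_b64))
    return ET.tostring(root, encoding="unicode")


def key_descriptor_uses(metadata_xml: str) -> list:
    """Return the use= values of KeyDescriptors under SPSSODescriptor, in order."""
    root = ET.fromstring(metadata_xml)
    sp = root.find(f".//{{{MD_NS}}}SPSSODescriptor")
    return [kd.get("use") for kd in sp.findall(f"{{{MD_NS}}}KeyDescriptor")]


# Constructed minimal SP metadata standing in for the CS-generated file.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example.invalid/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.invalid/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    # Placeholder certificate; replace with the real base64 X.509 certificate.
    print(add_key_descriptors(SAMPLE_SP_METADATA, "BASE64_X509_CERTIFICATE_PLACEHOLDER"))
```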
  • From the Federation Partners configuration screen, click on SSO Settings. Enter the following settings:
    • SAML2 Assertion Lifetime: 5 minutes
    • NotBefore Skew: 0s
    • Sign SAML2 SSO Response: Always
    • Sign SAML2 SSO Assertions: Never
    • Encrypt SAML2 SSO Assertions: Never
    • Encrypt SAML2 SSO Name IDs: Never
    • Signature Algorithm: RSA SHA-1
  • Update the configuration to send the following attributes. Details about how to add attributes can be found in RapidIdentity's documentation.
    • First Name (urn:oasis:names:tc:SAML:2.0:attrname-format:basic)
      • firstname
    • Last Name (urn:oasis:names:tc:SAML:2.0:attrname-format:basic)
      • lastname
    • Email Address (urn:oasis:names:tc:SAML:2.0:attrname-format:basic)
      • mail
    • Role (urn:oasis:names:tc:SAML:2.0:attrname-format:basic)
      • role
    • Organization (urn:oasis:names:tc:SAML:2.0:attrname-format:basic)
      • organization
  • Add a NameID attribute and set it to be the user's email address (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress).
    • nameid
  • Trigger a service reload.
  • Continue the CharacterStrong SAML setup.

More details can be found on RapidIdentity's documentation.