Configure the System as a SSO Service Provider
----------------------------------------------

The configuration below is available to high level administrators *above*
the provider administrator from a menu called **SSO SP Settings**.

#. On the **Base** tab, enter the Entity ID. This value is required and is
   used to identify |VOSS-4-UC| as the service provider. The URL points to
   the metadata, for example ``http://mydomain/sso/metadata/``.
#. Choose the Public key and Private key that were uploaded using the data/File
   model and that will be used to communicate with identity providers. Alternatively,
   if you want to use a system generated certificate, select the check box and
   choose the required certificate from the drop-down list. These certificates
   are typically added using **System Configuration > Certificates** or a
   similar menu that creates data/certificate instances.
#. Enter the Validity period (in hours) that the metadata is valid for.
#. Enter the number of seconds of permitted clock drift between |VOSS-4-UC|
   and the Identity Provider. The number of seconds of tolerance is customizable,
   and this value must be set in accordance with the deployment's security policy.
   By default, |VOSS-4-UC| uses a value of 0 for the clock drift, in other
   words, it assumes the clocks are exactly in sync.
#. Enter the details of the Contact Person responsible for the metadata.
#. If required, select the **Block unencrypted assertions** check box to raise
   an error if SAML assertions are not encrypted. If the check box is
   selected, and there is no encryption in the assertion, then an error message:
   "Unencrypted assertions are not allowed" is shown.
#. On the **Service Provider Settings** tab, enter a friendly name that will
   be the ServiceName of the AttributeConsumingService in the metadata.
#. If the **Sign Authn Requests** check box is selected, outgoing messages
   are signed and the specified private key is used. Drop-down lists
   are also displayed to select the SignatureMethod (default is ``rsa-sha1``)
   and DigestMethod (default is ``sha1``) corresponding with those used by
   the Identity Provider.
#. If an Identity Provider has WantAuthnRequestsSigned set in its metadata,
   select the check box. The check box is cleared by default.
#. The **Want Assertions Signed** check box determines if assertions should be
   signed. Do not clear this check box unless the integrity check of assertions
   is not needed in your environment.
#. The **End Points** section provides an external interface to the service
   provider in |VOSS-4-UC|. The binding determines how SAML requests and
   responses map onto standard messaging or communications protocols.
   The Assertion Consumer Service (ACS) receives assertions, while the
   Single Logout Service is used to log out a user when instructed by
   an Identity Provider.

   a. Choose the Binding and URL for the Assertion Consumer Service.
   #. Choose the Binding and URL for the Single Logout Service.

The saved SSO settings are published by the |VOSS-4-UC| service provider and
are available from the metadata URL, for example: ``http://mydomain/sso/metadata/``.
SSO service provider configuration requests to this URL automatically trigger
an XML file download of the specified SSO service provider configuration.
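The following is an added example, not |VOSS-4-UC| code: it parses the SP
metadata document downloaded from the metadata URL and checks that the
published values match the settings chosen in the procedure above (Entity ID,
validity period with the configured clock-drift tolerance, the two signing
check boxes, the ServiceName and the two End Points). The sample metadata and
the ``/sso/acs/`` and ``/sso/slo/`` paths are constructed for illustration;
only the Python standard library is assumed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
# Constructed sample of the kind of document the metadata URL returns (not real output).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://mydomain/sso/metadata/" validUntil="2030-01-01T00:00:00Z">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://mydomain/sso/slo/"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://mydomain/sso/acs/" index="0" isDefault="true"/>
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">VOSS-4-UC</md:ServiceName>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def _utc(stamp):
    # SAML timestamps are UTC, e.g. 2030-01-01T00:00:00Z
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_sp_metadata(xml_text):
    """Pull out the Entity ID, validity, signing flags, ServiceName and End Points."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = sp.find("md:AssertionConsumerService", NS)
    slo = sp.find("md:SingleLogoutService", NS)
    return {
        "entity_id": root.get("entityID"),
        "valid_until": _utc(root.get("validUntil")),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "service_name": sp.findtext("md:AttributeConsumingService/md:ServiceName", namespaces=NS),
        "acs": (acs.get("Binding"), acs.get("Location")),
        "slo": (slo.get("Binding"), slo.get("Location")),
    }

def check_sp_metadata(meta, now_stamp, clock_drift_seconds=0):
    """Return findings; an empty list means the published settings match the hardened choices."""
    findings = []
    if not meta["want_assertions_signed"]:
        findings.append("WantAssertionsSigned is false: assertion integrity check is disabled")
    if not meta["authn_requests_signed"]:
        findings.append("AuthnRequestsSigned is false: outgoing requests are unsigned")
    # Apply the configured clock-drift tolerance (default 0: clocks assumed exactly in sync).
    if _utc(now_stamp) - timedelta(seconds=clock_drift_seconds) > meta["valid_until"]:
        findings.append("metadata validity period has expired")
    return findings
```

Run ``check_sp_metadata(parse_sp_metadata(SAMPLE_METADATA), "2029-06-01T00:00:00Z")`` to see an empty findings list for the sample; clearing either signing flag or passing a time past ``validUntil`` produces a finding.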

.. |VOSS-4-UC| replace:: VOSS-4-UC
.. |Unified CM| replace:: Unified CM