IDP Configuration
Two things are needed to configure an identity provider:
The nation slug - the slug is the subdomain seen before ".nationbuilder.com" when you access a nation's control panel.
The slug for the authentication method from your nation, referenced as {am_slug} below. When an identity provider is added to a nation, this slug is created. It can be viewed and edited from Settings > Auth > [provider name].
Use the following parameters when configuring your own identity provider solution.
NationBuilder supports IDP-initiated flow, SP-initiated flow, and Just In Time (JIT) provisioning.
SSO post-back URL (also known as the Assertion Consumer Service URL): https://{nation_slug}.nationbuilder.com/saml/{am_slug}/acs
Entity ID: https://{nation_slug}.nationbuilder.com/saml/{am_slug}/metadata
SAML Logout Endpoint: https://{nation_slug}.nationbuilder.com/saml/{am_slug}/signout
Information to include
NameID (required)
NationBuilder assumes that the NameID is an email that will uniquely and permanently identify a person in your database. If this is not the case, you will need to include either:
1. A permanent unique email as an email attribute.
or
2. A unique identifier as either the NameID or in an attribute.
In either of these cases, we will need to configure your nation to accept these attributes.
First name and last name attributes (recommended)
Profiles can be created in NationBuilder without this information, but it is better if it is included.
x.509 certificate (required)
The SAML response must be signed. Please generate a valid x.509.pem certificate and add it to the authentication settings in your nation.
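A pre-flight check for the settings above, as an added example that is not NationBuilder code: it builds the three URLs from the two slugs and lints a test SAML response from your identity provider against them. The function names, the slugs `examplenation` and `example-idp`, the slug character pattern and the sample XML are assumptions made for illustration; `Destination` and `Audience` are standard SAML 2.0 fields, and the signature check tests presence only, not cryptographic validity.

```python
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SLUG_RE = re.compile(r"^[a-z0-9][a-z0-9_-]*$")  # assumed slug charset, not from the docs
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def sp_endpoints(nation_slug, am_slug):
    """Build the service-provider URLs the identity provider is configured with."""
    for slug in (nation_slug, am_slug):
        if not SLUG_RE.match(slug):
            raise ValueError(f"unexpected characters in slug: {slug!r}")
    base = f"https://{nation_slug}.nationbuilder.com/saml/{am_slug}"
    return {"acs": f"{base}/acs", "entity_id": f"{base}/metadata", "slo": f"{base}/signout"}

def lint_response(xml_text, nation_slug, am_slug):
    """Return the configuration problems found in a test SAML response."""
    sp = sp_endpoints(nation_slug, am_slug)
    root = ET.fromstring(xml_text)  # run only on test output from your own IdP
    problems = []
    if root.get("Destination") != sp["acs"]:
        problems.append("Destination does not match the ACS URL")
    audience = root.findtext(".//saml:Audience", default="", namespaces=NS)
    if audience.strip() != sp["entity_id"]:
        problems.append("Audience does not match the Entity ID")
    # Presence check only: the signature is not verified cryptographically here.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response element is not signed")
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS)
    if not EMAIL_RE.match(name_id.strip()):
        problems.append("NameID is not an email address")
    return problems

def sample_response(name_id, signed):
    """Constructed test input (not real IdP output); the signature is an empty stub."""
    sp = sp_endpoints("examplenation", "example-idp")
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'Destination="{sp["acs"]}">{sig}<saml:Assertion><saml:Subject>'
        f'<saml:NameID>{name_id}</saml:NameID></saml:Subject><saml:Conditions>'
        f'<saml:AudienceRestriction><saml:Audience>{sp["entity_id"]}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>'
    )
```

A NameID that is not an email is only a problem if the nation has not been configured to accept a separate email attribute or unique identifier, as described under NameID.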