
SAML FAQs

How many IdP Manager roles can I assign?

You may assign the IdP Manager role to multiple users, but HERE strongly recommends assigning it to only one, so that ownership of the identity provider configuration is clear. Assign the role only to someone who knows your IdP well and is authorized to manage its integration with the HERE platform. To prevent access disruption, make sure at least one user always holds the IdP Manager role.

How many times can I change my platform SSO login policy?

There is no limit to the number of times you can change your platform SSO login policy. However, every time the policy switches to the Username/Password combination, all existing users in the organization must create a new password. Consider this before changing your sign-in policy, to minimize disruption for your platform account users.

Where can I get support for set-up issues?

For any issues you encounter, please contact your account manager or go to the Support Portal for assistance.

What are the technical requirements for the SAML Response to be compatible with the HERE platform?

Following the SAML 2.0 Web Browser SSO Profile, the <Assertion> elements in the <Response> must be signed when the HTTP POST binding is used. Use one of the XML Signature algorithms referenced by SAML 2.0, for example RSA with SHA-256 or ECDSA with SHA-256; SHA-1 based signature algorithms are deprecated and should not be used. The SAML Response must also carry at least the following user attributes in the assertion's <AttributeStatement>:

  • first name
  • last name
  • email
  • country code

Can I activate more than one IdP at a time?

You can only activate one IdP at a time for an organization.

I own several organizations in the HERE platform. Can I use the same IdP for all of them?

Yes, you can configure the same IdP configuration in each of your organizations.

Which common SAML IdPs are compatible with the HERE platform?

The HERE platform is fully compatible with Okta and Keycloak, and any other SAML 2.0 compatible provider can be configured as well.

Does the HERE platform support OIDC, apart from SAML?

The HERE platform only supports SAML 2.0.

My company’s security policies require an encrypted SAML Response. Does the HERE platform support SAML Encryption?

Yes. When you configure an IdP, HERE generates an X.509 certificate for that configuration. Upload this certificate (the public part) to your IdP and configure the IdP to use it to encrypt the assertion inside the SAML Response (<saml:EncryptedAssertion>); HERE decrypts it with the corresponding private key.

Is it required to sign the assertions even with an encrypted SAML Response?

Yes. Encryption only protects confidentiality; the signature is what lets HERE verify that the assertion came from your IdP and was not modified in transit. The SAML 2.0 Web Browser SSO Profile requires it:

The <Assertion> elements in the <Response> must be signed if you are using the HTTP POST binding.

Is it possible to switch from one IdP to another?

If more than one IdP has been configured successfully for your organization, you can choose which one is active under Select login type by picking that IdP from the list. It may take up to five minutes for the authentication systems to sync globally; users who attempt to sign in during this period may see a slight delay or an error message.

Can I control the session length from the IdP settings?

Yes. To control the session length for users in your HERE organization, set the SessionNotOnOrAfter attribute on the AuthnStatement element of the Assertion in the SAML Response. For example, if a user signs in through the IdP on 1 January 2025 at 10:00 UTC and the session should last two hours, the SAML Response should follow this pattern:

<samlp:Response ...>
  <saml:Assertion ...>
    <saml:AuthnStatement AuthnInstant="2025-01-01T10:00:00.000Z"
                         SessionNotOnOrAfter="2025-01-01T12:00:00.000Z">
        ...
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>

Note that SessionNotOnOrAfter bounds the platform session only. The NotOnOrAfter attribute on <saml:Conditions> bounds how long the assertion itself may be accepted and should stay short (minutes, not hours), independent of the session length you want.
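The following Python script is an added example, not HERE platform code, that runs the pre-flight checks an IdP administrator would want before pointing the IdP at HERE: it serves both the "technical requirements" answer above (signed assertion with a strong algorithm, the four required user attributes) and the session-length answer (SessionNotOnOrAfter on the AuthnStatement). The attribute Names firstName, lastName, email and countryCode are assumptions, since the page lists the attributes only by meaning; the sample response is constructed. The signature check only confirms that a signature with a non-SHA-1 algorithm is present; cryptographic verification needs an XML Signature library such as xmlsec or signxml.

```python
"""Pre-flight checks on a SAML Response before it reaches the SP.

Added example, not HERE platform code. The attribute Names below are
assumptions (agree the real ones with your IdP), and the signature check
only confirms a signature is present with a strong algorithm; cryptographic
verification needs an XML Signature library such as xmlsec or signxml.
"""
from datetime import datetime
import xml.etree.ElementTree as ET  # fine for trusted test input; use defusedxml for untrusted XML

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumed attribute Names for the four attributes the platform requires.
REQUIRED_ATTRS = ("firstName", "lastName", "email", "countryCode")

# Constructed sample: a signed assertion with a two-hour session, as in the FAQ.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0"
    IssueInstant="2025-01-01T10:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-01T10:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo></ds:Signature>
    <saml:AuthnStatement AuthnInstant="2025-01-01T10:00:00.000Z"
        SessionNotOnOrAfter="2025-01-01T12:00:00.000Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="countryCode"><saml:AttributeValue>GB</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _parse_instant(value):
    """Parse a SAML xs:dateTime such as 2025-01-01T10:00:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text):
    """Return {"problems": [...], "session_seconds": int|None, "attributes": {...}}.

    An empty problems list means the response passed every check.
    """
    root = ET.fromstring(xml_text)
    problems = []
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # An encrypted response carries <saml:EncryptedAssertion>: decrypt first, then re-run.
        problems.append("no plaintext <saml:Assertion> found")
        return {"problems": problems, "session_seconds": None, "attributes": {}}

    # 1. With the HTTP POST binding the assertion itself must be signed; refuse SHA-1.
    sig_method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if sig_method is None:
        problems.append("<saml:Assertion> is not signed")
    else:
        alg = sig_method.get("Algorithm", "")
        if alg.lower().endswith("sha1"):
            problems.append("SHA-1 signature algorithm: " + alg)

    # 2. Every required user attribute must be present and non-empty.
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attributes[attr.get("Name")] = value.text if value is not None else None
    for name in REQUIRED_ATTRS:
        if not attributes.get(name):
            problems.append("missing attribute " + name)

    # 3. Session length = SessionNotOnOrAfter - AuthnInstant on the AuthnStatement.
    session_seconds = None
    authn = assertion.find("saml:AuthnStatement", NS)
    if authn is None:
        problems.append("missing <saml:AuthnStatement>")
    elif authn.get("SessionNotOnOrAfter") is None:
        problems.append("SessionNotOnOrAfter not set: session length is not controlled by the IdP")
    else:
        start = _parse_instant(authn.get("AuthnInstant"))
        end = _parse_instant(authn.get("SessionNotOnOrAfter"))
        session_seconds = int((end - start).total_seconds())
        if session_seconds <= 0:
            problems.append("SessionNotOnOrAfter is not after AuthnInstant")

    return {"problems": problems, "session_seconds": session_seconds, "attributes": attributes}


if __name__ == "__main__":
    result = check_response(SAMPLE_RESPONSE)
    print(result["problems"] or "all checks passed", "session:", result["session_seconds"], "s")
```

To use it against a real IdP, capture the base64 SAML Response from the browser's POST to the HERE account endpoint, decode it, and pass the XML to check_response. If the IdP encrypts the assertion, decrypt it first (with the private key matching the certificate HERE generated) and run the checks on the decrypted assertion.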

Can an external IdP enforce Multi-Factor Authentication (MFA) recognized by the HERE platform?

Yes. The HERE platform grants access based solely on the SAML Response that the IdP sends to a dedicated HERE account endpoint. Any MFA policy is enforced by the IdP before it issues that response, so whatever factors the IdP requires apply to HERE sign-in as well; the HERE platform itself does not evaluate or see the individual authentication factors.

Does the HERE platform support individual user roles sent in the SAML Response?

No. An Org Admin assigns user roles during the invitation process, and can change them in the User Management panel, but only on the HERE platform.

Does the HERE platform support IdP-initiated SSO, as well as SP-initiated?

The HERE platform only supports the IdP-initiated flow. When a user opens the HERE platform sign-in page and triggers SSO sign-in, the platform redirects the browser to the IdP sign-in page defined during IdP configuration, without sending a <samlp:AuthnRequest>, and the IdP then posts an unsolicited SAML Response to HERE. Because there is no AuthnRequest, the response carries no InResponseTo value; keep assertion validity windows short and assertion IDs unique so a captured response cannot be replayed.

Can User Interface and User Experience be configured on HERE Platform’s login page?

No, the only customizable component is the SSO login button label.

What happens to all active user sessions when an IdP is enabled for an organization?

Sessions continue to be active until they expire. The next user sign-in requires authentication using an IdP instead of HERE platform password.

Are organization users' previous passwords preserved after disabling the external IdP?

No. Switching an organization to IdP sign-in removes all existing passwords. Once the organization has been manually changed back to password sign-in, each user must set a new password using the 'Forgot password' feature.

Does the HERE platform expose metadata URL or XML for SP configuration?

Yes, it is provided once an IdP has been created, at a URL of the following format:

https://account.api.here.com/identityProviders//metadata.

What happens when the SSO subscription is no longer available in my realm?

All users will default to password-based login. Users will be prompted to reset their password and choose a new password upon the next login.

What happens when SSO is enabled for my realm?

All users will have their HERE platform passwords removed, and upon next login, users will be required to log in via their defined IdP credentials.

What is the recovery process if I lose my credentials to log into my realm?

Org Admins can request a one-time login token, sent to the email address on file with HERE.