SAML 2.0 authentication

Complete the following steps to configure a SAML 2.0 integration as an external authentication source. This procedure involves configuring both the Security Console (the Service Provider) and your chosen Single sign-on application (the Identity Provider) concurrently.

Step 1: Open the SAML source configuration window

1. Open your Security Console.
2. Click the Administration tab.
3. Under“Authentication” window, click Manage console authentication: 2FA and SSO.
4. On the “Security Console Configuration” screen, click the Authentication tab.
5. If desired, specify a Base Entity URL in the provided field.

• When used, this URL will override the SP URL that is automatically generated by the initial Security Console request.
• Changing this setting requires a console restart.

6. Under “SAML Authentication Source”, click the Configure SAML Source button.

The “SAML Configuration” window will provide a template version of the SSO URL and a complete Entity ID. 7. Copy both of these values at this time, as they are required to complete your IdP configuration.

Step 2: Create an IdP application

In a separate browser window, navigate to your desired IdP that you intend to use. Instructions are available for the following providers:

• Okta
• Centrify
• Active Directory Federation Services 3.0

Okta

1. Navigate to your Okta administrator dashboard and click the Applications tab.
2. Click Add Application.
3. Click Create New App.
4. Specify the “Sign on method” as “SAML 2.0”. Click Create.
5. Name the application and provide a logo if desired. Click Next.
6. In the “Single sign on URL” field, paste the template SSO URL that you copied from the Security Console.

7. In the “Audience URI (SP Entity ID)” field, paste the entity ID that you copied from the Security Console.
8. Set “Name ID format” to EmailAddress.
9. Set “Application username” to Email.
10. Click Next.
11. Click Finish.
12. Navigate to the Sign On tab of your newly configured Okta application.
13. Under “Settings”, click View Setup Instructions.
14. Scroll to the “Optional” section. Copy the contents of the “IDP metadata” field.

Assign your application to users

Newly configured Okta applications must be assigned to users before they can access them:

1. Navigate to the Assignments tab of your Okta application.
2. Click Assign.
3. Click Assign to People or Assign to Groups.
4. Specify who will have access to the application.

Centrify

1. Navigate to your Centrify Admin Portal menu and click the Apps tab.
2. Click Add Web Apps.
3. Click the Custom tab.
4. Scroll to the “SAML” app and click Add. Click Yes to confirm.

"Settings" page

1. Name and describe the app.
2. Provide a logo if desired.

"Trust" page

1. Set “Identity Provider Configuration” to Metadata.
2. Set “Service Provider Configuration” to Manual Configuration. This action will produce additional fields.
3. In the “Assertion Consumer Service (ACS) URL” field, paste the template SSO URL that you copied from the Security Console.

4. In the “SP Entity ID / Issuer / Audience” field, paste the entity ID that you copied from the Security Console.
5. Leave the “Recipient” field blank, but make sure the “Same as ACS URL” box is checked.
6. Set “NameID Format” to emailAddress.
7. Click Save.
8. Return to the “Identity Provider Configuration” metadata section and click Copy XML.

• You can also click Download Metadata File as an alternate method for Security Console upload later.

"User Access" page

1. Click Add.
2. Specify any individuals or groups that will have access to the app.

"Account Mapping" page

1. Click Directory Service Field.
2. In the “Directory Service field name” field, enter mail.
3. Click Save.

Your app should now display a status of “Deployed”.

Active Directory Federation Services 3.0

1. In your AD FS directory view, expand the Trust Relationships folder. Click Relying Party Trusts.
2. Under “Actions”, click Add Relying Party Trust.
3. Click Start.
4. “Select Data Source”

• Select Enter data about the relying party manually. Click Next.

5. “Specify Display Name”

• Provide the Relying Party Trust with a display name. Add a description in the “Notes” field if desired. Click Next.

6. “Choose Profile”

• Select AD FS profile. This option will explicitly list the SAML 2.0 protocol in its description. Click Next.

7. “Configure Certificate”

• No configuration is required here. Click Next.

8. “Configure URL”

• Check the Enable support for the SAML 2.0 WebSSO protocol box.
• In the “Relying party SAML 2.0 SSO service URL” field, paste the template SSO URL that you copied from the Security Console. Click Next.

9. “Configure Identifiers”

• In the “Relying party trust identifier” field, paste the entity ID that you copied from the Security Console. Click Add.
• Click Next.

10. “Configure Multi-factor Authentication Now?”

• Do not enable at this time. Click Next.

11. “Choose Issuance Authorization Rules”

• Select Permit all users to access this relying party. Click Next.

12. “Ready to Add Trust”

• You can review all your configuration steps at this point in the wizard. Click Next when ready.

13. "Finish"

• Ensure that the Open the Edit Claim Rules box is checked. Click Close.

Configure Claim Rules

The “Edit Claim Rules” configuration window should display automatically after finishing the Relying Party Trust process. If it doesn’t, select (or right-click) your new Relying Party Trust and click Edit Claim Rules.

You will need to create two Claim Rules to properly configure your Relying Party Trust:

First rule: LDAP claims

1. On the “Issuance Transform Rules” tab, click Add Rule.
2. “Choose Rule Type”

• Select Send LDAP Attributes as Claims. Click Next.

3. “Configure Claim Rule”

• Name the rule.
• Set “Attribute store” to Active Directory.
• Set “LDAP Attribute” to E-Mail-Addresses.
• Set “Outgoing Claim Type” to E-Mail Address.
• Click Finish.

Second rule: Email to Name

1. Click Add Rule again.
2. "Choose Rule Type"

• Select Transform an Incoming Claim. Click Next.

3. "Configure Claim Rule"

• Name the rule.
• Set “Incoming claim type” to E-Mail Address.
• Set “Outgoing claim type” to Name ID.
• Set “Outgoing name ID format” to Email.
• Make sure Pass through all claim values is selected.
• Click Finish.

Click Apply when you’ve finished configuring the Claim Rules.

Download metadata

Metadata for Active Directory Federation Services must be downloaded in an XML file from a direct link. Use the following template:

 
1
https://<adfs-hostname>/FederationMetadata/2007-06/FederationMetadata.xml

1. Substitute <adfs-hostname> with the appropriate value.
2. Open a new browser window and search the complete metadata link.
3. A successful connection will automatically trigger a metadata XML file download.

Step 3: Complete the SAML source configuration

Return to the SAML configuration window in your Security Console and perform the following steps:

1. Paste (or upload via XML) the IdP metadata you copied in the previous step in the corresponding field. Click Save.

2. Lastly, click Save again to finalize your external authentication sources.

Step 4: Create user accounts

With your external authentication source defined, you must now create accounts for your users.

1. Click the Administration tab.
2. In the “Users” window, click Manage users then click New User. All required configuration will take place on the General tab.
3. Give the user a name.

1. Select your new SAML authentication method from the dropdown list.
2. Provide a full name for your user.
3. Specify the email address of the new user.

7. Password fields will be disabled.

8. Ensure that the “Account enabled” box is checked.
9. Click Save when finished.