You can add third-party identity providers (IdP), such as Okta, Azure, OneLogin, and ADFS, so that users can be authenticated. SAML metadata is used to share configuration information between the Identity Provider (IdP) and the Service Provider (SP). Metadata for the IdP and the SP is defined in XML files:
-
The IdP metadata XML file contains the IdP certificate, the entity ID, the redirect URL, and the logout URL. For an example, see saml_idp_metadata.xml.
-
The SP metadata XML file contains the SP certificate, the entity ID, the Assertion Consumer Service URL (ACS URL), and a log out URL (SingleLogoutService). For an example, see saml_sp_metadata.xml.
You can also configure multi-factor authentication (MFA) in the third-party identity providers (IdP) to authenticate the users to access the Web Console or Command Center.
Before using SAML to log on to the Web Console or Command Center, metadata from the IdP must be uploaded in SP and metadata from the SP must be generated. After the SP metadata is generated, it must be securely shared with the IdP. Contact the IdP for instructions on sharing the SP metadata.
Before You Begin
-
Create or get an Identity Provider (IdP) metadata XML file using the SAML protocol. For SAML metadata specifications, go to the Oasis website, Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0.
For an example, see saml_idp_metadata.xml.
-
You can upload a key store file that you create, or you can automatically generate the key when you add the SAML application. If you want to upload a key store file, create the keystore file. For information on keystore files, see Creating Certificates for SAML Integration.
Procedure
-
From the navigation pane, go to Manage > Security > Identity server.
The Identity servers page appears.
-
In the upper-right corner of the page, click Add.
The Add domain dialog box appears.
-
Click SAML.
-
In the Domain name box, enter the domain name that you want to associate users with.
Note
SAML application is created using the domain name.
-
In the SMTP address box, enter the SMTP address of the users.
For example, if the username is jdoe@gmail.com, enter gmail.com as the SMTP address.
Note
-
You can enter multiple SMTP addresses separated by a comma.
-
Only users with specified SMTP addresses will be able to log in using this app.
-
-
Upload the IdP metadata:
-
Next to the Upload IDP metadata box, click Browse.
-
Browse to the location of the XML file that contains the IdP metadata, select the file, and then click Open.
-
-
Review the value in the Webconsole url box.
This value is automatically generated and is used in the SP metadata file. The format of the value is
https://mycompany:443/webconsole. -
If you are an MSP administrator creating the SAML app for a company, in the Created for company box, select the company.
If you are creating the SAML app for the entire CommCell environment or if you are a tenant administrator, a company is not needed.
-
To digitally sign the SAML message, automatically generate the key or upload a key store file:
-
To automatically generate the key, move the Auto generate key for digital signing of SAML messages toggle key to the right.
-
If you manually created a key store file, do the following:
-
Next to the Upload key store file box, click Browse.
-
Browse to the location of the keystore file, for example, C:\security\mykeystore.jks, select the file, and then click Open.
-
In the Alias name, Key Store Password, and Key Password boxes, enter the keystore file values.
-
-
-
Click Save.
The SP metadata file is generated, the IdP metadata is saved, and the identity server properties page appears.
-
In the upper-right corner of the page, click Download SP metadata.
The name of the file that is downloaded begins with SPMetadata.
What to Do Next
After you add the identity server, create redirect rules to automatically add users from the SAML response to a specific domain. For more information, see Automatically Creating Users.