Loading...

Adding a SAML Application

You can add third-party identity providers (IdP), such as Okta, OneLogin, and ADFS, so that users can be authenticated. SAML metadata is used to share configuration information between the Identity Provider (IdP) and the Service Provider (SP). Metadata for the IdP and the SP is defined in XML files:

  • The IdP metadata XML file contains the IdP certificate, the entity ID, the redirect URL, and the logout URL. For an example, see Sample SAML IdP Metadata XML.
  • The SP metadata XML file contains the SP certificate, the entity ID, the Assertion Consumer Service URL (ACS URL), and a log out URL (SingleLogoutService). For an example, see Sample SAML SP Metadata XML.

Before using SAML to log on to the Web Console or Command Center, metadata from the IdP must be uploaded and metadata from the SP must be generated. After the SP metadata is generated, it must be securely shared with the IdP. Contact the IdP for instructions on sharing the SP metadata.

Before You Begin

  1. Create or get an Identity Provider (IdP) metadata XML file using the SAML protocol. For SAML metadata specifications, go to the Oasis website, Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0.

    For an example, see Sample SAML IdP Metadata XML.

  2. You can upload a key store file that you create, or you can automatically generate the key when you add the SAML application. If you want to upload a key store file, create the keystore file. For information on keystore files, see Creating Certificates for SAML Integration.

Procedure

  1. From the navigation pane, go to Manage > Security > Identity server.

    The Identity servers page appears.

  2. To create an identity server, click Add.

    The Add domain dialog box appears.

  3. Click SAML.
  4. In the Domain name box, enter an application name.
  5. Upload the IdP metadata:
    1. Next to the Upload IDP metadata box, click Browse.
    2. Browse to the location of the XML file that contains the IdP metadata, select the file, and then click Open.
  6. If you are an MSP administrator creating the SAML app for a company, in the Created for company box, select the company.

    If you are creating the SAML app for the entire CommCell environment or if you are a tenant administrator, a company is not needed.

  7. To digitally sign the SAML message, automatically generate the key or upload a key store file:
    • To automatically generate the key, move the Auto generate key for digital signing of SAML messages toggle key to the right.
    • If you manually created a key store file, do the following:
      1. Next to the Upload key store file box, click Browse.
      2. Browse to the location of the keystore file, for example, C:\security\mykeystore.jks, select the file, and click Open.
      3. Enter the keystore file values for Alias name, Key Store Password, and Key Password.
  8. To generate the SP metadata and to save the IdP metadata, click Save.

    After the SP metadata is generated, it must be securely shared with the IdP. Contact the IdP for instructions on sharing the SP metadata.

What to Do Next

After you add the identity server, create redirect rules to automatically add users from the SAML response to a specific domain. For more information, see Automatically Creating Users.

Last modified: 1/6/2020 10:50:07 PM