Create a SAML App in the Command Center

Updated

After retrieving the IdP metadata, create a SAML app in the Command Center using the IdP metadata file that you saved.

Before You Begin

If you need to create a SAML app for a specific company, in the upper-right corner of the page, from the Select a company list, select the company that you want to create the SAML app for.

Procedure

  1. Log on to the Command Center.

  2. From the navigation pane, go to Manage > Security.

    The Security page appears.

  3. Click the Identity servers tile.

    The Identity servers page appears.

  4. In the upper-right corner of the page, click Add > SAML.

    The Add SAML app page appears.

  5. On the General tab, in the Name box, enter the domain name that you want to associate users with.

    Note

    • The SAML application is created using the domain name.

    • For SAML user groups mapping to function correctly, the name that you enter here must be the same as your Metallic Tenant Name.

  6. Click Next.

  7. On the Identity provider metadata tab, in the Upload IDP metadata box, browse to the XML file that contains the IdP metadata, and then click Open.

    The Entity ID and the Redirect URL from the file are displayed.

  8. Click Next.

  9. On the Service provider metadata tab, review the value in the Service provider endpoint box.

    This value is automatically generated and is used in the SP metadata file. The format of the value is https://mycompany:443/webconsole.

  10. To digitally sign the SAML message, move the Auto generate key for digital signing of SAML messages toggle key to the right.

  11. Click Next.

  12. On the Associations tab, identify the users who can log on using SAML:

    • To identify users by their email addresses, in the Email suffixes box enter an email suffix, and then click Add.

      Note: You must use an email suffix as specified in the SAML integration settings to avoid integration issues.

      If you face SAML integration issues, use a break glass account. The break glass account must be on different domain than that of the current domain.

    • To identify users by the companies they are associated with, from the Companies list, select a company, and then click Add.

    • To identify users by the domains they are associated with, from the Domains list, select a domain, and then click Add.

    • To identify users by the user groups they are in, from the User groups list, select a user group, and then click Add.

      Note:

      • If you migrate from an Exchange On-premises server to an Exchange Online server, you must add the appropriate domain and user group.

      • You can add any combination of associations, and you can add multiple associations in each category.

  13. Click Submit.

    The SP metadata file is generated, the IdP metadata is saved, and the SAML app properties page appears.

  14. In the upper-right corner of the page, click Download SP metadata.

    The name of the file that is downloaded begins with SPMetadata.

  15. On the General tab, in the General section, next to NameID attribute, click the Edit button .

  16. From the NameID attribute list, based on what is in the IdP response, select either Email or User Principal Name.

  17. Click Submit.

  18. After the SP (service provider) metadata is downloaded, place the SP metadata on the Active Directory Federated Service (AD FS) machine.