Adding a SAML Application

Updated

You can add third-party identity providers (IdP), such as Okta, Azure, OneLogin, and ADFS, so that users can be authenticated. SAML metadata is used to share configuration information between the Identity Provider (IdP) and the Service Provider (SP). Metadata for the IdP and the SP is defined in XML files:

  • The IdP metadata XML file contains the IdP certificate, the entity ID, the redirect URL, and the logout URL. For an example, see saml_idp_metadata.xml.

  • The SP metadata XML file contains the SP certificate, the entity ID, the Assertion Consumer Service URL (ACS URL), and a log out URL (SingleLogoutService). For an example, see saml_sp_metadata.xml.

You can also configure multi-factor authentication (MFA) in the third-party identity providers (IdP) to authenticate the users to access the Web Console or Command Center.

Before using SAML to log on to the Web Console or Command Center, metadata from the IdP must be uploaded in SP and metadata from the SP must be generated. After the SP metadata is generated, it must be securely shared with the IdP. Contact the IdP for instructions on sharing the SP metadata.

Before You Begin

  • Create or get an Identity Provider (IdP) metadata XML file using the SAML protocol. For SAML metadata specifications, go to the Oasis website, Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0.

    For an example, see saml_idp_metadata.xml.

  • You can upload a key store file that you create, or you can automatically generate the key when you add the SAML application. If you want to upload a key store file, create the keystore file. For information on keystore files, see Creating Certificates for SAML Integration.

Procedure

  1. From the navigation pane, go to Manage > Security > Identity server.

    The Identity servers page appears.

  2. In the upper-right corner of the page, click Add.

    The Add domain dialog box appears.

  3. Click SAML.

  4. In the Name box, enter the domain name that you want to associate users with.

    Note

    • The SAML application is created using the domain name.

    • If you want to add a SAML application for the users of the Active Directory (AD) that is configured in the CommCell environment, then enter the AD NetBIOS name. During the SAML authentication, AD is contacted to collect the user details such as email address, UPN, Full Name, User Group, and so on.

  5. In the Email Suffix box, enter the email suffix of the users.

    For example, if the username is jpadilla@gmail.com, then the email suffix is gmail.com.

    Note

    • You can enter multiple email suffixes separated by a comma.

    • Only users that have specified email suffix can log on using this app.

  6. In the Upload IDP metadata box, browse to the XML file that contains the IdP metadata, and then click Open.

  7. Review the value in the Webconsole url box.

    This value is automatically generated and is used in the SP metadata file. The format of the value is https://mycompany:443/webconsole.

  8. If you are an MSP administrator creating the SAML app for a company, in the Created for company box, select the company.

    If you are creating the SAML app for the entire CommCell environment or if you are a tenant administrator, a company is not needed.

  9. To digitally sign the SAML message, automatically generate the key or upload a key store file:

    • To automatically generate the key, move the Auto generate key for digital signing of SAML messages toggle key to the right.

    • If you manually created a key store file, do the following:

      1. Next to the Upload key store file box, click Browse.

      2. Browse to the location of the keystore file, for example, C:\security\mykeystore.jks, select the file, and then click Open.

      3. In the Alias name, Key Store Password, and Key Password boxes, enter the keystore file values.

  10. Click Save.

    The SP metadata file is generated, the IdP metadata is saved, and the identity server properties page appears.

  11. In the upper-right corner of the page, click Download SP metadata.

    The name of the file that is downloaded begins with SPMetadata.

What to Do Next

After you add the identity server, create redirect rules to automatically add users from the SAML response to a specific domain. For more information, see Automatically Creating Users.