SAML
To add a remote SAML Server:
- Go to Authentication > Remote Auth. Servers > SAML and select Create New.
- Enter the following information:
Name Enter a name for the remote SAML server. Description Enter a description for the remote SAML server. Device FQDN The FQDN of the configured device from the system dashboard. Type
Select FSSO or Proxy as the remote SAML server type.
URL Nomenclature Select the method to determine the URL path of the SAML service provider.
- Individualize:Enable to include the name of the SAML service provider in the URL path.
- Legacy: Enable to set the URL to a predetermined URL path. Note that Legacy can only be enabled for an existing configured SAML identity providers.
Portal URL The SAML service provider login URL.
Entity ID The SAML service provider Entity ID.
ACS (login) URL The SAML service provider Assertion Consumer Service (ACS) login URL.
Import IDP metadata/certificate Select to import the SAML IdP metadata or certificate file.
IDP entity ID Also known as the entity descriptor. Enter the unique name of the SAML identity provider, typically an absolute URL:
https://idp_name.example.edu/idp
IDP single sign-on URL Enter the identity provider portal URL you want to use for SSO. IDP certificate fingerprint Enter the fingerprint of the certificate file. To calculate the fingerprint, you can use OpenSSL.
Use the following OpenSSL command:
$ openssl x509 -noout -fingerprint -in "server.crt"
Example result, showing the fingerprint:
SHA1 Fingerprint=AF:E7:1C:28:EF:74:0B:C8:74:25:BE:13:A2:26:3D:37:97:1D:A1:F9
Fingerprint algorithm The SAML portal by default uses SHA-256. Authentication context
Select the authentication context value for the "RequestedAuthnContext" assertion.
- Default: The default value uses "PasswordProtectedTransport" authentication, which indicates that the IdP requires users to be authenticated using a password-based method.
- None: Omits the "RequestedAuthnContext" assertion when an alternative to password-based authentication is used.
Enable IdP-initiated assertion response Allows IdP to send an assertion response to the SP without a prior request from the SP. Enabling this setting allows the SP to participate in IdP initiated login. Sign SAML requests with a local certificate Select to choose a local SAML certificate. Single Logout Enable SAML single logout Select to enable SLS (logout) URL and set IDP single logout URL. Username Obtain username from Select the method to extract usernames:
- Subject NameID SAML assertion: Enable to obtain usernames from the subject NameID assertion returned by the SAML IdP.
- Text SAML assertion: Enable and enter the text-based SAML assertion that usernames are obtained from. For example:
email
Group Membership Obtain group membership from Most SAML IdP services will return the username in the Subject NameID assertion, however not all IdP services are consistent. FSSO requires group membership of each user with an active SSO session while different SAML IDP services require different methods of retrieving the group information. Before now, group information could only be obtained from very specific (hardcoded) SAML assertions. You can choose to configure SAML assertions used in group membership retrieval, retrieve group membership from an LDAP service, or retrieve group membership from an OAuth server.
Select the method to extract usernames:
- SAML assertions: Enable and choose whether usernames are pulled in from boolean assertions or text-based attributes.
- LDAP lookup: Enable and select the LDAP server to obtain group memberships.
- Cloud: Enable and select the OAuth server and group field to obtain group memberships.
Implicit group membership Select to choose a local group the retrieved SAML users are placed into. - Select OK to add the remote SAML server.
The Create New Remote SAML Server window appears.