SMA 1000: SAML Identity Provider Service Configuration Guide

07/14/2020 15 9131

DESCRIPTION:

This document gives the steps to configure SMA 1000 series appliance as SAML Identity Provider and how to add SAML supported applications to do single-sign on and control access. Below are steps in general:

1) Enable SAML Identity Provider service

2) Configure SAML Application

3) Add SAML Application as SMA Resource

RESOLUTION:

Prerequisite:

SAML is time-sensitive protocol and will require your appliance clock to be accurate. You can also enable NTP service to sync appliance clock with NTP server. To do so, go to Services - Network Services - NTP and enable. Provide NTP server details and click Save.

Enable SAML Identity Provider Service:

1. Go to Services - SAML Identity Provider - Configure                                                                                                                                                                                               
   
2. Enable the service
3. Provide the Entity ID of IdP, which in general will be in URL format. Ex.: https://workplace.company.com
4. Choose a Workplace site for Endpoint FQDN option, on which service providers (SAML applications) should send SAML requests to IdP.

   NOTE: You can either create a dedicated workplace site to act as IdP site or use existing Workplace site.

5. Certificate to sign IdP messages are chosen automatically.
6. Click Save.
7. Now, you can export SAML metadata of this Identity Provider by clicking Export button. This metadata contains endpoints and signing certificate of SMA IdP. This can be imported on your SAML Applications to configure IdP endpoints and certificates.

Configure SAML Application:

This section explains what you need to configure at external web applications. Assuming your Endpoint FQDN of SMA SAML IdP service as workplace.company.com:

1. The appliance endpoint receiving SAML login request from SAML Applications is https://workplace.company.com/samlserver/sso/spinit
   
2. The certificate used by SMA to sign SAML Assertions can be downloaded by clicking Download button across Signing certificate option on SAML Identity Provider service configuration page.
3. Alternatively, you can also import the IdP metadata XML file exported from above page, if your SAML Application has such option.

Add SAML Application as SAML Resource:

Each web application that trusts SMA SAML IdP should be added to SMA as SAML service provider resource. Below steps describes how to add the SAML service provider resource:

1. Go to Resources - New - SAML service provider.                                                                                                           
2. Provide a friendly name and description.
3. Provide the entity ID of this SAML application under Entity ID field. Ex.: https://example.company.com
   
4. Provide the login/SSO/Assertion Consumer service URL of this SAML application.
5. Select "Create shortcut on workplace" to place a shortcut to this application on workplace home page. Start page URL should be provided under SP initiated SSO mode. (refer Step 10.b)
6. Expand Advanced section if you want to change default values.                                                                                                                       
7. Choose Name ID format as needed by this SAML application. Ex.: Email address.
8. Compose the subject Name ID required by this SAML application. You can also use {Variable} button. Ex.: {Session.userName}@company.com
9. If this SAML Application signs the SAML requests,
   1. Enable Verify Service Provider messages option.
   2. Select the certificate to be used to verify this SAML application messages.

      NOTE: This certificate must be imported already under SSL Settings - CA certificates.

10. SMA SAML IdP supports both service-provider initiated and IdP-initiated login (SSO).
    1. If this application supports only IdP-initiated SSO, select Identity Provider initiated option under "SSO Initiation Mode". This will place a shortcut on Workplace home page which a user can click to login to this application. You can optionally provide a Relay state value if this application needs one.
    2. If this application supports Service provider initiated login, you can also provide a start page for this application which will be shown on Workplace home page. If "Create shortcut on workplace" option is enabled, this field is mandatory. This URL is stored as start-page of the shortcut; to modify this URL after resource creation, go to shortcut page -> this shortcut -> Advanced.
11. If this application needs extra attributes other than NameID, you can configure them under SAML Attributes section.                                                                                                                                      
12. Click New (+) to provide attribute names and values. You can also use {Variable} to send any session variable.
13. To send an AD attribute you can go to Resources page and select Resource Variable tab to create a variable with value as any AD attribute. You can do post-processing on this value too before sending to this SAML Application, like search/replace a string in value, refer Admin guide for more details. Then, select this variable as value under SAML attributes. 
14. When you add multiple values with same attribute Name, they will be sent as multi-valued attribute.
15. Click Save.

You can add this SAML service provider to a resource group like any other internal resources and create Access rules. When users log into Workplace, they should see a shortcut to this SAML application, if they have access permissions.

When user reaches SMA for authentication, SMA will evaluate access-rules before sending SAML Assertion to application. When allowed, they should be able to successfully log in to SAML applications. Otherwise, they will see Access Denied page.