Secure Mobile Access 12.4 Administration Guide

Adding SAML Applications as SAML Resources

Each web application that trusts SMA SAML IdP should be added to SMA as an SAML service provider resource.

To adding an SAML application as an SAML resource

  1. Navigate to Security Administration > Resources.

  2. On the Resources tab, click the + (New) icon.

  3. Select SAML service provider from the dropdown list.

  4. In the Name field, enter a friendly name for the name of the SAML service provider.

  5. In the Description field, enter a useful description for the name of the SAML service provider.

  6. In the Entity ID field, provide the ID of the Identity Provider (IdP). (In general, the ID will be in an URL format, such as https://idp.company.com/idp.)

  7. In the Assertion Consumer Service (ACS) URL field, enter Assertion Consumer service URL for this SAML application.

  8. Select Create shortcut on WorkPlace to create a shortcut in WorkPlace to this resource and assign it to a resource group.

  9. Click Advanced to display the advanced settings.

  10. From the Name ID format dropdown list, select the appropriate Name ID format for the SAML application.

  11. In the Name ID value field, compose the Name ID required by the SAML application. You can change or add predefined values by clicking {variable}.

  12. If the SAML application signs the SAML requests:

    1. Select Verify Service Provider messages.

    2. From the Trusted certificate authority list, select the certificate to be used to verify the SAML application messages.

      The certificate you want to use must already be imported. For information on importing certificates, refer to Importing CA Certificates.

  13. The SMA SAML IdP supports both service provider-initiated and IdP-initiated login (SSO).

    • If the SAML application supports only IdP-initiated SSO:

      1. In the SSO Initiation Mode section, select Identity Provider initiated. Choosing this option will place a shortcut on the WorkPlace home page users can click in order to log in to the application.

      2. Optionally, You can optionally provide a "Relay state" value if this application needs one.

    • If this application supports service provider-initiated login, you can also optionally provide a start page for the SAML application that will be shown on Workplace home page if you selected Create shortcut on WorkPlace.
  14. If the SAML application needs extra attributes in addition to the ones already specified in the fields previously completed, you can define them in the SAML Attributes section:

    1. Click the + (New) icon to enter attribute names and values. You can use {variable} to include any of the session variables.

    2. To send an AD attribute, you need to define it first by creating a resource variable. (Refer to Using Variables in Resource and WorkPlace Shortcut Definitions for information on creating resource variables.) You can also perform post-processing on this value before sending to the SAML application, such as searching for and replacing a string in a value. You can then select this variable as a value in the SAML Attributes section.

    If you add multiple values with same attribute Name, they will be sent to the SAML application as a multi-valued attribute.

  15. Click Save.

Now you can add this SAML service provider to a resource group like any other internal resources and create access rules to manage it. When users log into WorkPlace, they should see a shortcut to the SAML application, when they have access to SAML resources.

When user reaches SMA for authentication, SMA will evaluate the access rules before sending a SAML Assertion to the application. When allowed, they should be able to successfully log in to SAML applications. Otherwise, they will be denied access and a warning will be displayed.

Was This Article Helpful?

Help us to improve our support portal

Techdocs Article Helpful form

Techdocs Article NOT Helpful form

  • Still can't find what you're looking for? Try our knowledge base or ask our community for more help.