Secure Mobile Access 12.4 Administration Guide

Configuring a SAML 2.0 Identity Provider Authentication Server

For detailed information on how to configure third party SAML Identity Providers (IDPs), see Configuring External SAML Identity Providers.

SAML 2.0 Identity Provider (IDP) provides a centralized security management foundation that enables the secure use of the Web to deliver applications and cloud services to customers, partners, and employees.

SAML 2.0 Identity Provider Authentication supports all SAML 2.0-compliant IdPs, including:

  • Microsoft Azure IDP

  • Okta

  • One Identity Cloud Access Manager

  • Shibboleth IDP

  • OneLogin

  • CA Single Sign-On (CA SiteMinder)

  • PingIdentity PingOne

To ease configuring SAML endpoints, SMA supports configuration using SAML metadata files, which removes the complexity of configuring the endpoints manually. The SAML IdP Authentication server configuration can be exported as a SAML SP metadata file, which can then be imported at the IdP. Similarly, the SAML metadata file provided by the IdP can be imported to configure the SAML IdP Authentication server. For more details, refer to the Identity Provider Configuration steps below.

Prerequisites:

  • SMA1000 version 12.4.1
  • SMA1000 Standalone/CMS platforms
  • Admin account on the SAML IDP

To configure a SAML 2.0 Identity Provider authentication server

  1. In the AMC, navigate to System Configuration > Authentication Servers.

  2. Click New.

    The Add Authentication Server page displays.

  3. Under Authentication directory, select SAML 2.0 Identity Provider.

  4. Under Credential type, select Username/Password.

  5. Click Continue.

    The Edit Authentication Server page displays.

  6. In the Name field, type a name for the authentication server.

  7. In the Appliance ID field, enter the SAML entity ID of the appliance.

    This is a URI of not more than 1024 characters in length.

  8. Select the Sign AuthnRequest message using this certificate checkbox and then select the signing certificate from the drop-down menu. The appliance uses this certificate to sign authentication request messages before sending them to the IDP server. To configure the SSL signing certificate, click the here link in the explanatory text at the right. If the signing certificate is not yet on the appliance, it must be imported first. You can view and download the certificate by clicking the respective buttons.

  9. To specify an FQDN to which the IdP will send SAML responses, select the Endpoint FQDN from the drop-down.

  10. By default the Assertion Consumer Service (ACS) URL is displayed.

    This is the URL to which SAML responses are redirected after a successful authentication. This value cannot be changed.

  11. Click Export to download the appliance metadata XML and use it to configure the appliance details at the Identity Provider.

  12. Identity Provider Configuration: Download the metadata.xml from the SAML IDP.

  13. Click Choose File and select the downloaded metadata.xml.

  14. Click Import.

    All the IDP configuration fields are filled with the respective values, including the IDP certificate.

    When you import the metadata file under the authentication server, the CA certificate for SAML verification is enabled by default. In addition, the CA certificates imported under SSL Settings > CA Certificate with SAML verification enabled are displayed.

    You can also download the appliance configuration as an XML file and import it in the Identity Provider configuration.

  15. SMA supports group membership details over SAML authentication, so users without an on-premise Active Directory can now have group-level management. In the SAML claim containing user groups field, specify the name of the claim that contains the group information. For example: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

    Prior to SMA version 12.4.1, group membership details of users were not available to SMA when using SAML IdP authentication.

  16. Click Save.

Follow the same procedure to configure SAML IDP authentication in CMS.
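Steps 12 to 14 import the IdP's metadata.xml and fill the IdP fields, including the IdP certificate, from it. The following added example (not SonicWall code and not part of this guide) shows what an administrator can check in that file before clicking Import: it parses a constructed sample IdP metadata document, pulls out the entityID, the SingleSignOnService endpoints and the SHA-256 fingerprint of each signing certificate, and flags an entityID mismatch, a missing signing certificate or a non-HTTPS endpoint. The hostnames, the expected entityID and the certificate bytes are placeholders; a real fingerprint would be compared against the value the IdP operator publishes out of band.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML Signature.
MD_NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder standing in for the DER bytes of a real IdP signing certificate.
PLACEHOLDER_CERT_DER = b"constructed placeholder certificate bytes"

# Constructed sample IdP metadata; idp.example.test is a placeholder, not a real IdP.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          {cert}
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".format(cert=base64.b64encode(PLACEHOLDER_CERT_DER).decode())


def parse_idp_metadata(xml_text):
    """Return the fields an SP needs from IdP metadata, plus signing cert fingerprints."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS["md"]:
        raise ValueError("not a SAML EntityDescriptor document")
    idp = root.find("md:IDPSSODescriptor", MD_NS)
    if idp is None:
        # SP metadata (the file you Export) has an SPSSODescriptor instead.
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    sso = {}
    for svc in idp.findall("md:SingleSignOnService", MD_NS):
        sso[svc.get("Binding")] = svc.get("Location")

    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", MD_NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", MD_NS):
            # Base64 in metadata is often wrapped; strip all whitespace before decoding.
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())

    return {
        "entity_id": root.get("entityID"),
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
        "sso": sso,
        "signing_cert_sha256": fingerprints,
    }


def review_idp_metadata(info, expected_entity_id):
    """Pre-import checks; returns a list of problems (empty list means nothing found)."""
    problems = []
    if info["entity_id"] != expected_entity_id:
        problems.append("entityID %r does not match the expected %r"
                        % (info["entity_id"], expected_entity_id))
    if not info["signing_cert_sha256"]:
        problems.append("no signing certificate: SAML responses could not be verified")
    if not info["sso"]:
        problems.append("no SingleSignOnService endpoint")
    for binding, location in info["sso"].items():
        if not (location or "").startswith("https://"):
            problems.append("SSO endpoint for %s is not HTTPS: %s" % (binding, location))
    return problems


if __name__ == "__main__":
    summary = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("entityID:", summary["entity_id"])
    for binding, location in summary["sso"].items():
        print("SSO", binding.rsplit(":", 1)[-1], "->", location)
    for fp in summary["signing_cert_sha256"]:
        print("signing cert SHA-256:", fp)
    print("problems:", review_idp_metadata(summary, "https://idp.example.test/saml"))
```

The entityID reported by the parser is what the appliance will trust as the Issuer of SAML responses, and the certificate fingerprint is what every assertion signature will be checked against, so both are worth confirming against what the IdP operator told you before the import populates the fields. If the IdP publishes two signing KeyDescriptors during a certificate rollover, the list will contain two fingerprints; each should be accounted for.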

Group Management with SAML IdP authentication server

When SAML IdP is used as the authentication server for users, there are two ways to have the group level management.

By Using Group Affinity checking

If the same Active Directory used by the IdP is available on-premise, you can configure it as an authentication server and use it as the Group Affinity server under the SAML IdP realm. In this case, SMA uses the SAML IdP to authenticate users and the on-premise Active Directory for group checking. For more details on how to add Group Affinity, see Enabling Group Affinity Checking in a Realm.

After enabling Group Affinity for SAML IdP realm, you can add "Mapped Accounts" by "Browse Directory" or "Dynamic Group" options and selecting SAML IdP realm.

By Using SAML Attributes during authentication

In situations where group membership details are available only at the IdP (cloud-only directories) or when an on-premise Active Directory server is not available, SMA can recognize user groups sent as a SAML Attribute by the IdP during authentication.

Configure SAML IdP

You will need to modify the SAML IdP server to send the user's group membership details as SAML Attributes to SMA. Note down the SAML Attribute/claim name that carries the user-group list.

For details on how to send User Groups, see Sending User Groups to SMA.

Update SMA SAML IdP authentication server

Under the Identity Provider Configuration section, in the "SAML claim containing user groups" field, add the SAML Attribute name containing the user groups.

To configure User Group details, see Adding Users or Groups Manually.
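The claim name entered in "SAML claim containing user groups" has to match, character for character, the Name of the Attribute the IdP actually puts in its assertion; otherwise the user authenticates but arrives with no groups. The following added example (not SonicWall code and not part of this guide) shows the lookup the appliance has to perform: it reads a constructed sample SAML response, returns the values of the attribute named by the configured claim, and, when the claim is absent, lists the attribute names that were present so the mismatch can be spotted. The claim name is the Azure AD example from step 15; the issuer, subject and group identifiers are placeholders.

```python
import xml.etree.ElementTree as ET

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Claim name from the guide's step 15 example (the Azure AD groups claim).
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample response; not captured from a real IdP. The duplicated group
# value is deliberate, to show that the result is de-duplicated.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_response-placeholder" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Assertion ID="_assertion-placeholder" Version="2.0"
      IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.test</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue>
        <saml:AttributeValue>00000000-0000-0000-0000-000000000002</saml:AttributeValue>
        <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def attribute_values(response_xml, claim_name):
    """All non-empty AttributeValue texts of the Attribute whose Name equals claim_name."""
    root = ET.fromstring(response_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != claim_name:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            text = (value.text or "").strip()
            if text:
                values.append(text)
    return values


def groups_for_user(response_xml, claim_name=GROUP_CLAIM):
    """Sorted, de-duplicated group list; empty when the configured claim is not sent."""
    return sorted(set(attribute_values(response_xml, claim_name)))


def diagnose_group_claim(response_xml, claim_name):
    """Return (found, attribute_names_present) to explain an empty group list."""
    root = ET.fromstring(response_xml)
    present = [a.get("Name") for a in
               root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS)]
    return claim_name in present, present


if __name__ == "__main__":
    print("groups:", groups_for_user(SAMPLE_RESPONSE))
    # A typo in the configured claim name yields no groups; the diagnosis shows why.
    wrong = "http://schemas.microsoft.com/ws/2008/06/identity/claims/group"
    print("groups with misconfigured claim:", groups_for_user(SAMPLE_RESPONSE, wrong))
    found, names = diagnose_group_claim(SAMPLE_RESPONSE, wrong)
    print("claim found:", found, "attributes sent by IdP:", names)
```

Depending on how the IdP is configured, the values it sends may be group identifiers rather than display names, as in the constructed sample; the group names used when adding Users or Groups on the appliance must match whatever the IdP actually emits, which is a second thing to verify when a SAML user unexpectedly lands in no group.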
