Secure Mobile Access 12.4 Administration Guide

Configuring a SAML 2.0 Identity Provider Authentication Server

For detailed information on how to configure third party SAML Identity Providers (IDPs), see Configuring External SAML Identity Providers.

SAML 2.0 Identity Provider (IDP) provides a centralized security management foundation that enables the secure use of the Web to deliver applications and cloud services to customers, partners, and employees.

SAML 2.0 Identity Provider Authentication supports all SAML 2.0-compliant IdPs, including:

  • Microsoft Azure IDP

  • Duo Access Gateway and Duo SSO server

  • Okta

  • One Identity Cloud Access Manager

  • Shibboleth IDP

  • OneLogin

  • CA Single Sign-On (CA SiteMinder)

  • PingIdentity PingOne

To ease configuring SAML endpoints, SMA supports configuration using SAML metadata files, which removes the complexity of configuring the endpoints manually. The SAML IdP Authentication server configuration can be exported as a SAML SP metadata file, which can then be imported at the IdP. Similarly, the SAML metadata file provided by the IdP can be imported to configure the SAML IdP Authentication server. For more details, refer to the Identity Provider Configuration steps below.

SMA and CMS are enhanced to support SAML authentication for administrators. SMA is also enhanced to support group membership details over SAML authentication, so users without an on-premises Active Directory can now have group-based policy management.

Prerequisites:

  • SMA1000 build 12.4.1.
  • SMA1000 standalone or CMS platform
  • An admin account on a SAML IdP

To configure a SAML 2.0 Identity Provider authentication server

  1. In the AMC, navigate to System Configuration > Authentication Servers.

  2. Click New.

  3. Click SAML 2.0 Identity Provider.

  4. In the Name field, type a name for the authentication server.

  5. In the Appliance ID field, enter the SAML entity ID of the appliance.

    This is a URI of not more than 1024 characters in length.

  6. Select the Sign AuthnRequest message using this certificate checkbox and then select the signing certificate from the drop-down menu. The appliance uses this certificate to sign authentication request messages before sending them to the IDP server. To configure the SSL signing certificate, click the here link in the explanatory text at the right. The signing certificate must be imported into the appliance if it is not already present. You can view and download the certificate by clicking the respective buttons.
  7. To specify an FQDN to which the IdP will send SAML responses, select the Endpoint FQDN from the drop-down menu.
  8. The Assertion Consumer Service (ACS) URL and Single Logout Service (SLO) URL fields display the appliance endpoints. These values cannot be changed. You can click the copy icon to copy the URLs and paste them into the SAML IDP application.

    • ACS URL is where SAML responses should be sent after a successful authentication.

    • SLO URL is where logout requests should be redirected during IdP logout.

  9. Click Export to download the appliance's SP metadata XML and use it to configure the appliance details at the Identity Provider.
  10. To configure the Identity Provider details under the Identity Provider Configuration section, either import the metadata file provided by your SAML IdP or fill in the details manually.

  • To import the metadata file from the IdP, do the following:

    1. Click the Choose file button and select the metadata file.

    2. Click the Import button to import the IdP configuration details.

      Identity Provider fields are populated.

  • To fill in the configuration details manually, do the following:

    1. In the Server ID field, enter the SAML Entity ID of the SAML IdP. For example, https://idp.example.com/.

    2. In the Authentication service URL field, enter the SAML Single Sign-On Service URL provided by the IdP.

    3. In the Logout service URL field, enter the Sign-Out URL provided by the IdP.

      This field is optional and can be left empty. When it is provided, a user logging out of SMA is redirected to the given URL with a SAML logout request, which also logs the user out of the IdP. Clear this field if you don't want users to be logged out of the IdP when they log out of SMA.

    4. From the Trust the following certificate drop-down menu, select the certificate provided by the IdP. If the certificate is not listed, use the Import button to import it.

    5. SMA supports group membership details over SAML authentication, so users without an on-premises Active Directory can now have group-level management. In the SAML claim containing user groups field, specify the name of the claim that contains the group information. For example: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups.

      The SAML claim containing user groups field is configured with the user group attribute name. For more information, refer to the Group Management with SAML IdP authentication server section.

  11. Click Save.
  12. Follow the same procedure to configure SAML IDP authentication in CMS.
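Two of the values entered above matter again when the IdP's response arrives: the Appliance ID (step 5) is the audience the assertion must be addressed to, and the claim name from step 5 of the manual configuration is where the group memberships are read from. The following Python function is an added example, not SonicWall's code, of the checks a service provider performs on an already signature-verified assertion before trusting its group claim. The assertion, issuer, appliance ID and group IDs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim name from the guide's example (Azure AD group claim).
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion. Signature verification and the NotBefore /
# NotOnOrAfter validity window are assumed to have been checked already;
# they are out of scope for this example. IDs and GUIDs are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-assertion-id" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sma.example.com/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_groups(assertion_xml: str, expected_issuer: str,
                   appliance_id: str, claim_name: str = GROUPS_CLAIM) -> list:
    """Return the group values from an assertion, or raise if it is not for us."""
    root = ET.fromstring(assertion_xml)

    # The Issuer must be the Server ID configured for this authentication server.
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")

    # The AudienceRestriction must name this appliance's entity ID; an
    # assertion minted for another SP must not be accepted here.
    audiences = [
        (a.text or "").strip()
        for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    ]
    if appliance_id not in audiences:
        raise ValueError(f"assertion audience {audiences} does not include {appliance_id!r}")

    # Read only the attribute whose Name matches the configured claim name.
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != claim_name:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return groups


if __name__ == "__main__":
    print(extract_groups(SAMPLE_ASSERTION,
                         expected_issuer="https://idp.example.com/",
                         appliance_id="https://sma.example.com/"))
```

If the claim name configured in the SAML claim containing user groups field does not match the attribute Name the IdP actually emits, the function returns an empty list and the user lands in no group-based policy at all, which is the usual symptom of a mistyped claim name.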
