How to use SAML authentication on the Kace SMA with Azure as the IdP (4326873)

Regresar

Comentarios enviados

¿Este artículo solucionó su problema?

Seleccionar calificación

Título

How to use SAML authentication on the Kace SMA with Azure as the IdP
Descripción

This article describes the process of setting up SAML on the Kace SMA to use Azure as the identity provider.
Resolución
The steps listed below will allow you to enable SAML on the Kace SMA and configure it to work with Azure as the IdP. We need to do some changes on the SMA and on Azure.

Steps on the Kace SMA
- Enable SSL
  - SSL configuration guide for KACE SMA (111348)
- Enable SAML
  1. Go to Settings | SAML Settings.
  2. Select “Enable SAML Service Provider”.
  3. Scroll Down to “Local Service (SP) Settings” and select “View Metadata”.
  4. Copy the link below “SP Assertion Consumer Service (url)” and “SP Entity Identifier (uri)” you will need these links on the Next steps on Azure. Make sure that all the links are "secure" shown as “https”. Add the “s” manually if link shown as “http”.
  5. For now, do not save the changes, proceed to "Steps on Azure".
Steps on Azure
1. Go to Microsoft Azure portal and login with your account.
2. Select “Sign in” above.
3. On Azure portal, open "Azure Active Directory".
4. Select “App registrations” on the left panel.
5. Select “New registration”.
6. Assign the name of your preference to the app.
7. Select who can us the application or access to the API.
8. On “Redirect URI (optional)”, paste the “SP Assertion Consumer Service (url)” that you got from the SMA and select “Register” below.
9. Select the app created and then Select “Expose an API” on the left panel.
10. Select “Application ID URI – Set”.
11. Paste the “SP Entity Identifier (uri)” that you got from the Kace SMA, select “Save”.
12. Go back to the app overview. Select “Overview” above on the left panel.
13. Select “Endpoints”.
14. Copy the link under “Federation metadata document”.
15. Go back to the Kace SMA | SAML Settings.
Back on the Kace SMA | SAML Settings.
1. Select “Get Metadata From IdP”, paste “Federation metadata document” link from Azure on the field below "IdP Metadata URL" and select “Import IdP Metadata”.
  1. This will generate all the info from the IdP by itself below.
1. Go to “IdP Attribute Mappings” Select “Use SAML”.
Note: On version 10.0 and 10.1 of the Kace SMA, the “Login” attribute is the primary key for any user that logs in to the Kace SMA using SAML. The login id from Azure should match the login id from LDAP authentication if we want to keep using the same users that are already on the SMA and just allow them to login using SAML too. If these values are different, a new user is going to be created on the Kace SMA when someone logs in using SAML.
1. Paste the attributes as shown on the Kace SMA Admin guide.
- Example: Using Microsoft Active Directory in Azure as a SAML Identity Provider
- If a different attribute is required, there is a SAML add-on available for Google Chrome (SAML Chrome Panel) to confirm what attributes are been sent from Azure to the SMA.
  - SAML Chrome Panel
1. Under "Role Mapping" since this is just for testing, keep everything in blank and set “Default Role for Unmatched Users” to “Administrator”. Not recommended for a production environment, (This is a basic configuration just to confirm that SAML is working properly) proper roles must be assigned according to your needs once we confirm that SAML is working.
2. Save the changes. Logout from the SMA and try to login again with a Microsoft account.
“Role Mapping” to limit access to other users to your Kace SMA.
1. In your Kace SMA go to Settings | SAML Settings.
2. Scroll down to “Role Mapping”.
3. The SAML attributes from Azure go on the fields to the left, assign them accordingly to match to the role required. (groups, displayname, objectidenfitier, etc.)
1. The fields on the right will have the value for that attribute.
Example: Using “displayname” as the attribute for “Role Mapping” to map a user as an Administrator on the Kace SMA.
1. We can see what attributes are been sent to the Kace SMA from Azure using Google Chrome with "SAML Chrome Panel extension". This allows access to a new section called "SAML" on developer tools. Hit (F12) to access to Google Chrome developer tools.
1. Now that we have the attributes and their values in place, save the changes and try to login again to confirm that the Role Mapping is working fine.
Troubleshooting
If you followed the instructions above, and you are still unable to login to the Kace SMA with your IdP using SAML.
1. Go to Settings | SAML Settings.
2. Scroll down to Local Service Provider (SP) Settings.
3. Select “View Metadata”.
4. Make sure that SP Entity Identifier (uri), SP Assertion Consumer Service (url) and SP SLO Endpoint (url) are "secure" (https://). You can modify the links on the SMA, just add the “s” manually and save the changes.
  - Apply the same change on these links on Azure if they are not "secure" and test again. .
  - All these URLs must be in lower case (On the Kace SMA and Azure). Any upper case on the link could cause issues.
5. Verify what attributes are been sent from de IdP to the Kace SMA.
  - You can see what attributes SAML is sending to the SMA if you are using chrome with the SAML Chrome Panel extension. This allows you to go to developer tools (F12) and get a SAML section.
SAML Chrome Panel