1. I am looking for a way to export the SAML XML. I see where I can import the XML from the IdP, but I need to export the SP XML to give to the IdP.
What I am looking for is an XML that encompasses all of the metadata. Most Service Providers and Identity Providers provide a way to export an XML so it can be exchanged. In that XML, the certificate is provided as well as the other pertinent information. I see an option to import an XML from the Identity Provider, but not a way to export an XML from Quest. I also have other questions that you may be able to assist with.
2. Does using SAML authentication preclude other types of sign-on (i.e. LDAP, local accounts)?
3. Are multiple SAML providers supported in the same ORG?
4. Are multiple SAML providers supported on the same appliance?
5. After looking into the metadata I found that AuthnRequestsSigned and WantAssertionsSigned are both false. For security reasons, the SP should check the signature of the assertion sent by the IdP, and the IdP should also check the signature on the SP's request.
Can you explain why the AuthnRequestsSigned and WantAssertionsSigned are false and if there is a way to change it to true?
These are answers to a few common questions about SAML configuration on the KACE SMA.
1. To obtain the SMA SAML XML metadata URL, navigate to Settings > Control Panel > SAML Configuration.
The URL is the base URL of the SMA followed by "/adminui/saml/metadata/1", where "1" is the ORG number. This is the SP metadata (including the SP certificate) that you hand to the IdP.
2. SAML can be used alongside all the other login options. Depending on the SAML IdP, it may "lock" you into an active login if the IdP does not support passive authentication. If that happens, reload the SMA login page to be presented with the option to do a local login; the normal login procedures then work as usual.
3. Currently, only one IdP can be configured per ORG. KACE may expand that in the future if needed.
4. You can have one IdP per Organization on one appliance, and the IdP can be different for each ORG. If any ORG has an IdP that does not support passive authentication, the user must choose an ORG on the SMA login screen before using SAML login, because the SMA cannot test for SSO without redirecting to the IdP login page.
5. Expand "Local Service Provider (SP) Settings" > "View Metadata" and scroll down to a set of settings that can be checked or unchecked. Check "Sign AuthnRequest messages" and "Require IdP to Sign Assertion Elements", then click "Save". After saving, re-check the metadata URL: AuthnRequestsSigned and WantAssertionsSigned should now read true, and the IdP should be given this updated metadata, since it also carries the SP signing certificate the IdP needs to verify signed requests. See the screenshot below.
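The following is an added example, not Quest's code and not part of the original article. It builds the metadata URL from item 1 and checks an SP metadata document for the two flags from item 5, for a published signing certificate, and for HTTPS AssertionConsumerService endpoints. The two XML documents are constructed stand-ins for the real appliance output; the entityID, the ACS path `/adminui/saml/acs/1` and the certificate value are assumptions and were not taken from a real SMA.

```python
"""Added example: inspect the SP metadata an SMA publishes (not Quest's code).

Assumptions (not from the article): the metadata is standard SAML 2.0
metadata XML; the sample documents below are constructed stand-ins.
"""
import urllib.request
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}


def metadata_url(base_url: str, org: int = 1) -> str:
    """SMA SP metadata URL: <base URL>/adminui/saml/metadata/<ORG number>."""
    return f"{base_url.rstrip('/')}/adminui/saml/metadata/{org}"


def fetch_sp_metadata(url: str, timeout: float = 10.0) -> str:
    """Download the metadata over HTTPS (system CA store, no pinning)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def _xml_bool(value) -> bool:
    """XML Schema boolean: 'true'/'1' are true; 'false', '0' or absent are false."""
    return (value or "false").strip().lower() in ("true", "1")


def check_sp_metadata(xml_text: str) -> dict:
    """Parse SP metadata and return the settings that matter for the IdP exchange.

    ET.fromstring does not fetch external entities, but metadata from an
    untrusted source should go through defusedxml rather than the stdlib parser.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")

    # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                if c.text and c.text.strip():
                    certs.append("".join(c.text.split()))  # base64 DER, whitespace removed

    acs = [e.get("Location", "") for e in sp.findall("md:AssertionConsumerService", NS)]
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": _xml_bool(sp.get("AuthnRequestsSigned")),
        "want_assertions_signed": _xml_bool(sp.get("WantAssertionsSigned")),
        "signing_certs": certs,
        "acs_urls": acs,
    }


def findings(info: dict) -> list:
    """Problems to fix before handing the metadata to the IdP (empty list = good)."""
    out = []
    if not info["authn_requests_signed"]:
        out.append("AuthnRequestsSigned is false: enable 'Sign AuthnRequest messages'")
    if not info["want_assertions_signed"]:
        out.append("WantAssertionsSigned is false: enable 'Require IdP to Sign Assertion Elements'")
    if not info["signing_certs"]:
        out.append("no signing certificate published: the IdP cannot verify SP signatures")
    for url in info["acs_urls"]:
        if not url.startswith("https://"):
            out.append(f"ACS endpoint is not HTTPS: {url}")
    return out


# Constructed sample resembling what the question describes (both flags false).
# The entityID, ACS path and certificate value are placeholders, not real SMA output.
SP_METADATA_BEFORE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sma.example.com/adminui/saml/metadata/1">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-PLACEHOLDER-NOT-A-REAL-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sma.example.com/adminui/saml/acs/1" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: the same document after both boxes were ticked and saved.
SP_METADATA_AFTER = SP_METADATA_BEFORE.replace(
    'AuthnRequestsSigned="false" WantAssertionsSigned="false"',
    'AuthnRequestsSigned="true" WantAssertionsSigned="true"')


if __name__ == "__main__":
    print(metadata_url("https://sma.example.com", 1))
    for label, doc in (("before", SP_METADATA_BEFORE), ("after", SP_METADATA_AFTER)):
        info = check_sp_metadata(doc)
        print(label, info["entity_id"], findings(info) or "OK")
```

Against a live appliance, run `findings(check_sp_metadata(fetch_sp_metadata(metadata_url("https://your-sma", 1))))` after clicking Save; an empty list means both flags are true and a signing certificate is published. Re-import the metadata at the IdP only once that check passes, because the IdP reads the SP signing certificate from the same document.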