◦ If the Organization component is not enabled on the appliance, log in to the appliance Administrator Console, https://appliance_hostname/admin, then select Settings > Control Panel.
◦ If the Organization component is enabled on the appliance, log in to the appliance System Administration Console, https://appliance_hostname/system, or select System in the drop-down list in the top-right corner of the page, then select Settings > Control Panel.
NOTE: Users who are currently logged in to the User Console or Administrator Console remain logged in until their session ends. The next time they attempt to access the User Console or Administrator Console, however, they are required to enter their credentials.
You can configure the appliance to authenticate users through a third-party identity provider, so that they do not have to enter their credentials on the Welcome page.

When SAML is enabled and configured on the appliance and a user logs in with this single sign-on method, the appliance sends a SAML authentication request to your Identity Provider (IdP). The IdP verifies the user's identity and returns a signed authentication response to the appliance. The appliance validates that response, logs the user in to the Administrator Console (or User Console), and establishes the user session.

When a SAML user logs out of the appliance, they are also logged out of their IdP account (single logout). If you want to stay logged in to your IdP account after using the appliance, close the Administrator Console browser window without signing out; the appliance session then remains valid until it times out. If a SAML user's appliance session times out while they are still logged in to their IdP, the appliance automatically starts a new session for that user without prompting for credentials.
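The exchange just described, as an added example that is not the appliance's code: a minimal Service Provider in the appliance's position issues the authentication request, a constructed IdP answers it, and the SP applies the acceptance checks (status, destination, InResponseTo, issuer, recipient, validity window, audience, replay) before opening a session. The entity IDs and URLs are placeholders, and XML signature verification is left to a library and not shown.

```python
"""SP-initiated SAML 2.0 login: both messages plus the acceptance checks the SP runs.

Added example, not the appliance's code. ServiceProvider stands in for the appliance,
idp_response() is a constructed IdP, and all entity IDs and URLs are placeholders.
XML-DSig verification is NOT implemented: a real SP first verifies the Response or
Assertion signature against the IdP certificate from the imported metadata.
"""
import datetime as dt
import secrets
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://appliance.example.com/saml/metadata"  # assumed: SP Entity Identifier
SP_ACS_URL = "https://appliance.example.com/saml/acs"         # assumed: SP Assertion Consumer Service
IDP_ENTITY_ID = "https://idp.example.com/saml/metadata"       # assumed: entityID from IdP metadata


def utcnow():
    return dt.datetime.now(dt.timezone.utc).replace(microsecond=0)

def iso(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_ts(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


class ServiceProvider:
    def __init__(self):
        self.pending = set()          # AuthnRequest IDs still awaiting a Response
        self.seen_assertions = set()  # Assertion IDs already accepted (replay guard)

    def build_authn_request(self):
        """Message 1: the AuthnRequest the browser carries to the IdP's SSO endpoint."""
        req_id = "_" + secrets.token_hex(16)
        self.pending.add(req_id)
        return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
                f'ID="{req_id}" Version="2.0" IssueInstant="{iso(utcnow())}" '
                f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
                f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

    def consume_response(self, response_xml, skew=dt.timedelta(seconds=60)):
        """Message 2: return the NameID to open a session for, or raise ValueError naming the failed check."""
        resp = ET.fromstring(response_xml)
        if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
            raise ValueError("IdP did not report success")
        if resp.get("Destination") != SP_ACS_URL:
            raise ValueError("Destination is not our ACS URL")
        req_id = resp.get("InResponseTo")
        if req_id not in self.pending:  # unsolicited, or the request ID was already used
            raise ValueError("InResponseTo does not match a pending AuthnRequest")
        a = resp.find("saml:Assertion", NS)
        if a is None or a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
            raise ValueError("assertion missing or not issued by the configured IdP")
        scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != req_id:
            raise ValueError("SubjectConfirmationData does not match this SP and request")
        cond, now = a.find("saml:Conditions", NS), utcnow()
        if now + skew < parse_ts(cond.get("NotBefore")) or now - skew >= parse_ts(cond.get("NotOnOrAfter")):
            raise ValueError("assertion outside its validity window")
        if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
            raise ValueError("audience is not this SP")
        if a.get("ID") in self.seen_assertions:
            raise ValueError("assertion replayed")
        self.seen_assertions.add(a.get("ID"))
        self.pending.discard(req_id)
        return a.findtext("saml:Subject/saml:NameID", namespaces=NS)


def idp_response(authn_request_xml, name_id="alice@example.com", lifetime=300):
    """Constructed IdP side: answer an AuthnRequest with a Response (unsigned here)."""
    req = ET.fromstring(authn_request_xml)
    req_id, acs = req.get("ID"), req.get("AssertionConsumerServiceURL")
    audience = req.findtext("saml:Issuer", namespaces=NS)
    t = utcnow()
    expiry = iso(t + dt.timedelta(seconds=lifetime))
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{iso(t)}" '
            f'InResponseTo="{req_id}" Destination="{acs}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{iso(t)}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID>'
            '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData InResponseTo="{req_id}" Recipient="{acs}" NotOnOrAfter="{expiry}"/>'
            '</saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="{iso(t)}" NotOnOrAfter="{expiry}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            '</saml:Conditions></saml:Assertion></samlp:Response>')


def replay_is_rejected():
    """Posting the same Response a second time must fail; returns the reason."""
    sp = ServiceProvider()
    resp = idp_response(sp.build_authn_request())
    sp.consume_response(resp)
    try:
        sp.consume_response(resp)
    except ValueError as e:
        return str(e)
    return None
```

Every check here keys off a value the SP learned either from the imported IdP metadata (issuer, signing certificate) or from its own state (pending request IDs, accepted assertion IDs), which is why the IdP metadata import in the configuration procedure must come from a trusted source.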
2. Log in to the appliance Administrator Console, https://appliance_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
3.
   a. On the left navigation bar, click Settings, then click SAML Configuration > Configure Single Sign On with SAML.
   b. On the SAML Settings page, under Security Assertion Markup Language (SAML), select the Enable SAML Service Provider check box.
5. In the Remote Identity Provider (IdP) Settings section, specify your IdP metadata to authenticate users by completing one of the following steps.
   ◦ Recommended. If your IdP provides a URL to the XML page containing the IdP metadata, click Get Metadata From IdP. In the IdP Metadata URL field that appears, type that URL, and click Import IdP Metadata. Use an https:// URL: the metadata carries the IdP signing certificate that the appliance will trust for every later login, so it must not be fetched over plaintext.
   ◦ To use your IdP metadata XML file instead, click Enter XML Metadata, and in the IdP Metadata XML field that appears, paste the contents of the XML file. Then click Import IdP Metadata. The appliance parses the XML and populates the settings required to establish a connection with the IdP.
   NOTE: To review this information at any time during your SAML configuration, click View Metadata in this section.
6. In the IdP Attribute Mappings tab, select the option that you want to use to grant SAML users access to the appliance.
   ◦ Use Local User Table: Relies on the user list stored locally on the appliance.
   ◦ Use LDAP Lookup: Imports user information from an external LDAP server. For more information, see Using an LDAP server for user authentication.
   ◦ Use SAML: Uses the values specified on this page to map the fields sent by your IdP to the appliance user record (name, email address, and so on). For example, if the IdP itself authenticates users against LDAP, you can set UID and Login to objectGUID and cn, respectively. For more information, see your IdP documentation.
7. If you selected Use SAML, indicate whether the appliance should create a new user for authenticated SAML users that do not yet have an account on it: select Create new SMA user if authenticated SAML user does not exist on SMA. With this option enabled, any user your IdP authenticates for the appliance receives an account, so restrict which users the IdP application is assigned to.
8. If you selected Use SAML, specify the roles to grant to the SAML-authenticated user. Under Role Mapping, specify the conditions that must hold for each role to be granted.
9. Optional. To view the appliance-specific SAML settings, in the Local Service Provider (SP) Settings section, click View Metadata, and review the options that appear.
d. In the newly created App Registration, on the Endpoints page, copy the contents of the Federation metadata document field.
3. Log in to the appliance Administrator Console, https://appliance_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
4.
   a. On the left navigation bar, click Settings, then click SAML Configuration > Configure Single Sign On with SAML.
   b. On the SAML Settings page, under Security Assertion Markup Language (SAML), select the Enable SAML Service Provider check box.
5. In the Remote Identity Provider (IdP) Settings section, specify your IdP metadata to authenticate users by completing the following steps.
   a. Click Get Metadata From IdP, and in the IdP Metadata URL field that appears, paste the Federation metadata document URL you copied from the App Registration.
   b. Click Import IdP Metadata.
   NOTE: To review this information at any time during your SAML configuration, click View Metadata in this section.
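For both the generic Import IdP Metadata step and the Azure Federation metadata document, here is an added example (not the appliance's code) of what the import has to extract from the XML and check before the resulting settings are trusted: the entityID, the single sign-on and single logout endpoints, the signing certificate (reduced to a fingerprint you can compare against the IdP console), the validUntil date, and the scheme of the URL it was fetched from. The metadata document and certificate bytes are constructed, and the fetch function is injected so the example runs offline.

```python
"""Import IdP metadata: parse the EntityDescriptor and pull out the settings an SP needs.

Added example, not the appliance's code. SAMPLE_METADATA and SAMPLE_CERT_DER are
constructed stand-ins; real metadata carries a base64 X.509 certificate.
"""
import base64
import datetime as dt
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_CERT_DER = b"constructed-placeholder-for-idp-signing-certificate"  # not a real DER blob
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml/metadata" validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.com/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def cert_fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form IdP consoles display."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def parse_idp_metadata(xml_text, now=None):
    """Return the connection settings an SP needs, or raise ValueError on unusable metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not an EntityDescriptor")
    valid_until = root.get("validUntil")
    if valid_until:
        exp = dt.datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)
        if (now or dt.datetime.now(dt.timezone.utc)) >= exp:
            raise ValueError("metadata has expired (validUntil is in the past)")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no SAML 2.0 IdP")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # an absent 'use' means signing and encryption
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join(c.text.split())))
    if not certs:
        raise ValueError("no signing certificate: IdP responses could never be verified")
    endpoints = {(e.tag.split("}")[1], e.get("Binding")): e.get("Location")
                 for e in idp if e.get("Binding")}
    sso = endpoints.get(("SingleSignOnService", REDIRECT)) or endpoints.get(("SingleSignOnService", POST))
    if not sso:
        raise ValueError("no usable SingleSignOnService endpoint")
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso,
        "slo_url": endpoints.get(("SingleLogoutService", REDIRECT)) or endpoints.get(("SingleLogoutService", POST)),
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "name_id_format": idp.findtext("md:NameIDFormat", namespaces=NS),
        "signing_cert_sha256": [cert_fingerprint(c) for c in certs],
    }


def import_from_url(url, fetch):
    """'Get Metadata From IdP': refuse plaintext URLs, because the document being fetched
    contains the certificate that anchors trust in every later assertion. `fetch` is an
    injected callable (url -> str) so the example runs offline."""
    if urlparse(url).scheme != "https":
        raise ValueError("IdP metadata URL must use https://")
    return parse_idp_metadata(fetch(url))
```

The fingerprint list is the value to compare out of band with what the IdP administrator sees; if it does not match, the imported metadata was substituted somewhere between the IdP and the appliance and must not be used.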
6. In the Security Assertion Markup Language (SAML) tab, ensure the IdP Does Not Support Passive Authentication check box is selected.
7. In the IdP Attribute Mappings tab, select the option that you want to use to grant SAML users access to the appliance.
   ◦ Use Local User Table: Relies on the user list stored locally on the appliance.
   ◦ Use LDAP Lookup: Imports user information from an external LDAP server. For more information, see Using an LDAP server for user authentication.
   ◦ Use SAML, with the following attribute mappings (these are the Azure AD claim names):
     ◦ UID: http://schemas.microsoft.com/identity/claims/objectidentifier (the user's immutable object ID)
     ◦ Login: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
     ◦ Name: http://schemas.microsoft.com/identity/claims/displayname
     ◦ Primary Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
8. If you selected the Use SAML option, under Role Mapping, specify the following condition for the role that you want to grant to SAML-authenticated users (for example, the Administrator role):
9. Optional. To view the appliance-specific SAML settings, in the Local Service Provider (SP) Settings section, click View Metadata, and review the options that appear.
d. In the Redirect URIs section, select Web and set it to the SP Assertion Consumer Service (url) value from the SAML Settings page, under Local Service Provider (SP) Settings.
e. In Advanced settings, set the Logout URL field to the SP SLO Endpoint (url) value from the Local Service Provider (SP) Settings section.
f. In Azure, click Expose an API, and click Set next to Application ID URI. Set this field to the SP Entity Identifier (uri) value from the Local Service Provider (SP) Settings section.
g. In Azure, click Manifest, and in the editor that appears on the right, add or update the "groupMembershipClaims" attribute and set its value to "SecurityGroup" or "All". This makes Azure include the user's group object IDs as a claim in the SAML token, which is what the Role Mapping conditions can then check.
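The attribute mapping and Role Mapping steps of both procedures (the generic Use SAML mapping and the Azure claim names listed above), as an added example that is not the appliance's code: it reads the AttributeStatement of a constructed Azure AD assertion, applies the four claim mappings from this page, decides whether to create the local user (the Create new SMA user option), and evaluates role-mapping rules against the groups claim that groupMembershipClaims adds. The groups claim name, the rule format, the group object IDs, the user table and the sample assertion are assumptions.

```python
"""IdP Attribute Mappings and Role Mapping, worked through on a constructed Azure AD assertion.

Added example, not the appliance's code. The four claim names in ATTRIBUTE_MAP are the
ones the page configures; GROUPS_CLAIM, ROLE_RULES, the user table and SAMPLE_ASSERTION
are assumptions.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ATTRIBUTE_MAP = {  # appliance field -> SAML attribute (claim) name, as configured on the page
    "uid": "http://schemas.microsoft.com/identity/claims/objectidentifier",
    "login": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "name": "http://schemas.microsoft.com/identity/claims/displayname",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
}
# Assumed: the claim Azure AD adds once groupMembershipClaims is set in the app manifest.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Assumed rule format: (role, claim name, required value). Group object IDs are placeholders.
ROLE_RULES = [
    ("Administrator", GROUPS_CLAIM, "11111111-2222-3333-4444-555555555555"),
    ("Read Only", GROUPS_CLAIM, "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"),
]

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
      <saml:AttributeValue>3f2504e0-4f89-11d3-9a0c-0305e82c3301</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>99999999-8888-7777-6666-555555555555</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def read_attributes(assertion_xml):
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def map_user(attrs):
    """Apply ATTRIBUTE_MAP; uid and login must be present exactly once."""
    record = {}
    for field, claim in ATTRIBUTE_MAP.items():
        values = attrs.get(claim, [])
        if field in ("uid", "login") and len(values) != 1:
            raise ValueError(f"{field} claim must be present exactly once; refusing login")
        record[field] = values[0] if values else None
    return record


def map_roles(attrs):
    """A role is granted when its rule's claim carries the required value."""
    return sorted({role for role, claim, wanted in ROLE_RULES if wanted in attrs.get(claim, [])})


def provision(user_table, assertion_xml, create_if_missing):
    """Resolve or create the local user and return (uid, roles).

    The user is keyed by uid (the immutable Azure object ID), not by login: a UPN can be
    reassigned to a different person later, an object ID cannot.
    """
    attrs = read_attributes(assertion_xml)
    record = map_user(attrs)
    uid = record["uid"]
    if uid not in user_table:
        if not create_if_missing:  # 'Create new SMA user ...' left unselected
            raise PermissionError("authenticated by the IdP, but no local account exists")
        user_table[uid] = record
    else:
        user_table[uid].update(record)  # refresh login/name/email from the IdP on each login
    return uid, map_roles(attrs)
```

Because Login and Primary Email both map to the name claim, the record's email is whatever Azure sent as the user's name (normally the UPN); the second group ID in the sample matches no rule, so only the Administrator role is granted.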
To allow the appliance to display the location associated with the logged-in user's public IP address, you must install a location database. See Install and configure the location database.
You can see all sessions on the Recent Sessions page. For a quick list of the latest sessions associated with your user account, use the My Recent Sessions pane. See View a list of user sessions.
© 2024 Quest Software Inc. ALL RIGHTS RESERVED.