You can configure the appliance to authenticate users without providing their credentials on the Welcome page using a third-party authentication tool.
When SAML is enabled and configured on the appliance, and the user logs in using this single sign-on method, the appliance sends an authentication request to your Identity Provider (IdP). The identity provider then confirms the user's identity and sends an authentication response to the appliance. Next, the appliance logs the user in to the Administrator Console (or User Console) and establishes the user session. When a SAML user logs out of the appliance, they are also logged out of their IdP account. If you want to remain logged in to your IdP account after using the appliance, close the Administrator Console browser window without signing out. If a SAML user's session times out while they are still logged in to their IdP account, the appliance automatically starts a new session for that user.
2. Log in to the KACE SMA Administrator Console, https://KACE_SMA_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
3.
   a.
   b. On the SAML Settings page, under Security Assertion Markup Language (SAML), select the SAML Service Provider Enabled check box.
4. In the Remote Identity Provider (IdP) Settings section, specify your IdP metadata to authenticate users by completing one of the following steps.
   ◦ Recommended. If your IdP provides a URL to the XML page containing the IdP metadata, click Get Metadata From IdP. In the IdP Metadata URL field that appears, type that URL, and click Import IdP Metadata.
   ◦ To use your IdP metadata XML file, click Enter XML Metadata, and in the IdP Metadata XML field that appears, copy and paste the contents of the XML file. Then click Import IdP Metadata. The appliance parses the provided XML content and populates the settings required to establish a connection with the IdP.
   NOTE: To review this information at any time during your SAML configuration, click View Metadata in this section.
5. In the IdP Attribute Mappings section, select the option that you want to use to grant the SAML user access to the appliance.
   ◦ Use Local User Table: Relies on the user list stored locally on the appliance.
   ◦ Use LDAP Lookup: Imports user information from an external LDAP server. For more information, see Using an LDAP server for user authentication.
   ◦ Use SAML: Uses the values specified on this page to map the fields used by your IdP to the appliance user records, such as name, email address, and so on. For example, if the IdP uses LDAP to authenticate users, you can set UID and Login to objectGUID and cn, respectively. For more information, see your IdP documentation.
6. If you selected the Use SAML option, specify the roles that you want to grant to the SAML-authenticated user. Under Role Mapping, specify the conditions that you want to check when granting the roles.
7. Optional. To view the appliance-specific SAML settings on the appliance, in the Local Service Provider (SP) Settings section, click View Metadata, and review the options that appear.
8.
   c.
   a.
   b.
   c.
   d. In the newly created App Registration, on the Endpoints page, copy the contents of the Federation metadata document field.
3. Log in to the KACE SMA Administrator Console, https://KACE_SMA_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
4.
   a.
   b. On the SAML Settings page, under Security Assertion Markup Language (SAML), select the SAML Service Provider Enabled check box.
5. In the Remote Identity Provider (IdP) Settings section, specify your IdP metadata to authenticate users by completing the following steps.
   a.
   b.
   NOTE: To review this information at any time during your SAML configuration, click View Metadata in this section.
6. In the Security Assertion Markup Language (SAML) section, ensure the IdP Does Not Support Passive Authentication check box is selected.
7. In the IdP Attribute Mappings section, select the option that you want to use to grant the SAML user access to the appliance.
   ◦ Use Local User Table: Relies on the user list stored locally on the appliance.
   ◦ Use LDAP Lookup: Imports user information from an external LDAP server. For more information, see Using an LDAP server for user authentication.
   ◦ Select Use SAML, and set the following options:
     ◦ UID: http://schemas.microsoft.com/identity/claims/objectidentifier
     ◦ Login: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
     ◦ Name: http://schemas.microsoft.com/identity/claims/displayname
     ◦ Primary Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
8. If you selected the Use SAML option, under Role Mapping, specify the following condition for the role that you want to grant to SAML-authenticated users (for example, the Administrator role):
9. Optional. To view the appliance-specific SAML settings on the appliance, in the Local Service Provider (SP) Settings section, click View Metadata, and review the options that appear.
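To make the attribute-mapping step concrete, the following added example (written for this page, not code from Quest or the KACE SMA appliance) parses a constructed, unsigned SAML assertion, checks its validity window and audience, applies the four Azure AD claim mappings listed above, and evaluates a hypothetical Role Mapping condition based on group membership. The SP entity ID, tenant ID, object IDs and the Azure group claim URI (`.../ws/2008/06/identity/claims/groups`) are assumptions or placeholders; the role names and the rule "member of one group = Administrator" are illustrative only. Signature verification of the SAML response against the imported IdP metadata must happen before any of this mapping is trusted and is deliberately out of scope here.

```python
"""Map SAML assertion claims to appliance user fields (added example, not KACE code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute mappings exactly as entered under "Use SAML" for Azure AD on this page.
# Note that Login and Primary Email both read the same "name" claim.
ATTRIBUTE_MAP = {
    "UID": "http://schemas.microsoft.com/identity/claims/objectidentifier",
    "Login": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "Name": "http://schemas.microsoft.com/identity/claims/displayname",
    "Primary Email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
}

# Azure AD group claim, emitted once groupMembershipClaims is set in the manifest.
# Assumed here: the page does not name the claim URI itself.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

SP_ENTITY_ID = "https://kace_sma_hostname/saml/sp"          # placeholder SP Entity Identifier
ADMIN_GROUP_ID = "aaaaaaaa-0000-0000-0000-000000000002"       # constructed group object ID

# Constructed sample assertion: unsigned, placeholder tenant and object IDs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2021-06-01T12:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Conditions NotBefore="2021-06-01T11:55:00Z" NotOnOrAfter="2021-06-01T13:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://kace_sma_hostname/saml/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>aaaaaaaa-0000-0000-0000-000000000001</saml:AttributeValue>
      <saml:AttributeValue>aaaaaaaa-0000-0000-0000-000000000002</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_utc(ts):
    """SAML timestamps are UTC in ISO 8601 with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(root, expected_audience, now):
    """Reject assertions that are expired, not yet valid, or issued for another SP."""
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    if now < parse_utc(cond.get("NotBefore")) or now >= parse_utc(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion audience does not match this SP entity ID")


def parse_attributes(root):
    """Return {claim name: [values]} from the AttributeStatement."""
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return attrs


def map_user(attrs):
    """Apply ATTRIBUTE_MAP; every mapped field must be present exactly once."""
    user = {}
    for field, claim in ATTRIBUTE_MAP.items():
        values = attrs.get(claim, [])
        if len(values) != 1:
            raise ValueError(f"claim for {field} missing or multi-valued: {claim}")
        user[field] = values[0]
    return user


def map_role(attrs, admin_group_id):
    """Hypothetical Role Mapping condition: membership in one group grants Administrator."""
    return "Administrator" if admin_group_id in attrs.get(GROUPS_CLAIM, []) else "User"


def process_assertion(xml_text, expected_audience, now, admin_group_id):
    """Validate conditions, then build the appliance user record plus its role."""
    root = ET.fromstring(xml_text)
    check_conditions(root, expected_audience, now)
    attrs = parse_attributes(root)
    user = map_user(attrs)
    user["Role"] = map_role(attrs, admin_group_id)
    return user


if __name__ == "__main__":
    print(process_assertion(SAMPLE_ASSERTION, SP_ENTITY_ID,
                            parse_utc("2021-06-01T12:05:00Z"), ADMIN_GROUP_ID))
```

Because Login and Primary Email point at the same claim, a tenant whose `name` claim is not an email address will produce user records with a non-address in the email field; the audience check is what stops an assertion issued for another service provider from being accepted by this one.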
   a.
   c.
   d. In the Redirect URIs section, select Web and set it to the SP Assertion Consumer Service (url) value from the SAML Settings page, under Local Service Provider (SP) Settings.
   e. In the Advanced settings, set the Logout URL field to the SP SLO Endpoint (url) value from the Local Service Provider (SP) Settings section.
   f. In Azure, click Expose an API, and click Set next to Application ID URI. Set this field to the SP Entity Identifier (uri) value from the Local Service Provider (SP) Settings section.
   g. In Azure, click Manifest, and in the editor that appears on the right, add or update the "groupMembershipClaims" attribute and set its value to "SecurityGroup" or "All".
11.
   c.
Figure 7. Replication Share configuration
To create a Replication Share, identify one device at each remote location to act as a Replication Device. The appliance copies all the replication items to the Replication Device at the specified destination path. The replication process automatically restarts if it is stopped due to a network failure or replication schedule. If stopped, the replication process restarts at the point it was stopped.
Sneaker net share: You can create a folder and copy the contents of an existing replication folder to it. You can then specify this folder as the new replication folder in the appliance. The appliance determines whether the new folder already has all the replication items present and replicates only the new ones, which conserves bandwidth. You can manually copy the contents of the replication folder to a new folder. The replication folder created on a device follows this hierarchy:
\\machinename\foldername\repl2\replicationitems folder
The device name and folder name are user defined, while repl2 is created automatically by the appliance. The replication items folder includes the folders for patches, kbots, upgrade files, and applications.
Replication items are copied in this order:
2.
4.
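The delta behaviour described above (only items not already present in the replication folder are copied, and an interrupted copy is completed on the next run) can be illustrated with the following added example. It is written for this page and is not Quest's replication code: it assumes the item folders under repl2 are named patches, kbots, upgrades and applications, compares files by SHA-256 rather than by name alone so a truncated copy is detected, and builds its own constructed sample share in a temporary directory.

```python
"""Copy only the replication items missing from a replication folder (added example)."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Folder names under repl2 as described on the page; the exact names are assumed.
ITEM_FOLDERS = ("patches", "kbots", "upgrades", "applications")


def sha256_of(path):
    """Hash a file in chunks so large patch files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def list_items(repl_root):
    """Map relative path -> sha256 for every file under repl2/<folder>, folder by folder."""
    items = {}
    base = Path(repl_root) / "repl2"
    for folder in ITEM_FOLDERS:
        if not (base / folder).is_dir():
            continue
        for p in sorted((base / folder).rglob("*")):
            if p.is_file():
                items[p.relative_to(base).as_posix()] = sha256_of(p)
    return items


def missing_items(src_root, dst_root):
    """Items present in the source share but absent or different in the destination."""
    src, dst = list_items(src_root), list_items(dst_root)
    return [rel for rel, digest in src.items() if dst.get(rel) != digest]


def sync(src_root, dst_root):
    """Copy only the missing items and return what was copied; a rerun copies nothing."""
    copied = []
    for rel in missing_items(src_root, dst_root):
        target = Path(dst_root) / "repl2" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(Path(src_root) / "repl2" / rel, target)
        copied.append(rel)
    return copied


def build_sample():
    """Constructed sample: a complete source share and a sneaker-net copy that is
    missing one patch and holds a truncated (interrupted) copy of one kbot."""
    tmp = Path(tempfile.mkdtemp())
    src, dst = tmp / "src", tmp / "dst"
    files = {
        "patches/kb1.msu": b"patch one",
        "patches/kb2.msu": b"patch two",
        "kbots/agent.zip": b"kbot payload",
        "applications/app.exe": b"app",
    }
    for rel, data in files.items():
        for root in (src, dst):
            p = root / "repl2" / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
    (dst / "repl2" / "patches" / "kb2.msu").unlink()                 # never copied
    (dst / "repl2" / "kbots" / "agent.zip").write_bytes(b"kbot")      # interrupted copy
    return src, dst


if __name__ == "__main__":
    src, dst = build_sample()
    print("missing before sync:", missing_items(src, dst))
    print("copied:", sync(src, dst))
    print("missing after sync:", missing_items(src, dst))
```

Hashing instead of trusting file names is what makes the "restart where it stopped" behaviour safe: a partially written file is re-copied rather than served to managed devices as if it were complete.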
You can create Replication Shares on managed devices.
To create a Replication Share you must:
• Have write permission on the destination path to write the software files.
Replication Shares can be created only on devices that appear on the Devices list in Inventory. If the device you want to use is not on the Devices list, you need to create an inventory record for the device before you can use it as a Replication Share.
See Managing inventory information.
1.
   a. Log in to the KACE SMA Administrator Console, https://KACE_SMA_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
   b.
   c.
2.
3.
4.
   ◦
5.
   Select the Operating System and Locales of the patches to replicate. The lists are populated based on the operating systems and locales selected in the patch subscription.
6. Select the Include Application Patches and Include Dell Updates check boxes to copy the patch and update files to the Replication Share.
7.
   • Destination path (Local Share or UNC): For a network drive, use UNC format, for example: \\kaceRep\kace_sma_share\
   • Credentials: The details of the service account required to connect to the device and run commands. Select existing credentials from the drop-down list, or select Add new credential to add credentials not already listed.
8.
   • Path: The path used by devices in the replication label to copy items from the replication drive, for example: \\fileservername\directory\kace_sma\. Other devices need read permission to copy replication items from this shared folder.
   • Credentials: The details of the service account required to connect to the device and run commands. Select existing credentials from the drop-down list, or select Add new credential to add credentials not already listed.
9. The bandwidth used for each hour of the day (24-hour clock format) and each day of the week.
10.
11. Optional: After you have tested the Replication Share, return to step 3 and enable Failover To Appliance.
© 2021 Quest Software Inc. ALL RIGHTS RESERVED.