
Authentication Types - SAML

Use this subform to configure the SAML authentication type.

Note

With the SAML authentication type enabled, every deep-link attempts to validate the session against the SAML service, which can redirect the user to the SAML identity provider (IdP) login screen. Users should log in at the top-level Web FQDN first and only use deep-links after logging in.

Form Fields

  • Name: The name of the authentication profile.

  • Status: The status of the authentication profile.

  • Settings (Identity Provider):

    • Entity ID: A unique identifier for your SAML-enabled IdP.

    • Single SignOn Service: The endpoint on your IdP that receives incoming authentication requests, authenticates the user, and returns the SAML response.

    • Single Logout Service: An endpoint on your IdP to receive incoming logout requests and send logout responses.

    • Certificate: The IdP's X.509 signing certificate, used to verify the signatures on SAML responses from the IdP.

    • NameID Format: The expected format of the NameID element in the SAML response. The NameID value must match the username in Unified Assurance.

  • Settings (Service Provider for Internal Presentation): These fields are read-only in Unified Assurance; their values must be registered in your IdP.

    • Entity ID: A unique identifier for your SAML-enabled service provider (SP).

    • Assertion Consumer Service: The endpoint on the SP to which the IdP sends the SAML response for an authenticated user.

    • Single Logout Service: The endpoint on the SP that the IdP uses for logout requests and responses.

    • Certificate: The SP's certificate, to be registered with the IdP.

  • Settings (Service Provider for External Presentation): These fields are read-only in Unified Assurance; their values must be registered in your IdP. They are populated only when an external presentation server is in use; otherwise they are blank.

    • Entity ID: A unique identifier for your SAML-enabled SP.

    • Assertion Consumer Service: The endpoint on the SP to which the IdP sends the SAML response for an authenticated user.

    • Single Logout Service: The endpoint on the SP that the IdP uses for logout requests and responses.

    • Certificate: The SP's certificate, to be registered with the IdP.

Setting up SAML External Authentication

  1. Provide the values for the fields in the Settings (Service Provider for (Internal/External) Presentation) sections to your organization's SAML administrators for the back-end configuration.

    Note

    When you are using a shared Web FQDN in an environment, the IdP settings shown in this UI always point to the Web FQDN alias, and users must use the Web FQDN to log in. If a user enters the Host FQDN in the browser, SAML authentication fails because the IdP has no service provider entry for the Host FQDN. Other authentication types still work when the Host FQDN is used to access the environment.

  2. Get the values for the following fields in the Settings (Identity Provider) section from your organization's SAML administrators:

    Note

    Although other IdP configurations support multiple entries for Single SignOn Service and Single Logout Service, each entry being a different URL for a different binding, such as SOAP or HTTP-POST, Unified Assurance SAML only supports the HTTP-Redirect binding. Request the HTTP-Redirect endpoints from your SAML administrators.

    • Entity ID

    • Single SignOn Service

    • Single Logout Service

    • Certificate

    • NameID Format (optional)

  3. Enter the values provided into the form and click Submit.

  4. Restart the Unified Assurance web service:

    systemctl restart assure1-web
    
  5. Go to the Users UI and create new users or update existing ones to use the SAML authentication type:

    Configuration -> AAA -> Users

  6. Test authentication using the SAML users.