
What is SAML

About SAML

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between an identity provider (IdP) and an application. It lets a user who has authenticated to the IdP access the service provider (SP) without authenticating to the SP separately.

SAML SSO uses SAML for seamless user authentication. Authentication data is transferred between the IdP and the application in XML format. Once users log in to the IdP, they can access multiple applications without providing their credentials every time. For SAML SSO to work, both the IdP and the application must support the SAML standard.

Key Entities in SAML

There are a few key entities involved in SAML communication:

  • Identity Provider (IdP): A service that manages user identities.
  • Service Provider (SP): An entity connecting to the IdP for authenticating users.
  • Metadata: A file containing information for connecting an SP to an IdP.
  • Unique User Identifier (Name ID): The identifier carried in the SAML assertion that the appliance uses to match the authenticated user to a local user account when logging in.

Implementing SAML SSO for Protegrity Appliances

On Protegrity appliances, such as the ESA or the DSG, you can use SAML SSO to log in to the appliance. To use this feature, you log in to an IdP, such as AWS, Azure, or GCP. After you are logged in to the IdP, you can access appliances such as the ESA or the DSG. The appliance validates the user and, on successful validation, grants the user access to the appliance. The following sections describe a step-by-step approach for setting up SAML SSO.

1 - Setting up SAML SSO

Prerequisites

For implementing SAML SSO, ensure that the following prerequisites are met:

  • The Service Providers (SPs), such as the ESA or the DSG, are up and running.
  • The users exist in the Identity Provider (IdP), such as AWS, Azure, or GCP.
  • The IdP contains a SAML application for your appliance, such as the ESA or the DSG.
  • The users that will use the SAML SSO feature have been added from the User Management screen.
  • The IP addresses of the appliances resolve to a Fully Qualified Domain Name (FQDN).

Setting up SAML SSO

This section describes the tasks that an administrative user must perform to enable the SAML SSO feature on the Protegrity appliances.

As part of this process, you may need to change a user's roles and LDAP settings. For more information, refer to the section Adding Users to Internal LDAP and Managing Roles.

Table 1. Setting up SSO

Order | Platform | Step | Reference
1 | Appliance Web UI | Add the users that require SAML SSO. Assign the SSO Login permission to the required user role. Ensure that the users change their password after their first login to the appliance. |
2 | Appliance Web UI | Provide the FQDN and entity ID. The entity ID is retrieved from the IdP on which a SAML enterprise application has been created for the appliance. | Configuring Service Provider (SP) Settings
3 | Appliance Web UI | Provide the metadata generated on the IdP, and select the Unique User Identifier (Name ID) for user authentication. | Configuring IdP Settings

Configuring Service Provider (SP) Settings

Before enabling SAML SSO on an appliance, such as the ESA or the DSG, you must provide the following values, which are required to connect the appliance to the IdP.

Fully Qualified Domain Name (FQDN)

The Web UI of the appliance, such as the ESA or the DSG, must have an FQDN so that it can be reached from a web browser. While configuring SSO on the IdP, you are required to provide a URL that maps to your application on the IdP. Ensure that the URL specified on the IdP matches the FQDN specified on the appliance Web UI; the IdP posts SAML responses only to that URL, so a mismatch breaks the login. Also ensure that the IP address of your appliance resolves to a reachable domain name.

Entity ID

The entity ID is a unique value that identifies your SAML application on the IdP. This value is assigned or generated on the IdP after you register your SAML enterprise application on it.

The name used for the entity ID might vary between IdPs.

To enter the SP settings:

  1. On the Web UI, navigate to Settings > Users > Single Sign-On > SAML SSO.

  2. Under the SP Settings section, enter the FQDN that is resolved to the IP address of the appliance in the FQDN text box.

  3. Enter the unique value that is assigned to the SAML enterprise application on the IdP in the Entity ID text box.

  4. If you want to allow access to the User Management screen, enable the Access User Management screen option.

    • The User Management screen requires users to provide their local appliance password before performing any operation on it.
    • Enabling this option therefore requires SSO users to remember and provide the password created for them on the appliance.
  5. Click Save.

    The SP settings are configured.

Configuring IdP Settings

After configuring the Service Provider (SP) settings, provide the metadata and select the Unique User Identifier (Name ID).

The metadata is an important parameter in SAML SSO: it is the link between the appliance and the IdP. It is an XML document that contains the IdP's signing keys and certificates, its entity ID, and its single sign-on endpoint URLs. The appliance needs this information to communicate with the IdP and to validate the assertions it receives from it.

The metadata can be provided in either of the following ways:

  • Metadata URL: Provide the URL of the metadata that is retrieved from the IdP.
  • Metadata File: Provide the metadata file that you downloaded from the IdP and stored on your system. If you edit the metadata file, ensure that the information in it is still correct before uploading it to the appliance.

The Unique User Identifier (Name ID) offers two options:

  • Firstname.Lastname: The Name ID sent by the IdP is in the form firstname.lastname.
  • UserPrincipleName: The Name ID sent by the IdP is the user's email address, in the form username@domain.

To enter the metadata settings:

  1. On the Web UI, navigate to Settings > Users > Single Sign-On > SAML SSO.

  2. Click Enable to enable SAML SSO.

  3. If the metadata URL is available, then under the IdP Settings section, select Metadata URL from the Metadata Settings drop-down list. Enter the URL of the metadata.

  4. If the metadata file is downloaded, then under the IdP Settings section, select Metadata File from the Metadata Settings drop-down list. Upload the metadata file.

  5. From the Unique User Identifier (Name ID) drop-down, select Firstname.Lastname or UserPrincipleName as the unique identifier.

  6. If you want to allow access to the User Management screen, enable the Access User Management screen option.

    • The User Management screen requires users to provide their local appliance password before performing any operation on it.
    • Enabling this option therefore requires SSO users to remember and provide the password created for them on the appliance.
  7. Click Save.

    The metadata settings are configured.

    • If you upload a new metadata file over an existing one, the new file replaces the existing one.
    • If you edit the metadata file, ensure that the information in it is still correct before uploading it to the appliance.

1.1 - Workflow of SAML SSO on an Appliance

After entering all the required data, you are ready to log in with SAML SSO. Before explaining the procedure to log in, the general flow of information is illustrated in the following figure.

SAML SSO Workflow

Follow the process below to log in to the appliance. You can also log in to the appliance without SSO by providing valid user credentials.

Process

Follow these steps to log in with SSO:

  1. The user enters the FQDN of the appliance in the Web browser.

    For example, the user enters esa.protegrity.com and clicks Sign in with SAML SSO.

    • Ensure that the user session on the IdP is active.
    • If the session is idle or inactive, a screen to enter the IdP credentials appears.
  2. The appliance generates a SAML authentication request, which the browser forwards to the IdP.

  3. If the user is authenticated and authorized on the IdP, the IdP generates a signed SAML response containing an assertion and returns it to the Web browser.

  4. The browser posts this SAML response to the appliance's Assertion Consumer Service (ACS) URL to authenticate the user.

  5. The appliance receives the response and validates it (signature, issuer, audience, recipient, and validity period). If the response is valid, the user is matched to a local account and the permissions of that user's roles are checked.

  6. Once these checks pass, the Web UI of the appliance appears.
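The following is an added example, not code from Protegrity or from the appliance, of the SP-side checks behind steps 5 and 6 above, together with the Name ID to local-user mapping whose failure modes are listed under Troubleshooting as "Login Failure: Unauthorized to SSO Login". Signature verification is assumed to have been done first by a SAML library; it is out of scope here. The SAML response, the user directory, the role permissions and the SP entity ID are constructed placeholders; the ACS URL is the one from the Azure walkthrough on this page. How the appliance itself maps Name IDs is not documented, so the mapping below is an assumption based on the two identifier formats the page describes.

```python
# Added example (not Protegrity's code): validate an already signature-verified
# SAML Response and authorize the Name ID against a local user store. Stdlib only.
import datetime as dt
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml.ElementTree

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = dt.timedelta(seconds=60)  # tolerance for IdP/SP clock drift

# SP settings as entered on the appliance. The entity ID is a placeholder
# for the Application ID noted on the IdP, the ACS URL is from this page.
ACS_URL = "https://esa.protegrity.com/Management/Login/SSO/SAML/ACS"
SP_ENTITY_ID = "00000000-1111-2222-3333-444444444444"
IDP_ENTITY_ID = "https://idp.example.com/tenant-id/"  # from the uploaded metadata

# Constructed sample response, as posted by the browser to the ACS URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T10:00:05Z" InResponseTo="_req1"
    Destination="https://esa.protegrity.com/Management/Login/SSO/SAML/ACS">
  <saml:Issuer>https://idp.example.com/tenant-id/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:05Z">
    <saml:Issuer>https://idp.example.com/tenant-id/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">sam.smith@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req1" NotOnOrAfter="2024-05-01T10:05:00Z"
            Recipient="https://esa.protegrity.com/Management/Login/SSO/SAML/ACS"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>00000000-1111-2222-3333-444444444444</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def saml_time(value):
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, sp_entity_id, acs_url, idp_entity_id, request_id, now):
    """Step 5. Return (True, name_id) or (False, reason). Only an assertion issued
    by the configured IdP, for this SP, to this ACS, for this login attempt and
    inside its validity window is accepted."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "not a samlp:Response"
    if root.get("Destination") != acs_url:
        return False, "Destination is not this appliance's ACS URL"
    if root.get("InResponseTo") != request_id:
        return False, "InResponseTo does not match an outstanding request (replay or unsolicited)"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "IdP did not report Success"
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return False, "expected exactly one plaintext assertion"
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != idp_entity_id:
        return False, "assertion issuer is not the configured IdP"
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return False, "assertion has no Conditions"
    if now < saml_time(cond.get("NotBefore")) - CLOCK_SKEW or \
       now >= saml_time(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        return False, "assertion is outside its validity window"
    audiences = [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "audience does not include this SP's entity ID"
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != request_id:
        return False, "bearer confirmation does not name this ACS and request"
    if now >= saml_time(scd.get("NotOnOrAfter")) + CLOCK_SKEW:
        return False, "bearer confirmation has expired"
    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    return (True, name_id) if name_id else (False, "assertion has no NameID")


# Constructed stand-in for the appliance's internal LDAP and role permissions.
LOCAL_USERS = {
    "sam.smith": {"upn": "sam.smith@example.com", "roles": ["Security Administrator"]},
    "pat.jones": {"upn": "pat.jones@example.com", "roles": []},
    "lee.kim":   {"upn": "lee.kim@example.com",   "roles": ["Viewer"]},
}
ROLE_PERMISSIONS = {"Security Administrator": {"SSO Login", "Directory Manager"}, "Viewer": set()}


def authorize_sso_user(name_id, identifier_mode, users=LOCAL_USERS, perms=ROLE_PERMISSIONS):
    """Step 6 (assumed mapping): resolve the Name ID to a local user under the
    configured identifier mode and require a role carrying SSO Login."""
    key = name_id.strip().lower()
    if identifier_mode == "UserPrincipleName":
        user = next((u for u, rec in users.items() if rec["upn"].lower() == key), None)
    elif identifier_mode == "Firstname.Lastname":
        user = key if key in users else None
    else:
        raise ValueError("unknown Unique User Identifier mode: %s" % identifier_mode)
    if user is None:
        return False, "Unauthorized to SSO Login: no local user matches the Name ID"
    roles = users[user]["roles"]
    if not roles:
        return False, "Unauthorized to SSO Login: user has no roles"
    if not any("SSO Login" in perms.get(r, set()) for r in roles):
        return False, "Unauthorized to SSO Login: no role grants SSO Login"
    return True, user
```

The InResponseTo check is what ties a response to a login attempt the appliance actually started; without it a captured response could be replayed within its validity window. The identifier-mode check shows why selecting the wrong Unique User Identifier produces the same "Unauthorized" failure as a missing user: an email-form Name ID simply does not match a firstname.lastname account.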

1.2 - Logging on to the Appliance

After configuring the required SSO settings, you can log in to the appliance using SSO. Ensure that the user session on the IdP is active. If the session is idle or inactive, a screen to enter the IdP credentials appears.

To log in to the appliance using SSO:

  1. Open the Web browser and enter the FQDN of the ESA or the DSG in the address bar.

    The following screen appears.

    Login Screen

  2. Click Sign in with SAML SSO.

    The Dashboard of the ESA/DSG appliance appears.

1.3 - Implementing SAML SSO on Azure IdP - An Example

This section provides a step-by-step sample scenario for implementing SAML SSO on the ESA with the Azure IdP.

Prerequisites

  • An ESA is up and running.

  • Ensure that the IP address of the ESA resolves to a reachable FQDN.
    For example, resolve the IP address of the ESA to esa.protegrity.com.

  • On the Azure IdP, perform the following steps to retrieve the entity ID and metadata:

    1. Log in to the Azure Portal.
    2. Navigate to Azure Active Directory.
    3. Select the tenant for your organization.
    4. Add the enterprise application in the Azure IdP.
      Note the value of Application ID for your enterprise application.
      For more information about creating an enterprise application, refer to https://docs.microsoft.com/.
    5. Select Single sign-on > SAML.
    6. Edit the Basic SAML configuration and enter the Reply URL (Assertion Consumer Service URL). The format for this text box is https://<FQDN of the appliance>/Management/Login/SSO/SAML/ACS.
      For example, the value in the Reply URL (Assertion Consumer Service URL) is https://esa.protegrity.com/Management/Login/SSO/SAML/ACS
    7. Under the SAML Signing Certificate section, copy the App Federation Metadata Url or download the Federation Metadata XML file.
  • The users who will use the SAML SSO feature exist in the Azure IdP tenant.

Steps

  1. Log in to the ESA as an administrative user. Add all the users for whom you want to enable SAML SSO, and assign them roles that have the SSO Login permission.

    • For example, import the user Sam from the User Management screen on the ESA Web UI. Assign Sam a Security Administrator role that has the SSO Login permission.

    • Ensure that the user Sam exists in Azure AD.

  2. Navigate to Settings > Users > Single Sign-On > SAML Single Sign-On. In the Service Provider (SP) settings section, enter esa.protegrity.com in the FQDN text box and the Application ID noted on the Azure IdP in the Entity ID text box. Click Save.

  3. If the metadata URL is available, then under the IdP Settings section, select Metadata URL from the Metadata Settings drop-down list. Enter the URL of the metadata.

  4. If the metadata file is downloaded, then under the IdP Settings section, select Metadata File from the Metadata Settings drop-down list. Upload the metadata file.

  5. From the Unique User Identifier (Name ID) drop-down, select one of the following options as the identifier used for user authentication.

    • Firstname.Lastname: A local user with the matching first name and last name must be created manually.
    • UserPrincipleName: The user can be created locally or imported from Azure AD, if the user exists in Azure AD.
  6. Click Save.

  7. Select the Enable option to enable SAML SSO.

  8. If you want to allow access to the User Management screen, enable the Access User Management screen option.

  9. Log out of the ESA.

  10. Open another session on the Web browser and enter the FQDN of ESA. For example, esa.protegrity.com.

    Ensure that the user session on the IdP is active. If the session is idle or inactive, then a screen to enter the IdP credentials will appear.

  11. Click Sign in with SAML SSO.

  12. The browser is redirected to the Azure portal for authentication.

  13. If the Azure user is not logged in, the login dialog appears. Provide the Azure user credentials to log in.

    If multi-factor authentication is enabled, complete the required authentication with the Authenticator application to proceed.

After you log in successfully, the browser is automatically redirected to the ESA Dashboard.

1.4 - Implementing SSO with a Load Balancer Setup

This section describes how to implement SSO when a load balancer is set up in front of the appliances.

Steps to configure SSO in a Load Balancer setup

Consider two ESAs, ESA1 and ESA2, configured behind a load balancer. Perform the following steps to implement SSO:

  1. Add the users to the internal LDAP and assign the SSO Login permission to their roles.
  2. Ensure that the FQDN resolves to the IP address of the load balancer, and that this FQDN is the one entered in the SP settings and registered on the IdP.

Because the SAML SSO settings cannot be exported between appliances (see Feature Limitations), configure the SP and IdP settings on each appliance behind the load balancer.

Logging in with SSO

After configuring the required settings, the user enters the FQDN of the load balancer in the Web browser and clicks Sign in with SAML SSO. On successful authentication, the appliance Dashboard appears.

1.5 - Viewing Logs

You can view the logs that are generated when the SAML SSO mechanism is used. Logs are generated for the following events:

  • Uploading the metadata
  • A user logging in to the ESA or the DSG through SAML SSO
  • Enabling or disabling SAML SSO
  • Configuring the Service Provider and IdP settings

Navigate to Logs > Appliance Logs to view the logs.

You can also view the logs on the Discover screen.

1.6 - Feature Limitations

There are some known limitations of the SAML SSO feature.

  • Exporting the SAML SSO settings with Configuration export to Cluster Tasks, or with Export data configuration to remote appliance, is not supported. The SAML SSO settings include the hostname, so importing them on another appliance would replace that appliance's hostname.
  • After logging in to the appliance, such as the ESA or the DSG, through SAML SSO, a user with the Directory Manager permission can access the User Management screen. A prompt for the user's password appears when a user management operation is performed. Enter the password that was set on the appliance; the password set on the IdP does not apply here.

1.7 - Troubleshooting

This section describes issues that can occur while using the SAML SSO mechanism, and their solutions.

Issue:
  The following message appears while logging in with SSO:
  Login Failure: Unauthorized to SSO Login.

Reason:
  • The username is not present in the internal LDAP.
  • The username has no roles assigned to it.
  • The SSO Login permission is not assigned to the user's role.
  • An incorrect Unique User Identifier is used for authentication.

Solution:
  Ensure that the following points are addressed:
  • The user is imported into the internal LDAP.
  • The role assigned to the user has the SSO Login permission enabled.
  • The correct Unique User Identifier is used for user authentication:
    • Firstname.Lastname: Authentication using the format firstname.lastname.
    • UserPrincipleName: Authentication using the format username@domain.

For more information about configuring user roles, refer to Importing Users and Assigning Role.