Setting up SAML SSO
Prerequisites
For implementing SAML SSO, ensure that the following prerequisites are met:
- The Service Providers (SPs), such as the ESA or the DSG, are up and running.
- The users are available in the Identity Providers (IdPs), such as AWS, Azure, or GCP.
- The IdP contains a SAML application for your appliance, such as ESA or DSG.
- The users that will leverage the SAML SSO feature are added from the User Management screen.
- The IP addresses of the appliances are resolved to a Fully Qualified Domain Name (FQDN).
Setting up SAML SSO
This section describes different tasks that an administrative user must perform for enabling the SAML SSO feature on the Protegrity appliances.
As part of this process, changes may be required to be performed on a user’s roles and settings for LDAP. For more information, refer to section Adding Users to Internal LDAP and Managing Roles.
Table 1. Setting up SSO
| Order | Platform | Step | Reference |
| --- | --- | --- | --- |
| 1 | Appliance Web UI | Add the users that require SAML SSO. Assign SSO Login permissions to the required user role. Ensure that the passwords for the users are changed after the first login to the appliance. | |
| 2 | Appliance Web UI | Provide the FQDN and entity ID. This is retrieved from the IdP in which a SAML enterprise application is created for the appliance. | Configuring Service Provider (SP) Settings |
| 3 | Appliance Web UI | Provide the metadata and select the Unique User Identifier (Name ID). | Configuring IdP Settings |
Configuring Service Provider (SP) Settings
Before enabling SAML SSO on the appliance, such as ESA or DSG, you must provide the following values that are required to connect the appliance with the IdP.
Fully Qualified Domain Name (FQDN)
The Web UI must have an FQDN so that it can be accessed from a web browser on the appliance, such as ESA or DSG. While configuring SSO on the IdP, you are required to provide a URL that maps your application on the IdP. Ensure that the URL specified in the IdP matches the FQDN specified on the appliance Web UI. Also, ensure that the IP address of your appliance resolves to a reachable domain name.
Entity ID
The entity ID is a unique value that identifies your SAML application on the IdP. This value is assigned/generated on the IdP after registering your SAML enterprise application on it.
The nomenclature of the entity ID might vary between IdPs.
To enter the SP settings:
On the Web UI, navigate to Settings > Users > Single Sign-On > SAML SSO.
Under the SP Settings section, enter the FQDN that is resolved to the IP address of the appliance in the FQDN text box.
Enter the unique value that is assigned to the SAML enterprise application on the IdP in the Entity ID text box.
If you want to allow access to the User Management screen, enable the Access User Management screen option.
- User Management screens require users to provide their local user password while performing any operation on them.
- Enabling this option requires users to remember and provide the password created for the user on the appliance.
Click Save.
The SP settings are configured.
Configuring IdP Settings
After configuring the Service Provider (SP) settings, provide the Metadata and select the Unique User Identifier (Name ID).
The metadata is an important parameter in SAML SSO: it is the link that binds the appliance to the IdP. It is an XML structure that contains information such as keys, certificates, and the entity ID URL. This information is required for communication between the appliance and the IdP.
The metadata can be provided in either of the following ways:
- Metadata URL: Provide the URL of the metadata that is retrieved from the IdP.
- Metadata File: Provide the metadata file that is downloaded from the IdP and stored on your system. If you edit the metadata file, then ensure that the information in the metadata is correct before uploading it on the appliance.
The Unique User Identifier (Name ID) provides two options.
- Firstname.Lastname: Authentication using the firstname.lastname.
- UserPrincipleName: Authentication using the email as username@domain.
To enter the metadata settings:
On the Web UI, navigate to Settings > Users > Single Sign-On > SAML SSO.
Click Enable to enable SAML SSO.
If the metadata URL is available, then under the IdP Settings section, select Metadata URL from the Metadata Settings drop-down list. Enter the URL of the metadata.
If the metadata file is downloaded, then under the IdP Settings section, select Metadata File from the Metadata Settings drop-down list. Upload the metadata file.
From the Unique User Identifier (Name ID) drop-down, select Firstname.Lastname or UserPrincipleName as the unique identifier.
If you want to allow access to the User Management screen, enable the Access User Management screen option.
- User Management screens require users to provide their local user password while performing any operation on them.
- Enabling this option requires users to remember and provide the password created for the user on the appliance.
Click Save.
The metadata settings are configured.
- If you upload a new metadata file over the existing file, the changes are overridden by the new file.
- If you edit the metadata file, then ensure that the information in the metadata is correct before uploading it on the appliance.
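As an added example that is not part of the Protegrity documentation or product, the following Python script checks the values entered in the SP Settings section (FQDN and entity ID), parses an IdP metadata file for the items the section above names (entity ID, single sign-on endpoints, signing certificate, Name ID formats), reports problems that would make an edited file unusable before you upload it, and checks whether a NameID value fits the Firstname.Lastname or UserPrincipleName option. The metadata, the hostnames idp.example.test and esa.example.test, and the certificate bytes are constructed placeholders; the script uses only the standard library.

```python
# Added example (not Protegrity code): sanity-check an IdP metadata file and the
# SP settings before uploading them to the appliance.
import base64
import ipaddress
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder for a DER certificate: only the leading SEQUENCE tag
# (0x30) is realistic; this is not a parsable X.509 certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"\x30\x82\x01\x00constructed-placeholder").decode()

# Constructed sample IdP metadata; the hostname idp.example.test is hypothetical.
SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


@dataclass
class IdpMetadata:
    entity_id: str
    sso_endpoints: dict = field(default_factory=dict)   # binding URN -> Location
    signing_certs: list = field(default_factory=list)   # base64 DER strings
    name_id_formats: list = field(default_factory=list)


def parse_idp_metadata(xml_text: str) -> IdpMetadata:
    """Extract the fields the appliance needs from an IdP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    meta = IdpMetadata(entity_id=root.get("entityID", ""))
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor: this is not IdP metadata")
    for sso in idp.findall("md:SingleSignOnService", NS):
        meta.sso_endpoints[sso.get("Binding", "")] = sso.get("Location", "")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # an absent 'use' means signing too
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            meta.signing_certs.append("".join((cert.text or "").split()))
    meta.name_id_formats = [e.text.strip() for e in idp.findall("md:NameIDFormat", NS) if e.text]
    return meta


def check_sp_settings(fqdn: str, entity_id: str) -> list:
    """Problems with the values typed into the SP Settings section (empty list = OK)."""
    problems = []
    try:
        ipaddress.ip_address(fqdn)
        problems.append("FQDN is an IP address; the appliance needs a resolvable domain name")
    except ValueError:
        if not re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}", fqdn.lower()):
            problems.append(f"'{fqdn}' is not a fully qualified domain name")
    if not entity_id.strip():
        problems.append("Entity ID is empty; copy it from the SAML application on the IdP")
    return problems


def check_idp_metadata(meta: IdpMetadata) -> list:
    """Problems that would make the metadata unusable (empty list = OK)."""
    problems = []
    if not urlparse(meta.entity_id).scheme:
        problems.append("entityID is missing or not an absolute URI")
    if not meta.sso_endpoints:
        problems.append("no SingleSignOnService endpoint")
    for binding, loc in meta.sso_endpoints.items():
        if urlparse(loc).scheme != "https":
            problems.append(f"SSO endpoint for {binding} is not https: {loc}")
    if not meta.signing_certs:
        problems.append("no signing certificate; assertion signatures cannot be verified")
    for cert in meta.signing_certs:
        try:
            der = base64.b64decode(cert, validate=True)
        except ValueError:          # binascii.Error is a ValueError
            problems.append("signing certificate is not valid base64")
            continue
        if not der or der[0] != 0x30:   # a DER certificate starts with a SEQUENCE tag
            problems.append("signing certificate is not DER-encoded (edited by hand?)")
    return problems


_NAME_ID_PATTERNS = {
    "Firstname.Lastname": re.compile(r"^[A-Za-z][A-Za-z'-]*\.[A-Za-z][A-Za-z'-]*$"),
    "UserPrincipleName": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),   # username@domain
}


def name_id_matches(option: str, value: str) -> bool:
    """Does the NameID the IdP sends fit the Unique User Identifier option chosen?"""
    return bool(_NAME_ID_PATTERNS[option].match(value))


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print(meta.entity_id, meta.sso_endpoints, check_idp_metadata(meta))
    print(check_sp_settings("esa.example.test", "https://esa.example.test/saml/sp"))
```

Run it against the metadata file downloaded from your IdP by replacing SAMPLE_IDP_METADATA with the file contents; an empty problem list from check_idp_metadata means the entity ID, endpoints and signing certificate the appliance depends on are all present and intact. The certificate check only confirms that the value is base64-encoded DER, which is enough to catch a hand-edited or truncated certificate but is not a full X.509 validation.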