Configuring SAML SSO

Steps to configure SAML SSO using the CLI

SAML SSO enables users to authenticate using enterprise‑managed credentials instead of maintaining separate application passwords.

This section describes how to configure SAML Single Sign‑On (SSO) using an external Identity Provider (IdP) in cloud environments such as Entra ID, AWS, and Google Cloud Platform (GCP).

Setting up SAML SSO using the CLI

This section describes how to configure SAML SSO using the PPC CLI.

Prerequisites

Before you begin, ensure the following prerequisites are met:

  • Access to an IdP.
  • Administrative privileges to configure SAML settings in the IdP.
  • The SAML metadata URL of the IdP (copy it from the IdP administration interface).
  • Users and groups already created in the IdP.
  • Administrative access to the PPC CLI.

The same setup flow applies across Entra ID, AWS, and GCP, with differences limited to the IdP administration interface.

Setting up SAML SSO on Entra ID IdP - An Example

To configure SAML SSO on PPC using Entra ID IdP, perform the following steps:

  1. Log in to the PPC CLI.

  2. Create a SAML provider from the IdP metadata URL using the following command.

    admin create saml-providers \
    --alias <saml-provider-alias> \
    --display-name "<saml-provider-display-name>" \
    --config-type metadataUrl \
    --service-provider-entity-id "https://<service-provider-entity-id>" \
    --metadata-url "https://<idp-metadata-url>"
    

    Uploading a metadata file is not supported. --metadata-url must be used.

    The key parameters are listed below.

  • --alias: Unique identifier for the SAML provider.

  • --display-name: Name shown on the login page.

  • --config-type: Must be metadataUrl.

  • --service-provider-entity-id: Entity ID expected by the IdP.

  • --metadata-url: URL from which SAML metadata is fetched.

    After successful execution, the following message displays.

    SAML provider '<saml-provider-alias>' created successfully!
    
  3. Verify that the SAML provider was created successfully using the following command.

    admin list saml-providers
    

    A list of configured SAML providers appears.

  4. Retrieve the SAML provider details to obtain the Redirect URI using the following command.

    admin get saml-providers <saml-provider-alias>
    

    Note the Redirect URI from the displayed information.

  5. Update the SAML configuration in the Entra ID IdP.

    To update the SAML configuration in the IdP, perform the following steps:

    1. Log in to the Entra ID IdP.
    2. Navigate to Enterprise applications, and select the application.
    3. In the Basic SAML Configuration, enter the Redirect URI noted in the previous step.
  6. In the PPC CLI, create the Entra ID configuration using the following command.

    admin create entra-id --tenant-id "<tenant-id>" --client-id "<client-id>" --client-secret "<client-secret>"
    

    After successful execution, the following message displays.

    Entra ID configuration '<tenant-id>' created successfully!
    

    This confirms that trust is established between the IdP and the appliance.

  7. Import the user from the Entra ID IdP using the following command.

    admin create entra-id-import-users --json '{
      "users": [
          {
              "userPrincipalName": "john.doe@company.com",
              "email": "john.doe@company.com",
              "firstName": "John",
              "lastName": "Doe",
              "roles": ["security_administrator"],
              "identityProviders": ["Entra ID-IDP"],
              "password": "Password@123"
          }
      ]
    }'
    

    After successful execution, the following message displays.

    Successfully imported 1 user(s)
    
  8. Verify that the user was imported using the following command.

    admin list users
    

    A list of all available users is displayed, including the imported user. Note the USER_ID.

  9. To get detailed information about a user, run the following command.

    admin get users USER_ID
    

    The user details are displayed. The user type attribute is external, indicating that the user was imported from an external IdP.

  10. Open a web browser and enter the FQDN of the PPC. The login page is displayed.

  11. Click Sign in with SAML SSO.

  12. The browser is redirected to the IdP portal for authentication. If the user is not already signed in, the login dialog appears; enter the user credentials.

  13. After successful login, the browser automatically redirects to the PPC Dashboard.

SAML SSO is now configured. Users can authenticate using enterprise‑managed credentials and are granted access based on the roles assigned in the PPC.
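The following script is an added example and is not part of the PPC documentation or the PPC CLI itself. It wraps the documented admin create saml-providers call so that the inputs are checked before the command runs: the alias must be a plain token, and both the service provider entity ID and the metadata URL must use https, because the SP fetches the IdP signing certificate from the metadata URL and a plaintext fetch could be tampered with on the path. It assumes the admin CLI is on PATH, uses a PPC_DRY_RUN=1 mode (an assumption of this script, not a CLI flag) that prints the command instead of executing it, and uses constructed example.com values in the demo.

```shell
#!/bin/sh
# Added example, not PPC's own code. Assumptions: "admin" is on PATH;
# PPC_DRY_RUN=1 prints the assembled command instead of running it.

# Only an https:// URL is accepted for the SP entity ID and the metadata URL.
require_https_url() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "error: expected an https:// URL, got: $1" >&2; return 1 ;;
  esac
}

# The alias is used as a key in later commands, so keep it to a plain token.
require_alias() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*)
      echo "error: alias must be non-empty and use only [A-Za-z0-9._-]: '$1'" >&2
      return 1 ;;
    *) return 0 ;;
  esac
}

# Build the documented command from validated inputs.
create_saml_provider() {
  alias_="$1"; display_name="$2"; sp_entity_id="$3"; metadata_url="$4"
  require_alias "$alias_" || return 1
  require_https_url "$sp_entity_id" || return 1
  require_https_url "$metadata_url" || return 1
  if [ "${PPC_DRY_RUN:-0}" = 1 ]; then
    printf 'admin create saml-providers --alias %s --display-name "%s" --config-type metadataUrl --service-provider-entity-id "%s" --metadata-url "%s"\n' \
      "$alias_" "$display_name" "$sp_entity_id" "$metadata_url"
  else
    admin create saml-providers \
      --alias "$alias_" \
      --display-name "$display_name" \
      --config-type metadataUrl \
      --service-provider-entity-id "$sp_entity_id" \
      --metadata-url "$metadata_url"
  fi
}

# Post-check matching the documented verification step: the alias must be
# listed by "admin list saml-providers". Only meaningful outside dry-run mode.
verify_saml_provider_listed() {
  admin list saml-providers | grep -F -- "$1" >/dev/null
}

# Demo with constructed example.com values: ./configure_saml.sh --demo
if [ "${1:-}" = "--demo" ]; then
  export PPC_DRY_RUN=1
  create_saml_provider entra-idp "Entra ID" \
    "https://ppc.example.com/saml/metadata" \
    "https://idp.example.com/saml/metadata.xml"
fi
```

Run it with --demo to see the assembled command without touching the appliance; unset PPC_DRY_RUN to execute it for real. A metadata URL given as http:// is rejected before anything is sent to the CLI.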

Creating users for AWS and GCP

This section describes environments where users are created locally using the Admin CLI, rather than being imported from an external IdP. This procedure is applicable to AWS and GCP deployments where SAML SSO is enabled but users are created using the CLI.

Creating local users for AWS and GCP using the CLI

In AWS and GCP environments, administrators can create users directly using the Admin CLI. These users authenticate through the configured SAML provider, while credentials, roles, and access control are managed locally.

To create the users for AWS and GCP using the CLI, perform the following steps:

  1. Configure the SAML provider using the CLI.

  2. Create a local user, set a password, and assign one or more roles that define the user's access permissions, using the following command.

    admin create users \
    --username john.doe \
    --email john.doe@example.com \
    --first-name John \
    --last-name Doe \
    --password StrongPassword123! \
    --roles admin
    

    Here,

    • The --password parameter sets the initial login password.
    • The --roles parameter assigns one or more roles that control user permissions.
  3. The user authenticates via the SAML IdP and is authorized based on locally assigned roles.

  4. To update the roles, run the following command:

    admin set users USER_ID --roles admin,operator
    
  5. To update an existing user's password, run the following command:

    admin set update_password USER_ID \
    --old-password OldPassword123! \
    --new-password NewPassword123!
    
  6. To unlock an account, run the following command:

    admin set unlock_user USER_ID --password NewPassword123!
    

Note: In this process, users are not imported from AWS IAM or GCP IAM. Identity authentication is handled through the SAML provider, while user records, passwords, and role assignments are managed locally through the CLI.
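The script below is an added example for the local-user procedure above and is not PPC tooling. It generates the initial password from the kernel CSPRNG instead of hard-coding a value like the StrongPassword123! placeholder, checks the e-mail address and the requested roles before calling the documented admin create users and admin set users commands, and never echoes the password in its dry-run output so it does not end up in shell history or logs. Assumptions: the admin CLI is on PATH; PPC_DRY_RUN=1 is this script's own dry-run switch, not a CLI flag; the role allow-list contains only the role names this page shows (admin, operator, security_administrator) and is illustrative, not PPC's actual role catalogue.

```shell
#!/bin/sh
# Added example, not PPC's own code. Assumptions: "admin" is on PATH;
# PPC_DRY_RUN=1 prints commands instead of running them; ALLOWED_ROLES is an
# illustrative allow-list built from the role names on this page.
ALLOWED_ROLES="admin operator security_administrator"

# 24 random characters from /dev/urandom for the initial password.
generate_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#%+=_' </dev/urandom | head -c 24
  echo
}

# Accept a comma-separated role list only if every entry is allow-listed.
validate_roles() {
  [ -n "$1" ] || { echo "error: at least one role is required" >&2; return 1; }
  for role in $(printf '%s' "$1" | tr ',' ' '); do
    case " $ALLOWED_ROLES " in
      *" $role "*) ;;
      *) echo "error: unknown role '$role'" >&2; return 1 ;;
    esac
  done
}

# Minimal e-mail sanity check: exactly one "@" with text on both sides.
validate_email() {
  case "$1" in
    ''|*@*@*|@*|*@) echo "error: invalid e-mail '$1'" >&2; return 1 ;;
    *@*) return 0 ;;
    *) echo "error: invalid e-mail '$1'" >&2; return 1 ;;
  esac
}

# Documented "admin create users" call, after validation.
create_local_user() {
  username="$1"; email="$2"; first="$3"; last="$4"; roles="$5"; password="$6"
  validate_email "$email" || return 1
  validate_roles "$roles" || return 1
  if [ "${PPC_DRY_RUN:-0}" = 1 ]; then
    # The password is deliberately redacted in the printed command.
    printf 'admin create users --username %s --email %s --first-name %s --last-name %s --password <redacted> --roles %s\n' \
      "$username" "$email" "$first" "$last" "$roles"
  else
    admin create users --username "$username" --email "$email" \
      --first-name "$first" --last-name "$last" \
      --password "$password" --roles "$roles"
  fi
}

# Documented "admin set users ... --roles" call, with the same allow-list check.
update_user_roles() {
  validate_roles "$2" || return 1
  if [ "${PPC_DRY_RUN:-0}" = 1 ]; then
    printf 'admin set users %s --roles %s\n' "$1" "$2"
  else
    admin set users "$1" --roles "$2"
  fi
}

# Demo with constructed values: ./create_local_user.sh --demo
if [ "${1:-}" = "--demo" ]; then
  export PPC_DRY_RUN=1
  pw=$(generate_password)
  create_local_user john.doe john.doe@example.com John Doe admin,operator "$pw"
  update_user_roles USER_ID admin,operator
fi
```

The generated password should be handed to the user out of band and changed on first login with admin set update_password, as described above; the script itself never writes it anywhere except into the CLI argument.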

Understanding SAML Mappers

SAML mappers define how attributes received from the SAML Identity Provider (IdP) are mapped to local user attributes, roles, or groups during authentication.

SAML mappers are configured per SAML provider and allow administrators to control how identity data is interpreted and applied within the system.

Why SAML Mappers Are Required

SAML assertions typically contain user attributes such as email, username, group membership, or role indicators. SAML mappers translate these attributes into:

  • Local usernames
  • User attributes
  • Role assignments
  • Group memberships

Without SAML mappers, users may authenticate successfully but will not be assigned the correct access permissions.

Note: SAML mappers are evaluated during user authentication. Ensure that the IdP sends the required attributes and that mapper definitions align with the IdP’s SAML assertion format.
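The following script is an added illustration of the mapper logic this section describes; it is not the PPC mapper configuration syntax, which this page does not show. It takes a constructed set of already-parsed assertion attributes as name=value lines, derives the local username from the email attribute, maps IdP group values to local roles through an assumed lookup table, and shows the failure mode named above: a user whose groups match nothing authenticates but ends up with no roles and is therefore denied. The group names and the mapping table are assumptions made for the example.

```shell
#!/bin/sh
# Added illustration, not PPC's mapper syntax. Input is a constructed list of
# assertion attributes as "name=value" lines (group names assumed to contain
# no whitespace).

# Constructed sample of what an IdP might send for one user.
SAMPLE_ATTRS='email=jane.roe@company.com
groups=PPC-SecurityAdmins
groups=Everyone'

# Assumed mapping table: IdP group -> local role. Unlisted groups map to
# nothing, so an unexpected group value never grants access by itself.
map_group_to_role() {
  case "$1" in
    PPC-SecurityAdmins) echo security_administrator ;;
    PPC-Operators)      echo operator ;;
    *)                  ;;
  esac
}

# Local username comes from the "email" attribute; empty if the IdP omitted it.
username_from_attrs() {
  printf '%s\n' "$1" | sed -n 's/^email=//p' | head -n 1
}

# Collect a role for every "groups=" value; prints a comma-separated list.
roles_from_attrs() {
  roles=""
  for g in $(printf '%s\n' "$1" | sed -n 's/^groups=//p'); do
    r=$(map_group_to_role "$g")
    [ -n "$r" ] && roles="${roles:+$roles,}$r"
  done
  printf '%s\n' "$roles"
}

# Authorization outcome after a successful authentication. No username or no
# mapped role means deny: authenticated is not the same as authorized.
evaluate_login() {
  u=$(username_from_attrs "$1")
  r=$(roles_from_attrs "$1")
  if [ -z "$u" ]; then echo "deny: no username attribute"; return 1; fi
  if [ -z "$r" ]; then echo "deny: $u authenticated but no role mapped"; return 1; fi
  echo "allow: $u roles=$r"
}

# Demo: ./mapper_demo.sh --demo
if [ "${1:-}" = "--demo" ]; then
  evaluate_login "$SAMPLE_ATTRS"
  evaluate_login 'email=bob@company.com
groups=Everyone' || true
fi
```

When checking a real deployment, compare the attribute names and group values the IdP actually sends (visible in the SAML assertion) with the mapper definitions, since a mismatch produces exactly the silent "authenticated but no roles" case the script reports.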


Last modified: April 06, 2026