Setting up SAML SSO

Prerequisites

Before implementing SAML SSO, ensure that the following prerequisites are met:

  • The SPs, such as the ESA or the DSG, are up and running.
  • The users are available in the IdP, such as AWS, Azure, or GCP.
  • The IdP contains a SAML application for your appliance.
  • The users that will use the SAML SSO feature are added to the appliance from the User Management screen.
  • The IP addresses of the appliances resolve to a Fully Qualified Domain Name (FQDN).

Setting up SAML SSO

This section describes the tasks that an administrative user must perform to enable the SAML SSO feature on the Protegrity appliances.

As part of this process, you may need to change a user's roles and LDAP settings. For more information, refer to the sections Adding Users to Internal LDAP and Managing Roles in the Protegrity Appliances Overview Guide.

Table 1. Setting up SSO

Order | Platform | Step | Reference
1 | Appliance Web UI | Add the users that require SAML SSO. Assign the SSO Login permission to the required user role. Ensure that the users change their passwords after their first login to the appliance. | Adding Users; Adding Roles
2 | Appliance Web UI | Provide the FQDN and the entity ID. The entity ID is retrieved from the IdP in which a SAML enterprise application is created for your appliance. | Configuring Service Provider (SP) Settings
3 | Appliance Web UI | Provide the metadata information that is generated on the IdP. | Configuring IdP Settings

Configuring Service Provider (SP) Settings

Before enabling SAML SSO on the appliance, you must provide the following values, which are required to connect the appliance to the IdP.

Fully Qualified Domain Name (FQDN)

The appliance Web UI must have an FQDN so that it can be accessed from a web browser. While configuring SSO on the IdP, you are required to provide a URL that maps to your application on the IdP. Ensure that the URL specified in the IdP matches the FQDN specified on the appliance Web UI. Also, ensure that the IP address of your appliance resolves to a reachable domain name.

Entity ID

The entity ID is a unique value that identifies your SAML application on the IdP. This value is assigned or generated on the IdP after you register your SAML enterprise application on it.

The name used for the entity ID might vary between IdPs.

To enter the SP settings:

  1. On the appliance Web UI, navigate to Settings > Users > Single Sign-On > SAML SSO.

  2. Under the SP Settings section, enter the FQDN that is resolved to the IP address of the appliance in the FQDN text box.

  3. Enter the unique value that is assigned to the SAML enterprise application on the IdP in the Entity ID text box.

  4. If you want to allow access to the User Management screen, enable the Access User Management screen option.

    • The User Management screens require users to provide their local user password when performing any operation on them.
    • Enabling this option requires users to remember and provide the password created for them on the appliance.
  5. Click Save.

    The SP settings are configured.

Configuring IdP Settings

After configuring the SP settings, you provide the IdP metadata, which is the link between the appliance and the IdP. The metadata is an XML structure that contains information such as keys, certificates, and the entity ID URL. This information is required for communication between the appliance and the IdP. The metadata can be provided in either of the following ways:

  • Metadata URL: Provide the URL from which the metadata is retrieved from the IdP.
  • Metadata File: Provide the metadata file that you downloaded from the IdP and stored on your system. If you edit the metadata file, ensure that the information in it is correct before uploading it to the appliance.

To enter the metadata settings:

  1. On the appliance Web UI, navigate to Settings > Users > Single Sign-On > SAML SSO.

  2. Click Enable to enable SAML SSO.

  3. If the metadata URL is available, then under the IdP Settings section, select Metadata URL from the Metadata Settings drop-down list and enter the URL of the metadata.

  4. If you downloaded the metadata file, then under the IdP Settings section, select Metadata File from the Metadata Settings drop-down list and upload the metadata file.

  5. If you want to allow access to the User Management screen, enable the Access User Management screen option.

    • The User Management screens require users to provide their local user password when performing any operation on them.
    • Enabling this option requires users to remember and provide the password created for them on the appliance.
  6. Click Save.

    The metadata settings are configured.

    • If you upload a new metadata file over the existing file, the existing settings are overridden by the new file.
    • If you edit the metadata file, ensure that the information in it is correct before uploading it to the appliance.