Adding a SAML Application

You can add third-party identity providers (IdP), such as Okta, Azure, OneLogin, and ADFS, so that users can be authenticated. SAML metadata is used to share configuration information between the IdP and the Service Provider (SP). Metadata for the IdP and the SP is defined in XML files as follows:

• The IdP metadata XML file contains the IdP certificate, the entity ID, the redirect URL, and the logout URL. For an example, see saml_idp_metadata.xml.

• The SP metadata XML file contains the SP certificate, the entity ID, the Assertion Consumer Service URL (ACS URL), and a log out URL (SingleLogoutService). For an example, see saml_sp_metadata.xml.

You can also configure multi-factor authentication (MFA) in the IdPs to authenticate the users to access the Web Console or Command Center.

Before using SAML to log on to the Web Console , Command Center, or CommCell Console, metadata from the IdP must be uploaded in SP and metadata from the SP must be generated. After the SP metadata is generated, it must be securely shared with the IdP. Contact the IdP for instructions on sharing the SP metadata.

Before You Begin

• Create or get an IdP metadata XML file using the SAML protocol. For SAML metadata specifications, go to the Oasis website, Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0.

  For an example, see saml_idp_metadata.xml.

• You can upload a key store file that you create, or you can automatically generate the key when you add the SAML application. If you want to upload a key store file, create the keystore file. For information on keystore files, see Creating Certificates for SAML Integration.

• Review the IdP response to determine the value sent in the NameID element. The expected value is either an email address or a user principal name (UPN).

• If you need to create a SAML app for a specific company, in the upper-right corner of the page, from the Select a company list, select the company that you want to create the SAML app for.

Procedure

1. From the navigation pane, go to Manage > Security.

   The Security page appears.

2. Click the Identity servers tile.

   The Identity servers page appears.

3. In the upper-right corner of the page, click Add > SAML.

   The Add SAML app page appears.

4. On the General tab, in the Name box, enter the domain name that you want to associate users with.

   Note

   • The SAML application is created using the domain name.

   • For SAML user groups mapping to function correctly, the name that you enter here must be the same as your Command Center Tenant Name.

5. Click Next.

6. On the Identity provider metadata tab, in the Upload IDP metadata box, browse to the XML file that contains the IdP metadata, and then click Open.

   The Entity ID and the Redirect URL from the file are displayed.

7. Click Next.

8. On the Service provider metadata tab, review the value in the Service provider endpoint box.

   This value is automatically generated and is used in the SP metadata file. The format of the value is https://mycompany:443/webconsole.

9. To digitally sign the SAML message, either automatically generate the key or upload a key store file:

   • To automatically generate the key, move the Auto generate key for digital signing of SAML messages toggle key to the right.

   • If you manually created a key store file, do the following:

     1. Move the Auto generate key for digital signing of SAML messages toggle key to the left.

     2. Next to the Select key store file box, click Browse.

     3. Browse to the location of the keystore file, for example, C:\security\mykeystore.jks, select the file, and then click Open.

     4. In the Alias name, Key Store Password, and Key Password boxes, enter the keystore file values.

10. Click Next.

11. On the Associations tab, identify the users who can log on using SAML:

    • To identify users by their email addresses, in the Email suffixes box enter an email suffix, and then click Add.

      Note

      You must use an email suffix as specified in the SAML integration settings to avoid integration issues.

      If you face SAML integration issues, use a break glass account. The break glass account must be on different domain than that of the current domain.

    • To identify users by the companies they are associated with, from the Companies list, select a company, and then click Add.

    • To identify users by the domains they are associated with, from the Domains list, select a domain, and then click Add.

    • To identify users by the user groups they are in, from the User groups list, select a user group, and then click Add.

      Note

      • If you migrate from an Exchange On-premises server to an Exchange Online server, you must add the appropriate domain and user group.

      • You can add any combination of associations, and you can add multiple associations in each category.

12. Click Next.

    The Connectivity Test screen appears.

13. To add the SAML app in the IdP and test the connection:

    Note

    You can skip this step and click Finish to add the SAML app in the IdP, later. Further, you can test the connection on the SAML app page in the General section.

    1. On the Connectivity Test screen copy the (Single Sign-On) SSO URL or download the SP metadata.

    2. In a separate browser window:

       1. Using the SSO URL and the SP metadata, create a SAML app in the IdP website.

       2. In the SAML app that is created in the IdP, update the SSO URL or upload the SP metadata.

          Note

          Some IdPs such as OKTA require you to update the SSO URL, while other IdPs such as Azure require you to upload the SP metadata.

       3. Sign out of any existing IdP sessions in your browser window.

    3. On the Connectivity Test screen:

       1. Click Test login.

          A browser window appears.

       2. Enter the email and password for a user to test the SAML login.

       3. Close the browser window.

          After the test login is successful, the SAML app will be enabled in the Command Center.

14. Click Finish.

    The SAML app screen appears.

15. On the General tab, in the General section, next to the NameID attribute, click the Edit button .

16. From the NameID attribute list, based on the attributes in the IdP response, select either Email or User Principal Name.

17. Click Submit.

What to Do Next

If you did not create the SAML application in your IdP, then create a SAML application using the downloaded SP metadata or the copied SSO URL.