Configuring SAML Authentication

To use a trusted SAML identity provider, such as Okta, you must configure methods, chains, and events in Advanced Authentication. The metadata document for a trusted SAML identity provider, with which an SSO defined provider interacts, must be obtained in a provider-specific manner. While not all providers do so, many supply their metadata documents via URL.

Checklist for Configuring SAML Authentication

To configure an external SAML Identity Provider and integrate with it, complete the following steps in the given order:

  1. Configure Single Sign-On and Single Logout with your external SAML identity provider. See Configuring an External SAML Identity Provider.

  2. Integrate with your external SAML identity provider. See Integrating with an External SAML Identity Provider.

Configuring an External SAML Identity Provider

You can configure an external SAML identity provider to use the metadata URL of Advanced Authentication SSO to derive the specific single sign-on and single logout URLs. These URLs include the following:


You can configure any external identity provider. In the following section, Okta is used as the example. To configure Okta as an external identity provider, complete the following steps:

You can access the Signing Certificate, if and when required, from the Server Options page in the left-hand menu of Advanced Authentication.

For more information on Okta configurations, see Okta SAML App Integrations.

To Configure Single Sign-On with Okta:

  1. Log in to Okta and go to SAML Settings.

  2. Enter https://aa.cyberresprod.com/osp/a/<tenant name>/auth/saml2/spassertion_consumer as the Single Sign-On URL.

    You must use this URL for both the Recipient URL and the Destination URL.
  3. Enter https://aa.cyberresprod.com/osp/a/<tenant name>/auth/saml2/metadata as the Audience URL.

  4. For attribute statements, specify Name as username and Value as user.email.

  5. Use the default values for all other fields and follow the on-screen instructions to complete the configuration.

To Configure Single Logout with Okta:

  1. Log in to Advanced Authentication and go to Server Options in the left-hand menu.

  2. Click Signing Certificate to launch a pop-up window.

  3. Copy the content from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" from the text in the pop-up window.

  4. Paste the copied content into a new text file and save. For example, you can save the file as aa_certificate.cert.

  5. Log in to Okta, go to SAML Settings and then click Show Advanced Settings.

  6. Under Enable Single Logout, select the Allow application to initiate Single Logout check box.

    When this check box is selected, if you log out of the application, the system logs you out of Okta and applications that use Okta SSO.
  7. Enter https://aa.cyberresprod.com/osp/a/<tenant name>/auth/saml2/spslo as the Single Logout URL.

  8. Enter https://aa.cyberresprod.com/osp/a/<tenant name>/auth/saml2/metadata as the SP Issuer.

  9. Browse to select the saved aa_certificate.cert as the Signature Certificate and upload.

  10. Follow the on-screen instructions to complete the configuration.

  11. To create and update the latest Identity Provider Metadata file, follow the instructions in step 2 of Integrating with an External SAML Identity Provider.

    Any changes to the Okta Single Sign-On or Single Logout configuration might require the associated Okta metadata file to be re-uploaded to the SAML Service Provider method in Advanced Authentication.
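The two files exchanged in the steps above (the Advanced Authentication signing certificate pasted into aa_certificate.cert, and the Okta identity provider metadata file later uploaded to the SAML Service Provider method) are easy to truncate or mis-paste. The following added example, which is not part of the Advanced Authentication or Okta documentation, checks both before upload: it extracts exactly one PEM certificate block from pasted text, and it reads the entityID, Single Sign-On and Single Logout endpoints and signing certificate from IdP metadata. The sample PEM text and metadata below are constructed, not real Okta output.

```python
import re
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML Signature namespaces.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def extract_pem_certificate(text: str) -> str:
    """Return exactly the BEGIN...END CERTIFICATE block from pasted text (steps 3 and 4)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found in the pasted text")
    return m.group(0).strip()


def check_idp_metadata(xml_text: str) -> dict:
    """Pull out what the SAML Service Provider method relies on from IdP metadata (step 11)."""
    root = ET.fromstring(xml_text)
    sso = root.find(".//md:SingleSignOnService", NS)
    slo = root.find(".//md:SingleLogoutService", NS)
    cert = root.find(".//md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get("Location") if sso is not None else None,
        "slo_url": slo.get("Location") if slo is not None else None,
        # Without a signing certificate, assertion signatures cannot be verified.
        "has_signing_cert": cert is not None and bool((cert.text or "").strip()),
    }


# Constructed sample of a Signing Certificate pop-up, with surrounding UI text.
SAMPLE_PEM_PAGE = """Signing Certificate
-----BEGIN CERTIFICATE-----
MIIBconstructedSampleNotARealCertificate
-----END CERTIFICATE-----
Close"""

# Constructed sample IdP metadata; entityID and Location values are placeholders.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exampleidp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIConstructedSampleCertificate</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

If has_signing_cert is False or either endpoint is missing, re-download the metadata from Okta before uploading it in the SAML Service Provider method.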

Integrating with an External SAML Identity Provider

A user present in the external SAML identity provider solution must also exist in Advanced Authentication to proceed with integration. For more information, see Creating Additional User Accounts.

To integrate an external SAML identity provider:

  1. Log in to the Advanced Authentication service.

  2. To create the method for SAML authentication, complete the following steps:

    1. In the left menu, select Methods.

    2. Select SAML Service Provider.

    3. Click Add.

    4. For Authentication Type, select SAML.

    5. Click the save icon on the right.

    6. Enter a name for the Identity Provider.

    7. Enter username as the Assertion attribute.

      The assertion attribute must match between Advanced Authentication and your trusted SAML provider for the configuration to succeed.
    8. Browse to select the Identity Provider Metadata File.

    9. Click the save icon on the right.

    10. Select Save.

  3. To create a chain of authentication, complete the following steps:

    1. From the left menu, select Chains.

    2. Select New Chain.

    3. For authentication Methods, select SAML Service Provider.

    4. To specify the repository that uses this authentication method, select secops_localusers.

      You must start typing the repository name before you can select it.
    5. Select Save.

  4. To update the authentication event, complete the following steps:

    1. From the left menu, select Events.

    2. Select the <tenant>-FUML event to update.

    3. Deselect current Chains in use.

    4. Select the new chain that you created in Step 3.

    5. Select Save.

  5. To update the Identity provider URL, complete the following steps:

    1. From the left menu, select Policies.

    2. Select Web Authentication.

    3. Select the Identity provider URL as https://aa.cyberresprod.com.

    4. Select Save.