Index | Prev | Next

About the SAML IdP Service

As of Niagara 4.9, there is added support for the SAML IdP Service. Setting up this service on your Supervisor station allows you to take advantage of SAML functionality without having to set up an external Identity Provider (IdP). Installing and configuring the service allows you to set up an internal IdP that works with the SAML Authentication Scheme.

The samlDP feature license is required to run the SAMLIdPService.

Within the service is the Circle of Trust (COT) component. Once configuration is complete, the COT lists the collection of subordinate stations and the collection of users that are allowed to log in to those stations. For example, if a Supervisor that is connected to 100+ stations is using SAML authentication for just a few of them, you can group those few stations together within a Circle of Trust.

You can configure the service with multiple Circle of Trust components.

Additionally, you can add a remote station that is not in the NiagaraNetwork to any Circle of Trust, or specify other authentication schemes or other user prototypes that may be used when logging in.

Users not included in a Circle of Trust cannot log in to the station(s) specified in that COT. Such attempts to log in are rejected by the IdP.

 CAUTION: Any user that has admin access to the SAMLIdPService can see the following sensitive information for all stations in the NiagaraNetwork:
  • A list of all users (usernames only) in the stations
  • A list of all stations (station names and hostname only)
  • A list of all authentication schemes (scheme name only)
This is true regardless of the permissions that user has on those components. For security purposes, when adding the SAMLIdPService to a station take special care to place it in appropriate categories. Additionally, any user with admin write permissions on the SAMLIdPService can effectively control who logs in to all stations in the NiagaraNetwork, and with what permissions (to the extent allowed by the remote station for remote users). The recommended security best practice is that you treat this as a very sensitive role, assigning it only to highly trusted users who manage authentication. 

A provisoning job that is run on the Supervisor simplifies configuring subordinate stations to use SAML IdP as well.

Related Links

  • Preliminary steps
  • Basic workflow for setting up the service
  • Setting up the SAML IdP Service
  • Configuring subordinate stations for SAML IdP Service and Scheme
  • Single Sign On (Parent Topic)

    • Related References

  • SAML Authentication Scheme (saml-SAMLAuthenticationScheme)
  • S A M L Attribute Mapper (saml-SAMLAttributeMapper)
  • SecurityService (nss-SecurityService)
  • Security Dashboard View (nss-SecurityDashboardView)

    • Index | Prev | Next