Configuring the SAML Authentication Scheme

SAML SSO is enabled by adding a SAML Authentication Scheme to the station. The scheme must be configured for a particular IdP (Identity Provider). You will need to obtain several items of configuration metadata from your IdP and use them to configure the scheme. You will also need to provide the IdP with your station's SP metadata. These SAML metadata are used to share configuration information between the IdP and the SP (for more details, refer to the Prerequisites section in this topic). XML files define the metadata. Once the SAML authentication scheme is properly configured, the station is able to exchange SAML authentication messages with the IdP.
Prerequisites:
  • You have the saml palette open.
  • You have already obtained the necessary IdP configuration metadata required for authentication. Typically, the IdP SAML Server administrator provides these values. The configuration metadata, which may be provided in an XML file, are as follows:
    • HTTP-Redirect URL (corresponds to IdP Host URL, IdP Host Port, and IdP Login Path properties)
    • IdP Cert
    Since SAML is an open standard, a number of third-party SAML Servers are available (for example, OpenAM or Salesforce).
  • You have provided the IdP SAML server administrator with an XML file containing your station's SP metadata and SAML public certificate. The SP metadata typically include the SP "Entity ID" and the "Assertion Consumer Service". The IdP needs these metadata to uniquely identify the SP and to validate the messages sent by the station. The Entity ID is a unique name that you choose as an SP, usually a URL. For example, the Entity ID is typically something like https://controller.domain.com:portNumber/saml, where you would use your controller's hostname. A port number is required. The "Assertion Consumer Service" would be another URL, for example https://controller.domain.com:portNumber/saml/assertionConsumerService, again using your controller's hostname. Once you have generated your SP metadata, save it in XML format and share the file with the IdP SAML server administrator.
  • You have already created an Alternate Default Prototype for SAML authentication using the UserPrototype component in the baja palette. This UserPrototype is required for SAML authentication.
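The two metadata files exchanged in the prerequisites above (the IdP metadata you receive, and the SP metadata you hand back) are plain SAML 2.0 metadata XML. The following Python script is an added example, not part of this documentation or of the station software: it reads a constructed sample of IdP metadata and pulls out the HTTP-Redirect SSO endpoint (split into host, port and login path, matching the IdP Host URL, IdP Host Port and IdP Login Path properties) and the IdP signing certificate, then builds and sanity-checks SP metadata carrying the Entity ID, Assertion Consumer Service URL and the station's public certificate. All hostnames, paths and certificate bodies are placeholders, and the check that the Entity ID carries an explicit port reflects the requirement stated above; whether the IdP Host URL property wants the bare host name is an assumption to confirm against the Property Sheet.

```python
"""Added example: parse IdP SAML metadata and build/check SP metadata (hypothetical helper)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NS = {"md": MD, "ds": DS}

# Constructed sample IdP metadata; host names, paths and the certificate are placeholders.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.com/openam">
  <md:IDPSSODescriptor protocolSupportEnumeration="{PROTO}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...IDP-CERT-PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}"
        Location="https://idp.example.com:8443/openam/SSOPOST/metaAlias/idp"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://idp.example.com:8443/openam/SSORedirect/metaAlias/idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return the values the scheme's IdP properties need, taken from IdP metadata."""
    root = ET.fromstring(xml_text)
    # The scheme's host/port/path properties correspond to the HTTP-Redirect SSO endpoint.
    sso = root.find(f"md:IDPSSODescriptor/md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    if sso is None:
        raise ValueError("IdP metadata has no HTTP-Redirect SingleSignOnService")
    url = urlsplit(sso.get("Location", ""))
    if url.scheme != "https" or not url.hostname:
        raise ValueError(f"unexpected IdP SSO location: {sso.get('Location')}")
    cert = None
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means signing and encryption
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            break
    if cert is None or not (cert.text or "").strip():
        raise ValueError("IdP metadata has no signing certificate")
    return {
        # Assumption: the IdP Host URL property takes the host name; confirm on the Property Sheet.
        "idp_host_url": url.hostname,
        "idp_host_port": url.port or 443,  # https default when the URL has no explicit port
        "idp_login_path": url.path,
        "idp_cert": "".join(cert.text.split()),  # drop the line wrapping of the base64 body
    }


def build_sp_metadata(controller_host, port, sp_cert_b64):
    """Produce SP metadata naming the Entity ID, ACS URL and the station's public certificate."""
    entity_id = f"https://{controller_host}:{port}/saml"
    acs_url = f"{entity_id}/assertionConsumerService"
    ET.register_namespace("md", MD)
    ET.register_namespace("ds", DS)
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor", AuthnRequestsSigned="true",
                       WantAssertionsSigned="true", protocolSupportEnumeration=PROTO)
    # The station uses one certificate both to sign outbound messages and to decrypt
    # inbound ones, so the public half is published for both uses.
    for use in ("signing", "encryption"):
        kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", use=use)
        x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = sp_cert_b64
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", Binding=POST,
                  Location=acs_url, index="0", isDefault="true")
    return ET.tostring(ed, encoding="unicode")


def check_sp_metadata(xml_text):
    """Sanity-check an SP metadata file before sending it to the IdP administrator."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    problems = []
    eid = urlsplit(entity_id)
    if eid.scheme != "https" or eid.port is None:
        problems.append("Entity ID must be an https URL with an explicit port number")
    acs = root.find(f"md:SPSSODescriptor/md:AssertionConsumerService[@Binding='{POST}']", NS)
    if acs is None:
        problems.append("no HTTP-POST AssertionConsumerService")
    certs = root.findall("md:SPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data"
                         "/ds:X509Certificate", NS)
    if not certs:
        problems.append("no public certificate for the IdP to validate the station's signatures")
    return {"entity_id": entity_id,
            "acs_url": acs.get("Location") if acs is not None else None,
            "cert_count": len(certs), "problems": problems}


if __name__ == "__main__":
    print(parse_idp_metadata(SAMPLE_IDP_METADATA))
    sp_xml = build_sp_metadata("controller.domain.com", 8443, "MIIC...SP-CERT-PLACEHOLDER...")
    print(sp_xml)
    print(check_sp_metadata(sp_xml))
```

Save the output of build_sp_metadata to an .xml file for the IdP administrator; the parse result gives you the values to type into the scheme's IdP properties in the steps below.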
Perform the following steps:
  1. In the Nav tree, expand the station’s Config > Services > AuthenticationService node and drag the SAMLAuthenticationScheme component from the saml palette onto the AuthenticationSchemes folder.
  2. In the Name window, enter a name (or use the default text) and click OK.
  3. Expand AuthenticationSchemes and double-click on the SAMLAuthenticationScheme to open a Property Sheet view.
    [Image: the SAML Authentication Scheme Property Sheet. Shown here is an example of the SAML Authentication Scheme configured for the third-party OpenAM IdP.]

  4. Enter values for the following properties:
    1. For Login Button Text enter the preferred text label for the SSO login button that appears on the Login window.
    2. For IdP Host URL enter the host of your Identity Provider (obtained from IdP admin).
    3. For IdP Host Port enter the port number of your Identity Provider (obtained from IdP admin).
    4. For IdP Login Path enter the location on the Identity Provider to which you must navigate to trigger the SAML authentication (obtained from IdP admin).
    5. For IdP Cert enter the certificate used to encrypt messages sent to the IdP and to validate messages signed by the IdP (obtained from IdP admin).
    6. For SAML Server Cert enter the certificate used by the station to sign the messages being sent back to the IdP and to decrypt messages sent by the IdP.
       NOTE: For the IdP to read and validate the messages sent by the station, the certificate with its public key must also be provided to the IdP SAML server administrator.
  5. On completion, click Save.