Complete these steps in preparation for setting up the SAML IdP Service.
The following steps can be completed in any order.
Generate a server certificate in the Supervisor’s Certificate Management. The certificate does not need to be signed since SAML IdP uses certificate pinning. It just needs to be present in the User Key Store.
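The reason an unsigned certificate is acceptable here is what pinning means: the relying party compares the fingerprint of the certificate it is presented with against a fingerprint it stored at enrollment, rather than validating a CA chain. The following Python is an added illustration of that check, not Niagara code and not a description of how the Supervisor or the User Key Store holds its pins; the function names and the certificate byte strings are constructed for the example.

```python
"""Certificate pinning check, added illustration (not Niagara code).

A pinned client trusts a certificate because its SHA-256 fingerprint
matches a value stored earlier, so whether a CA signed it is irrelevant.
"""
import hashlib
import hmac
import ssl

# Constructed stand-ins for DER-encoded certificates. Pinning hashes the
# raw DER bytes, so the check itself never needs to parse the certificate.
SERVER_CERT_DER = b"constructed-placeholder-not-a-real-certificate-A"
REISSUED_CERT_DER = b"constructed-placeholder-not-a-real-certificate-B"


def fingerprint_sha256(cert_der):
    """SHA-256 fingerprint as colon-separated uppercase hex, the form most
    certificate-management tools display."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_pin(pin):
    """Accept a pin copied with or without colons/spaces, in any case."""
    return pin.replace(":", "").replace(" ", "").upper()


def enroll_pin(cert_der):
    """What an operator records when the certificate is first trusted."""
    return fingerprint_sha256(cert_der)


def der_to_pem(cert_der):
    return ssl.DER_cert_to_PEM_cert(cert_der)


def pem_to_der(cert_pem):
    return ssl.PEM_cert_to_DER_cert(cert_pem)


def cert_matches_pin(cert_der, pinned_fingerprints):
    """True when the presented certificate matches any stored pin.

    Several pins are allowed so a replacement certificate can be pinned
    before the old one is retired. Comparison is constant-time so the
    check does not leak how many leading bytes matched."""
    actual = normalize_pin(fingerprint_sha256(cert_der))
    return any(hmac.compare_digest(actual, normalize_pin(p))
               for p in pinned_fingerprints)


if __name__ == "__main__":
    pins = [enroll_pin(SERVER_CERT_DER)]
    print("pinned:", pins[0])
    print("original cert accepted:", cert_matches_pin(SERVER_CERT_DER, pins))
    # A re-issued certificate, even for the same server, has different
    # bytes and is rejected until its fingerprint is added to the pin list.
    print("reissued cert accepted:", cert_matches_pin(REISSUED_CERT_DER, pins))
```

The point the example makes for this step: because trust is anchored in the stored fingerprint, regenerating the server certificate later means the pin on the relying side must be updated too, so treat certificate renewal as a change that touches both ends.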
Determine how many Circles of Trust you intend to create. For each one, identify which stations to include and which users to include as user prototypes.
Add all of the subordinate stations to the Supervisor’s NiagaraNetwork and make sure that the stations ping. This connection is necessary because later you will run a provisioning job on the subordinate stations.
Create user prototypes in each remote station. You need all of the user prototypes for all of the users in any Circles of Trust that a station is a part of. The user prototypes do not need to exist in the Supervisor station. When an attempt to log in to a subordinate station as a SAML user is made, the user is created in the subordinate station according to a user prototype. For this reason, the prototypes must exist in the remote station beforehand.
NOTE: The SAML Authentication Scheme supports only the baja-UserPrototype, whereas LDAP and Kerberos support this user prototype as well as the default user prototype.
In the Supervisor’s UserService, create all of the users that you need for any Circle of Trust or subordinate station.