Most SAML IdPs require you to provide an XML file with metadata about the service provider to add it to the SAML network.
In
https://host.domain.com/saml/samlrp/metadata?scheme=<schemeName> (where you replace <schemeName> with the name of the station’s SAMLAuthenticationScheme).
Since SAML is an open standard, a number of third-party SAML servers are available (for example, OpenAM and Salesforce). This example configures the authentication scheme for the OpenAM Identity Provider.

To access these properties, expand , right-click SAMLAuthenticationScheme and click .
| Property | Value | Description |
|---|---|---|
| Login Button Text | text string, “Log in with SSO” (default) | Defines the preferred text label for the SSO login button that appears on the Login window. This button always displays if the corresponding scheme is in the authentication schemes folder. |
| IdP Host URL | text string, https://idp.domain.com (default) | Configures the URL for the host of your Identity Provider that provides the IdP data. |
| IdP Host Port | 443 | Configures the port number of your Identity Provider that provides IdP data. |
| IdP Host Login Path | /path/to/login | Configures the location on the Identity Provider that you must navigate to in order to trigger SAML authentication for the IdP provided data. |
| IdP Cert | drop-down list | Identifies the certificate required to encrypt messages sent to the IdP, and validate messages sent from the IdP for the IdP provided data. |
| SAML Server Cert | drop-down list | Identifies the certificate used by the station to sign messages that are sent back to the IdP. This certificate is also provided to the IdP SAML Server admin so that the IdP can read and validate the messages. It also decrypts messages sent from the IdP to the station. |
| Time Skew | 0000h 03m 00s (default) | Sets the number of minutes to extend the validity period of the SAML request from the subordinate station. This allows the SAML message to be accepted when the Supervisor and subordinate stations cannot synchronize their time values. Use positive values. |
| Requested Authentication Type | Config authentication scheme | Specifies the type of authentication requested to configure the station. For example, when the controller station requests the authentication to enforce the particular authentication type, it informs the Identity Provider (IdP) which authentication types are allowed with the controller during SAML authentication. By default the property value is set to Unspecified (accepts any authentication type). Click the |
| Requested Authentication Comparison Mode | drop-down list (defaults to exact) | The comparison mode options are as follows: NOTE: Maximum is not supported by the |
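
The Time Skew property widens the window in which a SAML message is accepted. The following added example (not the station's own code) shows how such an allowance is commonly applied to the `NotBefore` and `NotOnOrAfter` attributes of a SAML `Conditions` element; the function name, the sample XML and the assumption that the signature has already been verified are all illustrative.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a minimal assertion carrying only a Conditions element.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z"
                   NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def _parse_instant(value):
    # SAML timestamps are UTC xs:dateTime values such as 2024-01-01T12:00:00Z.
    # Fractional seconds, which some IdPs emit, are not handled in this example.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_validity_window(assertion_xml, now, skew=timedelta(minutes=3)):
    """Return (accepted, reason) for the Conditions window widened by `skew`.

    Assumption: the XML signature was verified before this check, and the
    document was parsed by a hardened parser in a real deployment.
    """
    if skew < timedelta(0):
        raise ValueError("skew must not be negative")
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    # The skew is applied to both edges: a sender whose clock runs ahead
    # produces a NotBefore that looks like the future to the receiver.
    if not_before and now < _parse_instant(not_before) - skew:
        return False, "not yet valid"
    # NotOnOrAfter is exclusive, so the widened upper bound is exclusive too.
    if not_on_or_after and now >= _parse_instant(not_on_or_after) + skew:
        return False, "expired"
    return True, "within window"
```

A larger skew also lengthens the time during which a captured message can be replayed, so keep the value as small as the clock drift between stations allows.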