Authentication Types - SAML

Warning

With the SAML authentication type enabled, all deep-links will attempt to validate against the SAML service, potentially redirecting the user to a SAML identity provider login page. All users should log into the top-level Web FQDN and only use deep-links after logging in.

Form Fields

  • Name - The name of the authentication profile.

  • Status - The status of the authentication profile.

  • Settings (Identity Provider)

    • Entity ID - A unique identifier for your SAML-enabled IdP.

    • Single SignOn Service - An endpoint on your IdP that receives incoming authentication requests, processes them, and returns the authenticated user.

    • Single Logout Service - An endpoint on your IdP to receive incoming logout requests and send logout responses.

    • Certificate - Certificate data.

    • NameID Format - The expected format of the name id element of the SAML response. This must match the username in Assure1.

  • Settings (Service Provider) - These fields are read-only in Assure1 and are to be added to your Identity Provider.

    • Entity ID - A unique identifier for your SAML-enabled SP.

    • Assertion Consumer Service - An endpoint on the SP to which the IdP sends an authenticated user.

    • Single Logout Service - An endpoint on the SP to send logout requests.

    • Certificate - Certificate data.

Best Practices

To set up SAML external authentication:

  1. The values in the "Settings (Service Provider)" section should be given to your organization's SAML administrators for the back-end configuration.

    Note

    When a shared Web FQDN is used in an environment, the IdP settings advertised in this UI will always point to the Web FQDN alias. Users must then use the Web FQDN for logging in. If a user enters the Host FQDN in the browser, SAML authentication will not work properly because the IdP server does not have the Host FQDN service provider entry. Other authentication types will work when the Host FQDN is used to access the environment.

  2. The values in the "Settings (Identity Provider)" section should be provided by your organization's SAML administrators, including:

    • Entity ID

    • Single SignOn Service

    • Single Logout Service

    • Certificate

    • (Optional): NameID Format

    Note

    In some IdP configurations, "Single SignOn Service" and "Single Logout Service" may have multiple entries, each being a different link for a different connection method (or binding), such as HTTP-SOAP, HTTP-POST, etc. Assure1 SAML only supports the "HTTP-Redirect" method.

  3. Enter the values provided into the form, then click on the "Submit" button.

  4. Restart the Assure1 web service:

    systemctl restart assure1-web
    
  5. Go to the "Users" UI and create new users or update existing ones to use the SAML authentication type:

    Configuration -> AAA -> Users

  6. Test authentication using the SAML user(s).
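
When the SAML administrators supply the step 2 values as an IdP metadata file, the HTTP-Redirect endpoints have to be picked out from among the other bindings. The following is an added example, not Assure1 code or part of the original documentation: it assumes standard SAML 2.0 metadata, and the function names, host names and certificate placeholder are constructed. It also computes a SHA-256 fingerprint of the certificate so it can be compared out-of-band before the value is entered.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata; host names and certificate are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q09OU1RSVUNURUQtQ0VSVA==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/slo/redirect"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/post"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def redirect_location(idp, tag):
    """Return the HTTP-Redirect Location of a service element, or fail loudly."""
    for el in idp.findall(f"{{{MD}}}{tag}"):
        if el.get("Binding") == REDIRECT:
            return el.get("Location")
    raise ValueError(f"IdP metadata has no HTTP-Redirect {tag}")


def idp_form_values(metadata_xml):
    """Map IdP metadata onto the "Settings (Identity Provider)" form fields."""
    root = ET.fromstring(metadata_xml)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    cert_b64 = "".join(idp.find(f".//{{{DS}}}X509Certificate").text.split())
    return {
        "Entity ID": root.get("entityID"),
        "Single SignOn Service": redirect_location(idp, "SingleSignOnService"),
        "Single Logout Service": redirect_location(idp, "SingleLogoutService"),
        "Certificate": cert_b64,
        # Not a form field: fingerprint of the DER bytes, for out-of-band checks.
        "Certificate SHA-256": hashlib.sha256(base64.b64decode(cert_b64)).hexdigest(),
        "NameID Format": [e.text.strip() for e in idp.findall(f"{{{MD}}}NameIDFormat")],
    }
```

If the metadata offers no HTTP-Redirect entry for either service, the function raises instead of falling back to another binding, since the note in step 2 says no other binding is supported.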

Default Settings

  • Status

  • Settings (Identity Provider)

    • Entity ID

    • Single SignOn Service

    • Single Logout Service

    • Certificate

    • NameID Format

  • Settings (Service Provider)

    • Entity ID

    • Assertion Consumer Service

    • Single Logout Service

    • Certificate