Add generic SAML Identity Provider

Before you begin, you need to obtain the following from your Identity Provider:

  SP Entity ID

  SSO endpoint

  Identity Provider verification certificate (one or two)

Optional values:

  Issuer, for example the Entity ID of the Identity Provider.

  Assertion Consumer Service URL if you are using a proxy server.

Integrate a generic SAML Identity Provider

1.      Click > Security > Identity Providers. The Identity Providers List page appears.

2.      Click Add and then select Generic (SAML) from the drop-down list. The Add Identity Provider page appears.

3.      Configure the Identity Provider Settings, as follows:

a.      In the SP Entity ID field, enter the main name of your SAML service provider.

Example: https://mycompany.<locale>.trustedauthcom/api/saml

b.      Optional. In the Issuer URL field, enter the Entity ID of the Issuer to require the issuer of the SAML assertion to be verified against this value. Leave this field blank if you do not want the issuer to be verified.

c.      Optional. In the Assertion Consumer Service URL field, enter the redirect ID if you are using a proxy server. Otherwise, keep the default value.

d.      Optional. In the Name ID Policy Format field, enter the Name ID format if the SAML request requires this value to be requested.

e.      Optional. In the Requested Information from the Identity Provider, add the following:

  Add a User Name (Login Hint) Parameter to append a parameter (Login Hint) to the SAML assertion request that identifies the user. Specifying a value of NameID includes the value in the SAML request itself rather than as an HTTP request parameter.

  Add a User Name (Login Name) Format to include a specific format when a NameID username parameter is used.

f.      Select Force Authentication to require a user to reauthenticate at each login attempt.

g.      Optional. In the Auth Context Request field, enter the auth context request if the SAML request requires this value to be requested.

4.      Enter the SSO Endpoint that receives the SAML request.

5.      Configure Signature Verification. At least one signature (SAML Response or SAML Assertion) is always required and verified.

a.      Select SAML Response to always require signature verification for the SAML response.

b.      Select SAML Assertion to always require signature verification for the SAML assertion.

c.      Click and browse to upload the SAML Verification Certificate.

Note: Expired certificates are not supported and cannot be used to validate SAML signatures.

d.      Optional. Click and browse to upload the SAML Verification Certificate 2.

6.      Configure User Management by mapping the users using one of the following options:

a.      Select Create User (Authentication) to create the user whose information is returned from the Identity Provider if it does not already exist.

Attention: Create user allows anyone with access to your chosen Identity Provider to create a user in your IDaaS account. Depending on your IDaaS configuration, new users created by your IDP will be able to access all the resources controlled by your IDaaS account. This may be a concern if your Identity Provider has no limits on who can create an account or if it has a large user base. Analyze the risks before enabling this option.

b.      Select Update User (Authentication) to update the IDaaS user to match the Identity Provider during authentication.

If you select Update User (Authentication), the IDaaS system user attributes and any existing IDaaS custom user attributes can be set based on SAML attribute mappings.

After user authentication, if the user exists in IDaaS, IDaaS compares the attributes of the existing user to the SAML attributes returned from the Identity Provider. If they are different, the IDaaS user attributes are updated with the SAML attribute values.

c.      Select Update User (Verification) to update the IDaaS user to match the Identity Provider during verification.

If you select Update User (Verification), the IDaaS system user attributes and any existing IDaaS custom user attributes can be set based on SAML attribute mappings. After user verification, the IDaaS user attributes are updated with the SAML attribute values.

7.      Select the System User Attributes used to identify the user.

8.      Configure Groups, Organizations, and role mapping.

a.      Select applicable groups from the Select Group drop-down list to assign created users to groups.

b.      Select applicable organizations from the Select Organization drop-down list to assign created users to organizations.

c.      In the Group Mapping field, enter the claim containing the group membership for users.

Only existing groups are mapped. If a group is not found, it is not mapped. The mapping does not remove any existing groups. If group mapping is not configured, existing groups remain.

Attention: Group Mapping allows anyone with access to this Identity Provider to have their IDaaS groups include the groups defined by the Identity Provider. Groups set the policies applied to users. Enabling this setting could result in users having access to unexpected policies, especially if the Identity Provider has different user access policies than IDaaS. Analyze the risks before configuring this option.

d.      In the Role Mapping field, enter the SAML attribute containing the role membership for users.

Only existing roles are mapped. If the role is not found, it is not mapped. The mapping does not remove an existing role. If a role is mapped and is different from the existing role, the existing role is replaced. If role mapping is not configured and the user already has a role, the existing role remains.

Attention: Role Mapping allows anyone with access to this Identity Provider to have their IDaaS account role defined by the Identity Provider, including the super administrator role that has access to all the resources controlled by your IDaaS account. Enabling this setting could result in unexpected access, especially if your Identity Provider has different user access policies than IDaaS. Analyze the risks before configuring this option.
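The group and role mapping rules in step 8 (c and d), modelled as an added example that is not code from the product documentation; EXISTING_GROUPS, EXISTING_ROLES and the claim values are constructed sample data, and the last function flags the super administrator case the Attention note describes.

```python
# Added example, not code from the product documentation: a model of the group
# and role mapping rules stated in step 8 (c and d). EXISTING_GROUPS,
# EXISTING_ROLES and the user data are constructed sample values.

# Groups and roles that already exist in the (constructed) IDaaS account.
EXISTING_GROUPS = {"Finance", "Engineering", "Contractors"}
EXISTING_ROLES = {"User", "HelpDesk", "SuperAdmin"}


def map_groups(current_groups, saml_groups):
    """Step 8c: only existing groups are mapped, a group that is not found is
    ignored, and the mapping never removes groups the user already has.
    saml_groups=None models "group mapping not configured"."""
    if saml_groups is None:
        return set(current_groups)
    return set(current_groups) | {g for g in saml_groups if g in EXISTING_GROUPS}


def map_role(current_role, saml_role):
    """Step 8d: only an existing role is mapped; a role that is not found (or a
    missing attribute) leaves the current role in place; a different existing
    role replaces it."""
    if saml_role in EXISTING_ROLES:
        return saml_role
    return current_role


def elevated_to_super_admin(role_before, role_after):
    """The case the Attention note warns about: the Identity Provider's role
    attribute promoted this user to the super administrator role."""
    return role_after == "SuperAdmin" and role_before != "SuperAdmin"


if __name__ == "__main__":
    # Constructed IdP claims for one user: one unknown group, one privileged role.
    before_groups, before_role = {"Finance"}, "User"
    after_groups = map_groups(before_groups, ["Engineering", "NotAnIdaasGroup"])
    after_role = map_role(before_role, "SuperAdmin")
    print("groups:", sorted(after_groups))   # Engineering added, Finance kept
    print("role:", after_role)                # replaced by SuperAdmin
    if elevated_to_super_admin(before_role, after_role):
        print("ALERT: Identity Provider granted super administrator")
```

Logging the elevation case from a role-mapping audit is the kind of check a reviewer would want before enabling Role Mapping in production.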

9.      Configure Branding as follows:

a.      Enter the Login Button Text. This is the text that appears on the IDaaS login page.

b.      If your Identity Provider has a login button image, enter the URL in the Login Button Image field. The login button appears on the IDaaS login page.

10.  Configure User Authentication as follows:

a.      Select Enabled for User Authentication.

During authentication, the Identity Provider returns either a SAML NameID value or a SAML attribute that is used to find the IDaaS user based on a user attribute. The attribute mappings in the SAML NameID value or the SAML attribute must uniquely identify the IDaaS user for mapping to be successful. If mapped successfully, the Identity Provider can be used as an alternative authentication method.

b.      In the Domains field, enter the domains returned from the SAML Identity Provider after authentication. When set, any user ID ending with one of these domains (for example user@mycompany.com) is linked to the Identity Provider. Separate each domain with a space.

c.      From the User Attribute used to identify the user drop-down list, select the user attribute from the Identity Provider that is used to map to the IDaaS user. The default is User ID/Alias.

d.      From the drop-down list, select the User Attribute used to identify the user to map a SAML NameID or SAML attribute returned from the Identity Provider to the IDaaS user (for example, User ID/Alias).

e.      In the Attribute (or NameID) used to identify the user field, enter the attribute in the SAML assertion that stores the identity of the user.

f.      Optional. Configure System User Match Attributes to require a match of both the system user attribute and additional user attributes to identify the user.

11.  Optional. Under User Verification, do the following:

a.      Select Enable for User Verification if you want the Identity Provider to be used for verification. For example, you would do this to allow the SAML Identity Provider to validate a user's photo or private identification information and return the corresponding SAML attribute that is mapped to the IDaaS user attribute.

b.      Configure at least one System User Match Attribute.

  You must configure at least one matching attribute.

  For every configured attribute, the Identity Provider SAML attribute value must match the IDaaS user attribute value.

  User matching is case insensitive.

  You can map both system and custom user attributes.

Note: See Manage user policies for more information on the verification process.
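The domain linking rule of step 10b and the unique, case-insensitive user match of steps 10 and 11b, modelled as an added example that is not code from the product documentation; the USERS store and all attribute names (email, employeeId, dept) are constructed, and comparing the part after "@" rather than a bare suffix is an assumption of this model.

```python
# Added example, not code from the product documentation: a model of the
# domain linking rule (step 10b) and of user identification with System User
# Match Attributes (steps 10c-f and 11b). USERS is a constructed sample store.

# Constructed IDaaS users: user ID -> system and custom attributes.
USERS = {
    "alice@mycompany.com": {"email": "alice@mycompany.com", "employeeId": "E100", "dept": "Finance"},
    "bob@mycompany.com": {"email": "bob@mycompany.com", "employeeId": "E200", "dept": "Engineering"},
    "bob.old@mycompany.com": {"email": "bob@mycompany.com", "employeeId": "E201", "dept": "Engineering"},
}


def linked_to_idp(user_id, domains):
    """Step 10b: the user ID is linked to this Identity Provider when its domain
    part is one of the space-separated configured domains. Comparing the part
    after '@' (rather than a bare string suffix) is an assumption of this model,
    so a longer domain that merely ends in the same characters does not match."""
    if "@" not in user_id:
        return False
    domain = user_id.rsplit("@", 1)[1].lower()
    return domain in {d.lower() for d in domains.split()}


def _same(a, b):
    # Step 11b: user matching is case insensitive; a missing value never matches.
    return a is not None and b is not None and a.lower() == b.lower()


def find_user(attr_name, attr_value, match_attrs=None):
    """Steps 10c-f: find the IDaaS user whose attribute equals the value from the
    SAML NameID/attribute. Step 10 requires the match to be unique, and step 11b
    requires every configured match attribute to agree as well. Returns the user
    ID, or None when there is no match or the match is ambiguous."""
    candidates = [uid for uid, attrs in USERS.items()
                  if _same(attrs.get(attr_name), attr_value)]
    if match_attrs:
        candidates = [uid for uid in candidates
                      if all(_same(USERS[uid].get(k), v) for k, v in match_attrs.items())]
    return candidates[0] if len(candidates) == 1 else None


if __name__ == "__main__":
    print(linked_to_idp("user@mycompany.com", "mycompany.com partner.example"))
    print(find_user("email", "ALICE@mycompany.com"))                    # unique match
    print(find_user("email", "bob@mycompany.com"))                      # ambiguous -> None
    print(find_user("email", "bob@mycompany.com", {"employeeId": "e200"}))
```

The ambiguous case shows why step 10 requires the NameID or attribute to uniquely identify the IDaaS user: without an extra match attribute the two "bob" records cannot be told apart and the mapping fails closed.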

12.  Click Save.