26.1 Integrating Advanced Authentication with SAML 2.0

To integrate Advanced Authentication with third-party solutions using SAML 2.0, perform the following steps:

  1. Click Events > Add.

  2. Specify a name for the new event.

  3. Change the Event type to SAML2.

  4. Select the required chains for the event.

  5. Copy and paste your Service Provider's SAML 2.0 metadata to SP SAML 2.0 metadata.

    OR

    Click Browse and select a Service Provider's SAML 2.0 metadata XML file to upload it.

  6. Click Policies > Web Authentication.

  7. (Conditional) Specify the Identity Provider’s URL in Identity provider URL.

    NOTE: To use multiple Advanced Authentication servers with SAML 2.0, you must do the following:

    1. Configure an external load balancer.

    2. Specify the address in Identity provider URL instead of specifying an address of a single Advanced Authentication server.

  8. Click Server Options > Signing Certificate and save the certificate content in a notepad file for further use.

    NOTE: Use the Identity Provider Signing certificate in your Service Provider.

  9. Change the hash algorithm to SHA-1 in your Service Provider, if that option is available.

  10. Select the required option from NameID formatting options based on the Service Provider's SAML response requirements. The available options are:

    • Use default: To send NameID in SAML response without any customization.

    • Send E-Mail as NameID (suitable for G-Suite): To send the email address in the NameID attribute. This is required for integrating with G Suite.

    • Send SAMAccount as NameID: To send SAMAccountName in the NameID attribute of SAML response from the Advanced Authentication server.

    • Send CN as NameID: To send the UID of the user in the NameID attribute of the SAML response from the Advanced Authentication server. This is required when eDirectory is used as the repository and the Service Provider requests the NameID format "unspecified" but needs the Common Name (UID by default) in the SAML response. This is required for integrating with CyberArk.

    • Send ImmutableId (User objectId) as NameID (required for Microsoft Office 365): To send the User objectId in the NameID attribute of the SAML response from the Advanced Authentication server. This is required for integrating with Microsoft Office 365.

  11. Set Bypass user lockout in repository to ON if you want to allow users who are locked in the repository to authenticate to Advanced Authentication. By default, Bypass user lockout in repository is set to OFF, and users who are locked in the repository are not allowed to authenticate.

NOTE: The logout URL must use the following format:

https://<AAServer>/osp/a/TOP/auth/app/logout

where TOP is the name of the tenant.

To log out from both the Identity Provider and the Service Provider, use the following URL:

https://<AAServer>/osp/a/TOP/auth/app/logout?target=https://<Service Provider>/app/logout

For example: https://<AAServer>/osp/a/TOP/auth/app/logout?target=https://<NAMServer>/nidp/app/logout
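Before pasting a Service Provider's metadata into SP SAML 2.0 metadata (step 5) it is worth checking what the SP actually asks for, since that decides the NameID formatting option in step 10. The following added example (not part of the product or this documentation) parses a constructed SP metadata document, reports the entityID, NameID formats, AssertionConsumerService endpoints and the WantAssertionsSigned flag, and builds the logout URL in the format given in the note above; the server and tenant names are assumed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata; hostnames are placeholders, not a real SP.
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def summarize_sp_metadata(xml_text: str) -> dict:
    """Extract the fields an administrator checks before creating the SAML2 event."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not Service Provider metadata")
    acs = [(a.get("Binding"), a.get("Location"))
           for a in sp.findall("md:AssertionConsumerService", NS)]
    # The assertion is posted to these URLs; refuse plain-http endpoints.
    if not acs or not all(loc.startswith("https://") for _, loc in acs):
        raise ValueError("every AssertionConsumerService Location must be https")
    return {
        "entity_id": root.get("entityID"),
        # Compare against the NameID formatting option chosen in step 10.
        "name_id_formats": [n.text for n in sp.findall("md:NameIDFormat", NS)],
        "acs": acs,
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


def logout_url(aa_server: str, tenant: str = "TOP", sp_logout: str = "") -> str:
    """Build https://<AAServer>/osp/a/<tenant>/auth/app/logout[?target=<SP logout>]."""
    url = f"https://{aa_server}/osp/a/{tenant}/auth/app/logout"
    if sp_logout:
        # Keep ':' and '/' unescaped so the target reads as in the documentation.
        url += "?target=" + quote(sp_logout, safe=":/")
    return url
```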

The following sections are examples of integration with SAML 2.0.