9.24 SAML Service Provider

Advanced Authentication lets you authenticate with SAML 2.0 through the Web Authentication method.

WARNING:You must configure the SAML Service Provider method with the relevant Identity Provider details before adding it to an authentication chain.

NOTE:A chain with the SAML Service Provider method can be assigned to the OAuth 2.0 and SAML events. Ensure that the following requirements are met:

  • The Support Authorization Code option must be enabled in the Advanced Settings section of the event.

  • The SAML Service Provider method can be the only method in the chain or the first one. Even if it is placed elsewhere in the chain, it is requested before the other methods.

  • The user who authenticates using the SAML SP method must be present in only one repository.

  • The SAML Service Provider method is not enrolled automatically when using the new Enrollment Portal. It must be enrolled for users before authentication.

To configure the SAML Service Provider method for Advanced Authentication, perform the following steps:

  1. Click Methods > SAML Service Provider.

  2. Click Add in Identity providers.

  3. Select SAML in Authentication type.

  4. Click the arrow icon.

  5. Specify the identity provider name in Identity Provider.

  6. In Assertion Attribute, specify the name of the attribute in the SAML assertion that identifies the user. By default, it is set to username.

  7. Click Choose File to upload the Identity Provider Metadata file.

    IMPORTANT:Ensure that you choose the Identity Provider Metadata file exported from the Identity Provider you are using. Do not use the metadata file exported from the Administrative Portal > Policies > Web Authentication; that file is the Service Provider metadata of Advanced Authentication itself.

  8. Click the save icon.

  9. Click Save.

NOTE:You can obtain the Service Provider metadata from Advanced Authentication at the following URL:

https://AAF_SERVER/osp/a/TENANT/auth/saml2/metadata.

In the above URL, replace TENANT with the actual tenant name. Use TOP as the TENANT name if you are not using the SaaS version of Advanced Authentication or if the multi-tenancy feature is not enabled.

Sample Configuration

Let us assume that an organization needs to secure an OAuth2 event with the SAML Service Provider method and wants to add NetIQ Access Manager as the Identity Provider that validates the users' identity. To achieve this, the administrator must configure the following:

Configure Advanced Authentication Server

As a prerequisite, download the Access Manager metadata file. Use the following URL syntax to download the metadata:

https://<NAM IDP URL>:<Port>/nidp/saml2/metadata

NOTE:Replace <NAM IDP URL> and <Port> with the values for your environment.

  1. Navigate to Methods > SAML Service Provider on the Advanced Authentication Administration Portal.

  2. Click Add.

    The Authentication type is set to SAML by default.

  3. Click the icon.

  4. Specify the following:

    • Identity Provider: Name of Identity Provider.

      In this example, Access Manager.

    • Assertion Attribute: Attribute name in SAML assertion.

      In this example, username.

    • Identity Provider Metadata file: Click Choose File and upload the Access Manager metadata file.

  5. Click the icon, and then click Save.

  6. Create a chain with SAML Service Provider method in Chains.

  7. Map the chain with SAML Service Provider method to OAuth2 event in Events.

Configure Access Manager Server

As a prerequisite, obtain the Advanced Authentication metadata file from Policies > Web Authentication.

  1. Navigate to Devices > Identity Provider > Edit on the Access Manager Administration Portal.

  2. Click SAML 2.0.

  3. Click New > Service Provider.

  4. Specify the following:

    • Provider Type: Select General.

    • Source: Metadata Text

    • Name: Name of the Service Provider. In this case, Advanced Authentication.

    • Text: Paste the SAML2 metadata of Advanced Authentication.

  5. Click Next and Finish.

  6. Import the signing and encryption certificates from Advanced Authentication into Access Manager. Then add the certificate to the NIDP trust store (optional; applies when a self-signed certificate is in use).

  7. Navigate to Devices > Identity Server > Shared Settings > Attribute Sets > New to create an attribute set.

  8. Specify the name of attribute set in Set Name.

  9. Click Next.

  10. Click New to add an attribute to the set.

  11. Perform the following:

    • Local attribute: Select Ldap Attribute:cn [LDAP Attribute Profile] from the list.

    • Remote attribute: Specify the attribute as username.

      This attribute must match the Assertion Attribute configured in SAML Service Provider method in Advanced Authentication.

    • Remote namespace: Select none.

    NOTE:Retain the default value for other options.

  12. Click OK and Finish.

  13. Assign the attribute set to the SAML 2 service provider that you created, and move the attribute from the Available list to Send with Authentication.

  14. Save the changes and update the Identity Server.
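The following pre-flight check is example code added for this section; it is not part of Advanced Authentication or Access Manager. It covers the IMPORTANT note on the metadata file (only IdP metadata, never the Service Provider metadata exported from Policies > Web Authentication, belongs under Methods > SAML Service Provider) and the Remote attribute mapping of step 11 (the assertion must carry the configured Assertion Attribute, username by default). The sample metadata and assertion are constructed, with placeholder hosts, and the check uses only the Python standard library.

```python
import xml.etree.ElementTree as ET

# XML namespaces used by SAML 2.0 metadata and assertions.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def classify_metadata(xml_text: str) -> dict:
    """Return the entityID and which SAML roles a metadata file declares.

    The file uploaded under Methods > SAML Service Provider must declare an
    IDPSSODescriptor; a file with only an SPSSODescriptor is Advanced
    Authentication's own export from Policies > Web Authentication.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    return {"entity_id": root.get("entityID"),
            "is_idp": root.find("md:IDPSSODescriptor", NS) is not None,
            "is_sp": root.find("md:SPSSODescriptor", NS) is not None}


def assertion_attribute(xml_text: str, name: str = "username") -> list:
    """Values of attribute `name` in the assertion's AttributeStatement.

    Empty means the IdP did not send the configured Assertion Attribute
    (the Remote attribute of the Access Manager attribute set).
    """
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            values += [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return values


# Constructed samples with placeholder hosts, trimmed to the elements checked.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://nam.example.test/nidp/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://aaf.example.test/osp/a/TOP/auth/saml2/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Run classify_metadata on the file you are about to upload: if is_sp is True and is_idp is False, you picked the Advanced Authentication export instead of the Access Manager one.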

Verify the SAML Service Provider Method

When users access the OAuth2 event, they are redirected to Access Manager for authentication. After the authentication in Access Manager, Advanced Authentication receives the authentication response (Success or Fail). Based on the authentication response, Advanced Authentication grants access to the OAuth2 application.

NOTE:Advanced Authentication does not prompt for any additional authentication unless there are other methods in the chain in addition to the SAML SP method.