<< Click here to display Table of Contents >>

Configuring SSO Authentication

Contents

1.Log in to the System Management page.

2.In the System Management page, click User Accounts > External Authentication.

3.Click the icon and select Add SSO Authentication from the drop-down list.

1)Enter a unique name to identify the SSO server and a brief description.

2)Enter the credentials to connect to the SSO server. See SSO Settings for more details.

3)Assign domain access permissions and more privileges to the users on the SSO server.

▪Tenant Access — select one or more tenants to assign access permissions to all users on the SSO server.

Tip: The accessible tenants can be modified on the Users tab after the users are synchronized.

▪Domain Access — select one or more domains under an accessible tenant to assign the access permissions to all users on the SSO server.

▪Domain Privileges — click Assign Privileges to assign more domain privileges to all users by role on the SSO server. See Share Policy for more details.

Tip: If all the built-in cannot satisfy your needs, click Add Role to create one. See Adding a role for more details.

4)To apply the privilege settings to all existing users on the SSO server, click Apply this setting to existing users. Click Yes in the Confirmation dialog box.

5)Click Save to commit the settings. By default, the authentication configuration is enabled.

Tip: You can click Download metadata to download the SAML metadata of NetworkBrain Service Provider, which contains entityID, endpoints (Attribute Consume Service Endpoint, Single Logout Service Endpoint), public X.509 certificate, nameID format, organization information, and so on.

After the connection is successfully verified, the user accounts on the SSO server can directly log in to the system with the assigned roles and privileges by logging in to the corresponding Identity Provider first. They will be automatically synchronized under the Users tab after the login. And when the users log out of the Identity Provider, they will also log out of the system.

SSO Server Settings

The following table lists the credentials that are required when connecting to an SSO server.

Note: To ensure the X.509 certificates can be deployed on IIS, go to IIS Manager > Application Pool > Advanced Settings > Process Model and set Load User Profile to True.

Field	Description
SAML Version	The version of SAML used by your Identity Provider. Currently, SAML 2.0 is supported.
Entity Id	The unique identifier of the Identity Provider.
Identity Provider Certificate	The X.509 certificate containing the public key to verify the SAML 2.0 messages signed by the Identity Provider, such as the Assertion and LogoutRequest/LogoutResponse. Click Browse to upload the certificate. Note: Only the .crt format is allowed.
Request Signing Certificate	The X.509 certificate containing the public key and private key to sign outgoing SAML 2.0 messages and decrypt incoming SAML 2.0 messages encrypted by the Identity Provider, such as the Assertion/NameID/Attribute elements inside an SSO Response. The certificate with password is supported. Click Browse to upload the certificate. Note: Only the .pfx format is allowed.
Certificate Password	The password of the certificate (pfx).
Want AuthnRequests Signed	Set whether to sign the SAML authentication request with NetworkBrain certificate. Note: Select the check box if your Identify Provider enables the certificate signature for received messages through the security settings.
Request Signature Method	The signing algorithm to encrypt the messages sent to the Identity Provider. The available options include: ▪rsa-sha1 ▪rsa-sha256 ▪rsa-sha384 ▪rsa-sha512
NameID Format	The name identifier formats supported by the Identity Provider. Name identifiers are a way for providers to communicate with each other regarding a user. SSO interactions support the following types of identifiers: ▪urn:oasis:names:tc:SAML:2.0:nameid-format:persistent ▪urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified ▪urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Service Binding	The binding used to send the login request to the Identity Provider. The available options include: ▪HTTP-Redirect ▪HTTP-POST
Identity Provider Login URL	The Login Service URL where the Identity Provider will redirect the user during the login exchange.
ArtifactResolve URL	The Artifact Resolution Service (ARS) URL to send back-channel requests to resolve artifacts received from NetBrain.
Logout Service Binding	The binding used to send the logout request to the Identity Provider. The available options include: ▪HTTP-Redirect ▪HTTP-POST
Identity Provider Logout URL	The Logout Service URL where the identity Provider will redirect the user during the Logout exchange.