
Generic SAML Integration Guide

Use this guide as a reference for configuring a SAML application integration to enable Multi-Factor Authentication and Single Sign-on (SSO).

SecureAuth IdP enables both IdP- and SP-initiated SAML integrations. In IdP-initiated integrations, end-users start the login process at SecureAuth IdP and are then asserted to the application once successfully authenticated, never seeing the application's login screen. In SP-initiated integrations, end-users start the login process at the Service Provider (SP) / application, are redirected to SecureAuth IdP for authentication, and then are asserted back to the application once successfully authenticated.

This is a general SAML integration guide to assist in configuring actual application integrations. Refer to the specific application integration guide for applicable steps.

Note

For SAML integrations that require AssertionConsumerServiceIndex instead of AssertionConsumerServiceURL, a hotfix adds support for AssertionConsumerServiceIndex.

For more information, see SAML integrations using AssertionConsumerServiceIndex hotfix.

Prerequisites

  1. Have a SAML application and access to its administrative console

  2. Create a New Realm in the SecureAuth IdP Web Admin for the SAML integration

  3. Configure the following tabs in the Web Admin before configuring the Post Authentication tab:

    • Overview – the description of the realm and SMTP connections must be defined

    • Data – an enterprise directory must be integrated with SecureAuth IdP

    • Workflow – the way in which users will access this application must be defined

    • Multi-Factor Methods – the Multi-Factor Authentication methods (if any) that will be required to access this application must be defined

SecureAuth IdP configurations

Complete the steps on the Data tab only for LDAP directory integrations. The Data tab configuration is needed to map the user's application ID to a SecureAuth IdP property so that the end user can be asserted to the application.

Tip

If the application ID of the user is the same as the user ID provided to authenticate with SecureAuth IdP, then you do not need to complete the configurations on the Data tab.

In the Membership Connection Settings section, the user ID provided to SecureAuth IdP is the directory field that equals %v in the Search Filter field.

For example, (&(sAMAccountName=%v)(objectclass=*)) indicates that the value stored in the sAMAccountName directory attribute is the ID the user provides to authenticate; when this is the same user ID value the application requires, no further mapping is needed.

  1. For LDAP directory integrations only, go to the Data tab.

    For a SQL-type data store, complete the equivalent mapping in the stored procedures instead.

  2. In the Profile Fields section, map the directory Field containing the user's application ID to a SecureAuth IdP Property.

    For example, add the application ID field to the Email 2 property.

  3. Save your configurations.

  4. Go to the Post Authentication tab and make the following configurations for an IdP-initiated or SP-initiated integration.
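The following Python example is added here to illustrate the Tip and steps 1-2 above; it is not SecureAuth code. It models how the %v placeholder in the Search Filter selects the directory attribute the user logs in with, how that value must be RFC 4515-escaped before it is substituted into the filter, and how a Profile Fields mapping (here the hypothetical choice of employeeID mapped to the Email 2 property) supplies the application ID that is asserted. The directory entries and attribute names are constructed for the example.

```python
"""Added example (not SecureAuth code): how the Search Filter's %v placeholder and
the Profile Fields mapping turn the ID a user types into the ID the application
expects. The directory entries, attribute names and the 'Email 2' mapping are
constructed for illustration."""
import re

# Constructed stand-in for the enterprise LDAP directory.
DIRECTORY = [
    {"sAMAccountName": "jdoe", "mail": "jdoe@example.com", "employeeID": "E1001"},
    {"sAMAccountName": "asmith", "mail": "asmith@example.com", "employeeID": "E1002"},
]

# Search Filter as it appears in Membership Connection Settings: the attribute
# that "equals %v" is the ID the user types to authenticate.
SEARCH_FILTER = "(&(sAMAccountName=%v)(objectclass=*))"

# Profile Fields mapping from the Data tab (SecureAuth property -> directory field).
# Hypothetical: the application's user ID lives in employeeID, mapped to Email 2.
PROFILE_FIELDS = {"Email 2": "employeeID"}

# RFC 4515 escaping for values substituted into a filter. Without it a user who
# types "*" or "x)(objectclass=*" changes the filter instead of being matched by it.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template, user_id):
    """Substitute the escaped user ID for %v; this is what goes to the directory."""
    return template.replace("%v", escape_filter_value(user_id))


def login_attribute(template):
    """The directory field that equals %v, i.e. the ID the user must provide."""
    m = re.search(r"\((\w+)=%v\)", template)
    if not m:
        raise ValueError("search filter has no (attribute=%v) term")
    return m.group(1)


# --- toy directory server: evaluates a rendered single-term AND filter ----------
_TERM = re.compile(r"^\(&\((\w+)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)\(objectclass=\*\)\)$")


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def directory_search(rendered_filter, directory=DIRECTORY):
    """Like a real LDAP server: an unescaped '*' is a wildcard, an escaped one
    (backslash-2a) is the literal character."""
    m = _TERM.match(rendered_filter)
    if not m:
        raise ValueError("unsupported or malformed filter: " + rendered_filter)
    attr, value = m.groups()
    parts = re.split(r"(?<!\\)\*", value)  # split on unescaped '*' only
    pattern = re.compile("^" + ".*".join(re.escape(_unescape(p)) for p in parts) + "$")
    return [e for e in directory if pattern.match(e.get(attr, ""))]


def assertion_user_id(user_id, mapping_property=None):
    """ID the IdP asserts to the application. With no mapping_property the login
    ID is asserted as-is (the Tip's case: application ID == login ID); with one,
    the Profile Fields mapping supplies the application ID from the directory."""
    entries = directory_search(render_filter(SEARCH_FILTER, user_id))
    if len(entries) != 1:
        raise LookupError("expected exactly one match for %r, got %d" % (user_id, len(entries)))
    if mapping_property is None:
        return user_id
    return entries[0][PROFILE_FIELDS[mapping_property]]


if __name__ == "__main__":
    print(render_filter(SEARCH_FILTER, "jdoe"))
    print(assertion_user_id("jdoe"))             # login ID asserted unchanged
    print(assertion_user_id("jdoe", "Email 2"))  # employeeID via the Email 2 mapping
    # A wildcard typed as the user ID is escaped and matches nobody ...
    print(len(directory_search(render_filter(SEARCH_FILTER, "*"))))
    # ... whereas raw substitution would match every account.
    print(len(directory_search(SEARCH_FILTER.replace("%v", "*"))))
```

The two final lines are the check worth carrying over to a real deployment: whatever performs the %v substitution must escape the user-supplied value, otherwise the login ID field becomes an LDAP filter injection point and a wildcard or an injected clause can match accounts the user does not own.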

Other SSO configuration options

To configure this realm for SSO, see SecureAuth IdP Single Sign-on (SSO) Configuration Guide.

To configure this realm for Windows Desktop SSO, see the Windows desktop SSO configuration topic.