Documentation

 

Introduction

Use this guide to enable Single Sign-on (SSO) access via SAML to Gem Madison.

 


Prerequisites

1. Have a Gem Madison Instance and a SecureAuth Appliance.
2. Have administrative access to Gem Madison.
3. Create a New Realm for the Gem Madison integration.
4. Configure the following tabs in the Web Admin before configuring the Post Authentication tab:

A) Overview — the description of the realm and SMTP connections must be defined.
B) Data — an enterprise directory must be integrated with SecureAuth IdP.
C) Workflow — the way in which users will access this application must be defined.
D) Multi-Factor Methods — the Multi-Factor Authentication methods that will be used to access this page (if any) must be defined.

SecureAuth IdP configuration steps

1. Log in to the SecureAuth IdP Admin Console.

Post Authentication

2. Navigate to the Post Authentication tab.
3. Select SAML 2.0 (SP Initiated) Assertion from the Authenticated User Redirect dropdown.

User ID mapping

4. Select Email 1 from the User ID Mapping dropdown after ensuring that Email 1 is mapped on the Data tab. The user can also choose to map other parameters. Authenticated User ID is also a valid choice.
5. Select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified from the Name ID Format dropdown.
6. Select False from the Encode to Base64 dropdown.

SAML Assertion / WS Federation

Note: Gem Madison will perform configuration changes on the back end. There is no metadata on that end.

7. Type/paste the URL provided by Gem Madison into the SAML Consumer URL text field (e.g., https://<app.domain.com>/trust/Saml2/Auth/xxxxxxxxxxxx).
8. Type/paste the URL that matches the Gem Madison end into the WSFed/SAML Issuer text field; typically, this is the Fully Qualified Domain Name (FQDN) of the SecureAuth Appliance (e.g., https://<FQDN-SA-IdP>).
9. Type/paste the SP Entity ID provided by Gem Madison into the SAML Audience text field.
10. Type/paste the login URL of Gem Madison into the SP Start URL text field (e.g., https://<app.domain.com>).

11. Select SHA1 from the WS-Fed Signing Algorithm dropdown.
12. Select SHA1 from the SAML Signing Algorithm dropdown.



13. Select False from the Sign SAML Assertion dropdown.
14. Select True from the Sign SAML Message dropdown.

15. Leave the Signing Cert Serial Number as the default value unless there is a third-party certificate being used for SAML Assertion.
Note: If using a third-party certificate, click Select Certificate and choose the appropriate certificate.

16. Click the Save button.

SAML Attributes / WS Federation


Note: The SAML Attributes are optional, but can be made mandatory depending upon use case. Below is an example of how to set up a SAML Attribute.

1. Type/paste http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name into the Name text field.
2. Select Basic from the Format dropdown.
Note: Ensure that these attributes are also mapped on the Data tab. Refer to this document: https://docs.secureauth.com/pages/viewpage.action?pageId=44833369 if unsure about LDAP attributes.


Gem Madison configuration steps


Ask the Gem Madison Support Resource to make the appropriate back-end change.

  • No labels