Help Center/ OneAccess/ Best Practices/ Authentication Provider Integration/ Standard Protocol Authentication Providers/ SAML Authentication/ Configuring a SAML Authentication Provider
Updated on 2024-12-30 GMT+08:00
View PDF
Share

Configuring a SAML Authentication Provider

Introduction

OneAccess allows you to configure the SAML protocol as the authentication provider to log in to each application system for better user experience.

This section describes how to configure a SAML authentication provider.

Basic Concepts

  • An identity provider (IdP) collects and stores user identity information (such as usernames and passwords), and authenticates users when they log in. For identity authentication between your enterprise and OneAccess, IdP refers to the identity provider of your enterprise.
  • An service provider (SP) uses the user information provided by a trusted IdP to provide services for users. For identity authentication between your enterprise and OneAccess, SP refers to OneAccess.
  • Single sign-on (SSO) is an access type that allows users to access a trusted SP system after logging in to the enterprise IdP. For example, after a trust relationship is established between an IdP and OneAccess, users in the IdP can use their existing accounts and passwords to access OneAccess through the login link in the IdP.
  • Security Assertion Markup Language 2.0 (SAML 2.0) is an XML-based protocol that uses security tokens containing assertions to pass information about an end user between an IdP and SP. It is an open standard ratified by the Organization for the Advancement of Structured Information Standards (OASIS) and is being used by many IdPs. For more information about this standard, see SAML 2.0 Technical Overview. OneAccess supports SAML 2.0-based identity authentication. Enterprise IdPs used for identity authentication in OneAccess must also support SAML 2.0.

This section describes how to integrate a third-party authentication provider with OneAccess through SAML.

Prerequisites

  • You have permissions to access the administrator portal.
  • You have the application system permission of the third-party identity provider (IDP) supporting SAML authentication.

Establishing a Trust Between an IdP and OneAccess

Configure the metadata file of OneAccess in the IdP to establish a trust on OneAccess.

  1. Download the metadata file of OneAccess.

    1. Log in to the administrator portal.
    2. In the top navigation pane, choose Authentication > Authentication Providers > Enterprise Authentication Providers. Then click SAML.
    3. On the SAML Authentication Providers page, click Download SP Metadata in the upper right corner. The metadata is automatically downloaded to the local PC.

  2. Upload the metadata file in 1.c to the enterprise IdP server. For details, see the documentation of the enterprise IdP.
  3. Obtain the metadata file of the enterprise IdP. For details, see the documentation of the enterprise IdP.

Adding a SAML Authentication Provider

Add a SAML authentication provider and configure its metadata file in OneAccess to establish a trust on the IdP.

  1. Log in to the administrator portal.
  2. In the top navigation pane, choose Authentication > Authentication Providers > Enterprise Authentication Providers. Then click SAML.
  3. On the SAML Authentication Providers page, click Add Authentication Provider in the upper right corner and set the parameters required.

    Figure 1 Configuring parameters
    Table 1 Configuring parameters

    Parameter

    Mandatory

    Description

    Icon

    No

    Upload a PNG, JPG, or GIF image whose size does not exceed 50 KB. The recommended size is 32 x 32 pixels.

    Display Name

    Yes

    Display name of the authentication provider, for example, SAML.

    entityId

    Yes

    Enter the value of EntityID displayed in the IdP's metadata file.

    Signing Certificate

    Yes

    Obtain the signing certificate from the IdP's metadata file.

    A signing certificate is a public key certificate used for signature verification. It is used during identity authentication to ensure that assertions are credible and complete.

    Binding

    Yes

    Enter the value of SingleSignOnService displayed in the IdP's metadata file.

    This parameter specifies how SAML requests are sent during user login. The SingleSignOnService parameter in the metadata file must support HTTP Redirect or HTTP POST.

    SSO URL

    Yes

    Enter the value of SingleSignOnService displayed in the IdP's metadata file.

    Logout URL

    No

    Enter the value of SingleLogoutService displayed in the IdP's metadata file.

    This parameter indicates the URL to which users will be redirected after logging out of their sessions.

    Source Attribute

    Yes

    Keep unique user attribute the same as the system attribute configured in the application mappings. For example, NameId.

    Related User Attribute

    Yes

    OneAccess user attribute that maps the user attribute of the SAML authentication provider. For example, ID.

    No User Associated

    Yes

    Operation that will be performed if a user successfully logs in through SAML authentication but fails to be associated with a system user. For example, Automatically create users.

    To map other attributes, such as username, set No User Associated to Automatically create users, and add the desired mappings to update existing attributes or not. For details, see Table 2.

    Table 2 Mapping parameters

    Parameter

    Description

    User Attribute

    Attribute (such as username) in OneAccess that maps to the SAML.

    Mapping Type

    Mode of user attribute mapping between OneAccess and the SAML application.

    NOTE:
    • If Mapping Type is set to Authentication Provider Attribute, Source Attribute is required.
    • If Mapping Type is set to Fixed Attribute Value, Fixed Attribute Value is required.
    • If Mapping Type is set to Script-based, Script is required.

Parent topic: SAML Authentication