SSO identity provider

Tip

Use the Action search to navigate Automate

Integrating with an SSO identity provider

This procedure configures integration with a SSO identity provider (IdP).

1. Log in as Provider, Reseller, or Customer administrator (depending on your IdP configuration level).

2. Go to File Management and upload the IdP metadata.

3. Go to SSO Identity Provider, then click the Plus (+) icon to add the SSO identity provider configuration.

   Note

   Only one instance of an SSO identity provider can be configured for a hierarchy node.

   While an IdP may exist at more than one hierarchy in Automate, a user will only be permitted to log in if the user exists at or below the hierarchy of a single IdP.

4. On the SSO Identity Provider configuration page, complete at least the mandatory settings:

   • Entity ID

   • Login URI

   • Local Metadata File

   • User lookup field

5. At UID Attribute Name, if a custom attribute is used as the UID from the identity provider (IdP), then use this attribute as the UID attribute name.

   Automate evaluates the value in UID Attribute Name first as the UID to identify the user and is for example used as an alternative user identifier when the default UID record is not present.

   If this value is not present, the default UID record is used to identify the user. For example, if the UID attribute is not mapped on the identity provider (IdP) and an attribute ElectronicMail is mapped to mail on the (IdP), the User lookup field on the SSO identity provider should be the value from the email field in Automate, and the value for UID Attribute Name should be ElectronicMail (the attribute returned by the IdP).

   The full URL of a claim in the assertion may be used as the UID attribute name together with the mapped field on User.

   The SAML response may include claims attributes configured on the IdP as follows:

   'http:\/\/schemas.microsoft.com\/identity\/claims\/objectidentifier': ['e333df87-4321-4889-852e-45c291234a2b'],
   'http:\/\/schemas.microsoft.com\/identity\/claims\/displayname': ['Users_Display_Name'],
   ...
   'http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/name': ['User@some_domain.com']
   

   If ‘User@some_domain.com’ maps to username in Automate, the SSO may be configured as follows:

   • User lookup field = username

   • UID Attribute Name = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

6. At Service Provider Domain Name, if a customer is using a custom domain, the value for service provider domain name is filled out at the hierarchy level and the login and metadata URLs used will be tied to the IdP as follows:

   SSO Login URL:         ``https://<Service Provider Domain Name>/sso/<Login URI>/login``
   Admin Portal:          ``https://<Service Provider Domain Name>/admin/sso/<Login URI>/login``
   

   The metadata is obtained from: https://<Service Provider Domain Name>/sso/<Login URI>/metadata

   If the service provider domain name is specified, the metadata XML file from Automate then contains Service.Provider.Domain.Name in the assertion consumer service URL as shown in the example below:

   <md:AssertionConsumerService
       Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
       Location="https://Service.Provider.Domain.Name/sso/acs/"
       index="1"/>
   

   This metadata needs to be uploaded to the IdP (not the generic metadata obtained from SSO Service Provider Configuration).

   Important

   If you have previously uploaded metadata to the IDP and you subsequently complete this Service Provider Domain Name field, you need to remove the previous record from the IdP and re-upload the metadata so that it contains this field.

   If the service provider domain name is not specified for a given IdP, the following URLs formats are used for SSO login:

   SSO login URL:         ``https://<FQDN of the Service Provider>/sso/<login_URI>/login``
   Admin Portal:          ``https://<FQDN of the Service Provider>/admin/sso/<Login URI>/login``
   

   The IdP redirects to this FQDN on login.

7. Click Save to save the SSO IdP configuration and enable SSO if selected.

8. Go to User Management > Users and filter on Auth Method equals SSO to display enabled SSO users.

Related topics

• See SAML SP Settings FQDN in SSO SP Settings

SSO identity provider (IdP) settings

The table describes the configuration settings on the SSO Identity Provider page:

Field	Description
Entity Id	Mandatory. Entity ID of the IDP. This field must exactly match the entity ID in the IdP metadata file.
Login URI	Mandatory. Login URI for the IDP. This is the URI that will be embedded in SSO Login URL. It can contain only alphanumeric characters and forward slashes.
Service Provider Domain Name	The FQDN that will be embedded in the SP metadata for this IdP for URLs that refer back to the service provider.
Local Metadata File	Mandatory. Choose the IdP metadata file. This field must be unique across the system.
Note	A reminder to upload the IdP metadata file.
SSO Enabled	Select the check box to enable SSO for users synced in or created at the current hierarchy level. Clear this check box to disable SSO for the users associated with the defined IDP.
SSO Login URL	Read-only field displays the SSO Login URL to use. Users with selfservice role and no Authorized Admin Hierarchy will be redirected to Self-service.
Admin SSO Login URL	Read-only. Displays the new Admin Portal SSO Login URL to use.
Business Admin SSO Login URL	Read-only. Displays the new Business Admin Login URL to use. From release 21.4, this will always redirect to the new Admin Portal.
User lookup field	Mandatory. Select the field to bind the VOSS and SSO user - typically username.
UID Attribute Name	An optional attribute name string value configured on the Identity Provider to be used as UID for authentication. If present, this value is evaluated first by Automate as the UID and used as an alternative user identifier when the default UID record is not present. If this value is not present, the default UID record is used to identify the user.
Authentication Scope	Hierarchical scope this server applies to. Full tree authentication (default): All nodes at and below this node in its tree can authenticate against this server. Local authentication: Only users at this node can authenticate against this server.
User Sync Type	Type of users that can authenticate against this server. Synced users only: Only users synced in from LDAP can authenticate against this server. All users

Related topics

• For further details on authentication scope, see also User login options by auth method and server auth scope

SSO Scenarios for User Roles

The table maps user roles to the log in URLs - single role or multiple role (includes Authorized Admin Hierarchy):

User Role	Auth Admin?	URL used	UI (Session Limiting)	Expected Behavior
selfservice	Yes	https://<hostname>/sso/<login-uri>/login	administrator	Redirect to Self-service
selfservice	Yes	https://<hostname>/admin/sso/<login-uri>/login	administrator	Redirect to Admin Portal
selfservice	No	https://<hostname>/sso/<login-uri>/login	selfservice	Redirect to Self-service
administration	Yes	https://<hostname>/sso/<login-uri>/login	administrator	Redirect to Admin Portal
administration	Yes	https://<hostname>/admin/sso/<login-uri>/login	administrator	Redirect to Admin Portal
administration	No	https://<hostname>/sso/<login-uri>/login	administrator	Redirect to Admin Portal
administration	No	https://<hostname>/admin/sso/<login-uri>/login	administrator	Redirect to Admin Portal

Administrators set up with SSO but who have multiple user roles and who wish to access the Self-service interface must navigate to the Self-service portal URL upon login:

https://<Hostname>/selfservice/#/