.. _sso-sp-settings:



Configure Self-service SSO SP settings
----------------------------------------

.. _20.1.1|VOSS-568:

:bdg-info-line:`hcs-admin`


.. tip:: 

   :ref:`use-action-search-to-navigate-automate`


This procedure configures Self-service Single Sign-On (SSO) for Automate.

.. note:: 
   
   * The configuration applies to customers and customer administrators associated with the 
     identity provider (IdP).

   * Administrators are configured for SSO use via the **Users** page.

   * Administrators can also be configured with multiple user roles, that is, have a user type
     "End User + Admin" (see: :ref:`role-based-access-admins`).
     
     While the role of such an administrator user is "selfservice", the user's association 
     with an Authorized Hierarchy model instance redirects such an administrator to the 
     *same* interface as a single role administrator when using the SSO URLs for login. See 
     *Integrating with an SSO Identity Provider*.

     Administrators with multiple user roles who wish to access the 
     *Self-service* interface need to explicitly switch to the Self-service portal URL
     upon login:

     ::

        https://<Hostname>/selfservice/#/



.. rubric:: Prerequisites: 

* Create a self-signed or third-party-signed system certificate. 
* The Automate server and the IdP server must be configured so that their clocks are synchronized.

  You can define the number of seconds of permitted clock drift between Automate and the 
  IdP. The number of seconds for tolerance is customizable, and this value must be 
  set in accordance with the deployment's security policy. By default, Automate uses a 
  value of 0 for clock drift; that is, it assumes the clocks are exactly in sync.

* You must be a high-level administrator logging in above the *Provider* admin level to 
  perform this procedure. 



.. rubric:: To configure self-service Single Sign-On (SSO) for Automate:

1. Log in to Automate as `hcsadmin`.
#. Go to **SSO SP Settings**.
#. Click the Plus icon (+) to add a new record.

   .. note:: 
      
      Configure only one instance of SSO SP Settings.

#. On the **Base** tab/panel: 

   * (Mandatory). At **System Certificate**, select the signed third-party system 
     certificate to use. 

     .. note:: 

        Choosing an unsigned certificate will result in an error. For details on renewing an 
        expired certificate, see *Renew single sign-on certificate for Automate* in the Core Feature Guide.
   
   * At **Validity (Hours)**, to allow the SSO SP setting to expire, enter a number of hours. This is 
     the period (in hours) for which the published SP metadata remains valid.
   
#. On the **SAML SP Settings** tab/panel: 

   * (Mandatory). At **FQDN of the Server**, fill out the server FQDN. 
   
     .. note:: 
      
        This is the FQDN that will be embedded in the SP metadata for this IdP, in the URLs that refer back to the Service Provider. 
        The FQDN of the server is stored in the SP metadata that is uploaded to the IdP. The SSO login URL 
        then contains the fully qualified domain name (FQDN):
      
        ``https://<FQDN of the Server>/sso/<login_URI>/login``
  
        If you have configured a custom hostname for SSO user login, enter it here. Upon login, the 
        IdP will redirect you to this FQDN.

   * Select options relevant to your security environment and requirements: 
   
     * **Sign Authn Requests**

       Defines whether outgoing authentication messages will be signed. If yes, the specified private key will 
       be used. By default, this is False (unchecked). If one of your identity providers has *WantAuthnRequestsSigned* 
       set in its metadata, then select this checkbox (set to True).

     * **Want Assertions Signed** 

       Defines whether assertions should be signed. 
       Only select Want Response Signed if you're sure that all IdPs sign responses.

   .. note:: 

      If a secure connection is required with the secure attribute set on the cookies, the URL 
      values for bindings of end points must be specified with ``https``. 

      The **Assertion Consumer Service** fields define how SAML requests and responses map on to standard 
      messaging and communications protocols. 

#. Save your changes. 

   .. note:: 

      Saved SSO settings are published by the Automate service provider and are available 
      from the metadata URL, for example: http://mydomain/sso/metadata/. SSO service provider 
      configuration requests to this URL automatically trigger an XML file download of the specified 
      SSO service provider configuration.

#. View the location of the Automate SP metadata that you will upload to the IdP: 

   * Go to **SSO SP Metadata**. 
   * Point your browser to the URL shown here. 
   * Save a copy of the SP metadata.

#. Upload SP metadata to the IdP.

   Refer to your IdP documentation for details on configuring SSO on your IdP.
      
   The IdP must release the UID and map it to an appropriate attribute. For example, an IdP that 
   authenticates with Active Directory can map the UID SAML attribute to sAMAccountName in the 
   Active Directory server.

#. Download IdP metadata from the IdP server. 

   Refer to your IdP documentation for details on downloading IdP metadata.
      
   If an expired SSO certificate is being renewed and the IdP metadata has *not* changed, then the 
   download, configure, and upload of the IdP metadata is not required.
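As an added check that is not part of the original procedure: once you have saved a copy of the SP metadata, the Python script below (written for this page, not Automate's own code) parses it and confirms that ``AuthnRequestsSigned`` and ``WantAssertionsSigned`` match the checkboxes you selected on the **SAML SP Settings** panel, that ``validUntil`` (the published form of **Validity (Hours)**) has not passed, and that every Assertion Consumer Service location uses ``https`` and the **FQDN of the Server**. The embedded metadata and the hostname ``automate.example.com`` are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata (not a real Automate download); automate.example.com stands in for the FQDN.
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://automate.example.com/sso/metadata/" validUntil="2030-01-01T00:00:00Z">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://automate.example.com/sso/acs/" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://automate.example.com/sso/acs-legacy/" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _parse_utc(stamp):
    # SAML timestamps are xsd:dateTime in UTC, e.g. 2030-01-01T00:00:00Z
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def check_sp_metadata(xml_text, fqdn, sign_authn, want_assertions_signed, now_iso=None):
    """Return a list of findings; an empty list means the metadata matches the chosen settings."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor element in metadata"]
    findings = []
    # The two checkboxes on the SAML SP Settings panel are published as these two attributes.
    for attr, expected in (("AuthnRequestsSigned", sign_authn),
                           ("WantAssertionsSigned", want_assertions_signed)):
        actual = sp.get(attr, "false").lower() == "true"
        if actual != expected:
            findings.append(f"{attr} is {actual}, expected {expected}")
    # Validity (Hours) becomes validUntil; an IdP will reject metadata whose validity has passed.
    valid_until = root.get("validUntil")
    now = _parse_utc(now_iso) if now_iso else datetime.now(timezone.utc)
    if valid_until and _parse_utc(valid_until) <= now:
        findings.append(f"metadata expired at {valid_until}")
    # Endpoint bindings must be https (secure cookies) and must point back at the FQDN of the Server.
    for acs in sp.findall("md:AssertionConsumerService", NS):
        loc = acs.get("Location", "")
        if urlparse(loc).scheme != "https":
            findings.append(f"ACS index {acs.get('index')} is not https: {loc}")
        elif urlparse(loc).hostname != fqdn.lower():
            findings.append(f"ACS index {acs.get('index')} does not use FQDN {fqdn}: {loc}")
    return findings
```

Run it against the file you downloaded from **SSO SP Metadata** with the values you entered; any finding means the published metadata does not reflect the settings you intended to upload to the IdP.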





