Before users can log on to Security Center using an external identity provider with SAML 2.0, you must configure Security Center with an external identity provider.
| Step | Task | Where to find more information |
|---|---|---|
| Understand the prerequisites and key issues before integrating | | |
| 1 | Learn about the different components and how they connect. | |
| 2 | Ensure that all Security Center clients trust the connection to your identity provider. To establish trust, a trusted Certificate Authority must have signed the public key certificate of the identity provider, and that CA must be trusted on the computer or mobile device connecting to Security Center. | |
| 3 | Verify that your Security Center license includes SAML2 integrations. Go to the Config Tool homepage, click , and confirm that Number of SAML2 integrations is one or more. | |
| Prepare Security Center | | |
| 4 | Add an Authentication Service role for SAML2 and click the Network endpoint tab. You might need to restart the System task to see the endpoints. To configure your identity provider, you require the redirect and logout endpoints. There are different URIs for each client type: Any modification to the Mobile, SecurityCenter, or WebApp addresses creates corresponding changes to the URIs. To work with role failover, separate redirect and logout URIs are needed for each server that can host the Directory, Mobile Server, Web Client Server, and Web App Server roles. Ensure that role failover is properly configured so that all the required endpoints are listed. If any servers are added or retired after the identity provider is set up, you might need to update its configuration by adding or removing URIs. All clients must be able to resolve the endpoint URI for their client type. If a public address is used, that address must also resolve to the correct server for clients connecting from your private network. Security Center also provides a SAML2 metadata document that includes all required endpoints. You can point your identity provider at this metadata endpoint to accelerate the setup and ensure that the latest configuration is always available. | |
| Integrate the external identity provider | | |
| 5 | Following the instructions from your identity provider, add Security Center as a relying application in that system. For successful authentication, Security Center requires the identity provider to return assertions about the authenticated party in an access token. At a minimum, those assertions must include a username assertion, a name identifier assertion, and a group membership assertion. The Security Center SAML2 metadata document outlines the expected format of the name identifier. | |
| 6 | Add authorized user groups from your identity provider to Security Center and set their privileges. If your identity provider can export a list of groups in CSV format, you can import that list into Security Center. Typically, identity providers use names to uniquely identify user groups. When names are used, Security Center user groups must have the same name as the corresponding group from your identity provider, including the domain name. For example: Operators@YourCompany.com. If your identity provider uses an ID to uniquely identify a user group, you must perform another step before linking the group to the Authentication Service role: add the ID to the External unique identifier property of the corresponding user group in Security Center. Users are created automatically and added to their assigned group or groups when they log on for the first time. | |
| 7 | Configure the Authentication Service role with information about your identity provider. Open the Authentication Service role for SAML2, click the Properties tab, and fill in the required fields. | |
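The checks behind steps 5 and 6 can be rehearsed before wiring up the role: does an assertion from the identity provider carry a name identifier, a username attribute and a group membership attribute, and does every group name match a Security Center user group in the name@domain form? The following script is an added example, not Genetec code; the attribute names `username` and `groups` and the sample assertion are assumptions you would replace with what your identity provider actually sends.

```python
"""Validate a SAML 2.0 assertion against what Security Center expects (steps 5
and 6). Attribute names are assumptions; the sample assertion is constructed."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed attribute names; check what your identity provider emits.
USERNAME_ATTR = "username"
GROUP_ATTR = "groups"

# Constructed sample, not a capture from a real identity provider.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@yourcompany.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Operators@YourCompany.com</saml:AttributeValue>
      <saml:AttributeValue>Auditors@YourCompany.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml):
    """Return (name_id, username, groups); raise ValueError if any of the
    three assertions Security Center requires is absent."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    username = attrs.get(USERNAME_ATTR, [None])[0]
    groups = [g for g in attrs.get(GROUP_ATTR, []) if g]
    missing = [label for label, value in
               (("NameID", name_id), ("username", username), ("groups", groups)) if not value]
    if missing:
        raise ValueError("assertion is missing: " + ", ".join(missing))
    return name_id, username, groups


def match_groups(idp_groups, sc_groups):
    """Split identity-provider groups into those that exactly match a Security
    Center group (name including domain, e.g. Operators@YourCompany.com) and
    those that will not be linked to any privileges."""
    known = set(sc_groups)
    matched = [g for g in idp_groups if "@" in g and g in known]
    unmatched = [g for g in idp_groups if g not in matched]
    return matched, unmatched
```

Run `extract_claims` on an assertion captured from your test tenant, then feed the groups to `match_groups` with the user group names configured in Security Center; anything in the unmatched list will leave the user with no privileges on first logon.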