Integration overview for third-party authentication using SAML 2.0 - Security Center 5.12

Security Center Administrator Guide 5.12

Product: Security Center
Content type: Guides > Administrator guides
Version: 5.12
Language: English
Last updated: 2024-09-13

Before users can log on to Security Center using an external identity provider with SAML 2.0, you must configure Security Center with an external identity provider.

The following table lists the tasks required to deploy third-party authentication using SAML 2.0:
Understand the prerequisites and key issues before integrating

Step 1: Learn about the different components and how they connect.

Step 2: Ensure all Security Center clients trust the connection to your identity provider.

To establish trust, the identity provider's public key certificate must be signed by a Certificate Authority that is trusted on each computer or mobile device connecting to Security Center.

Step 3: Verify that your Security Center license includes SAML2 integrations.

Go to the Config Tool homepage, click About > Security Center, and confirm that Number of SAML2 integrations is one or more.

Prepare Security Center
Step 4: Add an Authentication Service role for SAML2 and click the Network endpoint tab. You might need to restart the System task to see the endpoints.

To configure your identity provider, you require the redirect and logout endpoints. There are different URIs for each client type:

- /genetec: Config Tool, Security Desk, and SDK
- /<Mobile>OpenId: Genetec™ Mobile. Mobile is the default web address for the Mobile Server role.
- /<WebApp>OpenId: Genetec™ Web App. WebApp is the default web address for the Web App Server role.
- /<SecurityCenter>OpenId: Security Center Web Client. SecurityCenter is the default web address for the Web Client Server role.

Any modification to the Mobile, SecurityCenter, or WebApp addresses creates corresponding changes to the URIs.

To work with role failover, separate redirect and logout URIs are needed for each server that can host the Directory, Mobile Server, Web Client Server, and Web App Server roles. Ensure that role failover is properly configured so that all the required endpoints are displayed.

If any servers are added or retired after setting up the identity provider, you might need to update the configuration by adding or removing URIs.

All clients must be able to resolve the endpoint URI for their type. If a public address is being used, that address must resolve to the correct server for clients connecting from your private network.

Security Center also provides a SAML2 metadata document that includes all required endpoints. You can point to this endpoint from your identity provider to accelerate the setup and ensure that the latest configuration is always available.

Integrate the external identity provider
Step 5: Following the instructions from your identity provider, add Security Center as a relying application in that system.

For successful authentication, Security Center requires the identity provider to return assertions about the authenticated party in an access token.

At a minimum, those assertions must include a username assertion, a name identifier assertion, and a group membership assertion. The Security Center SAML2 metadata document outlines the expected format of the name identifier.

Step 6: Add authorized user groups from your identity provider to Security Center and set privileges.

If your identity provider can export a list of groups in CSV format, you can import that list to Security Center.

Typically, identity providers use names to uniquely identify user groups. When names are used, Security Center user groups must have the same name as the corresponding group from your identity provider, and include the domain name. For example: Operators@YourCompany.com.

If your identity provider uses an ID to uniquely identify a user group, you must perform another step before linking the group to the Authentication Service role. Add the ID to the External unique identifier property for the corresponding user group in Security Center.

Users are automatically created and added to their assigned group or groups when they log on for the first time.
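As an added example that is not part of this guide and not Genetec's code, the following Python script checks a constructed SAML assertion for the three assertions step 5 requires (username, name identifier, group membership) and then maps the returned group values to Security Center user groups following the rules in step 6: a group name must match exactly, including the domain (Operators@YourCompany.com), and any other value is looked up against the External unique identifier property. The attribute names `username` and `groups`, the sample values, and case-sensitive matching are assumptions; the script does not validate the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, not captured from any real identity provider.
# Attribute names are assumptions; use whatever names you mapped in your provider.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@yourcompany.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Operators@YourCompany.com</saml:AttributeValue>
      <saml:AttributeValue>a1b2c3d4-0000-4000-8000-000000000000</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, username_attr="username", groups_attr="groups"):
    """Return (username, name_id, groups) if all three required assertions are
    present; raise ValueError naming the first missing one."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("missing name identifier assertion")
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    if not attrs.get(username_attr):
        raise ValueError("missing username assertion")
    if not attrs.get(groups_attr):
        raise ValueError("missing group membership assertion")
    return attrs[username_attr][0], name_id, attrs[groups_attr]


def match_groups(idp_groups, sc_groups_by_name, sc_groups_by_external_id):
    """Resolve each identity-provider group value to a Security Center user group.
    Names are compared exactly (domain included); anything else is tried against
    the External unique identifier values. Unmatched values are returned separately
    so they can be reviewed before privileges are granted."""
    matched, unmatched = [], []
    for value in idp_groups:
        if value in sc_groups_by_name:
            matched.append(sc_groups_by_name[value])
        elif value in sc_groups_by_external_id:
            matched.append(sc_groups_by_external_id[value])
        else:
            unmatched.append(value)
    return matched, unmatched
```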

Step 7: Configure the Authentication Service role with information about your identity provider.

Open the Authentication Service role for SAML2, click the Properties tab, and input the required fields.