You can configure an Authentication Service using the SAML2 protocol from the Roles view of System task in Security Center Config Tool.
In the Properties tab, you can configure a SAML2 identity provider for third-party authentication.
- Sets the authentication protocol to use with this identity
provider. Changing the protocol migrates the Authentication Service configuration
between OpenID and SAML2.CAUTION:Depending on the original configuration, migrating an Authentication Service role to another protocol might leave errors in the new configuration. After migrating, ensure that the new configuration is complete and accurate before using it.
- Display name
- Identifies this provider on the client logon screen. Each provider is presented as a button with the text "Sign in with <display name>".
- EntityId URI for the identity provider.
- Metadata URL
- Secure URL (https) pointing to the provider's SAML2 metadata document. This file contains all necessary information to interact with the third-party identity provider, including endpoint locations and capabilities.
- Client ID
- The client ID (also known as audience) is a unique identifier for Security Center that is issued by the identity provider when the application is registered.
- Domain names
- A list of domain names associated with users who will connect to Security Center using this identity provider. Usernames that include one of these domains will automatically be redirected to the provider's logon screen.
- Use artifact resolution
- This switch is turned off by default. Turn it on to use the Artifact Resolution Protocol if it is supported by your identity provider. Artifact resolution provides a more secure form of authentication.
- Username assertion
- SAML2 assertion used by the identity provider to return the username of the authenticated party. Security Center requires a username to authorize access to the client.
- Group assertion
- SAML2 assertion used by the identity provider to return the group memberships of the authenticated party. Security Center requires group membership to authorize access to the client.
- User groups
- Add or remove Security Center user groups that are associated with this identity provider. If your identity provider can export a list of groups in CSV format, that list can be imported here. Groups missing from this list are not associated with the identity provider and will not be used to authorize incoming users.