Before users can log on to Security Center using an external identity provider with SAML 2.0, you must follow a sequence of steps.
|Step||Task||Where to find more information|
|Understand prerequisites and key issues before integrating|
|1||Learn about the different components and how they connect.|
|2||Ensure all Security Center clients trust the connection to your identity provider.|
To establish trust, the public key certificate for the identity provider must be signed by a trusted Certificate Authority on the computer or mobile device connecting to Security Center.
|3||Verify that your Security Center license includes SAML2.|
Go to the Config Tool home page, click , and confirm that Number of SAML2 integrations is one or more.
|Prepare Security Center|
|4||Add an Authentication Service role for SAML2 and click the Network endpoint tab.|
You might need to restart the System task to see the endpoints.
The redirect and logout endpoints are required to configure your identity provider. There are different URIs for each client type:
NOTE: Mobile and SecurityCenter are the default web addresses for the Mobile Server role and the Web Server role. Any modification to these web addresses will be reflected in the corresponding URIs.
To work with role failover, separate redirect and logout URIs are needed for each server that can host the Directory, Mobile Server, and Web Server roles. Ensure that role failover is properly configured to see all the required endpoints.
If new servers are added, or any servers are retired after the identity provider is set up, you might need to update the configuration by adding or removing URIs, as needed.
All clients must be able to resolve the endpoint URI for their type. If a public address is being used, that address must resolve to the correct server for clients connecting from your private network.
Security Center also provides a SAML2 metadata document that includes all of the required endpoints. You can point your identity provider at this endpoint to accelerate setup and ensure that the latest configuration is always available.
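As an added example (not code from the Security Center documentation), the following parses a SAML2 service-provider metadata document of the kind described above and lists the redirect (AssertionConsumerService) and logout (SingleLogoutService) endpoints it advertises, along with the NameID format, so they can be checked before the identity provider is configured. The metadata is constructed inline; the hostnames and paths are placeholders and do not reflect Security Center's real endpoint layout. The check flags endpoints that are not served over https, endpoints on hosts outside the list of servers that can host the Directory, Mobile Server and Web Server roles, and role hosts that publish no redirect endpoint, which is the failover gap the text warns about.

```python
"""Parse a SAML 2.0 SP metadata document and check the endpoints it advertises.
Added example; the sample metadata is constructed and its hostnames and paths
are placeholders, not Security Center's real layout."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: a primary server and a failover server, with one
# endpoint deliberately published over plain http so the check fires.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sc.example.com/saml2">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sc.example.com/Logout"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sc.example.com/Mobile/Logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sc.example.com/Acs" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sc.example.com/Mobile/Acs" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sc-standby.example.com/Acs" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _tag(local):
    return f"{{{MD_NS}}}{local}"


def parse_sp_metadata(xml_text):
    """Return the entity ID, accepted NameID formats, and the redirect (ACS)
    and logout (SLO) endpoints declared in an SP metadata document."""
    root = ET.fromstring(xml_text)
    sp = root.find(_tag("SPSSODescriptor"))
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    info = {
        "entity_id": root.get("entityID"),
        "name_id_formats": [e.text.strip() for e in sp.findall(_tag("NameIDFormat"))],
        "acs": [],
        "slo": [],
    }
    for e in sp.findall(_tag("AssertionConsumerService")):
        info["acs"].append({
            "binding": e.get("Binding"),
            "location": e.get("Location"),
            "index": int(e.get("index", "0")),
            "default": e.get("isDefault", "false").lower() == "true",
        })
    for e in sp.findall(_tag("SingleLogoutService")):
        info["slo"].append({"binding": e.get("Binding"), "location": e.get("Location")})
    return info


def check_endpoints(info, role_hosts):
    """Flag endpoints that are not https, endpoints on hosts outside the set of
    servers that can host the roles, and role hosts with no redirect endpoint
    (role failover needs one per server). Returns a list of finding strings."""
    role_hosts = set(role_hosts)
    findings = []
    for kind in ("acs", "slo"):
        for ep in info[kind]:
            u = urlparse(ep["location"])
            if u.scheme != "https":
                findings.append(f"{kind} {ep['location']}: not served over https")
            if u.hostname not in role_hosts:
                findings.append(f"{kind} {ep['location']}: host {u.hostname} is not a known role host")
    acs_hosts = {urlparse(ep["location"]).hostname for ep in info["acs"]}
    for host in sorted(role_hosts - acs_hosts):
        findings.append(f"no redirect endpoint published for role host {host}")
    return findings


if __name__ == "__main__":
    meta = parse_sp_metadata(SAMPLE_METADATA)
    print("entityID:", meta["entity_id"])
    print("NameID formats:", meta["name_id_formats"])
    for ep in meta["acs"]:
        print("redirect:", ep["location"])
    for ep in meta["slo"]:
        print("logout:", ep["location"])
    for finding in check_endpoints(meta, {"sc.example.com", "sc-standby.example.com"}):
        print("FINDING:", finding)
```

In practice the metadata would be fetched over TLS from the Security Center endpoint rather than embedded; the point of running a check like this is that the identity provider only ever sees the endpoints the metadata lists, so any server missing from it will fail to complete a logon after failover.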
|Integrate the external identity provider|
|5||Following the instructions from your identity provider, add Security Center as a relying application in that system.|
For successful authentication, Security Center requires the identity provider to return assertions about the authenticated party in an access token.
At a minimum, those assertions must include a username assertion, a name identifier assertion, and a group membership assertion. The Security Center SAML2 metadata document outlines the expected format of the name identifier.
|6||Add authorized user groups from your identity provider to Security Center and set privileges.
If your identity provider can export a list of groups in CSV format, that list can be imported to Security Center.
Typically, identity providers use names to uniquely identify user groups. When names are used, Security Center user groups must have the exact same name as the corresponding group from your identity provider, and include the domain name. For example: Operators@YourCompany.com. However, if your identity provider uses an ID to uniquely identify a user group, that ID must be added to the External unique identifier property for the corresponding user group in Security Center before the group is linked to the Authentication Service role.
Users are automatically created and added to their assigned group or groups when they log on for the first time.
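As an added example covering both the required assertions in step 5 and the group-matching rules in step 6 (not code from the Security Center documentation), the following checks a SAML2 assertion for a username, a name identifier and a group membership claim, then maps the group values onto Security Center user groups either by exact name (domain included, case preserved) or by the External unique identifier. The assertion and the group list are constructed; the attribute names "username" and "groups" are assumptions, since the documentation does not state what the claims are called, and the assertion's XML signature is assumed to have been validated already.

```python
"""Check a SAML 2.0 assertion for the claims Security Center needs and map its
groups onto Security Center user groups. Added example; the assertion, the
group list and the attribute names "username" and "groups" are constructed
assumptions, not values from the Security Center documentation."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion. In a real exchange the XML signature over the
# assertion must be validated against the identity provider's certificate
# before any of these values are trusted; that step is outside this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-0001" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml2</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@yourcompany.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Operators@YourCompany.com</saml:AttributeValue>
      <saml:AttributeValue>Visitors@YourCompany.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed Security Center user groups: one linked by exact name, one linked
# through its External unique identifier.
SC_GROUPS = [
    {"name": "Operators@YourCompany.com", "external_id": None},
    {"name": "Supervisors@YourCompany.com", "external_id": "grp-7f3a"},
]


def _tag(local):
    return f"{{{SAML_NS}}}{local}"


def extract_claims(xml_text, username_attr="username", group_attr="groups"):
    """Pull the name identifier, username and group values out of an assertion.
    The attribute names are assumptions; pass the ones your provider emits."""
    root = ET.fromstring(xml_text)
    name_id = root.find(f"{_tag('Subject')}/{_tag('NameID')}")
    claims = {
        "name_id": name_id.text.strip() if name_id is not None and name_id.text else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "username": None,
        "groups": [],
    }
    for attr in root.iter(_tag("Attribute")):
        values = [v.text.strip() for v in attr.findall(_tag("AttributeValue")) if v.text]
        if attr.get("Name") == username_attr and values:
            claims["username"] = values[0]
        elif attr.get("Name") == group_attr:
            claims["groups"].extend(values)
    return claims


def missing_claims(claims):
    """Names of the required assertions that are absent; an empty list means
    the assertion carries everything Security Center needs."""
    missing = []
    if not claims.get("username"):
        missing.append("username")
    if not claims.get("name_id"):
        missing.append("name identifier")
    if not claims.get("groups"):
        missing.append("group membership")
    return missing


def resolve_groups(idp_groups, sc_groups, by_id=False):
    """Map identity-provider group values onto Security Center groups.
    by_id=False: the value must equal the Security Center group name exactly,
    domain included and case preserved. by_id=True: the value must equal the
    group's External unique identifier. Returns (matched_names, unmatched)."""
    key = "external_id" if by_id else "name"
    lookup = {g[key]: g["name"] for g in sc_groups if g[key]}
    matched, unmatched = [], []
    for value in idp_groups:
        if value in lookup:
            matched.append(lookup[value])
        else:
            unmatched.append(value)
    return matched, unmatched


if __name__ == "__main__":
    claims = extract_claims(SAMPLE_ASSERTION)
    print("missing:", missing_claims(claims) or "none")
    print("by name:", resolve_groups(claims["groups"], SC_GROUPS))
    print("by id:", resolve_groups(["grp-7f3a"], SC_GROUPS, by_id=True))
```

The unmatched list is the useful output when troubleshooting a first logon: a group that differs only in case or lacks the domain suffix (operators@yourcompany.com instead of Operators@YourCompany.com) lands there, which is exactly the mismatch that leaves a new user with no privileges.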
|7||Configure the Authentication Service role with information about your
Open the Authentication Service role for SAML2, click the Properties tab, and input the required fields.