nexus/knowledgebase/csd-wiki/ICSD/Configure-SAML-authentication-for-SaaS-Customer_686065288.md
2026-04-18 17:09:43 +08:00

Configure-SAML-authentication-for-SaaS-Customer_686065288

Introduction

This document describes how to configure SAML authentication for a SaaS customer. Before this step, the SaaS customer should follow the online documentation to finish the IdP configuration and submit a service request in PCS to share the IdP metadata (which carries the IdP's entityID, SSO endpoints and SAML signing certificate) with the Cloud team. The Cloud Ops engineer then follows this document to complete the remaining configuration in IdM.

Create a SAML configuration in IdM

To create a SAML configuration, follow these steps:

  1. In Suite Administration, click the IdM settings tab in the tenant detail page. The system opens the Authentication page for the corresponding organization in the IdM Admin Portal of the suite.
  2. From the CONFIGURATIONS section, click "+" to add an authentication configuration.
  3. Select SAML as the authentication type from the drop-down list, and then click CREATE.
  4. Enter the related SAML configuration settings:
    1. Enter the display name. Naming rule: --saml
    2. Do one of the following:
      • Select IDP Metadata URL, enter the IdP metadata URL, and then upload the certificate of the IdP (the IdP's SAML signing certificate, not the TLS certificate of the host).
        • ADFS: https://<ad_host>/FederationMetadata/2007-06/FederationMetadata.xml
        • Azure AD: the App Federation Metadata URL you noted during SAML configuration in Azure
      • Select IDP Metadata, and then upload the IdP metadata file.
        • ADFS: download the metadata file from https://<ad_host>/FederationMetadata/2007-06/FederationMetadata.xml
        • Azure AD: the Federation Metadata XML you downloaded during SAML configuration in Azure
  5. Click SAVE.

Create a SAML configuration group in IdM

To create a configuration group for SAML, follow these steps:

  1. After you create a SAML configuration, from the CONFIGURATION GROUPS section, click "+" to add an authentication group.
  2. In the Name field, enter saml. Note: You must use saml as the name for the SAML configuration group. Otherwise, the default login type feature in Suite Administration doesn't work.
  3. In the Display Name field, enter a display name for the authentication group.
  4. In Authentication Group Type, select Normal.
  5. In the Configurations field, select the SAML authentication configuration that you just created. Note: You can add only one SAML authentication configuration to the SAML configuration group.
  6. Click SAVE.

Now, you have completed the SAML configurations. SAML users can access the tenant. After the user logs in to the tenant for the first time, the system automatically synchronizes their user profiles to Suite Administration.

Verify the SAML SSO configuration

To verify that the SAML SSO configuration works, check the following:

  • Users added in the IdP can log in to Service Management using their IdP user credentials.
  • After such a user logs in to Service Management, you can see the user record for the user created in Suite Administration, and various user-related fields that correspond to the outgoing claim types or claims you added in the IdP have the IdP value populated.
  • Once the above changes are complete, the SaaS Ops engineer should schedule a call with the customer to validate the SSO login and the user record information in the IdM, BO and SMAX tenant:
    1. Ask an existing user to log in via SSO.
    2. Check that the claims were updated in IdM.
    3. Check that the fields in the BO and SMAX tenant are correct, such as "First Name", "Last Name", "Email" and "User Principal Name".
    4. Check user sync (IdM -> BO): force the sync on the Account page > Users tab (do not use the "Hard sync user" button on the Tenant form).
    5. Check user sync (BO -> SMAX tenant): go into the tenant and click the Sync button on the Person grid.
    6. The testing should cover both a new user (create a new user in IdM) and an existing user (mapped to an existing user in IdM).