# Configure-SAML-authentication-for-SaaS-Customer_686065288

## Introduction

This document describes how to configure SAML authentication for a SaaS customer. Before this, the SaaS customer should follow the [online doc](https://docs.microfocus.com/doc/ESM/SaaS/ConfigureSAML) to finish the IdP configuration and submit a service request in PCS to share the IdP metadata with the Cloud team. The Cloud Ops engineer can then follow this document to complete the remaining configuration in IdM.

## Create a SAML configuration in IdM

To create a SAML configuration, follow these steps:

1. In Suite Administration, click the **IdM settings** tab in the tenant detail page. The system opens the **Authentication** page for the corresponding organization in the IdM Admin Portal of the suite.
2. From the **CONFIGURATIONS** section, click **+** to add an authentication configuration.
3. Select **SAML** as the authentication type from the drop-down list, and then click **CREATE**.
4. Enter the related SAML configuration settings:
   1. Enter the display name. Naming rule: `<customer name>-<prod or dev>-saml`
   2. Do one of the following:
      - Select **IDP Metadata URL**, enter the IdP metadata URL, and then upload the certificate of the IdP.
        - ADFS: `https://<ad_host>/FederationMetadata/2007-06/FederationMetadata.xml`
        - Azure AD: the App Federation Metadata URL you noted during SAML configuration in Azure
      - Select **IDP Metadata**, and then upload the IdP metadata file.
        - ADFS: you can download the metadata file from `https://<ad_host>/FederationMetadata/2007-06/FederationMetadata.xml`
        - Azure AD: the Federation Metadata XML you downloaded during SAML configuration in Azure
5. Click **SAVE**.

## Create a SAML configuration group in IdM

To create a configuration group for SAML, follow these steps:

1. After you create a SAML configuration, from the **CONFIGURATION GROUPS** section, click **+** to add an authentication group.
2. In the **Name** field, enter **saml**.

   Note: You must use **saml** as the name for the SAML configuration group. Otherwise, the default login type feature in Suite Administration doesn't work.

3. In the **Display Name** field, enter a display name for the authentication group.
4. In **Authentication Group Type**, select **Normal**.
5. In the **Configurations** field, select the SAML authentication configuration that you just created.

   Note: You can add only one SAML authentication configuration to the SAML configuration group.

6. Click **SAVE**.

Now you have completed the SAML configuration, and SAML users can access the tenant. After a user logs in to the tenant for the first time, the system automatically synchronizes their user profile to Suite Administration.

## Verify the SAML SSO configuration

To verify that the SAML SSO configuration works, check the following:

- Users added in the IdP can log in to Service Management using their IdP user credentials.
- After such a user logs in to Service Management, you can see the user record created for the user in Suite Administration, and the user-related fields that correspond to the outgoing claim types or claims you added in the IdP are populated with the IdP values.
- Once the above change is completed, the SaaS Ops engineer should schedule a call with the customer to validate the SSO login and the user record information in the IDM/BO/SMAX tenant:
  1. Ask an existing user to log in via SSO.
  2. Check that the claims are updated in IDM.
  3. Check that the fields in the BO and SMAX tenant are correct, such as "First Name", "Last Name", "Email" and "User Principal Name".
  4. Check user sync: force the sync between IDM and BO on the Account page > Users tab (**don't touch** the "Hard sync user" button on the Tenant form).
  5. Check user sync: go into the tenant and click the Sync button on the Person grid (BO -> SMAX tenant).
  6. The testing should cover both a new user (create a new user in IDM) and an existing user (mapped to an existing user in IDM).