Authenticate administrators using SAML v2 authentication method

You can authenticate administrators using a Security Assertion Markup Language (SAML) based identity provider to provide single sign-on (SSO) to the SMC Web Access portal.

Before you begin

You must have the following:
  1. A SAML IdP that is already configured. Contact your SAML IdP support team for details.
  2. The identity provider metadata URL.
  3. Service Provider Entity ID.

Authentication works by exchanging identity data between two parties: an Identity Provider (IdP) and a Service Provider (SP). In this setup, SMC is the service provider.

Identity Provider: Performs the authentication and passes the administrator's identity data and authorization level to the service provider.

Service Provider: Trusts the identity provider and, based on the identity data it receives, authorizes the administrator to access the requested resource.

Note:
  1. The SAML authentication method can only be used with the SMC Web Access portal, and it can only be configured for an administrator.
  2. You must restart the SMC Web Access portal for the changes made to come into effect.

Steps

  1. Create a SAML authentication method element:
    1. Select Configuration, then browse to User Authentication > Authentication Methods.
    2. Right-click and select New Authentication Method.
    3. Enter a unique name for the authentication method element in the Name field.
    4. From the Type drop-down list, select SAML.
      Note: The fields shown below the Type drop-down list change according to the selected type.
    5. Enter the URL from which SMC fetches the SAML configuration details (the IdP metadata) in the Identity Provider Metadata URL field.
    6. Enter the unique identifier for SMC (Service Provider) in the Service Provider Entity ID field.
    7. From the Name ID Policy Format drop-down list, select a policy format. The following policy formats are supported:
      • Persistent: Use this policy format if you want a user to sign in to the identity provider as one user but sign in to the service provider as a different user.
        Note: Before you can use this policy format, you must link the user at the identity provider with the user at the service provider. You can choose to have the user linked during single sign-on or by using the alias service.
      • Transient: Use this policy format if you want users to sign in as a shared anonymous user, regardless of which user they sign in as at the identity provider.
      • Email Address: Use this policy format if you want a user to sign in at the service provider as the same user they sign in as at the identity provider.
      • Unspecified: Use this option if you do not want to specify a policy format.
    8. Enter the name of the SAML 2.0 attribute that carries the username in the Username Attribute Name field. The name must match the attribute the identity provider actually sends in its assertions.
    9. Select the TLS profile to use when connecting to the identity provider. Click Select to choose the element.
    10. Select the TLS credentials to use for signing SAML requests and decrypting SAML responses. Click Select to choose the element.
    11. Optionally, add a comment in the Comment field for your future reference.
    12. Click OK to save the changes.
  2. Configure the SAML authentication in the properties of the administrator:
    1. Select Configuration, then browse to Administration > Access Rights > Administrators.
    2. Right-click an Administrator element, then select Properties.
    3. From the Authentication drop-down list, select the SAML authentication element.
    4. Click OK.
  3. Configure SMC Web Access. For details on how to enable and configure SMC Web Access, see the following sections in the Secure SD-WAN Online Help:
    • Enable SMC Web Access
    • Management Server Properties dialog box
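The Identity Provider Metadata URL, Name ID Policy Format and Username Attribute Name entered in the steps above only work if they match what the identity provider actually advertises and sends. The following Python script is an added example, not part of this documentation or of the SMC product: it parses a constructed IdP metadata document of the kind the metadata URL returns, checks whether each Name ID Policy Format choice from the dialog is among the formats the IdP advertises, and extracts the configured username attribute from a constructed SAML Response. The hostnames, certificate text, attribute names and identifiers are all made up. It performs no signature validation or decryption; a real service provider must validate the assertion signature against the IdP signing certificate (and decrypt encrypted assertions with the selected TLS credentials) before trusting any value shown here.

```python
"""Offline pre-checks for a SAML 2.0 IdP/SP pairing (added example, not product code)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Name ID Policy Format choices from the dialog, mapped to their SAML URIs.
NAMEID_FORMATS = {
    "Persistent": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "Transient": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "Email Address": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "Unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}

# Constructed sample of what an Identity Provider Metadata URL returns (hostname and cert are made up).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBsampleCertBase64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample SAML Response as an IdP would post it back (Signature element omitted).
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">7f3a9c01</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_idp_metadata(xml_text):
    """Return entityID, SSO endpoint per binding, advertised NameID formats and signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor: this is not an IdP")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                certs.append("".join(cert.text.split()))
    return {
        "entity_id": root.get("entityID"),
        "sso": {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)},
        "nameid_formats": [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text],
        "signing_certs": certs,
    }


def check_nameid_policy(meta, policy):
    """Return (ok, reason) for a dialog choice. Unspecified requests no particular format."""
    if policy == "Unspecified":
        return True, "no format requested; the IdP decides"
    uri = NAMEID_FORMATS[policy]
    if not meta["nameid_formats"]:
        return True, "IdP advertises no NameIDFormat; confirm support with the IdP team"
    if uri in meta["nameid_formats"]:
        return True, "advertised by the IdP"
    return False, "IdP does not advertise " + uri


def extract_username(response_xml, attribute_name):
    """Pull the NameID and the configured Username Attribute Name out of the assertion.
    No signature check is done here; a real SP validates the signature first."""
    root = ET.fromstring(response_xml)
    if root.find("saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted: decrypt it with the SP TLS credentials first")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    values = attrs.get(attribute_name, [])
    return {
        "nameid": nameid.text if nameid is not None else None,
        "nameid_format": nameid.get("Format") if nameid is not None else None,
        "username": values[0] if values else None,  # None means the attribute name is wrong
        "attributes": sorted(attrs),
    }


if __name__ == "__main__":
    meta = parse_idp_metadata(IDP_METADATA)
    print(meta["entity_id"], meta["sso"])
    for choice in NAMEID_FORMATS:
        print(choice, check_nameid_policy(meta, choice))
    print(extract_username(SAML_RESPONSE, "uid"))
    print(extract_username(SAML_RESPONSE, "sAMAccountName"))  # wrong attribute name: username is None
```

Run it against the real metadata document fetched from your Identity Provider Metadata URL (and a SAML Response captured from a browser, after decoding it from base64) before restarting the SMC Web Access portal: a Transient choice against this sample IdP is refused because the IdP does not advertise it, and a Username Attribute Name that the IdP never sends shows up as a None username with the list of attributes that were actually present.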