Info

About SAML Single Sign-On in SMACS

Single Sign-On can be set up in SMACS against any Identity Provider (IdP) that supports SAML 2.0.

This guide covers the steps required to set up SAML SSO against the Okta, Azure AD and ADFS IdPs.

For an exhaustive list of supported IdPs, visit SAML-based products and services.

Install signed certificate on the SMACS machine

Note

Wildcard Certificates are not supported for SSO.

  1. Generate a CSR

  2. Import the Signed Certificate

  3. Restart Apache via the Stack8 Console (SSH)

Provide SMACS Service Provider (SP) Metadata to your Identity Provider (IdP)

Once the certificate is installed and working correctly, export the SP Metadata to provide to your IdP.

...

    https://<SMACS-FQDN>:8443/saml/metadata

Adding SMACS as a Service Provider (SP) in Okta using the exported metadata.xml file:

  1. Open the SMACS SP Metadata file you exported in the previous step; it contains the values needed for the SAML settings in Okta.

...

  2. Fill in the Single sign on URL and Audience URI (SP Entity ID) fields in Okta with the following values from your SMACS SP Metadata file:

    1. Copy the Location attribute of the md:AssertionConsumerService element whose Binding is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST to the Single sign on URL field in Okta. This is the SMACS endpoint Okta will POST the signed SAML response to.

      In this example the value is https://stack8-demo.smacs.stack8.com:443/saml/SSO

    2. Copy the entityID attribute of the md:EntityDescriptor element to the Audience URI (SP Entity ID) field in Okta. Okta places this value in the assertion's Audience element, and it must match the identifier SMACS uses for itself.

      In this example the value is https://stack8-demo.smacs.stack8.com:443/saml/metadata
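The two values above are easy to mix up, because the metadata file carries both URLs on the same host. The script below is added here as an example; it is not part of SMACS or of this guide. It parses an exported SP metadata file and returns each value keyed by the Okta field it belongs in, picking the HTTP-POST AssertionConsumerService because that is the binding Okta uses for the response, and refusing values that are not HTTPS or that name different hosts. The sample metadata is constructed for this example using the hostname from the example above; only its structure resembles what SMACS exports.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# SAML 2.0 metadata namespace (the "md:" prefix in the exported file)
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata for this example (not a real SMACS export).
# The hostname is the one used in the example above.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://stack8-demo.smacs.stack8.com:443/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://stack8-demo.smacs.stack8.com:443/saml/SSO" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://stack8-demo.smacs.stack8.com:443/saml/SSO" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def okta_fields_from_sp_metadata(xml_text: str) -> dict:
    """Return the values Okta asks for, keyed by Okta's own field names.

    ACS Location (HTTP-POST binding) -> Single sign on URL
    entityID                         -> Audience URI (SP Entity ID)
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.attrib["entityID"]

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is IdP metadata, not SP metadata")

    # Okta delivers the SAMLResponse with an HTTP POST, so only the
    # HTTP-POST endpoint is a valid "Single sign on URL". If several are
    # listed, prefer the one marked isDefault.
    post_acs = [e for e in sp.findall("md:AssertionConsumerService", NS)
                if e.attrib.get("Binding") == HTTP_POST]
    if not post_acs:
        raise ValueError("no HTTP-POST AssertionConsumerService in SP metadata")
    post_acs.sort(key=lambda e: e.attrib.get("isDefault") != "true")
    acs_url = post_acs[0].attrib["Location"]

    # Sanity checks: SMACS publishes both values as HTTPS URLs on its own
    # FQDN. A mismatch means the values did not come from the same file.
    for url in (entity_id, acs_url):
        if urlparse(url).scheme != "https":
            raise ValueError(f"{url} is not an https URL")
    if urlparse(entity_id).hostname != urlparse(acs_url).hostname:
        raise ValueError("entityID and ACS Location name different hosts")

    name_id_formats = [e.text.strip() for e in sp.findall("md:NameIDFormat", NS)]
    return {
        "Single sign on URL": acs_url,
        "Audience URI (SP Entity ID)": entity_id,
        "NameIDFormat": name_id_formats,
    }


if __name__ == "__main__":
    for field, value in okta_fields_from_sp_metadata(SAMPLE_SP_METADATA).items():
        print(f"{field}: {value}")
```

Run it against the real export by replacing SAMPLE_SP_METADATA with the file contents; the NameIDFormat list is printed as well so that it can be matched against the Name ID format chosen in the Okta application later in this guide.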

...

Adding SMACS as a Service Provider (SP) in ADFS using metadata.xml file:

  1. Click on Add Relying Party Trust

  2. Select default option “Claims Aware”

  3. Select “Import data about the relying party from a file”

  4. Upload the Service Provider (SP) metadata file from previous step.

  5. Provide a meaningful Display Name for the SMACS relying party and click “Next”

  6. Select “Permit everyone” and click “Next”. “Permit everyone” lets any user who can authenticate to ADFS reach SMACS; if access should be limited to a set of users, choose “Permit specific group” instead.

  7. Enable “Configure claims issuance policy for this application” checkbox and click “Close”

Configure Name Identifier (NameID)

Configuring Name Identifier in Okta

  1. Set Name ID format to “Unspecified”

  2. Set Application username to “AD SAM account name”

  3. Click Next and then Finish.

Configuring Name Identifier in Azure AD

...

Configuring Name Identifier in ADFS

  1. Edit Claim Issuance Policy

  2. Click “Add Rule”

  3. Choose Claim rule template “Send LDAP Attributes as Claims” and click “Next”

  4. Provide a Claim rule name, select the Attribute Store “Active Directory” from the dropdown, map the LDAP attribute SAM-Account-Name to the outgoing claim type Name ID, and click “Finish”.

Provide Users Access to the SMACS Application

In OKTA

Go to the Assignments tab of your newly created application and click the Assign dropdown to select people or groups to assign.

...

In Azure AD

  1. From the Enterprise Application you added in the previous steps, select Users and groups from the lefthand vertical menu.

  2. Click on + Add user/group

  3. Click on None Selected

  4. A search panel will appear on the right hand side. Use it to search for and select the individual users or groups who should be able to log into your SMACS tenant via Single Sign-On, then click Select.

Download your Identity Provider (IdP) Metadata

Download ADFS IDP Metadata

Open this URL in your browser to download your IdP metadata, replacing <hostname> with the FQDN of your ADFS server:

    https://<hostname>/federationmetadata/2007-06/federationmetadata.xml

...

Download OKTA IDP Metadata

  1. Click on “View Setup Instructions” of the SMACS Application you created for OKTA.

  2. Navigate to the bottom of the page and copy paste the contents of the box containing your IDP metadata to a text file. You will upload this file to SMACS to complete your SSO setup.

Note

Making changes to the Okta application's SAML Settings (the steps completed in the previous sections) will modify the IdP Metadata.

You must re-download the latest IDP Metadata anytime a change is made to these settings.
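A practical way to act on this note is to keep the previously imported IdP metadata and compare it with each fresh download before importing. The script below is added here as an example; it is not SMACS, Okta or ADFS code. It extracts the parts of IdP metadata that the SP depends on, the IdP entityID, the HTTP-POST single sign-on URL and a SHA-256 fingerprint of each signing certificate, and reports which of them changed between two downloads. The two metadata documents are constructed inline with a placeholder hostname and placeholder certificate bytes (not real X.509 certificates), so the example runs offline.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def make_idp_metadata(entity_id: str, sso_url: str, cert_blob: bytes) -> str:
    """Build a constructed IdP metadata document for this example.

    cert_blob stands in for the DER-encoded signing certificate. It is not a
    real certificate, only opaque bytes so that fingerprinting has input.
    """
    cert_b64 = base64.b64encode(cert_blob).decode()
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="{entity_id}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="{sso_url}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_summary(xml_text: str) -> dict:
    """Extract the fields of IdP metadata that the SP relies on."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {e.attrib["Binding"]: e.attrib["Location"]
           for e in idp.findall("md:SingleSignOnService", NS)}
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute is valid for signing too.
        if kd.attrib.get("use", "signing") != "signing":
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return {
        "entityID": root.attrib["entityID"],
        "sso_post_url": sso.get(HTTP_POST),
        "signing_cert_sha256": sorted(fingerprints),
    }


def idp_metadata_changes(old_xml: str, new_xml: str) -> list:
    """Return the names of the fields that differ between two downloads."""
    old, new = idp_summary(old_xml), idp_summary(new_xml)
    return [key for key in old if old[key] != new[key]]


# Constructed snapshots: the second stands for metadata re-downloaded after
# the IdP rotated its signing certificate and moved its SSO endpoint.
OLD_IDP_METADATA = make_idp_metadata(
    "https://idp.example.com/saml", "https://idp.example.com/sso/saml", b"old-signing-cert")
NEW_IDP_METADATA = make_idp_metadata(
    "https://idp.example.com/saml", "https://idp.example.com/app/sso/saml", b"new-signing-cert")

if __name__ == "__main__":
    print(idp_summary(NEW_IDP_METADATA))
    print("changed:", idp_metadata_changes(OLD_IDP_METADATA, NEW_IDP_METADATA))
```

A changed signing certificate fingerprint is the case that matters most: until the new metadata is imported, SMACS will still validate responses against the old certificate and SSO logins will fail.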

Download Azure AD IDP Metadata

Click on the Download link next to Federation Metadata XML

...

Go back into SMACS and complete the SAML SSO Configuration

  1. Import your IDP metadata

  2. Enable SSO

  3. Logout from SMACS

  4. Log in to the stack8-console using the s8admin account and restart the active side of the machine.

  5. Follow the instructions here on how to restart the active side of the smacs machine.

  6. Go to the SMACS URL and click the orange login button to authenticate using SAML SSO.

  7. If SAML login does not work, use the Recovery URL to bypass Single Sign-On and log in with LDAP credentials. Because this URL bypasses the IdP, share it only with administrators.

Tip

SSO Configuration Complete ✔

Once logged in you will have an active Single Sign-On session with your IdP, which gives you access to the other applications registered with it without logging in again.