Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 21 Next »

About SAML Single Sign-On in ZPC

Single Sign-On can be setup in ZPC against any Identity Provider (IdP) which supports SAML 2.0.

This guide covers the steps required to setup SAML SSO against Okta, Azure AD & ADFS IdP’s.

For an exhaustive list of supported IDP’s, visit SAML-based products and services.

Provide ZPC Service Provider (SP) Metadata to your Identity Provider (IdP)

Export the SP Metadata to provide to your IdP.

Adding ZPC as a Service Provider (SP) in OKTA using URL to the hosted metadata.xml file:

  1. Open the ZPC SP Metadata file you exported in the previous step to get the information required for configuring the required SAML settings in OKTA

  1. Fill in the Single sign on URL and Audience URI (SP Entity ID) fields in OKTA by searching your ZPC SP Metadata file for the values in red below:

    1. Copy the entityID value from the ZPC SP metadata to the Single sign on URL field in OKTA.

      In this example the value is https://stack8-demo.smacs.stack8.com:443/saml/SSO

    2. Copy the </md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location= value from the ZPC SP metadata to the Audience URI (SP Entity ID) field in OKTA.

      In this example the value is https://stack8-demo.smacs.stack8.com:443/saml/metadata

Adding ZPC as a Service Provider (SP) in ADFS using metadata.xml file:

  1. Click on Add Relying Party Trust

  2. Select default option “Claims Aware”

  3. Select “Import data about the relying party from a file”

  4. Upload the Service Provider (SP) metadata file from previous step.

  5. Provide a meaningful Display Name for ZPC relying party and click “Next”

  6. Select “Permit everyone” and click “Next”

  7. Enable “Configure claims issuance policy for this application” checkbox and click “Close”

Configure Name Identifier (NameID)

Configuring Name Identifier in Okta

  1. Set Name ID format to “Unspecfied”

  2. Set Application username to “sAMAccountName”

  3. Click Next and then Finish.

Configuring Name Identifier in ADFS

  1. Edit Claim Issuance Policy

  2. Click “Add Rule”

  3. Choose Claim rule template “Send LDAP Attributes as Claims” and click “Next”

  4. Provide a Claim rule name, select the Attribute Store “Active Directory” from the dropdown, provide the value from Username Attribute from LDAP Management in ZPC to Name ID mapping and click “Finish”.

Provide Users Access to the ZPC Application

In OKTA

Go to the Assignments tab of your newly created application and click the Assign dropdown to select people or groups to assign.

Download your Identity Provider (IdP) Metadata

Download ADFS IDP Metadata

Drop this link in your browser to download your IdP metadata.

https://< hostname >/federationmetadata/2007-06/federationmetadata.xml

Download OKTA IDP Metadata

  1. Click on “View Setup Instructions” of the ZPC Application you created for OKTA.

  2. Navigate to the bottom of the page and copy paste the contents of the box containing your IDP metadata to a text file. You will upload this file to ZPC to complete your SSO setup.

Making changes to the OKTA applications SAML Settings (the steps completed in previous sections) will modify the IDP Metadata file.

You must re-download the latest IDP Metadata anytime a change is made to these settings.

Go back into ZPC and complete the SAML SSO Configuration

  1. Import your IDP metadata

  2. Enable SSO

  3. Logout from ZPC

  4. Go to the ZPC URL & click the teal login button to authenticate using SAML SSO

  5. For any login issues with SSO, please reach out to ZIRO Support.

SSO Configuration Complete ✔

Once logged in you will have initiated a Single Sign-On session which will give you access to all other applications registered to your IdP server without having to re log-in.

  • No labels