3.3.6.2. SAML Integration

In order to integrate MetaDefender Core with SAML 2.x:

Create new application on IDP site for MetaDefender Core

We selected Okta IDP (https://www.okta.com/) as a supported IDP to demonstrate SAML integration with MetaDefender Core.

1.) Sign in Okta site, and navigate to admin dashboard

images/download/attachments/6752249/image-20200519-070708.png

2.) Add an application, select “Web” application type, and choose “SAML 2.0” for Sign on method

images/download/attachments/6752249/image-20200519-070822.png images/download/attachments/6752249/image-20200519-092846.png

Proceeding to “Configure SAML” step on SAML integration configuration, and keep this page on-hold, we need to generate some data from MetaDefender Core management console before getting back to this page later.

images/download/attachments/6752249/image-20200519-102914.png

On MetaDefender Core management console, create a new user directory for SSO

  • Navigate to Settings > User Management

  • On “USER DIRECTORIES” tab, hit “ADD NEW USER DIRECTORY” button

  • Choose “Security Assertion Markup Language (SAML)” option for “USER DIRECTORY TYPE”

  • Type directory name at your choice

  • In “IDENTIFY PROVIDER” section, hit “FETCH” button to input IDP’s SAML designated metadata API URL (e.g. Okta could be found at https://developer.okta.com/docs/guides/add-an-external-idp/saml2/configure-idp-in-okta/)

images/download/attachments/6752249/image-20200519-102106.png images/download/attachments/6752249/image-20200519-102612.png images/download/attachments/6752249/image-20200519-102633.png

  • In “SERVICE PROVIDER” section:

+ On MetaDefender Console current display, type your MetaDefender Core address in “HOST OR IP” field

images/download/attachments/6752249/image-20200519-084426.png

and a login redirect URL will be auto generated by MetaDefender Core, you will want to copy the full link to proceed:

images/download/attachments/6752249/image-20200519-102817.png

+ Switching to Okta IDP console, paste the single sign on URL and also input Audience URI, check “Use this for Recipient URL and Destination URL” option

images/download/attachments/6752249/image-20200519-103143.png

“USER IDENTIFIED BY” field:

  1. Username can be constructed by attributes set by IDP, or

  2. Defined by customer on IDP site

Please review IDP document for more details. For example, for Okta: https://help.okta.com/en/prod/Content/Topics/Apps/Apps_App_Integration_Wizard_SAML.htm

images/download/attachments/6752249/image-20200519-103502.png

  • In “USER ROLE” section, you are supported to choose default role to map an existing MetaDefender Core local role:

images/download/attachments/6752249/image-20200519-082229.png

Or create a custom role mapping based on RegEx:

images/download/attachments/6752249/image-20200519-082211.png

  • Hit “ADD” button to finish creating new SSO user directory, by default the new created user directory is disabled:

images/download/attachments/6752249/image-20200519-103546.png

You may want to enable it for SSO login fashion

Warning: This action will auto forcefully logout all current active users

images/download/attachments/6752249/image-20200519-103815.png images/download/attachments/6752249/image-20200519-103609.png

Sign on using IDP authentication

Now hitting “LOGIN” button on MetaDefender Core management console upon created SSO user directory, it will auto redirect you to SAML IDP login page as expected:

images/download/attachments/6752249/image-20200519-085829.png

  • Logged in successfully will help you are redirected back to MetaDefender Core management console:

images/download/attachments/6752249/image-20200519-091807.png