3.1.3 SAML 2.0

The following example uses Okta as the SSO Identity Provider.

Multiple SAML User Directories can be configured but only one can be enabled at a given time.

Select SAML (SSO) in the menu to create a User Directory that integrates with a SAML 2.0 SSO Identity Provider (IdP).
Switch the toggle button to ON to enable this User Directory.
As soon as it is submitted, any other User Directories configured with SAML (SSO) will be automatically disabled.
Switching to OFF only creates the User Directory and will not change any currently enabled User Directories.

images/download/attachments/4927213/image-20201103-192834.png

Click CONTINUE to go to the Configure Service Provider page.
This will set up the login URL the Identity Provider uses to redirect after a successful login.
Fill in Host or IP to generate the Login URL.

Make sure to enter a URL in Host or IP that can be accessed by all of the users that will log in through SSO.

Use the value in Login URL when setting up the application in your Identity Provider.

images/download/attachments/4927213/image-20201104-173240.png

Keep this tab open in your browser then open up your IdP admin page to the section where Applications are added.
In Okta, it looks like the following:

images/download/attachments/4927213/image-20201103-193401.png

Select the option to add an application and then choose to create a new application that uses SAML 2.0.
The way to create a new SAML 2.0 application will vary between Identity Providers.
Refer to the documentation for your IdP for more details.
In Okta, it looks like the following:

images/download/attachments/4927213/image-20201103-193615.png

Continue until the step where the Identity Provider will ask for the Single Sign-on or Login URL.
Switch back to your tab with the Kiosk User Directory setup.
Copy and paste the Login URL from Kiosk into the Identity Provider application setup and finish the setup.

There may be multiple places where you will need to enter this login URL.
In Okta you will need to enter it in the Single sign on URL section and the Audience URI (SP Entity ID) section.
Refer to your Identity Provider documentation for information.

images/download/attachments/4927213/image-20201104-173352.png

You should now have access to the Identity Provider metadata URL for your newly set up application.
Go back to Kiosk and click CONTINUE to go to Configure Identity Provider.
Copy and paste the metadata URL into the Metadata URL section.

images/download/attachments/4927213/image-20201104-002329.png

Click CONTINUE to go to Configure User Role(s).
Here you will configure the role users will get when they log in using SSO.

images/download/attachments/4927213/image-20201104-162030.png

Role Matching Option allows you to choose between:

  • Default Role: assign one user role to anyone that successfully signs in through SSO

  • Role Mapping: assign specific users to specific roles

Select Role Mapping to show the list of assigned users.

images/download/attachments/4927213/image-20201104-162307.png

Fill in the email address or user name in the Add User section and use the dropdown to select a role.
Click Add to add the user to Users assigned to roles.

images/download/attachments/4927213/image-20201104-164258.png

Click CONTINUE to go to SAML (SSO) Wizard Complete and review the User Directory configuration.
Use the BACK button to go back and make any changes if needed.

Click SUBMIT to create the User Directory.
If the toggle is set to ON, SSO will now be enabled for any users attempting to log in to the Management Console.

images/download/attachments/4927213/image-20201104-164748.png

SAML Validation Logging

SAML authentication logging exists in the Kiosk logging directory (<kiosk install dir>\Log) within omdauth.log.
There may be some verbose logging such as: "Failed to compare notAfter timestamp to required regex notAfter=".
This is not a critical error and should not have an effect on the basic usage of SSO login for the Management Console.
It does indicate that the SessionNotOnOrAfter attribute is not being provided by the IdP.

SessionNotOnOrAfter [Optional]
Specifies a time instant at which the session between the principal identified by the subject (Kiosk) and the SAML authority (IdP) issuing this statement MUST be considered ended.

If it is desired to use this attribute, please refer to your Identity Provider documentation to either enable the attribute or add it as a custom attribute.

Per the Okta example, it can be added as a custom attribute in SAML Settings -> General -> Show Advanced Settings:

images/download/attachments/4927213/saml_attributes.png

Then preview the SAML Assertion to ensure it is correct:

images/download/attachments/4927213/saml_preview.png

images/download/attachments/4927213/saml_assertion.png
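The previewed assertion can be checked offline for the two things this page depends on: that the Audience matches the Login URL entered as the Audience URI (SP Entity ID), and whether the AuthnStatement carries SessionNotOnOrAfter, whose absence is what the omdauth.log notAfter message reflects. The script below is an added example, not Kiosk's own validation code; it runs the standard library XML parser over a constructed assertion in which the issuer, IDs, timestamps and the Login URL (https://kiosk.example.com/sso/acs) are placeholders. It deliberately does not verify the XML signature, which the product's SAML stack handles; it only inspects the Conditions and AuthnStatement fields.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The Login URL the Kiosk wizard generates is site-specific; this placeholder stands in for it.
LOGIN_URL = "https://kiosk.example.com/sso/acs"

# Constructed sample in the shape Okta's "Preview the SAML Assertion" shows.
# Issuer, IDs and timestamps are placeholders; no Signature element is included.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_assertion_placeholder" Version="2.0" IssueInstant="2020-11-04T16:00:00Z">
  <saml:Issuer>http://www.okta.com/exk_PLACEHOLDER</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2020-11-04T16:05:00Z"
          Recipient="https://kiosk.example.com/sso/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2020-11-04T15:55:00Z" NotOnOrAfter="2020-11-04T16:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://kiosk.example.com/sso/acs</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2020-11-04T16:00:00Z" SessionIndex="_session_placeholder">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
"""

# The same assertion after the IdP has been configured to emit SessionNotOnOrAfter.
SAMPLE_ASSERTION_WITH_SESSION = SAMPLE_ASSERTION.replace(
    'SessionIndex="_session_placeholder"',
    'SessionIndex="_session_placeholder" SessionNotOnOrAfter="2020-11-04T17:00:00Z"',
)

# Fixed "now" values so the checks are reproducible: inside and after the validity window.
SAMPLE_NOW = datetime(2020, 11, 4, 16, 1, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2020, 11, 4, 16, 10, tzinfo=timezone.utc)


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC with a 'Z' suffix; normalise for fromisoformat."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_audience, now=None):
    """Return (errors, warnings) for the Conditions and AuthnStatement of one assertion."""
    now = now or datetime.now(timezone.utc)
    errors, warnings = [], []
    root = ET.fromstring(xml_text)  # use defusedxml for input you did not construct yourself
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return ["document is not a saml:Assertion"], warnings

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        errors.append("assertion has no Conditions element")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_saml_time(not_before):
            errors.append("assertion not yet valid (NotBefore=%s)" % not_before)
        if not_on_or_after and now >= parse_saml_time(not_on_or_after):
            errors.append("assertion expired (NotOnOrAfter=%s)" % not_on_or_after)
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if not audiences:
            warnings.append("no AudienceRestriction present")
        elif expected_audience not in audiences:
            # The Audience must equal the Login URL entered as Audience URI (SP Entity ID).
            errors.append("audience mismatch: expected %s, got %s" % (expected_audience, audiences))

    authn = root.find("saml:AuthnStatement", NS)
    if authn is None:
        errors.append("assertion has no AuthnStatement")
    else:
        session_end = authn.get("SessionNotOnOrAfter")
        if session_end is None:
            # The condition behind the omdauth.log notAfter message: the IdP did not send it.
            warnings.append("SessionNotOnOrAfter not provided by the IdP (optional attribute)")
        elif now >= parse_saml_time(session_end):
            errors.append("IdP session already ended (SessionNotOnOrAfter=%s)" % session_end)
    return errors, warnings


if __name__ == "__main__":
    for label, doc in (("without session attribute", SAMPLE_ASSERTION),
                       ("with session attribute", SAMPLE_ASSERTION_WITH_SESSION)):
        errors, warnings = check_assertion(doc, LOGIN_URL, SAMPLE_NOW)
        print(label, "-> errors:", errors, "warnings:", warnings)
```

Paste the assertion XML from the IdP preview in place of SAMPLE_ASSERTION and set LOGIN_URL to the value from the wizard: an audience mismatch error means the Audience URI in the IdP application does not match the Kiosk Login URL, while the SessionNotOnOrAfter warning on its own is the benign case the logging note above describes.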