Configure SAML authentication for end users

In this article you will learn at a high level how to:

  • Set up and configure MetaAccess SDP as a Service Provider (SP) in most IdPs

  • Export the resulting connection data from your IdP and import it to the MetaAccess Console.

  • Enable SAML SSO for your SDP end users.

  • Provide access to SDP-protected applications based on IdP group membership.

  • Invoke SDP by logging in to your IdP as an end user.

If you need help with your specific IdP, please see one of the pages below.

  1. Log into your existing SAML IdP as an administrator or create a trial account (for example JumpCloud).

  2. In an existing production IdP, you will likely already have a number of user accounts organized into groups. For a test IdP, you will need to create one or more users and assign them to groups as shown here: JumpCloud

  3. In your IdP, create an application. If there is a catalogue of common SP applications, you will NOT want to use those options. You will want to create a custom app.

  4. Give the new app a label.

  5. Configure the SP Entity IDs. If required, you may also need to fill in an IdP EntityID, but most IdPs specify this for you. These are identifiers the two ends are going to use to verify that authentication attempts are coming from and going to the right places. It doesn’t really matter what they are; just remember them for later when configuring MetaAccess.

  6. In some IdPs, you will also need to configure an IdP URL.

  7. Assign one or more existing Users or Groups to access the new application.

  8. Enable group attributes for the application. Some IdPs will NOT let you pick a group attribute (Microsoft Azure for example). In this case, you will need to determine your IdP’s group attribute. Whatever your group attribute, you will need to remember it later for entry into MetaAccess.

    NOTE: Some IdPs will not allow you to assign group attributes at this point. For those providers, you will need to wait until after you configure MetaAccess. As such, a couple of these steps will be repeated below. Please ignore them if you have already done the work here!

  9. Export the IdP metadata that you will later load into the MetaAccess Console. In some cases your IdP will require you to save the application first and go to a different part of the UI to export the metadata.

  10. Navigate to the MetaAccess administration console. Enable single sign-on for SDP.
    Note that there are two kinds of SAML SSO setup here. The “Console” setup is for logging into the MetaAccess administration console itself. The “SDP” setup is for logging end users in to the SDP product. We’re setting up SDP here.

  11. Import configuration from an XML file. Select the IdP Metadata file you downloaded earlier. This should populate a variety of fields on this page automatically.
    Note that while some of these fields are marked as mandatory (they have an asterisk next to them), they should all be provided by the IdP metadata XML file. All of the fields on this page other than the metadata upload are intended for cases where the metadata file isn’t provided by the IdP, or is incomplete.

  12. At the bottom of this form is the configuration for Group Attributes. You need to tell MetaAccess what your IdP is going to use as the attribute containing group information. This can be anything; you just need to enter the same name into your IdP later.

  13. Copy the MetaAccess Login URL.

  14. Save the MetaAccess SDP SSO configuration using the Save button in the upper right of the current page.

  15. Go back to the IdP configuration for this application. Paste the MetaAccess Login URL as the ACS URL or the SP Login URL.

  16. Enable group attributes for the application. Make sure to use the same name specified earlier in the MetaAccess configuration.

  17. Add the group you created earlier to this application in the User Groups tab.

  18. Save the application again in your IdP.

  19. The MetaAccess settings applied to a device depend on what MetaAccess group it is in. In this case we want to make sure that SDP is enabled for the MetaAccess group. For this example I only have the single default group.
    Note that I’ve already got a device in this group. If you need to install the OPSWAT client and get a device in inventory, do so now.

  20. You should now define the IdP groups. This should match the name of the group used earlier when configuring the group in your IdP.

  21. Add an IdP Group to act as an anchor for the SAML group within MetaAccess. The “Identity Provider Group” value should match exactly what you entered as the group name in your IdP. The “Name On MetaAccess” can be anything you like. Some IdPs don’t expose nice names for groups, so this is a chance to give the group a name that is easy to work with on the MetaAccess side.

  22. At this point you can add any protected applications. When prompted for which users have access to these applications, select the IdP groups you created earlier.

  23. Log in to your IdP as an end user. You may need to log out of the administrator console to get back to a login prompt.

  24. Select the MetaAccess application.

  25. You’ll be prompted to launch the SDP client if it is already installed. If you still need to install the OPSWAT client, you can do so from the link on this page.

  26. SDP should launch and connect. You should have access to that test resource.
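The two values this walkthrough tells you to "remember" are the SP Entity ID (step 5) and the group attribute name (steps 12 and 16). The following added example, which is not OPSWAT code and uses a constructed, unsigned assertion plus assumed names (`metaaccess-sdp-sp`, `memberOf`), shows what a service provider checks with them: the Audience must equal the configured SP Entity ID, and groups are only found when the attribute name matches exactly.

```python
# Added example (not OPSWAT code): apply the two configuration values from the
# walkthrough to a SAML assertion. A constructed, unsigned assertion is used so
# the script runs offline; in practice the signature is verified first.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; entity IDs and group names are illustrative.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>metaaccess-sdp-sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>sdp-users</saml:AttributeValue>
      <saml:AttributeValue>finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def audience_matches(assertion_xml, sp_entity_id):
    """True only if an Audience in the assertion equals our SP Entity ID (step 5)."""
    root = ET.fromstring(assertion_xml)
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    return sp_entity_id in audiences


def groups_from_assertion(assertion_xml, group_attribute):
    """Return the values of the attribute named `group_attribute` (steps 12/16).
    The comparison is exact: a name mismatch between MetaAccess and the IdP
    yields an empty list, which is why no protected app would be granted."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") == group_attribute:
            groups.extend(v.text for v in attr.findall("saml:AttributeValue", NS))
    return groups


if __name__ == "__main__":
    print(audience_matches(SAMPLE_ASSERTION, "metaaccess-sdp-sp"))  # True
    print(groups_from_assertion(SAMPLE_ASSERTION, "memberOf"))       # ['sdp-users', 'finance']
    print(groups_from_assertion(SAMPLE_ASSERTION, "groups"))         # [] (name mismatch)
```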