Configure the IdP metadata in Address Manager. Obtain the metadata information from your IdP.
Note: Completing the steps below will enable the SSO Enabled mode.
- In Address Manager, select the Administration tab.
- Under User Management, select Identity and Access Management.
- Select the SAML IdP Configuration tab.
Complete the IdP Settings section:
- Name (required): the name of the IdP configuration
- Description (optional): a brief description of the IdP configuration
- Email Attribute Name (required): attribute name for Email in SAML response. The default value is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress which is the default claim group in the IdP server (ADFS).
Group Attribute Name (required): attribute name
for Group in SAML response. The default value is http://schemas.xmlsoap.org/claims/Group which is the default claim email in
the IdP server (ADFS).
Important: The default Email and Group Attribute names are for ADFS. The format and syntax of the Email and Group names are different per IdP.
- SSO (required): The default value is Enable. Before enabling SSO, you must configure Address Manager as a service provider and create SSO groups. For more information, refer to Configuring Address Manager as a Service Provider and Creating SSO groups.
- In the IdP Metadata section, you can either upload the metadata file (XML file) by clicking Choose File in the File field or entering the metadata URL provided by your IdP in the URL field. If you enter the metadata URL, you're directed to a trust page. On the trust page, click Yes to confirm the IdP server certificate.
The IdP metadata populates in the Sign In URL, Single Logout URL, and Entity ID fields.
The SSO Enabled mode is now activated.Note: SSO Enabled modeIn the SSO Enabled mode, the following apply:
- Users can log in to Address Manager using external authentocators such as LDAP, TACACS+, RADIUS, Microsoft Active Directory, and Kerberos
- BAM allows local users (GUI and API)
- The BAM login page has two login options:
- SSO login
- Local login
The next step is to test the SSO connection. You can remain on this page to test the connection.