Before you configure BlueCat Edge Cloud with the SAML integration details of your Identity Provider (IdP), you must first configure the IdP so that its SAML assertions carry the attributes BlueCat Edge Cloud uses to authenticate the user, and you must assign each federated user or group in the IdP the BlueCat Edge privilege (role) it should receive.
Attention: The SAML attribute names and values are case sensitive.
Configuring BlueCat Edge Roles
There are currently four roles available in BlueCat Edge: Administrators, System Administrators, Policy Admin, and Analysts (read-only access). To authorize the IdP's federated users to access BlueCat Edge with one of these roles, you must configure a SAML attribute that carries the BlueCat Edge role assigned to specific users or groups within the IdP. The SAML attribute name must be BluecatEdgeRole and the value must be one of ADMIN, SYSADMIN, POLICYADMIN, or ANALYST. Every SAML response that the IdP sends back to BlueCat Edge must contain this role attribute in its assertion; otherwise the authenticated federated user is not granted the appropriate access. The following code block lists a sample SAML attribute statement:
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="BluecatEdgeRole">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ADMIN</saml:AttributeValue>
</saml:Attribute>
Configuring email authentication
You must also configure an assertion attribute that carries the user's email address, because BlueCat Edge Cloud uses the email address to authenticate the user. The SAML attribute name must be Email. The following code block lists a sample SAML attribute statement:
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Email">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">example@bluecatnetworks.com</saml:AttributeValue>
</saml:Attribute>
Configuring NameID format
When configuring the NameID format on your IdP, you must set the value to Email.
(Optional) Configuring name format
By default, if you log in to Edge using SSO and view your profile page, both the User and Email fields display your email address. If you would rather display the user's name in the User field on the Profile page, you must configure an additional SAML attribute. The SAML attribute name must be Name. The following code block lists a sample SAML attribute statement:
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Name">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Jane Doe</saml:AttributeValue>
</saml:Attribute>
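Because the attribute names and role values above are case sensitive, the quickest way to find a misconfigured IdP is to inspect a captured assertion before pointing it at BlueCat Edge. The following checker is an added example written for this page; it is not BlueCat code and does not represent how BlueCat Edge itself validates assertions. It parses an assertion with Python's standard library and reports the four points the sections above describe: a BluecatEdgeRole attribute with one of the four allowed values, an Email attribute, a NameID in email format, and the optional Name attribute. It assumes that selecting "Email" as the NameID format on the IdP produces the standard SAML NameID format URN urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress (an assumption; check what your IdP actually emits). The two sample assertions are constructed for the example and are unsigned; signature validation is out of scope here and must still be done by the service provider.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
# Role values from the page; the comparison is deliberately case-sensitive.
VALID_ROLES = {"ADMIN", "SYSADMIN", "POLICYADMIN", "ANALYST"}
# Assumption: the IdP's "Email" NameID format option emits this standard URN.
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def attribute_values(assertion, name):
    """Return the AttributeValue strings of every Attribute whose Name equals `name` exactly."""
    values = []
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            values.extend((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return values


def check_edge_assertion(xml_text):
    """Check a SAML Assertion (or a Response wrapping one) for the attributes BlueCat Edge expects.

    Returns a dict with "ok", the extracted "roles", "email" and "name", and a list of "findings".
    """
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "roles": [], "email": None, "name": None,
                "findings": ["no saml:Assertion element found"]}
    findings = []

    # Role attribute: exact name match, then exact value match.
    roles = attribute_values(assertion, "BluecatEdgeRole")
    if not roles:
        near = [a.get("Name") for a in assertion.findall(".//saml:Attribute", NS)
                if (a.get("Name") or "").lower() == "bluecatedgerole"]
        hint = f" (found {near[0]!r}; attribute names are case-sensitive)" if near else ""
        findings.append("missing BluecatEdgeRole attribute" + hint)
    for role in roles:
        if role not in VALID_ROLES:
            findings.append(f"BluecatEdgeRole value {role!r} is not one of "
                            f"{sorted(VALID_ROLES)} (values are case-sensitive)")

    # Email attribute: exactly one address.
    emails = attribute_values(assertion, "Email")
    email = emails[0] if len(emails) == 1 else None
    if email is None or "@" not in email:
        findings.append("Email attribute must carry exactly one email address")

    # NameID: email format, and the same address as the Email attribute.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("missing saml:Subject/saml:NameID")
    else:
        if name_id.get("Format") != EMAIL_NAMEID_FORMAT:
            findings.append(f"NameID Format is {name_id.get('Format')!r}, expected {EMAIL_NAMEID_FORMAT}")
        if email and (name_id.text or "").strip() != email:
            findings.append("NameID value does not match the Email attribute")

    # Optional display name; absent means the profile shows the email address.
    names = attribute_values(assertion, "Name")
    display_name = names[0] if names else None

    return {"ok": not findings, "roles": roles, "email": email, "name": display_name, "findings": findings}


def _assertion(name_id_format, role_attr_name, role_value):
    # Constructed, unsigned sample assertion for this example.
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="{name_id_format}">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="{role_attr_name}">
      <saml:AttributeValue xsi:type="xs:string">{role_value}</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Email">
      <saml:AttributeValue xsi:type="xs:string">jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Name">
      <saml:AttributeValue xsi:type="xs:string">Jane Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


GOOD_ASSERTION = _assertion(EMAIL_NAMEID_FORMAT, "BluecatEdgeRole", "POLICYADMIN")
# Wrong attribute-name casing and a persistent NameID instead of an email one.
BAD_ASSERTION = _assertion("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "bluecatedgerole", "ADMIN")

if __name__ == "__main__":
    for label, doc in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        print(label, check_edge_assertion(doc))
```

Run it against an assertion captured from your IdP's SAML tracer (decoded from the base64 SAMLResponse) to see exactly which of the required attributes is missing or mis-cased before the user hits a failed login on the Edge side.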