Once you have configured the SAML assertion attributes on the Identity Provider (IdP),
you must configure BlueCat Edge to leverage the existing IdP to authenticate users within
your organization.
Note: You must be a System Administrator to configure the SSO
integration.
Configuring an SSO Integration on BlueCat Edge:
- In the top navigation bar, click and select SSO.
- Click Download to retrieve the metadata information and upload it to your
  IdP. If your IdP doesn't support uploading the metadata file, enter the
  information found within the metadata file into your IdP. If you are entering the metadata file into your IdP, the IdP might require the following service provider settings:
  - Audience: the entityId of the EntityDescriptor. For example, urn:auth0:<Tenant Name>:<Tenant ID>-SamlConnection
  - Customer URL: the field in the IdP that designates where to send the SAML assertions once it has authenticated a user. This must be configured with the Location value in the AssertionConsumerService of the metadata file. For example, https://<Edge Cloud URL>/login/callback?connection=<Tenant ID>-SamlConnection
    Note: Some IdPs refer to this field as the Assertion Consumer Service URL, Application Callback URL, or SignIn/SSO Endpoint.
  - Login URL: the login URL of the instance. For example, https://<Edge Cloud URL>/login
  Attention: If you are manually entering the information from the metadata file, ensure that all information is entered correctly; an incorrect value causes the SSO integration to fail.
- Return to the BlueCat Edge UI and complete the following information:
  - Enter a name and description of the SSO integration.
  - Sign In URL: Enter the SAML SSO URL that you obtained from your IdP.
  - Request Protocol Binding: The protocol used by BlueCat Edge to send the SAML authentication request to your IdP. You can select HTTP-Redirect or HTTP-POST. The default binding value is HTTP-Redirect.
  - User ID Attribute (optional): The attribute in the SAML token that uniquely identifies a user. If this value isn't set, the user_id will be retrieved from the following, in the order listed:
    - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier or nameidentifier
    - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn or upn
    - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name or name
    Note: BlueCat Edge accepts the URL or friendly name of the unique identifier.
  - Signing Certificate: Upload the IdP public key. This must be encoded in PEM or CER format.
- Click Test to test the new connection. A new tab opens
  where you will be asked to sign in to your IdP to test the authentication and
  connection.
  Note: If you are editing an active SSO integration, click Apply & Test to test the updated connection. Clicking the Apply & Test button immediately applies all modified settings to the active SSO integration.
- If the SSO test is successful, click the Active toggle to
  activate the SSO integration. If the test was unsuccessful, you can't activate
  the connection. If you are editing an active SSO integration, you can toggle to
  deactivate the SSO integration.
  Attention: Any API access key set created before activating or deactivating the SSO integration won't be valid in the new SSO state. You must create a new API access key set in the new SSO state to continue to use the BlueCat Edge API. If you deactivate or activate the SSO integration again, you can use the API access key set that was previously created.
- Click Save to apply the settings.
The SSO integration is enabled immediately and you won't be able to connect to BlueCat Edge
using locally created credentials.
Attention: BlueCat strongly recommends
that the corporate system administrator users create a new API access key set after
enabling the SSO integration.
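The following Python script is an added example, not BlueCat's code: it pulls the Audience (entityId) and callback URL (AssertionConsumerService Location) out of a downloaded service-provider metadata file so they are not mistyped into an IdP that cannot import the file, and it resolves user_id from assertion claims in the fallback order documented for the User ID Attribute setting. The metadata document, hostname and tenant values are constructed placeholders, and the standard SAML 2.0 metadata namespace is assumed.

```python
"""Added example (not BlueCat's code): extract the two service-provider values an
admin types into the IdP when it cannot import the metadata file, and resolve the
user_id from SAML assertion claims using the fallback order the page lists.
Assumes standard SAML 2.0 metadata namespaces; the metadata below is constructed."""
from typing import Optional
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample SP metadata, shaped like the file BlueCat Edge lets you download
# (host, tenant name and tenant ID are placeholders, not real values).
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="{MD_NS}" entityId="urn:auth0:example-tenant:TENANTID-SamlConnection">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://edge.example.com/login/callback?connection=TENANTID-SamlConnection"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

def sp_settings(metadata_xml: str) -> dict:
    """Return the Audience (entityId) and callback URL (ACS Location) from SP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    acs = root.find(f"{{{MD_NS}}}SPSSODescriptor/{{{MD_NS}}}AssertionConsumerService")
    if acs is None or not acs.get("Location"):
        raise ValueError("metadata has no AssertionConsumerService Location")
    return {"audience": root.get("entityId"),
            "callback_url": acs.get("Location"),
            "callback_binding": acs.get("Binding")}

# Claim URIs BlueCat Edge checks, in order, when no User ID Attribute is configured;
# each may also appear under its friendly name.
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
USER_ID_FALLBACK = [(CLAIMS + "nameidentifier", "nameidentifier"),
                    (CLAIMS + "upn", "upn"),
                    (CLAIMS + "name", "name")]

def resolve_user_id(attributes: dict, user_id_attribute: Optional[str] = None) -> Optional[str]:
    """Pick user_id: the configured attribute if set, else the first claim present
    in the documented order, accepting either the URL or the friendly name."""
    if user_id_attribute:
        return attributes.get(user_id_attribute)
    for url, friendly in USER_ID_FALLBACK:
        for key in (url, friendly):
            if attributes.get(key):
                return attributes[key]
    return None
```

Compare the values sp_settings returns against what is configured on the IdP before clicking Test; a mismatch in either field is the usual reason a manually entered integration fails.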