6.11 SAML v2 Integration - BlueCat Infrastructure Assurance - 25.2.0

BlueCat LiveAssurance User Guide

Product name: BlueCat Infrastructure Assurance
Version: 25.2.0
You can log in to the LiveAssurance web application using the Security Assertion Markup Language (SAML) v2.0 single sign-on (SSO) protocol. SAML is an open standard protocol for authenticating users to web applications. The SAML v2 protocol is used for exchanging authentication and authorization data between the Identity Provider (IdP) and the Service Provider (the LiveAssurance Web application).
Note: Only a single integration is supported.

SAML v2 Setup

Before you begin the setup, obtain the Identity Provider SSO URL, the Identity Provider Issuer, and the X.509 certificate from the Identity Provider.

Step 1: Configure SAML v2 integration
  1. Select Settings in the sidebar, then select Integrations.

  2. Select Add New Integrations > SSO.

  3. Configure the following parameters:
    • Identity Provider SSO URL—enter the Identity Provider SSO URL. This is the endpoint on the Identity Provider side to which LiveAssurance posts SAML authentication requests.
    • Identity Provider Issuer—enter the name of the Identity Provider Issuer.
    • Identity Provider Certificate—paste the X.509 certificate. LiveAssurance needs the IdP's public certificate to validate the signature on the SAML responses it receives.
    • Select default role—select the default role for users who log in to the LiveAssurance Web Application using SAML v2 authentication.
  4. Select Save.

Step 2: Configure the Identity Provider for single sign-on login to LiveAssurance

Copy the information displayed below into the configuration of the Identity Provider.

Provide this Assertion Consumer Service URL to your Identity Provider. Use this URL in your Identity Provider to begin the setup.

Step 3: Log in to LiveAssurance using SSO

You can sign in to LiveAssurance from the Identity Provider user portal. This is known as the IdP-initiated sign-in flow. Alternatively, you can sign in to LiveAssurance using the LiveAssurance login page with SAML authentication by selecting the SSO LOGIN button. This is known as the SP-initiated sign-in flow.
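As an added illustration of the Step 1 parameters and of the two sign-in flows in Step 3 (example code written for this page, not BlueCat's own code), the following stdlib-only Python models the Service Provider side of the exchange: it builds the AuthnRequest that the SP-initiated flow sends through the browser to the Identity Provider SSO URL, and it runs the checks a Service Provider applies to the Response that arrives at its Assertion Consumer Service URL (Destination, Issuer against the configured Identity Provider Issuer, InResponseTo for the SP-initiated flow, validity window, Audience). The URLs, entity IDs and the sample Response are constructed placeholders. The one check that the pasted X.509 certificate enables, verifying the XML Signature on the Response, needs an XML-DSig library and is not implemented here; a real Service Provider performs it before any of the checks shown.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, urlparse, parse_qs

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical stand-ins for the Step 1 parameters and the Step 2 ACS URL
# (constructed for this example; not real BlueCat or IdP endpoints).
CFG = {
    "idp_sso_url": "https://idp.example.com/sso/saml",          # Identity Provider SSO URL
    "idp_issuer": "https://idp.example.com/entity",             # Identity Provider Issuer
    "acs_url": "https://liveassurance.example.com/saml/acs",    # Assertion Consumer Service URL
    "sp_entity_id": "https://liveassurance.example.com/saml/sp",  # audience the IdP must name
}

def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_authn_request(cfg, now, request_id=None):
    """SP-initiated flow: return (request_id, redirect_url). The AuthnRequest is
    raw-DEFLATEd and base64-encoded as the HTTP-Redirect binding requires; the
    browser is sent to this URL and carries the request to the IdP."""
    request_id = request_id or "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{_ts(now)}" '
           f'Destination="{cfg["idp_sso_url"]}" AssertionConsumerServiceURL="{cfg["acs_url"]}">'
           f'<saml:Issuer>{cfg["sp_entity_id"]}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)      # -15: raw DEFLATE, no zlib header
    payload = base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()
    return request_id, cfg["idp_sso_url"] + "?" + urlencode({"SAMLRequest": payload})

def decode_authn_request(redirect_url):
    """What the IdP does with the redirect: inflate and parse the AuthnRequest."""
    q = parse_qs(urlparse(redirect_url).query)
    return ET.fromstring(zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15))

def make_response(cfg, now, name_id, in_response_to=None, issuer=None, audience=None):
    """Constructed, UNSIGNED IdP Response used as sample input (valid for 5 minutes).
    in_response_to=None models the IdP-initiated (unsolicited) flow."""
    issuer = issuer or cfg["idp_issuer"]
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_ts(now)}" '
            f'Destination="{cfg["acs_url"]}"{irt}>'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_ts(now)}">'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{_ts(now)}" NotOnOrAfter="{_ts(now + timedelta(minutes=5))}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience or cfg["sp_entity_id"]}'
            '</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            '</saml:Assertion></samlp:Response>')

def validate_response(response_xml, cfg, outstanding_ids, now):
    """SP-side checks on a Response before trusting its NameID. Returns
    (ok, reason, name_id). XML-Signature verification with the IdP certificate
    is NOT done here (see lead-in); a real SP must do that first."""
    root = ET.fromstring(response_xml)
    if root.tag != f'{{{NS["samlp"]}}}Response':
        return False, "not a samlp:Response", None
    if root.get("Destination") != cfg["acs_url"]:          # meant for a different SP?
        return False, "Destination is not our ACS URL", None
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "status is not Success", None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion", None
    for el in (root, assertion):                            # both must name the configured IdP Issuer
        if el.findtext("saml:Issuer", namespaces=NS) != cfg["idp_issuer"]:
            return False, "Issuer does not match configured Identity Provider Issuer", None
    irt = root.get("InResponseTo")
    if irt is not None:                                     # SP-initiated: must match a request we sent
        if irt not in outstanding_ids:
            return False, "InResponseTo does not match an outstanding AuthnRequest", None
        outstanding_ids.discard(irt)                        # one-time use blocks replay
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions", None
    if not (_parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window", None
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != cfg["sp_entity_id"]:
        return False, "Audience is not this Service Provider", None
    return True, "ok", assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

def demo():
    """Run both flows plus the failure cases; returns a dict of results."""
    now = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    outstanding = set()
    req_id, url = build_authn_request(CFG, now)
    outstanding.add(req_id)
    parsed = decode_authn_request(url)
    r = {"request_roundtrip": parsed.get("ID") == req_id and parsed.get("Destination") == CFG["idp_sso_url"]}
    r["sp_initiated"] = validate_response(make_response(CFG, now, "alice", req_id), CFG, outstanding, now)
    r["replay"] = validate_response(make_response(CFG, now, "alice", req_id), CFG, outstanding, now)
    r["idp_initiated"] = validate_response(make_response(CFG, now, "bob"), CFG, outstanding, now)
    r["wrong_issuer"] = validate_response(make_response(CFG, now, "bob", issuer="https://other-idp.example.net"), CFG, outstanding, now)
    r["expired"] = validate_response(make_response(CFG, now, "bob"), CFG, outstanding, now + timedelta(minutes=10))
    r["wrong_audience"] = validate_response(make_response(CFG, now, "bob", audience="https://other-sp.example.com"), CFG, outstanding, now)
    return r

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `outstanding_ids` set is the SP's record of AuthnRequests it has issued: in the SP-initiated flow a Response must name one of them and consumes it, so a second presentation of the same Response is rejected, while in the IdP-initiated flow there is no InResponseTo and the remaining checks carry the full weight. This is why the Issuer and certificate entered in Step 1 matter: without the Issuer match and the signature check an unsolicited Response from any party would be indistinguishable from one the configured IdP issued.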

Assigning a role other than the default

When a user signs in through SSO for the first time, a new user entry is created in the user database. To associate a role other than the default role with an SSO user:
  1. Select the Settings tab in the sidebar, then select Users.

  2. Select the vertical ellipsis icon in the row containing the user whose role you want to modify, then select Edit.

  3. Under Groups and Roles, modify the role.

  4. Select Save.

Note: If you cannot locate the SSO user from the user database, have the user log in using SSO authentication. In order to change the role, an SSO user must already exist in the user database.

Migration Considerations

If SSO is mandated in your environment and you want to disable local users, remove the existing users from the local database as part of the migration process. Unlike LDAP and RADIUS, LiveAssurance never interacts directly with the IdP: the browser acts as the agent that carries out all the redirections. Because LiveAssurance does not interact with the IdP, there is no straightforward way to test the setup as there is with RADIUS and LDAP. Validate SAML authentication for one user first, before removing the remaining users from the local database.