Once you have configured the SAML assertion attributes on the Identity Provider (IdP), you must configure DNS Edge to leverage the existing IdP to authenticate users within your organization.
Note: You must be a System Administrator to configure the SSO integration.
Configuring an SSO Integration on DNS Edge:
- In the top navigation bar, click and select SSO.
- Click Download to retrieve the metadata information and upload it to your IdP. If your IdP doesn't support uploading the metadata file, enter the information found within the metadata file into your IdP. If you are entering the metadata file into your IdP, the IdP might require the following service provider settings:
Attention: If you are manually entering the information from the metadata file, ensure that all information is entered correctly; a mistyped value causes the SSO integration to fail.
- Entity ID—the entityID value of the EntityDescriptor in the metadata file. For example,
urn:auth0:<Tenant Name>:<Tenant ID>-SamlConnection
- Customer URL—the field in the IdP that designates where to send the SAML assertions once it has authenticated a user. This must be configured with the Location value in the AssertionConsumerService of the metadata file. For example,
https://<Edge Cloud URL>/login/callback?connection=<Tenant ID>-SamlConnection
Note: Some IdPs refer to this field as the Assertion Consumer Service URL, Application Callback URL, or SignIn/SSO Endpoint.
- Login URL—the login URL of the instance. For example,
https://<Edge Cloud URL>/login
- Return to the DNS Edge UI and complete the following information:
- Enter a name and description of the SSO integration.
- Sign In URL: Enter the SAML SSO URL that you obtained from your IdP.
- Request Protocol Binding: The protocol used by DNS Edge to send the SAML authentication request to your IdP. You can select HTTP-Redirect or HTTP-POST. The default binding value is HTTP-Redirect.
- User ID Attribute (optional): The attribute in the SAML token that uniquely identifies a user. If this value isn't set, user_id will be retrieved from the following in the order listed:
Note: DNS Edge accepts the URL or friendly name of the unique identifier.
- Signing Certificate: Upload the IdP public key. This must be encoded in PEM or CER format.
- Click Test to test the new connection. A new tab opens where you will be asked to sign in to your IdP to test the authentication and connection.
Note: If you are editing an active SSO integration, click Apply & Test to test the updated connection. Clicking the Apply & Test button immediately applies all modified settings to the active SSO integration.
- If the SSO test is successful, click the Active toggle to activate the SSO integration. If the test was unsuccessful, you can't activate the connection. If you are editing an active SSO integration, you can toggle to deactivate the SSO integration.
Attention: Any API access key set created before activating or deactivating the SSO integration won't be valid in the new SSO state. You must create a new API access key set in the new SSO state to continue to use the DNS Edge API. If you deactivate or activate the SSO integration again, you can use the API access key set that was previously created.
- Click Save to apply the settings.
Once saved, the SSO integration is enabled immediately, and you will no longer be able to sign in to DNS Edge using locally created credentials.
Attention: BlueCat strongly recommends that the corporate system administrator users create a new API access key set after enabling the SSO integration.
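Because a mistyped Entity ID or Assertion Consumer Service URL silently breaks the integration, it helps to pull those values straight from the downloaded metadata and compare them with what was typed into the IdP. The script below is an added example, not BlueCat's code; the metadata it parses is a constructed sample whose placeholder values follow the patterns shown above, and the check that the connection parameter matches the entityID suffix assumes both use the same Tenant ID.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata (not a real DNS Edge download). The
# entityID and ACS Location follow the placeholder patterns in the steps above.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:auth0:example-tenant:abc123-SamlConnection">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://edge.example.com/login/callback?connection=abc123-SamlConnection"
        index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_sp_settings(metadata_xml: str) -> dict:
    """Return the service provider values an IdP needs when it cannot import the file."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    entity_id = root.get("entityID")
    acs = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if not entity_id or not acs:
        raise ValueError("metadata lacks entityID or AssertionConsumerService")
    # Each ACS entry carries the binding the IdP must use and the callback Location.
    return {"entity_id": entity_id,
            "acs": [(a.get("Binding"), a.get("Location")) for a in acs]}


def check_entered_acs_url(settings: dict, entered_acs_url: str) -> list:
    """Compare the ACS URL typed into the IdP against the metadata; return any problems."""
    problems = []
    if entered_acs_url not in [loc for _, loc in settings["acs"]]:
        problems.append("ACS URL does not match any AssertionConsumerService Location")
    # Assumption: the connection parameter ends with the "<Tenant ID>-SamlConnection"
    # suffix that also closes the entityID URN.
    tenant_suffix = settings["entity_id"].rsplit(":", 1)[-1]
    if not entered_acs_url.endswith("connection=" + tenant_suffix):
        problems.append("connection parameter does not match the entityID tenant suffix")
    return problems


if __name__ == "__main__":
    sp = extract_sp_settings(SAMPLE_METADATA)
    print(sp["entity_id"], sp["acs"])
    print(check_entered_acs_url(sp, sp["acs"][0][1]))  # [] when the typed URL matches
```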