Configure SAML Assertion Attributes on the Identity Provider - BlueCat DNS Edge

DNS Edge User Guide


Before you enter your Identity Provider's (IdP) SAML integration details into the DNS Edge Cloud, configure the IdP so that it sends the information DNS Edge needs to authenticate federated users, and assign each federated user or group in the IdP the DNS Edge privilege it should receive.

Attention: The SAML attribute names and values are case sensitive.

Configuring DNS Edge Roles

There are currently three roles in DNS Edge: Administrators, System Administrators, and Analysts (read-only access). To authorize the IdP's federated users to access DNS Edge as one of these roles, configure a SAML attribute that carries the DNS Edge role assigned to specific users or groups in the IdP. The attribute name must be BluecatEdgeRole and its value must be one of ADMIN, SYSADMIN, or ANALYST. Every SAML response the IdP sends to DNS Edge must include this attribute; it is what DNS Edge uses to decide which access to grant the authenticated federated user. A sample SAML attribute statement follows:
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="BluecatEdgeRole">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ADMIN</saml:AttributeValue>
</saml:Attribute>

Configuring email authentication

You must also configure an assertion attribute that carries the user's email address; DNS Edge uses it to identify the user who is authenticating with the DNS Edge Cloud. The attribute name must be Email. A sample SAML attribute statement follows:
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Email">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">example@bluecatnetworks.com</saml:AttributeValue>
</saml:Attribute>

Configuring NameID format

When configuring the NameID format on your IdP, set it to Email. In most IdP consoles this setting corresponds to the standard SAML NameID format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, so the Subject of the assertion identifies the user by email address, matching the Email attribute above.

(Optional) Configuring name format

By default, when you log in to Edge using SSO and open your profile page, both the User and Email fields show your email address. If you would rather have the User field on the Profile page show the user's name, configure an additional SAML attribute. The attribute name must be Name. A sample SAML attribute statement follows:
<saml:Attribute Name="Name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">Jane Doe</saml:AttributeValue>
</saml:Attribute>
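The Python script below is an added example, not BlueCat's code or part of the DNS Edge product. It parses a constructed, minimal SAML assertion and checks the three attributes and the NameID format described on this page (Configuring DNS Edge Roles, Configuring email authentication, Configuring NameID format, and the optional Name attribute), applying the exact, case-sensitive names and values the Attention note requires. It assumes that the IdP's "Email" NameID setting emits the standard urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress format URN and that each user carries exactly one BluecatEdgeRole value; the sample assertions inside it are constructed test inputs, not captured IdP responses. It checks attribute content only: signature, audience, condition and replay validation happen elsewhere and must succeed before any of this content is trusted.

```python
"""Check that a SAML assertion carries the attributes DNS Edge expects.

Added example, not BlueCat code. Assumptions: the IdP's "Email" NameID
setting produces the emailAddress NameID format URN, and a user carries
exactly one BluecatEdgeRole value.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # assumed mapping of "Email"
VALID_ROLES = {"ADMIN", "SYSADMIN", "ANALYST"}
ROLE_ATTR, EMAIL_ATTR, NAME_ATTR = "BluecatEdgeRole", "Email", "Name"


def build_assertion(nameid_format: str, nameid: str, attributes: list[tuple[str, str]]) -> str:
    """Build a constructed, minimal assertion for testing (not a real IdP response)."""
    attr_xml = "".join(
        f'<saml:Attribute NameFormat="{BASIC_FORMAT}" Name="{name}">'
        f'<saml:AttributeValue xsi:type="xs:string">{value}</saml:AttributeValue>'
        "</saml:Attribute>"
        for name, value in attributes
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xmlns:xs="http://www.w3.org/2001/XMLSchema">'
        f'<saml:Subject><saml:NameID Format="{nameid_format}">{nameid}</saml:NameID></saml:Subject>'
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def check_edge_assertion(xml_text: str) -> list[str]:
    """Return the problems found; an empty list means the content matches the guide.

    Only NameID format and attribute content are checked here. Signature,
    audience, conditions and replay protection are validated separately.
    """
    root = ET.fromstring(xml_text)
    problems: list[str] = []

    # NameID format: the guide's "Email" setting, assumed to be the emailAddress URN.
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is None:
        problems.append("no NameID in Subject")
    elif nameid.get("Format") != EMAIL_NAMEID:
        problems.append(f"NameID Format is {nameid.get('Format')!r}, expected {EMAIL_NAMEID!r}")

    # Collect attributes by their exact Name; no case folding on the lookup.
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)

    # Diagnose the classic mistake: right attribute, wrong case ("email", "bluecatEdgeRole").
    for wanted in (ROLE_ATTR, EMAIL_ATTR, NAME_ATTR):
        for present in attrs:
            if present != wanted and present.casefold() == wanted.casefold():
                problems.append(f"attribute {present!r} differs from {wanted!r} only in case")

    # Exactly one role, and its value must be one of the three upper-case names (assumption: one role per user).
    roles = attrs.get(ROLE_ATTR, [])
    if len(roles) != 1:
        problems.append(f"expected exactly one {ROLE_ATTR} value, found {len(roles)}")
    elif roles[0] not in VALID_ROLES:
        problems.append(f"{ROLE_ATTR} value {roles[0]!r} is not one of {sorted(VALID_ROLES)}")

    # Exactly one Email value that at least looks like an address.
    emails = attrs.get(EMAIL_ATTR, [])
    if len(emails) != 1 or "@" not in emails[0]:
        problems.append(f"expected exactly one {EMAIL_ATTR} value that looks like an address, found {emails!r}")

    # Name is optional, but if the IdP sends it, it should not be blank.
    if NAME_ATTR in attrs and not any(v.strip() for v in attrs[NAME_ATTR]):
        problems.append(f"{NAME_ATTR} attribute is present but empty")
    return problems


# Constructed samples: one correct, one with the typical misconfigurations.
GOOD = build_assertion(EMAIL_NAMEID, "jane.doe@example.com", [
    (ROLE_ATTR, "ADMIN"), (EMAIL_ATTR, "jane.doe@example.com"), (NAME_ATTR, "Jane Doe"),
])
BAD = build_assertion("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "abc123", [
    ("bluecatEdgeRole", "Admin"), ("email", "jane.doe@example.com"),
])

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, check_edge_assertion(doc) or "OK")
```

Running the script prints an empty result for the correct sample and five findings for the broken one; the "differs only in case" finding is the one that corresponds directly to the Attention note above, and it is usually the fastest way to explain an IdP configuration that looks right but does not map the user to a role.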