Once you have configured the SAML assertion attributes on the Identity Provider (IdP), you must configure DNS Edge to leverage the existing IdP to authenticate users within your organization.
Note: You must be a System Administrator to configure the SSO integration.
Configuring an SSO Integration on DNS Edge:
- In the top navigation bar, click and select SSO.
- Click Download to retrieve the metadata information and upload it to your IdP. If your IdP doesn't support uploading the metadata file, enter the information found within the metadata file into your IdP. If you are entering the metadata file into your IdP, the IdP might require the following service provider settings:
Attention: If you are manually entering the information from the metadata file, ensure that all information is entered correctly as this can cause the SSO integration to fail.
- Audience—the entityId of the EntityDescriptor. For example, urn:auth0:<Tenant Name>:<Tenant ID>-SamlConnection
- Customer URL—the field in the IdP that designates where to send the SAML assertions once it has authenticated a user. This must be configured with the Location value in the AssertionConsumerService of the metadata file. For example, https://<Edge Cloud ID>-SamlConnection
Note: Some IdPs refer to this field as the Assertion Consumer Service URL, Application Callback URL, or SignIn/SSO Endpoint.
- Login URL—the login URL of the instance. For example, https://<Edge Cloud URL>/login
- Return to the DNS Edge UI and complete the following information:
- Enter a name and description of the SSO integration.
- Sign In URL: Enter the SAML SSO URL that you obtained from your IdP.
- Request Protocol Binding: The protocol used by DNS Edge to send the SAML authentication request to your IdP. You can select HTTP-Redirect or HTTP-POST. The default binding value is HTTP-Redirect.
- User ID Attribute (optional): The attribute in the SAML token that uniquely identifies a user. If this value isn't set, the user_id will be retrieved from the following in the
Note: DNS Edge accepts the URL or friendly name of the unique identifier.
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier or nameidentifier
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn or upn
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name or name
- Signing Certificate: Upload the IdP public key. This must be encoded in PEM or CER format.
- Click Test to test the new connection. A new tab opens where you will be asked to sign in to your IdP to test the authentication and connection.
Note: If you are editing an active SSO integration, click Apply & Test to test the updated connection. Clicking the Apply & Test button immediately applies all modified settings to the active SSO integration.
- If the SSO test is successful, click the Active toggle to activate the SSO integration. If the test was unsuccessful, you can't activate the connection. If you are editing an active SSO integration, you can toggle to deactivate the SSO integration.
Attention: Any API access key set created before activating or deactivating the SSO integration won't be valid in the new SSO state. You must create a new API access key set in the new SSO state to continue to use the DNS Edge API. If you deactivate or activate the SSO integration again, you can use the API access key set that was previously created.
- Click Save to apply the settings.
The SSO integration is enabled immediately and you won't be able to connect to DNS Edge using locally created credentials.
Attention: BlueCat strongly recommends that the corporate system administrator users create a new API access key set after enabling the SSO integration.
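The two places above where a value is easy to get wrong are the manual transcription of the metadata file into the IdP and the User ID Attribute fallback. The following added example (not BlueCat's code) reads the service provider settings an IdP asks for out of a constructed SP metadata document and resolves the user identifier from assertion attributes; it assumes the fallback claims are tried in the order the page lists them, and the entityID and Location values are placeholders.

```python
import xml.etree.ElementTree as ET
from typing import Optional

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata, shaped like the file downloaded from DNS Edge.
# The entityID and Location values are placeholders, not a real tenant's values.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:auth0:example-tenant:example-id-SamlConnection">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-edge-cloud-id.example.invalid/login/callback"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Fallback claims consulted when no User ID Attribute is configured. Order is an
# assumption: the page lists these three but does not state the precedence.
USER_ID_FALLBACKS = [
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "nameidentifier"),
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "upn"),
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "name"),
]


def extract_sp_settings(metadata_xml: str) -> dict:
    """Return the values to type into an IdP that cannot import the metadata file."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", MD_NS)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", MD_NS)
    if sp is None or acs is None:
        raise ValueError("metadata has no SPSSODescriptor/AssertionConsumerService")
    return {
        "audience": root.get("entityID"),                       # Audience / entity ID
        "acs_url": acs.get("Location"),                         # ACS / callback URL
        "acs_binding": acs.get("Binding", "").rsplit(":", 1)[-1],  # e.g. HTTP-POST
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


def resolve_user_id(attributes: dict, user_id_attribute: Optional[str] = None) -> Optional[str]:
    """Use the configured attribute if set; otherwise the first present fallback claim,
    accepting either the URL form or the friendly name of each claim."""
    if user_id_attribute:
        return attributes.get(user_id_attribute)
    for url, friendly in USER_ID_FALLBACKS:
        for key in (url, friendly):
            if attributes.get(key):
                return attributes[key]
    return None
```

Comparing the returned audience and acs_url against what was typed into the IdP is a quick way to rule out the transcription errors the Attention note warns about before clicking Test.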