Configuring SSO SAML settings - Platform - BlueCat Gateway - 24.1

Gateway Administration Guide

Locale: English
Product name: BlueCat Gateway
Version: 24.1

Within the SSO configuration page, the SAML section contains settings that set up Gateway as a service provider (SP) to a single sign-on (SSO) identity provider (IdP). It also contains settings that specify the identity provider itself.

Tip: If you have a JSON file with SAML settings for your system, you can instead import them directly into Gateway. For more details, see Creating JSON SSO configuration setting files.

BlueCat Gateway forwards information provided in the SAML section to the IdP. Gateway then creates a /metadata endpoint that identifies Gateway as a service provider to the IdP, with data returned in XML format.

To configure the Gateway SSO service provider and identity provider settings:

  1. Open the SAML section of the SSO Configuration window. (Click the Navigator button if necessary, then click Configurations > SSO Configuration.)

    The SSO Configuration page opens. If the SAML settings are not displayed, click SAML to expand the section.

  2. Either manually enter service provider and IdP settings, or upload them (and the IdP signing certificate) from files.

    To manually update service provider and IdP settings:

    1. In Settings source, select Manual Input.

      Additional fields for manually configuring SAML SSO settings appear.

    2. Enter settings to identify Gateway as a service provider:

      • In BlueCat Gateway FQDN, enter the fully qualified domain name of the Gateway instance, including the http:// or https:// prefix.

        Gateway automatically fills in the Gateway entity ID, Consume URL (for logging in), and Signout URL based on the entered FQDN.

    3. Configure settings for the identity provider (IdP):

      • In IDP metadata URL, enter the metadata URL of your identity provider.

        After you enter this field, Gateway checks whether it can successfully connect to the identity provider. If it can, it flags the Gateway entity ID, Consume URL, and Signout URL with a green checkmark.

        Gateway also automatically imports the IdP's SSL certificate and adds it to Gateway's trusted store.

      • In x509 Certificate, enter the public key of the Gateway HTTPS server.

      • In Private Key, enter the private key of the Gateway HTTPS server.

    To upload previously-configured service provider and IdP settings as a JSON file (and manually upload the IdP certificate):

    1. In Settings source, select Upload file.

      Additional fields appear for importing settings from files.

    2. In Server provider settings, either drag your SAML settings JSON file into the box, or click in the box area to browse to the JSON file.

      For more details about first downloading a copy of this file and editing it for your system, see Creating JSON SSO configuration setting files.

    3. In IDP signing certificate, either drag the IdP signing certificate file onto the box, or click in the box area to browse to the .crt file.

  3. (Optional) Additional SSO security settings for authentication signing and encryption are considered "advanced" settings. To update these settings, either drag your advanced settings JSON file onto the Advanced settings box area, or click in the box area to browse to the JSON file.

    Sometimes you will be provided with an appropriate advanced settings JSON file from a system administrator. If you do not have such a file (or if you're the one responsible for configuring these settings), you can download the existing advanced settings JSON file, edit it with updated values given by your identity provider, then return here to upload the new one.

    For more details, see Creating JSON SSO configuration setting files.

  4. When you're done, click Save.

    If you've configured the settings for Gateway as an SSO service provider, the settings for the IdP, and the OAuth settings (in the OAuth section; see Configuring SSO OAuth settings), you can now enable SSO for Gateway. For more details, see Enabling Gateway SSO.

    Attention:

    If you made changes to SSO settings with SSO already enabled, we strongly recommend that you retest your SSO connection right away.

    You can do so by opening a new browser session and logging in to Gateway with the username and password of an SSO user.

    To cancel your changes, click Cancel.
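Before entering an IDP metadata URL in step 3 of the manual procedure above, it helps to confirm what the IdP's metadata actually advertises: its entityID, the single sign-on and logout endpoints, and the signing certificate Gateway will import into its trusted store. The following script is an added example, not BlueCat's code and not part of the Gateway product; it parses a SAML 2.0 IdP metadata document (constructed inline here, with a placeholder certificate blob rather than a real X.509 certificate), extracts those values, and reports common problems such as a missing signing certificate or a non-HTTPS endpoint. The hostnames and paths in the sample are assumptions for illustration.

```python
"""Pre-flight checks on SAML IdP metadata before it is entered into a service provider.

Added example (not BlueCat Gateway code). The metadata document below is constructed;
in practice the same text is what the IdP metadata URL returns over HTTPS.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# SAML 2.0 metadata and XML-DSig namespaces used by every IdP metadata document.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder: NOT a real DER certificate, just bytes to exercise the parser.
PLACEHOLDER_DER = b"constructed placeholder, not a real DER certificate"
PLACEHOLDER_B64 = base64.b64encode(PLACEHOLDER_DER).decode()

# Constructed IdP metadata shaped like what a real IdP publishes (assumed hostnames/paths).
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form most IdP consoles display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the values an administrator should confirm before trusting an IdP."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor document")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("document describes no identity provider (no IDPSSODescriptor)")
    result = {
        "entity_id": root.get("entityID"),
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
        "sso": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)},
        "slo": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)},
        "signing_cert_sha256": [],
    }
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # strip PEM-style line breaks
            result["signing_cert_sha256"].append(fingerprint(der))
    return result


def check_idp_metadata(meta: dict) -> list:
    """Return human-readable findings; an empty list means the metadata looks usable."""
    findings = []
    if not meta["signing_cert_sha256"]:
        findings.append("no signing certificate: SAML responses could not be verified")
    if not meta["sso"]:
        findings.append("no SingleSignOnService endpoint advertised")
    for kind in ("sso", "slo"):
        for binding, url in meta[kind].items():
            if urlparse(url).scheme != "https":
                findings.append(f"{kind} endpoint {url} ({binding.rsplit(':', 1)[-1]}) is not HTTPS")
    return findings


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_IDP_METADATA)
    for key, value in meta.items():
        print(f"{key}: {value}")
    print("findings:", check_idp_metadata(meta) or "none")
```

The fingerprint printed for each signing certificate is the value to compare against what the IdP console shows before accepting the certificate into a trusted store; a mismatch, or an endpoint that is not served over HTTPS, is worth resolving with the identity provider's administrator before saving the configuration.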