Configure SAML Assertion Attributes on the Identity Provider - BlueCat Edge - Service Point v3.x.x

BlueCat Edge User Guide

Locale: English
Product name: BlueCat Edge
Version: Service Point v3.x.x

Before configuring the BlueCat Edge Cloud with the SAML integration details of your Identity Provider (IdP), you must configure settings on your IdP to ensure that the correct information is being used to authenticate with the BlueCat Edge Cloud, and you must authorize the federated users in your IdP with their associated Edge privilege.

Attention: The SAML attribute names and values are case sensitive.

Configuring BlueCat Edge Roles

There are currently four roles available in BlueCat Edge: Administrators, System Administrators, Policy Admin, and Analysts (read-only access). To authorize the IdP's federated users to access BlueCat Edge as one of these roles, you must configure a SAML attribute that carries the BlueCat Edge role assigned to specific users or groups within the IdP. The SAML attribute name must be BluecatEdgeRole and the value must be one of ADMIN, SYSADMIN, POLICYADMIN, or ANALYST. Each SAML response that the IdP sends back to BlueCat Edge must assert the role attached to that user, so that the authenticated federated user is granted the appropriate access. The following code block lists a sample SAML attribute statement:
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="BluecatEdgeRole">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ADMIN</saml:AttributeValue>
</saml:Attribute>

Configuring email authentication

You must also configure the assertion attribute to use the email address of the user to authenticate with the BlueCat Edge Cloud. The SAML attribute name must be Email. The following code block lists a sample SAML attribute statement:
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Email">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">example@bluecatnetworks.com</saml:AttributeValue>
</saml:Attribute>

Configuring NameID format

When configuring the NameID format on your IdP, you must set the value to Email.

(Optional) Configuring name format

By default, if you log in to Edge using SSO and view your profile page, the User and Email fields both display your email address. If you would rather display the user's name in the User field on the Profile page than the email address, you must configure an additional SAML attribute. The SAML attribute name must be Name. The following code block lists a sample SAML attribute statement:
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Name">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Jane Doe</saml:AttributeValue>
</saml:Attribute>
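The following is an added example, not BlueCat's own code or tooling: a Python pre-flight check that parses a constructed sample assertion with the standard library and reports whether the attribute names, role values and NameID satisfy the four requirements above (the BluecatEdgeRole attribute, the Email attribute, the NameID format, and the optional Name attribute). The element names come from the SAML 2.0 assertion schema and the Edge-specific attribute names and role values from this page; the mapping of the "Email" NameID format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress is my assumption, not something the page states.

```python
"""Pre-flight check of a SAML assertion's attributes for BlueCat Edge SSO.

Added example, not BlueCat code. Edge attribute names (BluecatEdgeRole,
Email, Name) and role values are from the documentation; the NameID URN
for "Email" is an assumption (the SAML-standard emailAddress format).
"""
import xml.etree.ElementTree as ET  # use defusedxml for assertions from untrusted sources

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"
ROLE_VALUES = {"ADMIN", "SYSADMIN", "POLICYADMIN", "ANALYST"}
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # assumption


def attributes(assertion):
    """Yield every <saml:Attribute> in the assertion's AttributeStatement(s)."""
    return assertion.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS)


def attribute_values(assertion, name):
    """String values of attributes whose Name matches exactly (case sensitive)."""
    values = []
    for attr in attributes(assertion):
        if attr.get("Name") == name:
            values.extend((v.text or "").strip()
                          for v in attr.findall("saml:AttributeValue", SAML_NS))
    return values


def check_assertion(xml_text):
    """Return a list of findings; an empty list means the documented requirements are met."""
    findings = []
    root = ET.fromstring(xml_text)
    # Accept a bare <saml:Assertion> or one wrapped in a <samlp:Response>.
    assertion = root if root.tag == ASSERTION_TAG else root.find(".//saml:Assertion", SAML_NS)
    if assertion is None:
        return ["no saml:Assertion element found"]

    names = [a.get("Name") or "" for a in attributes(assertion)]
    for required in ("BluecatEdgeRole", "Email"):
        if required not in names:
            near = [n for n in names if n.lower() == required.lower()]
            hint = f"; found {near[0]!r} (names are case sensitive)" if near else ""
            findings.append(f"attribute {required!r} missing{hint}")

    for role in attribute_values(assertion, "BluecatEdgeRole"):
        if role not in ROLE_VALUES:
            hint = " (values are case sensitive)" if role.upper() in ROLE_VALUES else ""
            findings.append(f"BluecatEdgeRole value {role!r} is not one of {sorted(ROLE_VALUES)}{hint}")

    emails = attribute_values(assertion, "Email")
    if len(emails) > 1:
        findings.append("Email attribute carries more than one value")

    name_id = assertion.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None:
        findings.append("no saml:NameID in Subject")
    else:
        fmt = name_id.get("Format")
        if fmt != EMAIL_NAMEID_FORMAT:
            findings.append(f"NameID Format is {fmt!r}, expected {EMAIL_NAMEID_FORMAT!r}")
        if emails and (name_id.text or "").strip() != emails[0]:
            findings.append("NameID does not match the Email attribute")
    return findings


# Constructed sample assertions (no signature, Conditions, etc.; attributes only).
_HEAD = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
         'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
         'xmlns:xs="http://www.w3.org/2001/XMLSchema">')
_BASIC = 'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"'

SAMPLE_OK = f"""{_HEAD}
  <saml:Subject><saml:NameID Format="{EMAIL_NAMEID_FORMAT}">jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute {_BASIC} Name="BluecatEdgeRole"><saml:AttributeValue xsi:type="xs:string">ANALYST</saml:AttributeValue></saml:Attribute>
    <saml:Attribute {_BASIC} Name="Email"><saml:AttributeValue xsi:type="xs:string">jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute {_BASIC} Name="Name"><saml:AttributeValue xsi:type="xs:string">Jane Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same user, but with the case mistakes the Attention note warns about and an unspecified NameID format.
SAMPLE_BAD = f"""{_HEAD}
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute {_BASIC} Name="BluecatEdgeRole"><saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue></saml:Attribute>
    <saml:Attribute {_BASIC} Name="email"><saml:AttributeValue xsi:type="xs:string">jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_assertion(sample) or "no findings")
```

Run it against an assertion captured from a test login on your IdP (the base64-decoded SAMLResponse) before enabling SSO for real users; the findings for the second sample show the three mistakes a misconfigured IdP most often produces: an attribute name in the wrong case, a role value in the wrong case, and a NameID format other than email.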