The documentation for SAML is very extensive (for example there are several topics AFTER verifying if it's working) and needs a lot of information entered.
In contrast, we already configured SAML for Spectrum and only needed a URL there instead of all these details like Entity ID so we are a bit lost.
Here are some questions:
1. In general, which of these points need to be done for a very simple SAML integration without SSL?
2. Is Siteminder actually required? We are not using Siteminder at the moment.
Can all steps mentioning Siteminder be skipped in this case or do we need to do them with our identity provider instead?
3. Is the keystore actually needed if we don't need SSL?
4. The keystore being talked about in "Modify the Operator Console Configuration to Enable SAML" is the one from "Create a Keystore for use with SAML" correct?
5. How do we import the metadata to our identity provider? It should be Active Directory.
1. In general, which of these points need to be done for a very simple SAML integration without SSL?
Answer: It is recommended to go through and follow all of the steps provided in the document.
2. Is Siteminder actually required? We are not using Siteminder at the moment.
Can all steps mentioning Siteminder be skipped in this case or do we need to do them with our identity provider instead?
Answer: Users can use any other IDP (identity provider) that supports the SAML 2.0 protocol, and the steps then need to be followed according to that IDP.
3. Is the keystore actually needed if we don't need SSL?
Answer: A keystore is needed if SSL is mandatory (for example, in ADFS SSL is mandatory, so a keystore is required).
4. The keystore being talked about in "Modify the Operator Console Configuration to Enable SAML" is the one from "Create a Keystore for use with SAML" correct?
Answer: Yes, correct.
5. How do we import the metadata to our identity provider? It should be Active Directory.
Answer: In this document, we have shared the steps to create the metadata (XML file), which is required to be deployed on the IDP server.
How to import it can vary from IDP to IDP, so this should be discussed with an IDP admin / SME, or follow the docs of the particular IDP.
Notes on SAML and LDAP
It's not clear how the SAML Auth happens. SAML is working, as I can log in with a SAML account to the Operator Console (OC). However, I'm unsure where this account is created in UIM and how I can set permissions for it. Additionally, I would like to know how to choose which origins this account can access. Is it necessary for LDAP to be enabled for use with SAML?
LDAP authentication can function independently without SAML, but if SAML is desired, LDAP becomes mandatory for integration.
To begin, LDAP is enabled in UIM by configuring the LDAP server details and credentials in the hub.cfg file under the LDAP -> server section, which enables user authentication queries.
Subsequently, in the IM interface, under Security -> Manage Access Control List, UIM ACLs are linked to LDAP Groups, ensuring appropriate permissions for logged-in users.
When employing SAML, upon receiving the SAML response at OC, the user principal is extracted from the SAML token and triggers a callback called 'user_info' in the hub by passing the user name as a parameter. This gives us additional details such as user ACL, last name, email, etc.
Utilizing these details, UIM assigns permissions to users based on user ACL, ensuring secure and tailored access control.
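The flow just described (SAML response arrives at OC, the principal is taken from the assertion, a user_info-style lookup returns the ACL and user details) as a simplified, stand-alone model. This is an added example, not UIM or hub code: the SAML response, the directory table, the group-to-ACL links and the audience value "uim-oc" are all constructed for illustration.

```python
# Added example: simplified model of SAML principal -> user_info -> ACL.
# Not UIM code; response XML, directory and ACL mapping are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML response: one assertion whose NameID is the user principal.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction><saml:Audience>uim-oc</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Constructed stand-ins for the LDAP directory and the ACL <-> LDAP group links.
DIRECTORY = {"jdoe": {"groups": ["uim-operators"], "last_name": "Doe",
                      "email": "jdoe@example.test"}}
GROUP_TO_ACL = {"uim-operators": "Operator", "uim-admins": "Administrator"}

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def extract_principal(xml_text, expected_audience, now=None):
    """Return the NameID after checking the assertion's audience and validity window.
    A real SP verifies the XML signature before trusting any of this; omitted here."""
    now = now or datetime.now(timezone.utc)
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion in response")
    cond = assertion.find("saml:Conditions", NS)
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was not issued for this service provider")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    return assertion.find("saml:Subject/saml:NameID", NS).text

def user_info(principal):
    """Model of the hub 'user_info' callback: resolve the user, pick the ACL."""
    entry = DIRECTORY.get(principal)
    acls = [GROUP_TO_ACL[g] for g in entry["groups"] if g in GROUP_TO_ACL] if entry else []
    if not acls:
        return None  # unknown user or no ACL-linked group: no access granted
    return {"user": principal, "acl": acls[0],
            "last_name": entry["last_name"], "email": entry["email"]}

def login(xml_text, audience="uim-oc"):
    return user_info(extract_principal(xml_text, audience))
```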
Helpful KB Articles
Configure SAML Single Sign-On in DX UIM
Single Sign-On SSO - Can't Generate Operator Console Metadata