

Overview

Note: The information provided on this page assumes you have a working knowledge of SAML Single Sign-On.


UDMG Authentication Proxy enables Web Browser Single Sign-On (SSO) on the UDMG Admin UI through Security Assertion Markup Language 2.0 (SAML 2.0).

SAML 2.0 is an XML-based protocol for exchanging security information between a SAML Identity Provider and a SAML Service Provider.

As a SAML Service Provider, UDMG Authentication Proxy accepts authentication assertions from a configured SAML Identity Provider compliant with the SAML 2.0 Web Browser Single Sign-On profile.

SAML Single Sign-On eliminates the need for application-specific passwords. For any unauthenticated user who selects a service and provider on the login page, the UDMG Admin UI issues an authentication request, through the web browser, to the configured Identity Provider.

UDMG Authentication Proxy uses SAML Single Sign-On for authentication and User Provisioning. All user and group authorization must be configured within UDMG through Permission assignment.

Example Configuration:

[service.local]
protocol = "http"
policy = "failover"
admins = ["admin"]

[service.local.credential]
username = "user"
password = "password"

[[service.local.targets]]
hostname = "<fqdn>"
port = <port>

Example with Okta

Before you begin, the Single sign on URL (SAML Post URL location, or callback URL) must be determined.

It will be in the form https://<FQDN>:<PORT>/service/auth/sso/saml/callback, where FQDN and PORT are the name and port for the host where the UDMG Authentication Proxy and NGINX server are installed.

For example https://udmg.stonebranch.com:8080/service/auth/sso/saml/callback.


To configure the SAML integration on Okta, follow these steps:

  • Sign in to your Okta tenant as an administrator.
  • In the Admin Console, navigate to Applications > Applications.
  • Click Create App Integration.
  • In the Create a new app integration dialog, choose SAML 2.0 and click Next.


  • Enter an App name such as UDMG SSO and click Next.


  • In the Configure SAML step, in the SAML Settings section, enter the value for Single sign on URL.

  • Keep the other default settings and click Next.


  • Review the configuration under Sign On Settings.


  • Follow the View SAML setup instructions link.


  • From this view, keep the Identity Provider Single Sign-On URL for later and download the X.509 Certificate.


To configure the SAML integration on UDMG Authentication Proxy, follow these steps.

  • Create a saml provider section in the configuration file for the service, for example for the service named sso:
[service.sso.auth.saml]
file = "udmg-sso-okta.json"

  • Add a file parameter with the filename, for example udmg-sso-okta.json.
  • Create this configuration file in the same directory as the UDMG Authentication Proxy configuration file:
{
    "entityIssuer": "udmg-sso",
    "ssoURL": "https://dev-39492773.okta.com/app/dev-39492773_udmgsso_1/exk9a2wo9rT8orbpj5d7/sso/saml",
    "ca": "/config/udmg-okta-sso.cert",
    "redirectURI": "https://udmg.stonebranch.com:8080/service/auth/sso/saml/callback",
    "insecureSkipSignatureValidation": true,
    "usernameAttr": "name",
    "emailAttr": "name",
    "groupsAttr": "groups"
}
  • Set the ssoURL parameter to the Identity Provider Single Sign-On URL kept from the Okta setup instructions.
  • Set the ca parameter to the path of the downloaded X.509 Certificate, see above.
  • Set the redirectURI parameter to the Single sign on URL value registered in Okta.
  • Restart the UDMG Auth Proxy.
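As an added check that is not part of the UDMG documentation or product, the script below validates a udmg-sso-okta.json file against the steps above: redirectURI must equal the Single sign on URL registered in Okta and end in the proxy's callback path, ssoURL must be an https URL, no <placeholder> may be left in, and insecureSkipSignatureValidation should be false once the certificate in ca is in place. The function name and both sample documents are constructed for this example.

```python
import json
from urllib.parse import urlparse

# Callback path served by the UDMG Authentication Proxy (from the page).
CALLBACK_PATH = "/service/auth/sso/saml/callback"
REQUIRED_KEYS = ("entityIssuer", "ssoURL", "ca", "redirectURI",
                 "usernameAttr", "emailAttr", "groupsAttr")


def check_saml_provider_config(config_json: str, okta_single_sign_on_url: str) -> list:
    """Return findings for a udmg-sso-okta.json document; [] means nothing found.

    okta_single_sign_on_url is the 'Single sign on URL' entered in the Okta app;
    the proxy's redirectURI must be exactly that value.
    """
    cfg = json.loads(config_json)
    findings = []
    for key in REQUIRED_KEYS:
        if not cfg.get(key):
            findings.append(f"{key}: missing or empty")
    sso = urlparse(cfg.get("ssoURL", ""))
    if sso.scheme != "https" or not sso.netloc:
        findings.append("ssoURL: must be the https Identity Provider Single Sign-On URL from Okta")
    redirect = cfg.get("redirectURI", "")
    if "<" in redirect or ">" in redirect:
        findings.append("redirectURI: still contains a <placeholder>; use the real FQDN and port")
    elif urlparse(redirect).scheme != "https":
        findings.append("redirectURI: must use https")
    elif urlparse(redirect).path != CALLBACK_PATH:
        findings.append(f"redirectURI: path must be {CALLBACK_PATH}")
    if redirect != okta_single_sign_on_url:
        findings.append("redirectURI: does not match the Single sign on URL registered in Okta")
    if cfg.get("insecureSkipSignatureValidation") is True:
        # With validation skipped, the IdP signature on assertions is not checked against ca.
        findings.append("insecureSkipSignatureValidation: true; set to false outside initial testing")
    return findings


# Constructed samples: the page's example with placeholders left in, and a corrected file.
OKTA_SSO_URL = "https://udmg.stonebranch.com:8080/service/auth/sso/saml/callback"
IDP_URL = "https://dev-39492773.okta.com/app/dev-39492773_udmgsso_1/exk9a2wo9rT8orbpj5d7/sso/saml"
PAGE_EXAMPLE = json.dumps({"entityIssuer": "udmg-sso", "ssoURL": IDP_URL,
    "ca": "/config/udmg-okta-sso.cert", "insecureSkipSignatureValidation": True,
    "redirectURI": "https://<fqdn>:<port>/service/auth/sso/saml/callback",
    "usernameAttr": "name", "emailAttr": "name", "groupsAttr": "groups"})
HARDENED = json.dumps({"entityIssuer": "udmg-sso", "ssoURL": IDP_URL,
    "ca": "/config/udmg-okta-sso.cert", "insecureSkipSignatureValidation": False,
    "redirectURI": OKTA_SSO_URL,
    "usernameAttr": "name", "emailAttr": "name", "groupsAttr": "groups"})

if __name__ == "__main__":
    for name, doc in (("page example", PAGE_EXAMPLE), ("hardened", HARDENED)):
        print(name, check_saml_provider_config(doc, OKTA_SSO_URL) or "ok")
```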

Go to the UDMG Admin UI login page and select the SAML provider.


Click the arrow button to open the Okta login page.


After signing in, the web browser is redirected to the UDMG Admin UI with the authenticated user.


References:

Okta documentation:

https://help.okta.com/oag/en-us/Content/Topics/Access-Gateway/add-app-saml-pass-thru-add-okta.htm