| Panel | ||||
|---|---|---|---|---|
|
Overview
| Note | title | Note
|---|
The information provided on this page assumes you have a working knowledge of SAML Single Sign-On. |
...
Identity Provider-initiated SAML Single Sign-On begins at the Identity Provider, typically by accessing an application-specific Identity Provider URL. Once authenticated, the user will be taken to the Universal Controller web application.
Action URLs
Any Action action URL parameters on the URL used by the SAML-authenticated user to access the Universal Controller web application are restored when the Service Provider-initiated SAML SSO authentication flow has completed successfully and the user has been redirected back to the Universal Controller web application.
| Note | ||
|---|---|---|
| ||
This is not applicable for an Identity Provider-initiated login. |
...
If you are a SAML-enabled user, the Controller allows you to initiate the SAML Single Sign-On authentication flow without leaving the application. On the Session Expired pop-up, instead of entering your login credentials, simply click the Login button to initiate the SAML SSO authentication flow..
If only your Universal Controller session has expired, and not your session with the Identity Provider, you are logged in without being prompted for your credentials. Click Continue on the original dialog to proceed, which closes the SAML SSO authentication flow window.
...
The following diagram illustrates the expectations in Universal Controller for provisioning users from attributes available in the SAML assertion:
As illustrated, when LDAP synchronization is enabled, provisioning of users through LDAP synchronization takes precedence over provisioning of users through the SAML assertion during the Single Sign-On process.
...
Any user created by SAML assertion attributes, during the single sign-on process, is considered an Identity Provider-sourced user. See Attribute Mappings in SAML Single Sign-On Settings.
User Field Defaults
Single Sign-On provisioned users are created with the following default field values:
...
However, Universal Controller allows an administrator to customize the Service Provider Entity ID by specifying a Service Provider Entity ID Subdomain in the SAML Single Sign-On Settings in the user interface.
For example, an Service Provider Entity ID Subdomain value of dev would allow for a Service Provider Entity ID of https://dev.uc.stonebranch.com/sp.
...
To configure the SP Entity Base URL to a specific value, an administrator can specify the Service Provider Entity Base URL from the SAML Single Sign-On Settings in the user interface.
The following table documents the SAML endpoints, and their supported bindings, contained within the Universal Controller Service Provider metadata.
...
You can specify the location of the Identity Provider metadata file in the SAML Single Sign-On Settings Details of the user interface. By default, on initial start-up, the Controller automatically populates the Identity Provider metadata file setting with a value of ${catalina.base}/conf/saml/idp.xml.
...
An administrator can turn on/off and configure SAML Single Sign-On through the user interface.
| Note | ||
|---|---|---|
| ||
Each Universal Controller cluster node maintains its own SAML Single Sign-On configuration, associated by Node Id. Therefore, you must complete the SAML Single Sign-On configuration for each deployed cluster node, including the Active node and any Passive nodes. The Identify Provider Metadata File and KeyStore File, by default located under ${catalina.base}/conf/saml/, must be accessible to each cluster node. |
Step 1 | From the Administration navigation pane, selectConfiguration > SAML SAML Single Sign-On. The SAML Single Sign-On page displays. |
|---|---|
Step 2 | Enter / select your SAML Single Sign-On, using the field descriptions below as a guide.
|
Step 3 | Click the |
...
Universal Controller Uninitialized | While the Universal Controller web application is initializing, the user login flow cannot proceed. Any users attempting to authenticate with SAML at this time receive the following error: |
|---|---|
User Account Not Found | Any SAML-authenticated user who cannot be linked to a user account in the Universal Controller database is prohibited from accessing the application and receives the following error: |
User Account Not Active | Any SAML-authenticated user linked to a Universal Controller user account that is not Active is prohibited from accessing the application and receives the following error: |
Login Method | Any SAML-authenticated user linked to a Universal Controller user account that is not designated to use Single Sign-On login method is prohibited from accessing the application and receives the following error: |
User Account Locked | Any SAML-authenticated user linked to a Universal Controller user account that is locked is prohibited from accessing the application and receives the following error: |
No Web Browser Access | Any SAML-authenticated user linked to a Universal Controller user account designated with the Single Sign-On login method, but without Web Browser Access, is prohibited from accessing the application and receives the following error: |
...