...
UDMG Authentication Proxy uses SAML Single Sign-On for authentication and User Provisioning. All user and group authorization must be configured within UDMG through Permission assignment.
Terminology
Term | Name | Description |
---|---|---|
IdP | Identity Provider (for example, Okta) | Third-party system that pre-authenticates SAML users. |
SAML | Security Assertion Markup Language | SAML is an XML-based protocol for exchanging security information between a SAML Identity Provider and a SAML Service Provider. |
SP | Service Provider (for example, Universal Controller) | Receives and accepts authentications via SAML Single Sign-On. |
SSO | Single Sign-On | Method of authentication. |
Administrator Account
A list of administrator accounts can be defined in the service configuration (with the admins parameter). These accounts bypass SSO authentication and revert to local authentication, so they remain accessible when, for example, the Single Sign-On settings are incorrectly configured or the Identity Provider is inaccessible.
Example Configuration:
Assuming the following service configuration on the UDMG Authentication Proxy, the sections below describe how to add the SAML provider as an option for user authentication.
```toml
[service.localsso]
protocol = "http"
policy = "failover"
# Accounts listed here bypass SSO and use local authentication.
admins = ["admin"]

[service.localsso.credential]
username = "user"
password = "password"

[[service.localsso.targets]]
hostname = "udmg.stonebranch.com"  # <fqdn>
port = 10808                       # <port>
```
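A check an operator could run over the service configuration to see which accounts bypass SSO, given as an added example and not Stonebranch code. It assumes the `[service.<name>]` layout shown above; the approved-account set, the sample config and the function name are hypothetical.

```python
# Added example: audit which local accounts bypass SAML SSO in a service config.
try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # older interpreters: pip install tomli
    import tomli as tomllib

# Constructed sample config following the page's [service.<name>] layout.
SAMPLE_CONFIG = '''
[service.localsso]
protocol = "http"
policy = "failover"
admins = ["admin", "svc-backup"]

[service.localsso.credential]
username = "user"
password = "password"

[service.nobypass]
protocol = "http"
policy = "failover"
'''

# Assumption: accounts the organisation has approved for local (non-SSO) login.
APPROVED_BYPASS = {"admin"}
# The sample credential values printed in the documentation.
DOC_SAMPLE_CREDENTIAL = ("user", "password")


def audit_sso_bypass(config_text, approved=APPROVED_BYPASS):
    """Return (service, finding) tuples for each service's admins list."""
    findings = []
    services = tomllib.loads(config_text).get("service", {})
    for name, svc in sorted(services.items()):
        admins = svc.get("admins", [])
        if not admins:
            # No local fallback for a misconfigured SSO setup or unreachable IdP.
            findings.append((name, "no SSO-bypass account defined"))
        for account in sorted(set(admins) - set(approved)):
            findings.append((name, f"unapproved SSO-bypass account: {account}"))
        cred = svc.get("credential", {})
        if (cred.get("username"), cred.get("password")) == DOC_SAMPLE_CREDENTIAL:
            findings.append((name, "credential still uses the documentation sample values"))
    return findings


if __name__ == "__main__":
    for service, finding in audit_sso_bypass(SAMPLE_CONFIG):
        print(f"{service}: {finding}")
```

Because the accounts in `admins` never pass through the IdP, they fall outside its MFA and sign-on policies, so the list is worth reviewing whenever the configuration changes.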
Example with Okta App Integration
Before you begin
The Single sign on URL (SAML Post URL location, or callback URL) must be determined.
It will be in the form https://<FQDN>:<PORT>/service/auth/sso/saml/callback, where FQDN and PORT are the name and port for the host where the UDMG Authentication Proxy and NGINX server are installed.
For example, https://udmg.stonebranch.com:8080/service/auth/sso/saml/callback.
SAML integration on Okta
To configure the SAML integration on Okta, follow these steps:
...
- Enter an App name such as UDMG SSO and click Next.
- In the Configure SAML step, in the SAML Settings section, enter the value for Single sign on URL.
- Keep the other default settings and click Next.
...