Overview

Note: The information provided on this page assumes you have a working knowledge of SAML Single Sign-On.


UDMG Authentication Proxy enables Web Browser Single Sign-On (SSO) on the UDMG Admin UI through Security Assertion Markup Language 2.0 (SAML 2.0).

...

A list of administrator accounts and local accounts with fewer privileges can be defined in the UDMG Server database. They can log in with the local authentication provider, which is enabled for every service; therefore, these accounts always remain accessible for cases where, for example, the Single Sign-On settings are configured incorrectly or the Identity Provider is unreachable.

Example Configuration:

Assuming the following service configuration on the UDMG Authentication Proxy, the sections below describe how to add the saml provider as an option for user authentication.

[service.demo]
protocol = "http"
policy = "failover"

[service.demo.credential]
username = "user"
password = "password"

[[service.demo.targets]]
hostname = "udmg.demo"
port = 18080

Example with Okta App Integration

Before you begin


The Single sign on URL (SAML Post URL location, or callback URL) must be determined.

It has the form https://<FQDN>:<PORT>/service/auth/sso/saml/callback, where FQDN and PORT are the name and port of the host on which the UDMG Authentication Proxy and the NGINX server are installed.

For example: https://udmg.demo/service/auth/sso/saml/callback.

SAML integration on Okta


To configure the SAML integration on Okta, follow these steps:

...

  • Enter an App name such as stb-udmg, optionally add a logo, and click Next.
  • In the Configure SAML step, in the SAML Settings section, enter the value for Single sign on URL.

...



  • Set the Audience URI to stb-udmg.
  • Select EmailAddress for Name ID format.
  • Select Email for Application username.
  • Keep the other default settings and click Next.

...

  • Review the configuration for Sign On Settings.
  • Follow the View SAML setup instructions link.
  • From this view, keep the Identity Provider Single Sign-On URL for later and download the X.509 Certificate.


User preparation in Okta

  • Create a user with the email address demo@std-udmg.com.
  • Assign the stb-udmg application to this user.

User preparation in UDMG


For the SSO integration, the users must already exist in UDMG with the primary email that the SSO Identity Provider uses to identify these users.

For example, the "demo" user.


SAML integration on UDMG

To configure the SAML integration on the UDMG Authentication Proxy, follow these steps.

  • Create a credential section and an auth.saml provider section in the configuration file for a service, for example here for the service demo:

[service.demo]
protocol = "http"
policy = "failover"

[service.demo.credential]
username = "user"
password = "password"

[service.demo.auth.saml]
file = "udmg-sso-okta.json"

[[service.demo.targets]]
hostname = "udmg.demo"
port = 18080

  • The user in the credential section must exist on the UDMG Server and have the "user write" permission.
  • Add a file parameter with a filename, for example udmg-sso-okta.json.
  • Create this configuration file in the same location as the UDMG Authentication Proxy configuration file:
{
    "entityIssuer": "stb-udmg-sso",
    "ssoURL": "https://dev-3949277335063850.okta.com/app/dev-3949277335063850_udmgssostbudmg_1/exk9a2wo9rT8orbpj5d7exk9k3mscnz06Wx2g5d7/sso/saml",
    "ca": "/config/udmg-okta-sso.cert",
    "redirectURI": "https://udmg.demo/service/auth/sso/saml/callback",
    "insecureSkipSignatureValidation": false,
    "usernameAttr": "name",
    "emailAttr": "name",
    "groupsAttr": "groups"
}

  • Set entityIssuer to the value that was set for the Audience URI: stb-udmg.
  • Set the ssoURL parameter to the SAML application URL (the Identity Provider Single Sign-On URL kept earlier).
  • Set the ca parameter to the path of the downloaded X.509 Certificate, see above.
  • Set the redirectURI parameter to the Single sign on URL value.
  • Restart the UDMG Auth Proxy.
  • The saml provider is now available for the demo service on the UDMG Admin UI login page.
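
The following script is an added example and is not part of the UDMG documentation or Stonebranch's code. It cross-checks a provider file of the shape shown above against the values chosen on the Okta side: entityIssuer must equal the Audience URI, redirectURI must be exactly the Single sign on URL built from FQDN and PORT, insecureSkipSignatureValidation must stay false, and the ca certificate must be present. The embedded JSON and the Okta ssoURL placeholder are constructed for the example; the function names callback_url and check_saml_provider are this example's own.

```python
import json
import os
from urllib.parse import urlsplit

CALLBACK_PATH = "/service/auth/sso/saml/callback"

# Constructed sample in the shape of the file that
# [service.demo.auth.saml] file = "udmg-sso-okta.json" points at.
# The Okta ssoURL is a placeholder, not a real tenant.
SAMPLE_PROVIDER_JSON = """
{
    "entityIssuer": "stb-udmg-sso",
    "ssoURL": "https://PLACEHOLDER.okta.com/app/PLACEHOLDER/sso/saml",
    "ca": "/config/udmg-okta-sso.cert",
    "redirectURI": "https://udmg.demo/service/auth/sso/saml/callback",
    "insecureSkipSignatureValidation": false,
    "usernameAttr": "name",
    "emailAttr": "name",
    "groupsAttr": "groups"
}
"""


def callback_url(fqdn, port):
    """Single sign on URL in the form the page gives:
    https://<FQDN>:<PORT>/service/auth/sso/saml/callback."""
    return f"https://{fqdn}:{port}{CALLBACK_PATH}"


def check_saml_provider(provider_json, audience_uri, expected_callback,
                        ca_exists=os.path.isfile):
    """Cross-check a provider file against the values set in the Okta app.

    Returns a list of human-readable findings; an empty list means the file
    is consistent with the steps on this page. ca_exists is injectable so
    the check can run without touching the filesystem.
    """
    cfg = json.loads(provider_json)
    findings = []

    # entityIssuer must equal the Audience URI configured in the Okta app.
    if cfg.get("entityIssuer") != audience_uri:
        findings.append(
            f"entityIssuer {cfg.get('entityIssuer')!r} does not match "
            f"Audience URI {audience_uri!r}")

    # ssoURL is where the browser is sent to authenticate; require https.
    sso = urlsplit(cfg.get("ssoURL", ""))
    if sso.scheme != "https" or not sso.netloc:
        findings.append(f"ssoURL {cfg.get('ssoURL')!r} is not an https URL")

    # redirectURI must be exactly the Single sign on URL registered in Okta,
    # otherwise the IdP will post the assertion to the wrong place (or refuse).
    redirect = cfg.get("redirectURI", "")
    if redirect != expected_callback:
        findings.append(
            f"redirectURI {redirect!r} does not match the Single sign on URL "
            f"{expected_callback!r}")
    if not redirect.startswith("https://"):
        findings.append("redirectURI must use https")

    # Signature validation must stay on; with it off, any assertion that
    # names an existing UDMG user would be accepted.
    if cfg.get("insecureSkipSignatureValidation") is not False:
        findings.append("insecureSkipSignatureValidation must be false")

    # The downloaded X.509 certificate must exist at the configured path.
    ca = cfg.get("ca", "")
    if not ca or not ca_exists(ca):
        findings.append(f"ca file {ca!r} not found")

    # Attribute names UDMG uses to match the assertion to a local user.
    for key in ("usernameAttr", "emailAttr"):
        if not cfg.get(key):
            findings.append(f"{key} is not set")

    return findings


if __name__ == "__main__":
    # udmg.demo is served on the default https port, so no explicit port.
    expected = "https://udmg.demo" + CALLBACK_PATH
    for line in check_saml_provider(SAMPLE_PROVIDER_JSON, "stb-udmg",
                                    expected, ca_exists=lambda p: True):
        print("finding:", line)
```

Run against the sample above with the Audience URI stb-udmg, the check reports a single finding: the entityIssuer value "stb-udmg-sso" does not match the Audience URI, which is exactly the kind of mismatch that makes the Identity Provider reject the authentication request.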

Go to the Admin UI and select the SAML provider.

Click the arrow button to open the Okta login page.

After signing in, the web browser is redirected to the UDMG Admin UI as the authenticated user.


References:

Okta documentation:

...