Configuring SAML in Applications Manager


SAML in Applications Manager can be configured in two ways. You can either enter the required service provider (SP) and identity provider (IdP) details manually, or upload the corresponding metadata file directly, if one is available.

Service provider details

If you opt to configure SAML manually, the Applications Manager UI shows the following service provider details: Entity ID, Assertion Consumer URL and SSO Logout URL. Enter these in your IdP to add Applications Manager as a supported application.

Alternatively, download the SP metadata file directly from Applications Manager and import it on the IdP side. This metadata file contains all of the above details in XML format.

SAML authentication in Applications Manager

Identity provider details

Configuring the IdP details works much like configuring the SP details: you can either enter the IdP details manually or upload the metadata file obtained from the IdP.

Uploading the IdP metadata file:

If your IdP provides a metadata file, you can upload it directly in Applications Manager.

  1. Under Settings → User Management → SAML Authentication, navigate to the SAML Authentication tab.
  2. Under the 'Configure Identity Provider Details' section, choose Upload IdP metadata file and enter the IdP Name.
  3. Browse to the metadata file obtained from the IdP and click Upload.


Configuring IdP information manually:

To enter the IdP details manually in Applications Manager, you will need the following details:

  1. IdP name
  2. IdP login URL
  3. IdP logout URL
  4. IdP certificate

Enter the above details in the 'Configure IdP information manually' section under Settings → User Management → SAML Authentication.
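The four manual fields above are exactly what an IdP metadata file carries in XML: the entityID attribute, the SingleSignOnService and SingleLogoutService endpoints, and the signing certificate inside a KeyDescriptor. The following Python script, added here as an example and not part of Applications Manager, pulls those values out of a metadata file so the uploaded file and the manual form can be cross-checked, and flags the problems a practitioner would want caught before saving: a missing endpoint, a non-HTTPS URL, no signing certificate, or an IdP that offers neither of the two NameID formats the page says are supported (Transient and Persistent). The entity ID, URLs and certificate bytes in SAMPLE_METADATA are constructed placeholders.

```python
"""Pull the IdP details Applications Manager asks for out of an IdP metadata
file and sanity-check them. Added example, not Applications Manager code."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# The two NameID formats the page says Applications Manager accepts.
SUPPORTED_NAMEID = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
}

# Constructed sample: entity ID, URLs and certificate bytes are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{cert}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{redirect}" Location="https://idp.example.test/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{redirect}" Location="https://idp.example.test/sso"/>
    <md:SingleSignOnService Binding="{post}" Location="https://idp.example.test/sso-post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".format(cert=base64.b64encode(b"placeholder-der-bytes").decode(),
           redirect=REDIRECT, post=POST)


def _endpoint(desc, tag, binding):
    """Location of the first <tag> endpoint that uses the given binding."""
    for el in desc.findall(f"md:{tag}", NS):
        if el.get("Binding") == binding:
            return el.get("Location")
    return None


def idp_details(metadata_xml, binding=REDIRECT):
    """Return the values that go into the manual IdP form, plus the
    NameID formats the IdP advertises."""
    root = ET.fromstring(metadata_xml)
    desc = root.find("md:IDPSSODescriptor", NS)
    if desc is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    certs = []
    for kd in desc.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' serves both signing and encryption;
        # encryption-only keys never verify assertion signatures, so skip them.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join(c.text.split()))   # drop PEM-style line breaks
    return {
        "entity_id": root.get("entityID"),
        "login_url": _endpoint(desc, "SingleSignOnService", binding),
        "logout_url": _endpoint(desc, "SingleLogoutService", binding),
        "certificates": certs,
        "nameid_formats": [f.text.strip() for f in desc.findall("md:NameIDFormat", NS)],
    }


def cert_fingerprint(cert_b64):
    """SHA-256 of the DER bytes, to compare with what the IdP console shows."""
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()


def check_details(details):
    """List the problems worth fixing before saving the configuration."""
    problems = []
    for key in ("entity_id", "login_url", "logout_url"):
        if not details[key]:
            problems.append(f"missing {key}")
        elif key != "entity_id" and not details[key].startswith("https://"):
            problems.append(f"{key} is not HTTPS")
    if not details["certificates"]:
        problems.append("no signing certificate")
    if details["nameid_formats"] and not SUPPORTED_NAMEID & set(details["nameid_formats"]):
        problems.append("IdP offers neither Transient nor Persistent NameID format")
    return problems


if __name__ == "__main__":
    found = idp_details(SAMPLE_METADATA)
    for key, value in found.items():
        print(f"{key}: {value}")
    print("fingerprint:", cert_fingerprint(found["certificates"][0]))
    print("problems:", check_details(found) or "none")
```

The binding argument matters: an IdP often publishes several SingleSignOnService endpoints with different bindings, and the login URL you paste into the manual form must be the one for the binding Applications Manager sends its request with. Metadata fetched over the network from a party you do not fully trust should be parsed with defusedxml rather than xml.etree, which on older libexpat builds does not defend against entity-expansion (billion laughs) attacks.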

New User role

While configuring the IdP details, you can also set the "New Users Role". When a user who does not yet exist in Applications Manager logs in through SAML, a new user profile is created with this role. Pick the least-privileged role that fits, since every IdP account allowed to reach Applications Manager is provisioned automatically on first login.


To see the steps to configure SAML between Applications Manager and a specific IdP, click the corresponding IdP name.


Note:
  1. Applications Manager also offers Single Logout. Configure it by filling in the IdP Logout URL field; once set, the logout link in the Applications Manager UI uses this URL.
  2. As of now, Transient and Persistent name identifiers can be used for SAML configuration.
  3. The username sent by the IdP must match the username of the corresponding user in Applications Manager for authentication to succeed.

Frequently Asked Questions (FAQs)

1. Do we have an option to enable or disable AD authentication while using SAML?

Yes. Once SAML authentication is enabled, a checkbox lets you disable the other login methods, if necessary. When they are disabled, local login is possible only as the Super Admin.

2. Can we configure more than one IdP?

No, currently only one IdP can be configured at a time.

3. What are the different name ID formats supported in Applications Manager?

At present, Transient and Persistent are the Name ID formats supported for SAML authentication in Applications Manager.

4. Can we use both SAML authentication and TFA features in Applications Manager?

In Applications Manager, you cannot use TFA when SAML authentication is enabled, because the entire authentication flow is handled by the IdP. TFA can be used only when signing in using Local or AD authentication.

5. How do I access the product WebClient if the IdP is not reachable?

If the IdP is not reachable and the other authentication methods are disabled, you can log in locally as the Super Admin. If the other authentication methods are not disabled, you can log in to Applications Manager using Local or AD authentication.

6. How to configure SAML if the certificate is expired?

If the certificate is nearing expiry, Applications Manager raises an alert after the user logs in. The Service Provider certificate can be regenerated from the Applications Manager UI and the new certificate uploaded to the IdP; in the same way, a renewed IdP certificate is uploaded to Applications Manager. After uploading, the certificates' lifetime is renewed.
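Since the built-in alert only fires after a login, a practitioner usually wants to catch an expiring certificate ahead of time. The Python below, an added example and not Applications Manager code, reads the Validity field straight out of a base64 DER certificate (the same text that goes into the IdP certificate field or a metadata file's X509Certificate element) and reports ok, expiring soon, expired or not yet valid. It walks the ASN.1 structure by hand so it runs with the standard library alone; in practice the `cryptography` package's x509 module gives you the same dates. The certificate in SAMPLE_CERT is a constructed skeleton with only the fields the parser walks, not a real signed certificate, and the 30-day warning threshold is an assumed value.

```python
"""Flag an IdP or SP signing certificate that is expired or about to expire.
Added example, not Applications Manager code; standard library only."""
import base64
import datetime as dt

UTC = dt.timezone.utc


def _tlv(der, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(der, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(der, pos)
        yield tag, vstart, vend
        pos = vend


def _time(tag, raw):
    """Decode UTCTime (0x17, two-digit year) or GeneralizedTime (0x18)."""
    if tag == 0x17:
        fmt = "%y%m%d%H%M%SZ"   # %y maps 00-68 to 20xx, close to RFC 5280's 00-49 rule
    elif tag == 0x18:
        fmt = "%Y%m%d%H%M%SZ"
    else:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return dt.datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=UTC)


def cert_validity(cert_b64):
    """Return (not_before, not_after) from a base64 DER certificate (PEM body)."""
    der = base64.b64decode("".join(cert_b64.split()))
    _, cs, _ = _tlv(der, 0)                 # Certificate SEQUENCE
    _, ts, te = _tlv(der, cs)               # tbsCertificate SEQUENCE
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields.pop(0)
    vtag, vs, ve = fields[3]                # serialNumber, signature, issuer, validity, ...
    if vtag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    not_before, not_after = (_time(t, der[a:b]) for t, a, b in _children(der, vs, ve))
    return not_before, not_after


def expiry_status(cert_b64, now=None, warn_days=30):
    """'ok', 'expiring soon', 'expired' or 'not yet valid'. `now` is an optional
    'YYYY-MM-DD' (UTC) so a check can be pinned to a date for testing."""
    now_dt = (dt.datetime.now(UTC) if now is None
              else dt.datetime.strptime(now, "%Y-%m-%d").replace(tzinfo=UTC))
    not_before, not_after = cert_validity(cert_b64)
    if now_dt < not_before:
        return "not yet valid"
    if now_dt >= not_after:
        return "expired"
    if (not_after - now_dt).days < warn_days:
        return "expiring soon"
    return "ok"


def _der(tag, body):
    """Encode one TLV (short or two-byte long form length)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def constructed_cert(not_before_utc, not_after_utc):
    """Constructed sample: a skeleton with only the fields the parser walks
    (empty algorithm/issuer/subject, no key, no signature). Not a real certificate."""
    utc = lambda s: _der(0x17, s.encode("ascii"))   # UTCTime 'YYMMDDHHMMSSZ'
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),            # [0] version v3
        _der(0x02, b"\x01"),                         # serialNumber
        _der(0x30, b""),                             # signature algorithm (placeholder)
        _der(0x30, b""),                             # issuer (placeholder)
        _der(0x30, utc(not_before_utc) + utc(not_after_utc)),  # validity
        _der(0x30, b""),                             # subject (placeholder)
    ]))
    return base64.b64encode(_der(0x30, tbs)).decode()


SAMPLE_CERT = constructed_cert("240101000000Z", "251231235959Z")

if __name__ == "__main__":
    nb, na = cert_validity(SAMPLE_CERT)
    print(f"valid {nb.isoformat()} to {na.isoformat()}: {expiry_status(SAMPLE_CERT)}")
```

Run it against both the IdP certificate you pasted into Applications Manager and the SP certificate you uploaded to the IdP; the two sides expire independently, and either one lapsing breaks signature verification for the whole login flow.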