What is SAML and how it works?

Note: All the SAML configuration and authentication steps discussed for Endpoint Central also apply to Patch Manager Plus and Vulnerability Manager Plus.

What is SAML Authentication?

Security Assertion Markup Language (SAML) is the de facto open standard for exchanging authentication and authorization details between a Service Provider and an Identity Provider. The details are exchanged as digitally signed XML documents containing user data. Endpoint Central on-premises supports SAML 2.0 authentication. When this feature is enabled, users can log in to Endpoint Central on their desktops and mobile devices (Endpoint Central Mobile App) through a Single Sign-On (SSO) service that supports SAML authentication.

Glossary:

Service Provider - The application that provides a specific service and authenticates and authorizes users based on the security assertions obtained through SSO. For example: CRM, Endpoint Central, etc.

Identity Provider - The entity that maintains and manages the users' credentials. For example: Okta, OneLogin, etc.

Single Sign-On service - A service provided by the Identity Provider with a centralized login system: the user enters the credentials once, after which the authentication and authorization details are passed to the different service providers to grant the user access.

The main advantage of SSO is that it has centralized authentication, thereby eliminating the need for users to remember multiple passwords to access different applications.

How does SAML authentication work?

When a user tries to log in to the Service Provider, the user is redirected to the SSO login page. Upon entering the credentials, the SSO passes the authentication information to the Service Provider. The Service Provider then decides, based on the authentication and authorization details provided by the SSO, whether or not to grant the user access.
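The exchange described above, seen from the Service Provider's side, as an added example that is not Endpoint Central code: the SP builds the AuthnRequest it sends to the IdP's Login URL, then applies the checks an SP must make on the Response the IdP posts back to the ACS URL (Destination, InResponseTo, Status, Issuer, validity window, Audience = Entity ID) before trusting the Name ID. The Entity ID, ACS URL, Login URL and IdP Issuer values are hypothetical, the IdP Response is constructed inline as sample input, and XML-Signature verification against the IdP certificate is out of scope here (a SAML library handles it in a real deployment).

```python
"""Added example (not Endpoint Central code): minimal SP-initiated SAML 2.0 exchange.
All URLs are assumptions; the IdP Response is constructed, unsigned sample input."""
import base64
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical values standing in for what the Admin > SAML Authentication page shows.
SP_ENTITY_ID = "https://ec.example.com/saml/sp"     # assumption: the SP's Entity ID
ACS_URL = "https://ec.example.com/saml/acs"         # assumption: the ACS URL
IDP_LOGIN_URL = "https://idp.example.com/sso/saml"  # assumption: the IdP's Login URL
IDP_ENTITY_ID = "https://idp.example.com/metadata"  # assumption: the IdP's Issuer value


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(now):
    """Return (request ID, base64 SAMLRequest) for the HTTP-POST binding."""
    request_id = "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{_ts(now)}" '
           f'Destination="{IDP_LOGIN_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
           'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    return request_id, base64.b64encode(xml.encode()).decode()


def make_sample_idp_response(in_response_to, audience, name_id, now):
    """Constructed stand-in for the (unsigned) Response an IdP would post to the ACS URL."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_ts(now)}" '
           f'Destination="{ACS_URL}" InResponseTo="{in_response_to}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_ts(now)}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject>'
           '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
           f'{name_id}</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotBefore="{_ts(now - timedelta(minutes=1))}" '
           f'NotOnOrAfter="{_ts(now + timedelta(minutes=5))}"><saml:AudienceRestriction>'
           f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
           '</saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


def validate_response(saml_response_b64, expected_request_id, now):
    """SP-side checks on the posted SAMLResponse; return the NameID or raise ValueError."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f'{{{NS["samlp"]}}}Response':
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != ACS_URL:               # must be addressed to our ACS URL
        raise ValueError("Destination does not match the ACS URL")
    if root.get("InResponseTo") != expected_request_id:  # must answer the request we issued
        raise ValueError("InResponseTo does not match our AuthnRequest")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    issuer = assertion.find("saml:Issuer", NS) if assertion is not None else None
    if issuer is None or issuer.text != IDP_ENTITY_ID:   # must come from the configured IdP
        raise ValueError("unexpected or missing assertion Issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:                    # must be meant for our Entity ID
        raise ValueError("assertion is not addressed to this Entity ID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion carries no NameID")
    return name_id.text


def _rejected(resp, req_id, now):
    try:
        validate_response(resp, req_id, now)
    except ValueError:
        return True
    return False


def demo():
    """Run the exchange with a fixed clock; report a good response and two that must be refused."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    req_id, _saml_request = build_authn_request(now)
    good = make_sample_idp_response(req_id, SP_ENTITY_ID, "jdoe@example.com", now)
    out = {"name_id": validate_response(good, req_id, now)}
    # Assertion issued for some other SP: well-formed, but not meant for this Entity ID.
    other = make_sample_idp_response(req_id, "https://other-sp.example.net", "jdoe@example.com", now)
    out["wrong_audience_rejected"] = _rejected(other, req_id, now)
    # The good response replayed after NotOnOrAfter is refused as well.
    out["expired_rejected"] = _rejected(good, req_id, now + timedelta(minutes=10))
    return out


if __name__ == "__main__":
    print(demo())
```

The audience check is the one that ties the assertion to the Entity ID this page asks you to enter at the IdP, and the Destination check ties it to the ACS URL; together with the validity window they are what stop an assertion minted for another application, or captured earlier, from being accepted here.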

Prerequisites:

  • Since the IdP redirection happens over the HTTPS port, the HTTPS port must be kept open. The ACS URL is generated using HTTPS only.
  • The Identity Provider should support HTTP POST binding.
  • Certificates from the Identity Provider must not be tampered with, encrypted, or expired, and must be Base64-encoded.

Click below to configure SAML authentication settings between Endpoint Central and

Data provided by Endpoint Central that has to be entered in IdP

After logging in, go to the Admin tab and select SAML Authentication. Here you can find the details provided by Endpoint Central that must be entered on the IdP's side.

  • Entity ID
    An Entity ID is a globally unique identifier that represents your Endpoint Central instance.
  • Assertion Consumer Service URL (ACS URL)
    The ACS URL (also called the Reply URL) is an endpoint on your Endpoint Central instance that tells the IdP where to send the SAML response. The ACS URL must be used in the IdP configuration.

    Note: Steps to change the default ACS URL:
    1. Open <Installation_directory>/Desktop Central server/conf/websettings.conf
    2. In a new line, type saml.fqdn.name=FQDN_Name, where FQDN_Name is the new FQDN, without the port.
       For example: saml.fqdn.name=dc.com
    3. Save the websettings.conf file
    4. Restart the Endpoint Central server
    5. Reconfigure SAML Authentication
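One way to apply step 2 of the procedure above in a repeatable way, as an added example that is not Endpoint Central code: the function writes saml.fqdn.name into websettings.conf, replaces an existing entry instead of adding a duplicate, and refuses values that carry a scheme, port or path, since the page requires the bare FQDN. It assumes the file is plain key=value lines, as the example line suggests, and runs against a constructed copy of the file in a temporary directory.

```python
"""Added example (not Endpoint Central code): set saml.fqdn.name in websettings.conf.
Assumes a plain key=value file format; the sample file content is constructed."""
import re
import tempfile
from pathlib import Path

_KEY = "saml.fqdn.name"
# Bare hostname labels only: no scheme, no port, no path (assumed validation rule).
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def set_saml_fqdn(conf_path, fqdn):
    """Write saml.fqdn.name=<fqdn> into conf_path; return the resulting lines."""
    if not _FQDN_RE.match(fqdn):
        raise ValueError(f"{fqdn!r} is not a bare FQDN (no scheme, port or path allowed)")
    path = Path(conf_path)
    lines = path.read_text().splitlines() if path.exists() else []
    new_line = f"{_KEY}={fqdn}"
    for i, line in enumerate(lines):
        if line.split("=", 1)[0].strip() == _KEY:   # update an existing entry in place
            lines[i] = new_line
            break
    else:
        lines.append(new_line)                      # step 2: add it on a new line
    path.write_text("\n".join(lines) + "\n")
    return lines


def demo():
    """Exercise the function on a constructed websettings.conf in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp) / "websettings.conf"
        conf.write_text("some.existing.key=value\n")     # constructed sample content
        first = set_saml_fqdn(conf, "dc.com")            # the page's own example value
        second = set_saml_fqdn(conf, "ec.example.com")   # hypothetical new FQDN: replaced, not appended
        try:
            set_saml_fqdn(conf, "dc.com:443")            # constructed value with a port: must be rejected
            port_rejected = False
        except ValueError:
            port_rejected = True
        return {"first": first, "second": second, "port_rejected": port_rejected}


if __name__ == "__main__":
    print(demo())
```

Steps 3 to 5 (save, restart the server, reconfigure SAML Authentication) are still done by hand; the function only produces the file content that step 2 asks for.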

Note: Both Entity ID and the Assertion Consumer URL will be present in the Metadata XML.

Data required by Endpoint Central from IdP

After logging into the product console, go to the Admin tab and select SAML Authentication. At the bottom, enter the IdP's details.

  • Name ID
    The Name ID uniquely identifies the user who is trying to sign in; it can be either the username or the email ID.
    Note: For domain users, the username should be in the format domain\username. This may not be supported by some IdPs.
  • Login URL
    The Login URL is an endpoint on your IdP that tells Endpoint Central where to send the SAML request.
  • Certificate
    A certificate from the IdP, used by Endpoint Central to verify the signature on the SAML messages it receives from the IdP.
Note: The Federation Metadata XML file from the IdP, which contains the information mentioned above, can be uploaded to Endpoint Central.

Note:
  • To successfully log in using SAML, the user must be present in both the IdP and Endpoint Central.
  • SAML authentication may not work in browsers that are not supported by the Identity Provider.
  • SAML Single Logout is not supported currently.
  • If the FQDN changes, the ACS URL changes as well. The ACS URL must then be updated manually in the Identity Provider.
  • The FQDN and port mentioned in the ACS URL must be used to configure the Endpoint Central mobile app for SAML authentication.
  • In the SAML Authentication settings of Endpoint Central, the Name ID can be either Username or Email ID. The same option must be selected in the Identity Provider for authenticating users.
  • All accounts should have a unique email ID associated with Endpoint Central.
  • The metadata file used while configuring the Identity Provider must contain these three parameters: SSO URL, SSO Signing Certificate, and SSO Binding Protocol.
  • If the user tries to access the Secure Gateway Server from the mobile app, the security protocols of the Secure Gateway Server prevent the user from logging in via SAML authentication. As a workaround, access the internal server's FQDN/IP address to log in via SAML on the mobile app.