Note: All the SAML configuration and authentication steps discussed for Endpoint Central MSP also applies to Patch Manager Plus and Vulnerability Manager Plus.

What is SAML Authentication?

Security Assertion Markup Language (SAML) is the de facto open standard used for exchanging authentication and authorization details between the Service Provider and the Identity Provider. The exchange of details is done through digitally signed XML documents containing user data. Endpoint Central MSP offers support for SAML 2.0 authentication. By enabling this feature, users can login to Endpoint Central MSP via a Single Sign-On (SSO) service, which supports SAML authentication.

Terms to know:

Service Provider - The application providing a specific service which authenticates and authorizes users by security assertions requested by SSO. For example: CRM, Endpoint Central MSP, etc..

Identity Provider - The entity which maintains and manages the user's credentials. For example: Okta, OneLogin, etc..

Single Sign-On service - A service provided by Identity Provider, that has a centralized login system in which the user enters the credentials once, after which, the authentication and authorization details are passed to different service providers to grant access to the user.

The main advantage of SSO is that it has centralized authentication, thereby eliminating the need for users to remember multiple passwords to access different applications.

How SAML authentication works

When a user tries to login to access the Service Provider, the user will be redirected to SSO login page. Upon entering the credentials, the SSO will pass the information to the Service Provider. Further, the Service Provider will decide based on the authentication and authorization details provided by the SSO, whenther or not to grant access to the user.

Prerequisites:

  • Since, the IdP redirection happens via HTTPS port, the HTTPS port must be kept open. The ACS URL is generated using HTTPS only.
  • Identity Provider should support HTTP POST binding.
  • Certificates from the Identity Provider should not have been tampered with, encrypted or expired and should be encoded in base 64 format.

Click below for configuring SAML authentication settings between Endpoint Central MSP and

Data provided by Endpoint Central MSP that has to be entered in IdP

After logging into Endpoint Central MSP, go to the Admin tab, and select SAML Authentication. Here, you can find the details that are provided by Endpoint Central MSP to be entered in IdP's side.

  • Entity ID
    Entity ID is a Globally-Unique Identifier used to represent your Endpoint Central MSP instance.
  • Assertion Consumer Service URL (ACS URL)
    The ACS URL or Reply URL is an endpoint pointing to your Endpoint Central MSP instance that tells the IdP where to send the SAML response.

    Note: Steps to change the default ACS URL in Endpoint Central MSP:
    1. Open <Installation_directory>/Desktop Central MSP server/conf/websettings.conf
    2. In a new line, type saml.fqdn.name=<FQDN_Name>
    3. Save the websettings.conf file
    4. Restart the Endpoint Central MSP server
    5. Reconfigure SAML Authentication

    where FQDN_Name is the new FQDN, without the port.

Note: Both Entity ID and the Assertion Consumer URL will be present in the Metadata XML.

Data required by Endpoint Central MSP from IdP

After logging into Endpoint Central MSP, go to the Admin tab, and select SAML Authentication. At the bottom, you have to enter the IdP's details.

  • Name ID
    The Name ID is used to uniquely identify the user who is trying to sign in- it can be either the username or the email ID.
    Note: Username may not be supported in some IdPs.
  • Login URL
    The Login URL is an endpoint pointing to your IdP that tells Endpoint Central MSP where to send the SAML request.
  • Certificate
    A certificate from the IdP, used by Endpoint Central MSP to verify future SAML requests from the IdP.
Note: The Federation Metadata XML file from IdP, that contains the information mentioned above, can be uploaded to Endpoint Central MSP.
 
 
Note:
  • To successfully log in using SAML, the user must be present both in the IdP and Endpoint Central MSP.
  • SAML authentication may not work in browsers that are not supported by the Identity Provider.
  • SAML Single logout is not supported currently.
  • If FQDN changes, the ACS URL changes. This implies that the ACS URL should be again updated manually in the Identity Provider.
  • In SAML Authentication settings of Endpoint Central MSP, the Name ID  can be either chosen as Username or Email ID. The same option should be selected in the Identity Provider for authenticating users.
  • All accounts should have a unique email ID associated with them in Endpoint Central MSP.
  • The metadata file while configuring Identity Provider, must have these three parameters- SSO URL, SSO Signing Certificate; SSO Binding Protocol