About SAML settings
Settings for SAML are under Administration > Security: SAML.
Configure the appliance in your IdP. Refer to the documentation for your IdP for specific instructions. In general, you complete these steps:
1. Log in to the IdP website.
2. Upload the metadata from the sp_metadata.xml file and provide any other required details.
3. When the configuration is complete, download the IdP metadata.
IdP Metadata
Specifies the IdP metadata. Paste the metadata you copied or received from the IdP website here.
Security Settings
These settings should match the IdP settings.
Sign Authentication Request
Specifies that the SteelHead signs the SAML authentication request sent to the identity provider. Signing the initial login request sent by the appliance allows the identity provider to verify that all login requests originate from a trusted service provider.
Requires Signed Assertions
Indicates that the IdP signs the assertion response. Some SAML configurations require signed assertions to improve security.
Requires Encrypted Assertions
Specifies that the SAML identity provider encrypts the assertion section of the SAML responses. Even though all SAML traffic to and from the appliance is already encrypted by the use of HTTPS, this option adds another layer of encryption.
Username Attribute
Specifies the name of the IdP variable that carries the username. The Username attribute is mandatory and must be sent by your identity provider in the SAML response to align the login with a configured account on the appliance.
Member of Attribute
Specifies the name of the IdP variable that carries the role of the user. The role must match a local appliance user. This setting is mandatory. If you use the default memberOf attribute, the appliance only attempts to match against the first entry in the IdP memberOf attribute list.
Click Apply to save your configuration settings, and under Validate the IdP Configuration, click Validate. The IdP Validation window appears.
Click Go to IdP. The IdP login page opens. Then log in to the IdP website. The page indicates if your IdP configuration was successful.
After successful validation, return to the SAML page in the management console and enable SAML.
If the validation status on the appliance page does not update after a successful validation, reload the page to refresh the status.
With SAML enabled, all web login requests are redirected to the IdP.
If you make changes to the SAML settings after you validate the IdP configuration, you need to validate again with the new settings and enable SAML again.
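A pre-check for the Security Settings and attribute settings described above, as an added example that is not the appliance's own code: it inspects a decoded SAML response for the signed and encrypted assertion requirements and for the username and role attributes, applying the first-entry-only rule for memberOf. The function name, the `username` attribute name, the local user names, and the sample response are assumptions constructed for illustration; the signature check tests presence only and does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample; the empty ds:Signature is a placeholder, not a real signature.
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion>
    <ds:Signature/>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>helpdesk</saml:AttributeValue>
        <saml:AttributeValue>admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, local_users, username_attr="username",
                   member_attr="memberOf", require_signed=True,
                   require_encrypted=False):
    """List mismatches between a decoded SAML response and the settings."""
    root = ET.fromstring(xml_text)  # use a hardened parser for untrusted XML
    problems = []
    if require_encrypted and root.find("saml:EncryptedAssertion", NS) is None:
        problems.append("assertion is not encrypted")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # encrypted or absent: attributes are not readable
        return problems + ["no plaintext assertion to inspect"]
    if require_signed and assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")  # presence check only
    values = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
              for a in assertion.iterfind(".//saml:Attribute", NS)}
    if not values.get(username_attr):
        problems.append(f"missing username attribute {username_attr!r}")
    roles = values.get(member_attr, [])
    if not roles:
        problems.append(f"missing role attribute {member_attr!r}")
    elif roles[0] not in local_users:  # only the first entry is matched
        problems.append(f"first {member_attr} entry {roles[0]!r} is not a local user")
    return problems
```

In the sample, the user holds the `admin` role, but because it is the second memberOf entry the check reports a mismatch when only `admin` exists locally.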