Specifying SAML properties
SAML properties are specified on the SAML 2.0 tab of the Configuration > Account Management > Remote Authentication page. Depending on which IdP you are using, entries or selections in the following fields and controls may be required.
NameID Attribute
When this field is left empty, NetProfiler uses the value of the IdP NameID attribute as the user name for the user attempting to log in. This is typically the user’s email address.
You can specify an alternative attribute for identifying the user’s name. If the IdP is configured to use some other attribute to identify user names, enter the name of that attribute in this field. NetProfiler looks for the attribute you specify and uses its value as the user name.
Certain special characters are not accepted in user names. However, domain style names and email addresses are supported.
IdP Metadata
If your configuration requires NetProfiler to use Identity Provider metadata, paste it into the IdP Metadata box.
Allow local login
When SAML 2.0 authentication is enabled, the NetProfiler web user interface login page is not displayed. However, you can allow administrators to log in to locally authenticated administrative accounts. Select this check box to allow administrators to access a local login page. Record the link for administrators who may have no other means of logging in to NetProfiler.
Require signed assertions
As an additional level of security, you can select this check box to require assertions from the IdP to be signed. When this checkbox is selected, the response from the IdP to NetProfiler is signed with the IdP private key. This option requires the configured IdP metadata to contain the IdP certificate and public key. The public key is used to verify that an assertion received by NetProfiler was signed with the IdP private key and is therefore genuine.
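The following is an added example, not NetProfiler code, showing how a service provider applies the two settings described above to an incoming SAML 2.0 Response: it resolves the user name from the NameID (or from a configured attribute instead) and rejects user names containing unsupported characters, and it enforces a "require signed assertions" policy by refusing any assertion that carries no Signature element. The function names, the sample response, and the set of characters accepted in user names are assumptions for illustration. The signature presence check is structural only; the cryptographic verification itself must be done with the IdP public key taken from the configured IdP metadata (for example with an XML-DSig library), never with a certificate embedded in the message being verified.

```python
# Added example (not NetProfiler code): resolving the SAML user name and
# enforcing a "require signed assertions" policy on a SAML 2.0 Response.
# Names such as resolve_user_name and login_outcome are hypothetical.
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumed rule: letters, digits, dot, underscore, hyphen, '@' (email addresses)
# and backslash (domain-style names) are allowed; anything else is rejected.
USER_NAME_RE = re.compile(r"^[A-Za-z0-9._@\\-]+$")

# Constructed sample response; the SignatureValue is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="sAMAccountName">
        <saml:AttributeValue>EXAMPLE\\alice</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="displayName">
        <saml:AttributeValue>Alice &lt;admin&gt;</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same response with the Signature element stripped, to exercise the policy check.
UNSIGNED_RESPONSE = re.sub(r"<ds:Signature.*?</ds:Signature>", "", SAMPLE_RESPONSE, flags=re.S)


def first_assertion(xml_text):
    """Parse the response and return its first Assertion element."""
    # In production, parse untrusted XML with defusedxml to block entity-expansion attacks.
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response contains no Assertion")
    return assertion


def assertion_is_signed(assertion):
    """Structural check only: does the Assertion carry an enveloped Signature?"""
    return assertion.find("ds:Signature", NS) is not None


def resolve_user_name(assertion, name_id_attribute=""):
    """Empty setting: use NameID. Otherwise: use the named SAML attribute's value."""
    if not name_id_attribute:
        node = assertion.find("saml:Subject/saml:NameID", NS)
        if node is None or not node.text:
            raise ValueError("Assertion has no NameID")
        value = node.text.strip()
    else:
        value = None
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == name_id_attribute:
                v = attr.find("saml:AttributeValue", NS)
                if v is not None and v.text:
                    value = v.text.strip()
                break
        if value is None:
            raise ValueError(f"Attribute {name_id_attribute!r} not present in assertion")
    if not USER_NAME_RE.match(value):
        raise ValueError(f"User name {value!r} contains unsupported characters")
    return value


def login_outcome(xml_text, name_id_attribute="", require_signed=True):
    """Return ("ok", user_name) or ("rejected", reason) for the given policy."""
    try:
        assertion = first_assertion(xml_text)
        if require_signed and not assertion_is_signed(assertion):
            return ("rejected", "policy requires signed assertions but assertion is unsigned")
        return ("ok", resolve_user_name(assertion, name_id_attribute))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(login_outcome(SAMPLE_RESPONSE))                    # NameID as user name
    print(login_outcome(SAMPLE_RESPONSE, "sAMAccountName"))  # domain-style name
    print(login_outcome(SAMPLE_RESPONSE, "displayName"))     # rejected: special characters
    print(login_outcome(UNSIGNED_RESPONSE))                  # rejected: unsigned
```

Run it as a script to see each outcome. The `displayName` case shows why the character restriction matters: an attribute chosen for a human-readable name can carry characters that are unsafe as an account identifier, so a deployment should point the NameID Attribute field at an attribute the IdP guarantees to be a clean identifier.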
SP Metadata
If your configuration requires NetProfiler "Service Provider" XML metadata, click Download as XML to generate a file containing the NetProfiler metadata. Copy and paste the contents of this file into the IdP so it can communicate with NetProfiler.
Fully Qualified Domain Name
This field is automatically filled in with the fully qualified domain name of the NetProfiler. The field can be edited if necessary. This is used when NetProfiler redirects the user’s browser to the IdP and the IdP redirects the browser back to NetProfiler.
Assertion Consumer Service URL
If an IdP does not support obtaining the URL of the assertion consumer (NetProfiler in this case) from the Service Provider metadata, then the IdP may require manual configuration. If manual configuration is required, add this URL to the IdP so it can access the NetProfiler assertion consumer service.
The EntityID of the SP
This is the entity identifier of the NetProfiler. It is based on the value in the Fully Qualified Domain Name field and is the login URL.
Sign authentication request
Select this checkbox to require signing on the authentication request that NetProfiler sends to the IdP. This requires generating a client certificate and adding it to the IdP. Authentication requests are then signed with the NetProfiler SAML private key and verified by the IdP using the NetProfiler SAML certificate and public key.
Click Generate certificate to generate the client certificate. The certificate is stored in NetProfiler and listed on the Local Credentials tab of the Administration > Appliance Security > Encryption Key Management page. If you need to use your own certificate, you can change the certificate on the Encryption Key Management page.
Apply
Click Apply to save changes. If you navigate away from the page or end your browser session with NetProfiler without clicking Apply, any changes you have made to the settings on this page are lost.
Test
The Test button causes NetProfiler to send an authentication request to the IdP. The user running the test is presented with a login screen. They log in with a name known to the IdP. The IdP authenticates the user and sends NetProfiler the user’s name, user role and SAML attributes. NetProfiler displays these on a test screen for the user to verify.
This test should run successfully before you enable SAML 2.0 authentication on NetProfiler.