SAML 2.0 Authentication
SAML 2.0 authentication is supported to facilitate single sign-on for use with one or more AppResponse 11 systems or other SteelCentral products accessed from a single browser session. When SAML 2.0 is enabled, AppResponse 11 relies on a specified SAML identity provider (IDP) for authentication, and does not use local authentication, RADIUS, or TACACS+ servers, alone or in any combination. (Note that enabling SAML 2.0 authentication on AppResponse 11 disables all other forms of authentication used by the web UI.) If the SAML identity provider is unable to authenticate a user for any reason, that user will not be able to launch an AppResponse 11 web UI session. Note that SAML 2.0 authentication can be disabled via the AppResponse 11 CLI, using the no saml enable command.
When SAML 2.0 is enabled, the first time a user initiates access to an AppResponse 11 system in a browser session, AppResponse 11 will redirect the user to the SAML IDP for authentication. Upon successful authentication, the IDP will redirect the user back to the AppResponse 11 system, and the UI will open. The IDP will send back the user role corresponding to the user name being authenticated, and that user will have permissions in AppResponse 11 as defined by that role. As long as the user keeps that browser session active, any subsequent AppResponse 11 session, even if the user logs out of the system, closes the browser tab, or accesses a new system, will begin immediately without requiring the user to re-authenticate. The user will need to re-authenticate with the IDP only if they quit the browser session in which they had authenticated earlier.
Configuring SAML 2.0 Authentication
It is strongly recommended that you select Enable SAML 2.0 only after running Test successfully. [See the end of this procedure for more information about running Test.] Enabling SAML 2.0 will disable all other authentication types: local, RADIUS, and TACACS+.
1. Go to Administration > Account Management: Authentication to display the Authentication page.
2. Select the SAML 2.0 tab.
3. (Optional) The NameID field specifies what AppResponse 11 uses as the authenticated user’s name. If this field is left blank (the default), AppResponse 11 will use the SAML NameID field. If this field is populated, AppResponse 11 will look for a SAML attribute of the same name, and use it as the username. In either case, if a user name is not found, the user will not be allowed to log in.
4. In the IDP Metadata field, paste in the XML metadata that identifies the identity provider you wish to use. This step is manual, and you need to acquire the XML metadata from your IDP separately.
5. Leave the Roles Attribute field set to “memberOf”, unless your IDP has been configured to use a different attribute.
6. (Optional) If you need to acquire XML metadata that identifies your AppResponse 11 system (the service provider), click the Download as XML link to obtain it.
7. (Optional) Select whether AppResponse 11 will send signed authentication requests to the identity provider and/or require signed assertions from it.
8. (Optional) Specify a fully qualified domain name, if you wish to use one. This is needed only if AppResponse 11 is unable to determine this on its own, or if it otherwise obtains a host address that is not the same as what is required from a web browser.
9. (Optional) Import or generate a certificate that will verify the identity of your AppResponse 11 system (the service provider), if you wish.
10. Click Apply to implement your changes, then click Test to see what will happen without committing to the configuration changes. If the results of the test are satisfactory, click Enable SAML 2.0 and click Apply again. Click Revert to return to the last saved configuration.
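As an added illustration of steps 3 and 5 (not AppResponse 11 code, whose implementation is not public), the following Python shows how the NameID field and Roles Attribute settings map onto a SAML assertion: with NameID blank the subject's NameID is the user name, otherwise the attribute of that name is used, and a missing user name means login is denied. The assertion, the uid attribute and the role names are constructed placeholders; a real service provider validates the assertion's signature before trusting any of these values.

```python
import xml.etree.ElementTree as ET

# Standard library used for brevity; for untrusted XML prefer defusedxml.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, not a captured one. The Signature element is
# omitted: a real service provider validates it before reading any field.
# Role and attribute names are placeholders, not AppResponse 11 role names.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0">
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>example_admin_role</saml:AttributeValue>
      <saml:AttributeValue>example_viewer_role</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(root, name):
    """All AttributeValue texts of the SAML attribute called `name`."""
    values = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            for val in attr.findall("saml:AttributeValue", NS):
                if val.text and val.text.strip():
                    values.append(val.text.strip())
    return values


def resolve_login(assertion_xml, name_id_field="", roles_attribute="memberOf"):
    """Apply the NameID / Roles Attribute settings; None means login denied."""
    root = ET.fromstring(assertion_xml)
    if name_id_field:
        # Field populated: look for a SAML attribute of the same name.
        found = attribute_values(root, name_id_field)
        username = found[0] if found else None
    else:
        # Field blank (the default): use the subject's NameID.
        node = root.find("saml:Subject/saml:NameID", NS)
        username = node.text.strip() if node is not None and node.text else None
    if not username:
        return None
    return {"username": username, "roles": attribute_values(root, roles_attribute)}
```

Running it with a Roles Attribute name the IDP does not send yields an empty role list, which is the case to check when a user authenticates but lands with no permissions.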