Managing SteelHeads : Configuring SAML
Configuring SAML
You set up SAML in the Administration > Security: SAML page.
Security Assertion Markup Language (SAML) 2.0 is an XML standard that acts as an authentication interface between a SteelHead and an identity provider (IdP). You can use the IdP to provide additional requirements for authentication, such as a multifactor authentication based on a common access card (CAC) or personal identity verification (PIV).
When a SteelHead receives a login request, it determines if SAML is enabled. If SAML is enabled, user authentication through AAA is disabled and the SteelHead redirects the authentication request to the IdP. The IdP authenticates the user and redirects the user to the SteelHead, which allows access.
SAML authentication process
To enable IdP authentication, you configure the SteelHead and the IdP with XML metadata that provides detailed appliance identification. The metadata also establishes a trust relationship between the SteelHead and the IdP.
Administrators must add users to the IdP server to provide them login access, and those users need to correspond to SteelHead users. You can have one-to-one mapping of users between the IdP and the SteelHead, or you can have multiple users on the IdP map to a single account on the SteelHead, such as the admin account. (You have to create individual user accounts on the SteelHead for one-to-one mapping, because the user accounts determine the access permissions.)
If a user who has not been set up in the IdP tries to log in to the SteelHead, the login fails on the IdP login page. (This failed login is not tracked in the SteelHead logs.) If the user has been set up but their user mapping has not been defined in the IdP, the login succeeds but the SteelHead displays an error page (instead of the dashboard).
SAML authentication is available only in the Management Console web interface; it is not available through the CLI. Users can log in to a SAML-enabled SteelHead through the CLI, but they are authenticated using the local, RADIUS, or TACACS+ authentication methods.
If you cannot log in using SAML (for example, if the IdP server is unavailable), you can log in through the CLI and disable SAML using the no aaa saml command. Once SAML is disabled, you revert to the previously configured authentication method for the web interface. For command details, see the Riverbed Command-Line Interface Reference Manual.
You must be logged in as the administrator to enable or disable SAML.
To enable SAML
1. Choose Administration > Security: SAML to display the SAML page.
IdP Configuration section of the SAML page
2. Under Appliance Metadata, click Download XML to download the SteelHead metadata in XML format.
The sp_metadata.xml file downloads to your local machine.
3. Configure the appliance in your IdP.
Refer to the documentation for your IdP for specific instructions. In general, you complete these steps:
Log in to the IdP website.
Upload the metadata from the sp_metadata.xml file and provide any other required details.
When the configuration is complete, download the IdP metadata.
4. In the management console, under SAML > IdP Configuration, configure the SAML settings as described in this table.
Control: IdP Metadata
Description: Paste the IdP metadata you copied or received from the IdP website.

Control: Security Settings
Description: These settings should match the IdP settings.
Sign Authentication Request—Select this option to have the SteelHead sign the SAML authentication request sent to the identity provider. Signing the initial login request sent by the SteelHead allows the identity provider to verify that all login requests originate from a trusted service provider.
Requires Signed Assertions—Select this option if the IdP signs the assertion response. Some SAML configurations require signed assertions to improve security.
Requires Encrypted Assertions—Select this option if the SAML identity provider encrypts the assertion section of the SAML responses. Even though all SAML traffic to and from the SteelHead is already encrypted by the use of HTTPS, this option adds another layer of encryption.

Control: Attribute
Description:
Username Attribute—Enter the name of the IdP variable that carries the username. The Username attribute is mandatory and must be sent by your identity provider in the SAML response to align the login with a configured SteelHead account.
Member of Attribute—Enter the name of the IdP variable that carries the role of the user. The role must match a local SteelHead user. This setting is mandatory.
If you use the default memberOf attribute, the SteelHead only attempts to match against the first entry in the IdP memberOf attribute list. If you require more control, we recommend creating a custom attribute. For details, go to Knowledge Base article S33447.
5. Click Apply to save your configuration settings.
6. Under Validate the IdP Configuration, click Validate.
The IdP Validation window appears.
7. Click Go to IdP.
The IdP login page opens.
8. Log in to the IdP website.
The page indicates if your IdP configuration was successful.
9. After successful validation, return to the SAML page in the management console and select the Enable SAML check box and click Apply.
If the validation status on the SteelHead page does not update after a successful validation, reload the page to refresh the status.
With SAML enabled, all web login requests are redirected to the IdP.
10. Click Save to Disk to save your settings permanently.
If you make changes to the SAML settings after you validate the IdP configuration, you need to validate again with the new settings and enable SAML again.
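The following Python script is an added illustration of the attribute rules in step 4 and is not Riverbed code: it parses a constructed SAML response and applies the page's mapping rules (username attribute mandatory, only the first memberOf entry compared against local accounts, assertion expected to carry a signature). The attribute name uid, the group DN, and the response contents are assumptions, and the signature check only tests that a Signature element is present; it does not verify it.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample response (not from a real IdP): the first memberOf value is a
# group DN matching no local SteelHead account; the usable value "admin" is second.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">placeholder</ds:Signature>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>CN=AllStaff,OU=Groups,DC=example,DC=com</saml:AttributeValue>
        <saml:AttributeValue>admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def attribute_values(assertion, name):
    """All AttributeValue strings of the named attribute, in the order the IdP sent them."""
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            return [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return []

def check_response(xml_text, username_attr, memberof_attr, local_users, require_signed=True):
    """Apply the page's rules: username attribute mandatory; only the FIRST memberOf entry
    is compared to local accounts. Signature check only tests presence, not validity."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "reason": "response carries no assertion"}
    if require_signed and assertion.find("ds:Signature", NS) is None:
        return {"ok": False, "reason": "assertion is not signed"}
    users = attribute_values(assertion, username_attr)
    if not users:
        return {"ok": False, "reason": f"username attribute {username_attr!r} missing"}
    groups = attribute_values(assertion, memberof_attr)
    first = groups[0] if groups else None
    if first not in local_users:
        return {"ok": False, "all_entries": groups,
                "reason": f"first {memberof_attr} entry {first!r} matches no local user"}
    return {"ok": True, "user": users[0], "mapped_to": first}
```

Running check_response on the sample with local accounts {"admin", "monitor"} fails even though "admin" is in the list, which is the first-entry-only behaviour that the Knowledge Base note recommends a custom attribute to avoid.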