SAML is a method used to exchange information between a service provider and an identity provider. A service provider is the provider of a third-party service that users connect to, such as Salesforce or Microsoft. An identity provider, such as AuthPoint, authenticates users when they log in to a service or application.
In AuthPoint, SAML resources connect AuthPoint with a service provider. Add SAML resources and define access policies for the resources to require that users authenticate before they can connect to those services and applications.
When you add SAML resources, we recommend that you also add an IdP portal resource. The IdP portal is a portal page that shows users a list of SAML resources available to them. For more information, see Add an IdP Portal Resource.
Configure Authentication for a Third-Party Application
Before you add a SAML resource, you must configure SAML authentication for your third-party service provider. To do this, you must get the AuthPoint metadata from the Certificate Management page in the AuthPoint management UI.
The AuthPoint metadata provides your resource with information that is necessary to identify AuthPoint and establish a trusted relationship between the third-party service provider and the identity provider (AuthPoint).
Some service providers require the metadata file to configure authentication, while others only require the metadata URL. Which one you need depends on the third-party service provider.
- Select Resources.
- Click Certificate.
- On the Certificate Management page, next to the AuthPoint certificate that you will associate with your resource, click and select an option to download the metadata, copy the metadata URL, download the certificate, or copy the fingerprint, based on what the service provider for your resource requires.
The AuthPoint metadata provides your resource with information necessary to identify AuthPoint as a trusted identity provider. This is necessary for SAML authentication.
- Import the AuthPoint metadata file to the service provider and get the Service Provider Entity ID and Assertion Consumer Service from the service provider. These values are necessary to configure the SAML resource in AuthPoint. Refer to the AuthPoint Integration Guides for the steps to configure specific SAML resources.
Add a SAML Resource in AuthPoint
To add a SAML resource, in the AuthPoint management UI:
- Select Resources.
- From the Choose a resource type drop-down list, select SAML. Click Add.
- In the Name text box, type a name for the resource.
- From the Application Type drop-down list, select the relevant application or select Others if the application is not listed.
You can click the Integration Guide link to open a help topic with the steps to set up your application. This link is context sensitive.
- In the Service Provider Entity ID and Assertion Consumer Service text boxes, type the values from the service provider of the application.
- From the User ID drop-down list, select which user ID attribute to send to the service provider. The user ID is the attribute for an AuthPoint user that is compared to the user name in your application. These values must match.
For example, Salesforce requires the user name to have a domain (it is in email format). Because the AuthPoint user name is not in domain format, your user ID must be email so that it matches the Salesforce user name.
- (Optional) Click Choose File to upload a certificate from the service provider. When you upload a certificate, you can select the Encryption enabled slider to enable or disable encryption for the SAML communication.
- If applicable, complete any additional fields required for the application.
- Click Save.
- Assign an access policy for the SAML resource to a group. See Access Policies for more information.
Now that you have successfully added a SAML resource, you must assign an access policy for the SAML resource to an AuthPoint user group. Access policies are assigned to user groups to specify which resources require authentication and which authentication method to use for the users in that group. For more detailed information, see Access Policies.