SAML Authentication Quick Start Guide

Transcription

1 SAML Authentication Quick Start Guide Powerful Authentication Management for Service Providers and Enterprises Authentication Service Delivery Made EASY

2 Copyright 2013 SafeNet, Inc. All rights reserved. All attempts have been made to make the information in this document complete and accurate. SafeNet, Inc. is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications contained in this document are subject to change without notice. SafeNet and SafeNet Authentication Service are either registered with the U.S. Patent and Trademark Office or are trademarks of SafeNet, Inc., and its subsidiaries and affiliates, in the United States and other countries. All other trademarks referenced in this Manual are trademarks of their respective owners. SafeNet Hardware and/or Software products described in this document may be protected by one or more U.S. Patents, foreign patents, or pending patent applications. Please contact SafeNet Support for details of FCC Compliance, CE Compliance, and UL Notification. Support SafeNet technical support specialists can provide assistance when planning and implementing SafeNet Authentication Service. In addition to aiding in the selection of the appropriate authentication products, SafeNet can suggest deployment procedures that will provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment. SafeNet works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a SafeNet channel partner, please contact your partner directly for support needs. To contact SafeNet Authentication Service support directly: Europe / EMEA Freephone: Telephone: (UK) +44 (0) (Int l) North America Toll Free: Telephone: sassupport@safenet-inc.com sassupport@safenet-inc.com Technical Support Customer Portal Existing customers with a Technical Support Customer Portal account can log in to manage incidents, get the latest software upgrades, and access the SafeNet Knowledge Base. 2

3 Publication History Date Description Revision Changes for Salesforce s new SAML configuration interface, and minor corrections Correction to Add Google Apps as a SAML Service Provider process Updates for SafeNet Branding Minor changes to Salesforce screenshots Add My Domain step to Salesforce configuration Initial Release 1.0 3

4 Contents Applicability... 5 Introduction... 6 Purpose of this Guide... 6 Audience... 6 Customer Feedback... 6 SafeNet Authentication Service and SAML... 7 Traditional RADIUS Scenario without SAML... 8 Introduction to SAML... 9 How SAML Works With SAS Web Application SSO Managing Cloud Identities Normalizing User Credentials using SafeNet Authentication Service Using SafeNet Authentication Service with Cloud SSO Service Providers Automatic Cloud App Authorization Configuring SAML Authentication in SAS Configuring SAML Service Providers in SAS Configuring SAML Services in SAS Configuring SAML Provisioning Rules in SAS Sample SAML Configurations Configuring SAML Authentication in Salesforce Part 1: Configuring Salesforce for Single Sign-On Part 2: Adding Salesforce as a SAML Service Provider Configuring SAML Authentication in Google Apps Part 1: Configuring Google Apps for Single Sign-On Part 2: Adding Google Apps as a SAML Service Provider Configuring SAML Authentication in Symplified Web SSO Part 1: Configuring Symplified for Single Sign-On Part 2: Adding Symplified as a SAML Service Provider

5 Applicability The information in this document applies to: SafeNet Authentication Service (SAS) A Cloud service of SafeNet, Inc. SafeNet Authentication Service Service Provider Edition (SAS-SPE) The software used to build an authentication service. SafeNet Authentication Service Private Cloud (SAS-PC) A term used to describe the implementation of SPE on-premise. Applicability 5

6 Introduction Purpose of this Guide This guide describes the application, configuration and use of SafeNet Authentication Service as a SAML Identity Provider (IdP) to relying SAML Service Providers (SP). It describes: How to configure a Virtual Server to be an IdP. How to use the SAML Provisioning Rules module introduced in SafeNet Authentication Service and LDAP to automate the configuration of individual user accounts to permit authentication for designated SPs such as Google Apps. How to customize logon and other pages presented to the user during SAML authentication. Examples of SAML configurations for: o Configuring SAML Authentication in Salesforce (see page 22) o Configuring SAML Authentication in Google Apps (see page 25) o Configuring SAML Authentication in Symplified Web SSO (see page 28) Readers are encouraged to read this guide in the order in which information is presented, as successive chapters often rely on information and concepts presented in prior chapters. Audience This guide is intended for SafeNet Authentication Service administrators responsible for how managed authentication services are delivered and responsible for configuring the Service to reflect the internal business processes, service level agreements and management hierarchy. Customer Feedback Help us to improve this documentation, our products and our services by communicating any ideas and suggestions that you feel would improve the usefulness and clarity of the documentation, product feature set or application in practice. Suggestions should be sent to: sasfeedback@safenet-inc.com or faxed to Customer Feedback at Introduction 6

7 SafeNet Authentication Service and SAML Figure 1: SafeNet Authentication Service s Various Authentication Options SafeNet Authentication Service now offers SAML authentication to its Cloud Subscribers. This means that enterprises can: Extend strong authentication beyond the enterprise perimeter to include Cloud Apps such as Salesforce, Google Apps, etc. Use SafeNet Authentication Service to protect internal applications, such as SAP, that support SAML authentication. Use SafeNet Authentication Service with perimeter devices, such as SSL VPNs, that support SAML authentication. Enable authorized users to authenticate to Cloud apps in a simple, familiar and consistent manner using the same token/authentication method they use for VPN and other traditional access. Automate Cloud app authorization. Use SafeNet Authentication Service reporting to audit all user authentication activity, including authentication into Cloud apps. SafeNet Authentication Service and SAML 7

8 Traditional RADIUS Scenario without SAML In a traditional RADIUS scenario, a user is prompted to provide authentication credentials (UserID and password) to an access point, such as a VPN. The VPN uses the RADIUS protocol to pass the credentials to the authentication service for validation. The authentication service in turn sends an accept or reject message via RADIUS back to the VPN. Figure 2: RADIUS Authentication User Experience The standardized RADIUS allows an organization to choose any vendor s RADIUS client, such as VPN, and be assured that it could use any other vendor s RADIUS Server, such as SafeNet Authentication Service. However, RADIUS has rarely been adopted outside of network perimeter devices. Much like the days before the adoption of RADIUS, applications have each tended to have their own authentication mechanism. As a result, users tended to have many passwords and had to log in to individual applications. With the growth in web apps and in Cloud computing, this quickly became unmanageable for users and administrators alike. A new authentication standard was required that could be adopted by application developers with ease and without requiring specific knowledge of how or what the authentication method will be. And equally important, the standard had to provide a way to federate identity so that users were not required to have many passwords or separate logons to individual applications. SAML, and in particular SAML 2.0, became the standard that made this possible. Traditional RADIUS Scenario without SAML 8

9 Introduction to SAML SAML (Security Assertion Markup Language) is an XML (Extensible Markup Language) standard for exchanging authentication and authorization data between two security domains: A. an identity provider (IdP) such as SafeNet Authentication Service B. a service provider (SP), typically a web application such as Google Apps SAML allows a user to log on once for affiliated but separate web sites or web applications. SAML has three components: 1 Assertions are of three different statement types: authentication, attribute, and authorization decision. Authentication assertion validates the user's identity. Attribute assertion contains specific information about the user. Authorization decision assertion identifies what the user is authorized to do. 2 Protocol defines how SAML asks for and receives assertions. 3 Binding defines how SAML message exchanges are mapped to Simple Object Access Protocol (SOAP) exchanges. SAML works with multiple protocols including Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), File Transfer Protocol (FTP), and also supports SOAP, BizTalk, and Electronic Business XML (ebxml). While generally considered an authentication protocol for web apps and in particular for Cloud computing, SAML is in fact supported by a range of applications and devices including SAP and perimeter devices such as SSL VPNs. Introduction to SAML 9

10 How SAML Works With SAS The SAML Service Provider, such as Google Apps, Salesforce, or SSL VPN, relies on SafeNet Authentication Service as the SAML identity provider (IdP) to present the logon page and to authenticate users. The SAML assertion generated by the IdP in response to a successful authentication is used by the Service Provider to grant the user access to the application. When a user attempts to log on to an application that supports SAML, they are redirected to SafeNet Authentication Service where they must authenticate. If the authentication is successful, the user is redirected to their Cloud app where access is granted. Figure 3: SAML Authentication General User Experience - illustrates SAML s net effect on the user logon experience Web Application SSO When separate web sites or applications are affiliated, the successful SAML authentication results in user access to the affiliate without requiring an additional user logon. This is essentially web SSO. Figure 3: SAML Authentication General User Experience illustrates a possible affiliation between Google Apps and Salesforce which would permit a user authenticated to one of these services to be able to use the other service without additional authentication. How SAML Works With SAS 10

11 Managing Cloud Identities It is not uncommon for individual Cloud applications to impose specific requirements for UserID. For example, a user may require a gmail account (e.g. bill@gmail.com) to log on to Google Apps, whereas Salesforce may require a domain specific address (e.g. bill@acmecompany.com). If there is no affiliation between the web apps, the user would be required to log on separately to each application using different credentials. These may be in addition to the UserID required for logon through the corporate VPN (e.g. blaham). This can become confusing and unmanageable for users and administrators. Fortunately there are a couple of solutions: 1. Normalizing User Credentials using SafeNet Authentication Service 2. Using SafeNet Authentication Service with Cloud SSO Service Providers Normalizing User Credentials using SafeNet Authentication Service Use SAS to normalize the user s logon credentials across corporate and Cloud applications and services. One of the capabilities of SafeNet Authentication Service is to authenticate a user with a single credential set the UserID and One-Time Password, but provide a different, specific credential required by the Cloud app service. On successful authentication, SAS replaces the UserID provided during authentication with the UserID required by the Cloud application in the SAML assertion. This is illustrated in Figure 4: Normalizing User Credentials using SafeNet Authentication Service. For the user, this delivers a consistent logon methodology (such as UserID: Bill, Password: OTP), and insulates the user from any other credential management requirements. Figure 4: Normalizing User Credentials using SafeNet Authentication Service How SAML Works With SAS 11

12 Using SafeNet Authentication Service with Cloud SSO Service Providers Cloud SSO Service Providers, such as Symplified ( provide a front end for managing multiple Cloud Service Providers and applications. Typically, these front ends support SAML authentication and can therefore use SafeNet Authentication Service as the IdP. The Cloud SSO can be configured as a SAML SP, relying on SafeNet Authentication Service to authenticate the user. Once authenticated, the user has access to Cloud applications and services configured for their personal Cloud SSO account. Figure 5: SafeNet Authentication Service and Cloud SSO Automatic Cloud App Authorization One of the challenges facing administrators of large user populations is efficient and timely activation of SAML authentication. As the number of users and Cloud apps grow, so does the challenge of timely activation and deactivation. To solve this problem, SafeNet Authentication Service offers SAML Provisioning Rules. Generally, these rules are triggered on the addition or removal of a user from an LDAP security group and/or SafeNet Authentication Service internal group. These rules allow or deny authentication for users authenticating to the specified SAML Service Providers. How SAML Works With SAS 12

13 Configuring SAML Authentication in SAS Configuring SAS for SAML authentication requires the following steps: Configuring SAML Service Providers in SAS Configure the virtual server to process authentication requests received from specific SAML Service Providers. Click Apply to save the new Service Provider. Configuring SAML Services in SAS Manually enable SAML authentication for your users to one or more of the SAML Service Providers that were configured on the virtual server. Click Add to save the new SAML service. Configuring SAML Provisioning Rules in SAS Automatically enable SAML authentication for users in specific containers or groups to one or more of the SAML Service Providers configured on the virtual server. SAML Provisioning Rules can be used instead of, or in addition to, configured SAML services. Configuring SAML Service Providers in SAS From the COMMS tab of your virtual server, select SAML Service Providers. Select SAML 2.0 Settings, and click Add to add a new Service Provider. Configuring SAML Authentication in SAS 13

14 Note: After a Service Provider has been configured in SAS, information is displayed in the SAML 2.0 Settings area fields. You will need these values when you configure the Service Provider to use SAS as a SAML identity provider. In the Add SAML 2.0 Settings area: Entity ID This is the Entity ID of the SAML Service Provider, typically (but not always) in the form of a URL. This value will be provided by the Service Provider, or it can be extracted from the metadata (XML file) provided by the Service Provider. For example: <?xml version="1.0" encoding="utf-8"?> <md:entitydescriptor xmlns:md="urn:oasis:names:tc:saml:2.0:metadata" entityid= Friendly Name This is a name you assign to the SAML Service Provider for easy identification. This name will appear in the SAML Services list displayed in Assignment SAML Services and Policies Automation Policies SAML Provisioning Rules. SAML 2.0 Metadata o Upload Existing Metadata File Use this to upload an XML file that has been generated by your SAML Service Provider. Configuring SAML Authentication in SAS 14

15 o Create New Metadata File Some SAML Service Providers do not provide a metadata file but instead provide only their Entity ID and Location (essentially the resource being accessed). This option instructs the virtual server to create and add a metadata file based on this information. The remaining options are used to customize the appearance of the logon page presented to the user. Custom Logo This is a customized logo that will appear on the logon form presented to your users during authentication. Custom CSS This is a customized CSS (Cascading Style Sheet) for the logon form presented to your users during authentication. If no file is chosen, the following default CSS is used:.tablebanner width: 600px; border-width: 0px; border-spacing: 0px; background-color: white;.tablemain width: 600px; border-width: 1px; border-spacing: 0px; border-style: solid; border-color: #4682B4; Configuring SAML Authentication in SAS 15

16 border-collapse: separate; background-color: white; padding: 0px;.tdTopSpaceAboveBanner height: 50px; text-align: center;.tdbanner height: 100px; text-align: center;.tdspacebelowbanner height: 50px; text-align: center;.tdloginheader height: 50px; text-align: center; font-size: 28px; color: white; background-color: #4682B4; padding-left: 0px; padding-right: 0px;.tdLoginMessage height: 50px; text-align: center; font-size:20px; color: #4682B4;.tdUserNameLabel text-align: right; font-size: 15px; color: #4682B4; padding-left: 70px; Configuring SAML Authentication in SAS 16

17 .textusername width: 225px; height: 20px; text-align: left; border-color: #4682B4; border-width: 1px;.tdPasswordLabel text-align: right; font-size: 15px; color: #4682B4; padding-left: 70px;.textPassword width: 225px; height: 20px; text-align: left; border-color: #4682B4; border-width: 1px;.tdUserName padding-left: 60px;.tdPassword padding-left: 60px;.td20PxSpace height: 20px;.td40PxSpace height: 40px;.tdUserErrorMessage height: 40px; color: red; text-align: center; font-size: 14px;.tdSubmit Configuring SAML Authentication in SAS 17

18 text-align: center; height: 30px;.buttonSubmit background-color: white; background-repeat:no-repeat; border-width: 0px; width: 120px; height: 28px; text-align: center; font-size: 14px; color: white;.tdspacebelowloginwindow height: 80px;.relayingParty text-align: center; font-size: 10px; color:darkblue; height: 20px;.sessionTimeout text-align: center; font-size: 12px; color:blue;.sessionwarning text-align: center; font-size: 14px; color:crimson;.copyright text-align: center; font-size: 8px; color: darkblue; height: 20px;.td404Error height: 40px; color: red; text-align: left; font-size: 28px;.tdError height: 40px; color: red; text-align: left; font-size: 28px;.tdWarning Configuring SAML Authentication in SAS 18

19 height: 40px; color: brown; text-align: left; font-size: 28px;.tdInformation height: 40px; color: darkblue; text-align: left; font-size: 28px;.tdSignoutMessage height: 40px; color: red; text-align: left; font-size: 18px;.tdErrorMessage height: 40px; color: red; text-align: left; font-size: 14px; Custom Button Image This defines the image to be used for the logon button. Custom Page Title This is the page title to be displayed on the browser tab. Custom Icon This is the icon to be displayed on the browser tab. Custom Login Header Text This is the text to be displayed in the header of the logon form. Custom Login Button Text This is the text to be displayed on the logon button. Login Message This is the text, usually containing instructions, to be displayed between the Logon Header Text and the Username field. Custom Username Field This is the text to be displayed for the user name field. Custom Password Text This is the text to be displayed for the password field. Click Apply to save the new Service Provider. Configuring SAML Authentication in SAS 19

20 Configuring SAML Services in SAS Manually enable a user to authenticate against one or more configured SAML Service Providers. From the Assignment tab of your virtual server, select SAML Services, and click Add to add a new SAML service. Service This lists all of the SAML Service Providers that were already configured in SAS. SAML Login ID This is the UserID that will be returned to the Service Provider in the SAML assertion on successful authentication. For example, if your Service Provider requires a UserID of name@domain.com, which is identical to the user s address, choose the option. Doing so allows the user to consistently use their UserID to authenticate regardless of the Service Providers requirements. In most cases, a Service Provider will require either the UserID or the . For all other cases, choose the Custom option and enter the field containing the UserID to be returned. Note: You can automate the creation and removal of SAML Services for users by creating a SAML provisioning rule. See Click Add to save the new SAML service. Configuring SAML Provisioning Rules in SAS. Click Add to save the new SAML service. Configuring SAML Provisioning Rules in SAS You can automate the granting and revocation of permissions for user authentication to SAML Service Providers. From the Policies tab of your virtual server, select Automation Policies SAML Provisioning Rules. Click New Rule to add a new rule. Configuring SAML Authentication in SAS 20

21 Rule Name This is a friendly name that describes the rule. User is in container Only users in the selected container are affected by this rule. Groups Filter: Search for Virtual Server groups Optionally enter text in the Groups Filter box to narrow the search. Groups: Virtual Server groups Users in these groups are not affected by this rule. Groups: Used by rule Only users in one or more of these groups are affected by this rule. Parties: Relying Parties Lists the Service Providers that are not affected by this rule. Parties: Rule Parties Lists the Service Providers which this rule enables the users to authenticate to. SAML Login ID This is the UserID that will be returned to the Service Provider in the SAML assertion. Click Add to save the new rule. Configuring SAML Authentication in SAS 21

22 Sample SAML Configurations The following examples illustrate how to configure various SAML Service Providers to use SafeNet Authentication Service as a SAML IdP. Note: The data used in these examples is for illustration purposes only! Be sure to use the actual data displayed in your SafeNet Authentication Service and SAML Service Provider. Configuring SAML Authentication in Salesforce To use SAML with Salesforce you must configure My Domain in Salesforce. Refer to Salesforce Administration Setup Company Profile My Domain. Part 1: Configuring Salesforce for Single Sign-On We recommend opening the virtual server to COMMS SAML Service Providers SAML 2.0 Settings. Some of the values displayed in that window are needed during this configuration. Figure 6: SAML configuration information displayed in SafeNet Authentication Service 1 Log in to Salesforce Administration Setup Security Controls Single Sign-On Settings. Sample SAML Configurations 22

23 2 Enable SAML. Figure 7: SAML configuration information displayed in Salesforce 3 Entity Id This is a unique ID created by Salesforce for your organization. This information, usually in the form of a URL, must be entered into the virtual server s COMMS SAML Service Providers SAML 2.0 Settings Entity ID field in SafeNet Authentication Service. See Part 2: Adding Salesforce as a SAML Service Provider, step 8. 4 Identity Provider Certificate Obtain this certificate from the link displayed in the virtual server s COMMS SAML Service Providers SAML 2.0 Settings Download URL for Identity Provider Certificate. 5 Identity Provider Login URL Use the value displayed in the virtual server s COMMS SAML Service Providers SAML 2.0 Settings Identity Provider AuthRequest login URL. 6 Identity Provider Logout URL Use the value displayed in the virtual server s COMMS SAML Service Providers SAML 2.0 Settings Identity Provider logout URL. 7 Select Download Metadata Download the metadata file from Salesforce and save to a convenient location. You will need to upload this file to SafeNet Authentication Service. See Part 2: Adding Salesforce as a SAML Service Provider, step 10. Sample SAML Configurations 23

24 Part 2: Adding Salesforce as a SAML Service Provider From the COMMS tab of your virtual server, select SAML Service Providers, and click Add to configure a new SAML Service Provider. Figure 8: Configuring Salesforce as a SAML Service Provider 8 Entity ID Copy the Entity Id value displayed in Salesforce. See Part 1: Configuring Salesforce for Single Sign- On, step 3. 9 Friendly Name This is a name you assign to the SAML Service Provider for easy identification. This name will appear in the SAML Services list displayed in Assignment SAML Services and Policies Automation Policies SAML Provisioning Rules. 10 SAML 2.0 Metadata Select Upload Existing Metadata File, and upload the Salesforce metadata file to SafeNet Authentication Service. See Part 1: Configuring Salesforce for Single Sign-On, step Customize Customize the logon page presented to users during logon to Salesforce. Sample SAML Configurations 24

25 Configuring SAML Authentication in Google Apps Part 1: Configuring Google Apps for Single Sign-On We recommend opening the virtual server to COMMS SAML Service Providers SAML 2.0 Settings. Some of the values displayed in that window are needed during this configuration. Figure 9: SAML configuration information displayed in SafeNet Authentication Service Log in to Google Apps Advanced tools Authentication Set up single sign-on (SSO). Figure 10: SAML configuration information displayed in Google Apps 1 Enable Single Sign-on. Sample SAML Configurations 25

26 2 Sign-in page URL Use the value displayed in the virtual server s COMMS SAML Service Providers SAML 2.0 Settings Identity Provider HTTP-Redirect login URL. 3 Sign-out page URL Use the value displayed in the virtual server s COMMS SAML Service Providers SAML 2.0 Settings Identity Provider logout URL. 4 Change password URL Use the value displayed in the virtual server s COMMS SAML Service Providers SAML 2.0 Settings Identity Provider HTTP-POST login URL. 5 Verification certificate Upload the certificate from the link displayed in the virtual server s COMMS SAML Service Providers SAML 2.0 Settings Download URL for Identity Provider Certificate. 6 Use a domain specific issuer Ensure that this value is checked. A value is generated by Google Apps, typically google.com/a/<mycompany> where <mycompany> is your domain registered in Google Apps. This information must be entered into the virtual server s COMMS SAML Service Providers SAML 2.0 Settings Entity ID field in SafeNet Authentication Service. See Part 2: Adding Google Apps as a SAML Service Provider, step 7. Part 2: Adding Google Apps as a SAML Service Provider From the COMMS tab of your virtual server, select SAML Service Providers, and click Add to configure a new SAML Service Provider. Figure 11: Configuring Google Apps as a SAML Service Provider Sample SAML Configurations 26

27 7 Entity ID Copy the issuer value displayed in Google Apps, typically google.com/a/<mycompany> where <mycompany> is your domain registered in Google Apps. See Part 1: Configuring Google Apps for Single Sign-On, step 6. 8 Friendly Name This is a name you assign to the SAML Service Provider for easy identification. This name will appear in the SAML Services list displayed in Assignment SAML Services and Policies Automation Policies SAML Provisioning Rules. 9 SAML 2.0 Metadata Google Apps does not generate metadata. Select Create New Metadata File, and enter the following information: Entity ID Copy the issuer value displayed in Google Apps, typically google.com/a/<mycompany> where <mycompany> is your domain registered in Google Apps. See Part 1: Configuring Google Apps for Single Sign-On, step 6. Location This is the SAML assertion consumer URL. Copy the Entity ID, preceded by and followed by: /acs. For example, where <mycompany> is your domain registered in Google Apps. 10 Customize Customize the logon page presented to users during logon to Google Apps. Sample SAML Configurations 27

28 Configuring SAML Authentication in Symplified Web SSO Part 1: Configuring Symplified for Single Sign-On We recommend opening the virtual server to COMMS SAML Service Providers SAML 2.0 Settings. Some of the values displayed in that window are needed during this configuration. Figure 12: SAML configuration information displayed in SafeNet Authentication Service Log in to Symplified Identity Providers New Identity Provider SAML2Generic IdP Handler. 1 Click the New Identity Provider icon. Figure 13: SAML configuration information displayed in Symplified Sample SAML Configurations 28

29 2 Name Enter a friendly name for SAS as the Identity Provider: SafeNet Authentication Service. 3 SP Entity ID A unique value is generated Symplified. This information must be entered into the virtual server s COMMS SAML Service Providers SAML 2.0 Settings Entity ID field in SafeNet Authentication Service. See Part 2: Adding Symplified as a SAML Service Provider, step 8. 4 SP ACS URL A unique location value is generated Symplified. This information must be entered into the virtual server s COMMS SAML Service Providers SAML 2.0 Settings Entity ID field in SafeNet Authentication Service. See Part 2: Adding Symplified as a SAML Service Provider, step IdP Entity ID Use the URL value displayed in the virtual server s COMMS SAML Service Providers SAML 2.0 Settings Entity ID. 6 IdP URL Use the value displayed in the virtual server s COMMS SAML Service Providers SAML 2.0 Settings Identity Provider HTTP-POST login URL. 7 Public Key Upload the certificate from the link displayed in the virtual server s COMMS SAML Service Providers SAML 2.0 Settings Download URL for Identity Provider Certificate. Part 2: Adding Symplified as a SAML Service Provider From the COMMS tab of your virtual server, select SAML Service Providers, and click Add to configure a new SAML Service Provider. Figure 14: Configuring Symplified as a SAML Service Provider Sample SAML Configurations 29

30 8 Entity ID Copy the SP Entity ID displayed in Symplified. See Part 1: Configuring Symplified for Single Sign-On, step 3. 9 Friendly Name This is a name you assign to the SAML Service Provider for easy identification. This name will appear in the SAML Services list displayed in Assignment SAML Services and Policies Automation Policies SAML Provisioning Rules. 10 SAML 2.0 Metadata Google Apps does not generate metadata. Select Create New Metadata File, and enter the following information: Entity ID Copy the SP Entity ID displayed in Symplified. See Part 1: Configuring Symplified for Single Sign- On, step 3. Location Copy the SP ACS URL displayed in Symplified. See Part 1: Configuring Symplified for Single Sign- On, step Customize Customize the logon page presented to users during logon to Symplified. Sample SAML Configurations 30