Skip to content

Configure SAML Authentication Source

To facilitate enterprise user authentication login, the IDaaS platform supports configuring the SAML protocol as an authentication source. Users can authenticate and log in to various application systems through the SAML protocol, bringing enterprise users a simpler and more convenient login method and better user experience.

This guide explains the related operations for configuring a SAML authentication source.

Prerequisites

  • Permissions for the third-party identity provider (IDP) application system, and the IDP supports SAML authentication.
  • Administrator permissions for the IDaaS Enterprise Center.

Procedure

Obtain IDaaS SP Metadata

  1. Log in to the IDaaS Enterprise Center, choose Authentication > Authentication Source Management from the top navigation bar, and enter the SAML authentication source page.

    Steps

  2. On the SAML authentication source page, click SP Metadata to download and view the metadata.

    Steps

    Steps

Third-Party SAML Authentication Platform Configuration

  1. On the third-party platform, create an application with SAML 2.0 as the access method. Complete the application's relevant information based on the metadata obtained from the IDaaS platform. For details, refer to the documentation of each platform.
  2. Obtain the IDP metadata file of the newly created application.
  3. Grant users access to the newly created application.

Configure SAML Authentication Source in IDaaS

  1. Log in to the IDaaS Enterprise Center, choose Authentication > Authentication Source Management from the top navigation bar, enter the SAML authentication source page, and click Add Authentication Source.

    Steps

  2. Configure the key parameters of the SAML authentication source according to the table below.

    Steps

    ParameterDescription
    Display NameCustom authentication source display name
    entityIdThe entityID in the IDP metadata file of the newly created application on the third-party platform
    Signing CertificateThe Certificate in the IDP metadata file of the newly created application on the third-party platform
    Binding TypeThe binding type supported by the SingleSignOnService address in the IDP.
    SSO URLThe Identity Provider Single Sign-On URL in the IDP metadata file of the newly created application on the third-party platform
    Logout URLThe application's global logout address
    Source Association AttributeThe unique attribute name of the user in Okta
    User Association AttributeThe unique attribute name maintained for users in IDaaS
    When User Not AssociatedFail, or auto-create user

    TIP

    • The username in IDaaS must be consistent with the authorized account in the third-party platform.
    • When User Not Associated: When the source association attribute of the user information returned by the third-party platform does not match the associated user attribute in IDaaS, and no system user is associated, the optional configurations are as follows.
      • Fail: Set to Fail, meaning the user is not allowed to pass authentication.

      • Auto Create User: Set to Auto Create User. You can choose whether to update existing attributes, and click Add Mapping to map user attributes from the third-party platform to IDaaS user attributes based on mapping rules and associated attributes, and create the user so that the user can pass authentication.

        Attribute descriptions are as follows:

        • User Attribute Name: Select an IDaaS user attribute from the dropdown.
        • Mapping Type: Select authentication source attribute.
        • Authentication Source Attribute Name: Third-party platform user attribute.

BambooCloud IDaaS Open Platform