SAML Authentication
SAML is a Single Sign On (SSO) authentication method that uses an external identity provider to authenticate a user at their first login and saves a token to the user's browser; that token is then used for subsequent logins, so the user does not need to re-submit credentials.
...
Before configuring SAML in ProVision, you must have an account set up with an Identity Provider (IdP), and ProVision users / groups set up in the IdP:
Set up the Identity Provider (IdP)
To use SAML authentication, you will need SAML set up for your instance with an Identity Provider (IdP), such as Microsoft ADFS, OneLogin, Elastic SSO, or others. You can view a list of available SAML IdPs on Wikipedia's SAML-based products page.
Info: Some identity providers (such as Workspace One) have additional public/private key authentication requirements in excess of what is required in ProVision. If you receive a SAML configuration error of "Unable to load private key" or similar, please check your IdP requirements and documentation.
Users and Permissions:
User credentials will need to be created and associated with ProVision permission group names via the IdP. All user creation, management, and permissions handling occurs in the IdP, outside of ProVision.
...
Once the correct configuration has been established and users set up for SAML in the IdP, users will be able to use SAML logins.
Info: Documentation Note: Depending on the IdP used, some screens may appear different from what is shown here.
Initial Login:
The initial login process occurs the first time a user logs in, and any time afterwards that the browser token is not present (e.g., cookies have been cleared from the browser, the browser was closed, or a new browser is used).
From the ProVision login page, select SAML from the authentication options dropdown - you do not need to enter Username or Password.
You will be redirected to the IdP site as set up in the Admin Configuration - here, we are using Microsoft ADFS (Active Directory Federation Services).
Log into the IdP site using your SAML credentials, and click "Sign In".
If the sign in is successful, you will be logged into the ProVision home page.
...
After the initial login via the IdP, users will be able to log in to ProVision simply by selecting the "SAML" option from the ProVision login page, without entering credentials, as long as the auth token is present.
The auth token may be destroyed or unavailable if browser cookies have been cleared, a different browser is used, or the browser is fully closed, depending on security settings. In these cases, the user will need to sign in again via the IdP.
Note: The default login method is "Local", but the default login method displayed may be updated by performing the following steps:
In the login screen, you would select the authentication method from the dropdown. If you like, you can set the default login option in the following way: Go