Configure SAML integration

The SAML page lets you add and configure security assertion markup language (SAML).

Before you begin

Make sure that you have defined a new application in your identity provider (IdP). This should consist of:

About this task

Note:
You can configure a mid-level Central Management Console (CMC) as IdP. For more details, see Configure identity provider. You can download the metadata from https://<address>/idp/saml/metadata, where address is the internet protocol (IP) address of the CMC that is configured as IdP.

Procedure

  1. In the top navigation bar, select the Administration icon (the gear cog).
    The administration page opens.
  2. In the Settings section, select Users.
    The Users management page opens.
  3. In the top right section, select SAML.
    The SAML page opens.
  4. In the Nozomi URL field, enter the URL for your Nozomi Networks instance.

  5. In the SAML role attribute key field, enter a string that will be used to map role names between the sensor and your IdP.
    Note:
    The value in this field is used to compare groups defined in the sensor with those defined in your IdP. The nature of this value depends on your IdP. For example, if you are using Microsoft Office 365 as your IdP, the value might be http://schemas.microsoft.com/ws/2008/06/identity/claims/role.
    Note:
    After you insert the URL in the IdP URL field, an Open metadata page hyperlink appears. It opens a new page that contains the metadata you can use in the downstream sensor. The metadata is only available after you save the configuration.
  6. Select Save.
  7. On the sensor login page, select Single Sign On.
  8. To test the integration, use the credentials from your IdP.
    Note:
    For SAML to work properly, groups that match SAML roles must exist in the system. Groups are looked up by role name. For example, if the SAML role attribute specifies an Operator role, the IdP looks for the Operator group when authorizing an authenticating user.
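    The role mapping described in steps 5 and 8 can be illustrated with an added example (not Nozomi Networks' code): it reads a constructed, unsigned sample assertion, picks out the attribute whose Name equals the configured SAML role attribute key, and keeps only the roles for which a same-named group already exists. The attribute key reuses the Office 365 value from the page; the group names, the sample assertion and the `authorize` function are assumptions for illustration, and signature validation is assumed to have been done by the SAML library beforehand.

```python
# Added example, not Nozomi Networks' code: how the configured
# "SAML role attribute key" maps IdP roles onto pre-existing groups.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Value entered in the "SAML role attribute key" field (Office 365 example from the page).
ROLE_ATTRIBUTE_KEY = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed sample assertion. A real one is signed; validate the signature
# (assumed done by the SAML library) before trusting any attribute below.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>Operator</saml:AttributeValue>
      <saml:AttributeValue>Auditor</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_roles(assertion_xml, role_key):
    """Return the values of the attribute whose Name equals the configured role key."""
    root = ET.fromstring(assertion_xml)
    roles = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == role_key:  # exact match on the configured key
            roles.extend(v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text)
    return roles


def resolve_groups(roles, existing_groups):
    """Split roles into those with a same-named group and those without one."""
    matched = [r for r in roles if r in existing_groups]
    unmatched = [r for r in roles if r not in existing_groups]
    return matched, unmatched


def authorize(assertion_xml, role_key, existing_groups):
    """Return the groups the user lands in; deny login if no role matches a group."""
    roles = extract_roles(assertion_xml, role_key)
    matched, unmatched = resolve_groups(roles, existing_groups)
    if not matched:
        raise PermissionError(f"no group matches SAML roles {roles}; unmatched={unmatched}")
    return matched
```

If the IdP sends a role for which no group exists (Auditor above), that role is simply dropped; a user whose roles all fail to match is denied rather than given a default group.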

Results

SAML has been configured, and the login page shows a new Single Sign On button.