SP Side Configuration (RAS side)

On the service provider side, you need to add the identity provider to the RAS Farm.

Adding an IdP to the RAS Farm

To add an IdP:

  1. In the RAS Console, select the Connection category.
  2. Select the SAML tab.
  3. Click Tasks > Add.
  4. In the Add Identity Provider wizard, specify a provider name.
  5. In the Use with Theme drop-down box, select an HTML5 Client Theme to which the IdP will be assigned. If you don't have a specific Theme yet, you can use the default Theme or you can select <not used> and assign a Theme later. Note that there can be multiple IdPs configured in the same RAS Farm. However, at this time, one IdP can be assigned to one Theme.
  6. Select one of the following methods that the wizard will use to obtain the IdP information:
    • Import published IdP metadata: Import from an XML document published on the Internet. Specify the document URL taken from the IdP side configuration.
    • Import IdP metadata from file: Import from a local XML file downloaded from the IdP application. Specify the file name and path in the field provided.
    • Manually enter the IdP information: Select this option and then enter the information manually on the next wizard page.
  7. Click Next.
  8. If the configuration was imported, the next page will be populated with data obtained from the XML file. If you've selected to enter the IdP data manually, you'll have to enter the values yourself:
    • IdP entity ID: Identity provider entity ID.
    • IdP certificate: Identity provider certificate data. To populate this field, you need to download the certificate from the IdP side, then open the downloaded file, copy its contents and paste it into this field.
    • Logon URL: Logon URL.
    • Logout URL: Logout URL.

    Select the Allow unencrypted assertion option if needed.

    Note: By default, the Allow unencrypted assertion option is disabled. Ensure that the IdP configuration is set to encrypt assertion or change the default setting within the RAS configuration.

  9. Click Finish to validate the configuration.

The identity provider object will appear in the RAS Console. You now need to configure SP settings and take note of the populated SP side configuration or export a metadata file to be later imported on the IdP side (IdP portal).

To configure SP settings:

  1. Right-click the identity provider object previously created and choose Properties.
  2. In the dialog that opens, select the SP tab.
  3. Enter the host address. The IdP will redirect to this address, so it must be reachable from the end user's browser.
  4. The other fields, including SP Entity ID, Reply URL, Logon URL and Logout URL, are prepopulated based on the host address.
  5. The SP Certificate is autogenerated.

The next step is to complete the IdP configuration based on the values above. These values can be copied manually or exported as a metadata file (XML).

To export the metadata:

  1. Click the Export SP metadata to file link.
  2. Save the metadata as an XML file.
  3. Import the XML file into your IdP.

Configuring user account attributes

When user authentication is performed by the IdP, user account attributes in Active Directory are compared with the matching attributes in the IdP user database. You can configure which attributes should be used for comparison as described below.

The following list shows the available attributes, giving for each the RAS name, the SAML name *, the AD name and a description:

  • UserPrincipalName (SAML name: NameID; AD name: userPrincipalName). User Principal Name (UPN) is the name of a system user in an email address format.
  • Immutable ID (SAML name: ImmutableID; AD name: objectGUID). A Universally Unique Identifier.
  • SID (SAML name: SID; AD name: objectSid). An objectSid includes a domain prefix identifier that uniquely identifies the domain and a Relative Identifier (RID) that uniquely identifies the security principal within the domain.
  • sAMAccountName (SAML name: sAMAccountName; AD name: sAMAccountName). The sAMAccountName attribute is a logon name used to support clients and servers from previous versions of Windows, such as Windows NT 4.0.
  • Custom (SAML name: Email; AD name: Mail). A custom attribute that can be used to allow any SAML attribute name to match any AD attribute value. By default, it is the email address.

* The attributes in the SAML name column are editable and can be customized based on the IdP that you are using.

To configure attributes:

  1. In the RAS Console, right-click an IdP that you've added in previous steps.
  2. In the IdP Properties dialog, select the Attributes tab. On this tab, you can select or clear the attributes to be used for comparison or create custom ones:
    • Attributes that are selected will be compared for a match.
    • The names of all of the preconfigured SAML attributes (the IdP side) can be modified to match the AD attributes as required.
    • The custom attribute can be used to allow any SAML attribute name to match any AD attribute value. By default, it is the email address.
  3. Configure and enable the desired attributes as needed based on the attributes configured on the IdP side.
  4. Click OK to close the dialog.

Note 1: Multiple attributes are used in the presented order. If an attribute fails, the next configured attribute is used. Only one attribute is used at a time (in either/or fashion).

Note 2: If multiple AD users are configured with the same AD attribute value, user matching will fail. For example, if the email attribute is chosen and different AD users have the same email address, attribute matching between the IdP account and the AD user account will not be successful.
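The matching behaviour described in Notes 1 and 2, as an added example (not Parallels code): enabled attributes are tried one at a time in order, and an attribute that identifies no AD user, or more than one, fails and the next one is tried. The AD snapshot and assertions are constructed; the attribute order and exact string comparison are assumptions.

```python
# Constructed AD snapshot: one dict per user object, keyed by the AD names
# from the attributes table. Bob and Carol deliberately share a mail value.
AD_USERS = [
    {"userPrincipalName": "alice@corp.example", "objectGUID": "guid-alice",
     "sAMAccountName": "alice", "mail": "alice@corp.example"},
    {"userPrincipalName": "bob@corp.example", "objectGUID": "guid-bob",
     "sAMAccountName": "bob", "mail": "shared@corp.example"},
    {"userPrincipalName": "carol@corp.example", "objectGUID": "guid-carol",
     "sAMAccountName": "carol", "mail": "shared@corp.example"},
]
# Enabled attributes in the order they are tried: (SAML name, AD name), using
# the default SAML names from the table. The order itself is an assumption.
ATTRIBUTE_ORDER = [
    ("NameID", "userPrincipalName"),
    ("ImmutableID", "objectGUID"),
    ("Email", "mail"),
]

def match_user(saml_attrs, ad_users=AD_USERS, order=ATTRIBUTE_ORDER):
    """Return (ad_user_or_None, reason). One attribute is used at a time; it
    fails when absent from the assertion, when it matches no AD user, or
    (Note 2) when several AD users share the value. Exact comparison assumed."""
    failures = []
    for saml_name, ad_name in order:
        value = saml_attrs.get(saml_name)
        if not value:
            failures.append(f"{saml_name} not sent by IdP")
            continue
        hits = [u for u in ad_users if u.get(ad_name) == value]
        if len(hits) == 1:
            return hits[0], f"matched on {saml_name} -> {ad_name}"
        if len(hits) > 1:
            failures.append(f"{ad_name} value shared by {len(hits)} users")
        else:
            failures.append(f"{ad_name}={value!r} not found")
    return None, "no match: " + "; ".join(failures)

# Constructed assertions: the first resolves on NameID, the second skips the
# absent NameID and resolves on ImmutableID, the third only carries an
# ambiguous Email and therefore fails.
EXAMPLES = [
    {"NameID": "alice@corp.example", "Email": "alice@corp.example"},
    {"ImmutableID": "guid-bob", "Email": "shared@corp.example"},
    {"Email": "shared@corp.example"},
]
for attrs in EXAMPLES:
    user, reason = match_user(attrs)
    print(user["sAMAccountName"] if user else "NO MATCH", "-", reason)
```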

Attributes configuration tips

  • When possible, use automation for user synchronization (such as Microsoft Azure AD Connect for Azure IdP configuration) between your Active Directory and the IdP to minimize user identity management overhead.
  • Choose a user identification attribute that is unique to your environment, such as the User Principal Name (UPN) or Immutable ID (ObjectGuid) when possible. Alternatively, you can use other unique identifiers such as email address. In this case make sure that the Email address field in the user object in the AD is configured. If you use Microsoft Exchange Server, use the Exchange Addresses tab and Exchange policies.
  • If using UPN as an attribute, you can also configure alternative UPN suffixes. This can be done from Active Directory Domains and Trusts (select the root > right-click to open the Properties dialog). Once a new alternative UPN suffix is created, you can change the UPN in the user object properties from Active Directory Users and Computers.