Add a SAML 2 IDMS

SAML 2.0 provides authentication between a service provider and an identity provider. Kion is the service provider that will use your identity provider (Azure AD, Okta, OneLogin, PingFederate, Google, etc.) to authenticate the users into the application.

These instructions assume the Kion (service provider) URL is https://kion.example.com and the identity provider URL is https://idp.domain.com. When you see these example URLs, replace them with the URLs specific to your environment.

Obtaining Information from your Identity Provider

Before creating a SAML IDMS in Kion, you must obtain the following information from your identity provider. This process varies from provider to provider. See your specific identity provider's help documentation for more information.

  • Generate the metadata from the identity provider. This should not require any information from Kion.
  • Generate a new application in the identity provider. The information required from Kion will typically be the Service Provider Issuer and the Service Provider ACS URL.

Creating a New SAML IDMS in Kion

Once you have obtained the metadata and created a new application in your identity provider, you can create a new SAML IDMS in Kion.

To create a SAML 2.0 IDMS:

  1. In Kion, navigate to Users > Identity Management Systems.
  2. Click Add New.
  3. For the IDMS Type, select SAML 2.0.
  4. For the IDMS Name, enter a name to describe the IDMS.
  5. For the Identity Provider Issuer, enter the URL that will issue the SAML 2.0 security token (https://idp.domain.com). This is typically known as the Entity ID for the identity provider and it can be found in the metadata.
  6. For the Identity Provider Metadata, paste in the metadata from the identity provider. It should be in XML format.
  7. For the Service Provider Issuer, enter the Kion URL. Typically, this value will end in 1 and doesn't need to be changed (https://kion.example.com/api/v1/saml/auth/1). This value is the Entity ID for Kion.
  8. The Service Provider ACS URL automatically populates the callback URL (https://kion.example.com/api/v1/saml/callback). This is the callback/redirect URL the identity provider should use when sending the SAML assertions to Kion.
    If you need to reset this, click the Reset Service Provider ACS URL button, which will change the service provider ACS URL to match the current domain of your Kion environment.
  9. For the Service Provider Binding, leave the field as-is.
  10. For the Audience URI, enter the SP Entity ID (https://kion.example.com/api). This should be set to the same value as the Service Provider ACS URL if there are errors during initial configuration.
  11. For the Allowed Auth Context, enter an allowed value. This is the auth context from the specification that is required to login to Kion (urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken).
  12. For the Auth Context for Privilege Elevation, enter an allowed value that will provide the user with the ability to access the cloud console (urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI). If this field is blank, console access will not be limited by auth context.
  13. For the Name ID Format, enter a format to use for name IDs (urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified). This is the first field you should try changing when testing.
  14. If requests are signed, enable Should Sign AuthN Requests.
  15. Turn on Enable Single Logout to automatically invalidate and end the SAML session when a user logs out of Kion.
  16. Turn on Enable Custom Login URL to direct users to log in using an external URL. Once enabled, add your custom URL in the Custom Login URL field.
  17. Select the Canonicalizer.
  18. For the First Name, enter the field from the IDP that will be mapped to the user first name (first_name).
  19. For the Last Name, enter the field from the IDP that will be mapped to the user last name (last_name).
  20. For the Email, enter the field from the IDP that will be mapped to the user email (email).
  21. (Optional) For the Phone Number, enter the field from the IDP that will be mapped to the user phone number.
  22. For the Username field, enter the field from the IDP that will be mapped to the user username (username).
  23. Fill in the Validation Rules, Access Rules, and User Group Associations as necessary. All of these fields read a SAML assertion attribute by name and then apply a regular expression to the value of that attribute. Each expression evaluates to either true or false.
    • Validation Rules. Control which users can log into Kion via SAML assertions. If any of the expressions returns false, the user cannot log into Kion.
    • Access Rules. Set the level of console access available to users via SAML assertions. If no access rules are specified, then all users have Full Access. If any access rules are specified, then all users have No Access.
      • Full Access. Users may use cloud access roles to access the cloud consoles. This access only applies to cloud access roles, not other functions within Kion.
      • Restrict Console Access. Users can log in and use the Kion application, but they cannot access any cloud consoles.
        This is useful if you have a SAML provider that allows users to log in with a SmartCard instead of a password. Typically, users with a SmartCard would be granted Full Access while users with just a password would be granted Restrict Console Access.
      • No Access. Users are not allowed to log into Kion.
    • User Group Associations. Automatically add or remove users to groups in Kion based on SAML assertions. If the expression returns true, the user will be added to the user group at login. If the expression returns false, group membership will not change, unless the Should Update on Login option is enabled. Ensure you don't have multiple associations for the same group, because they will overwrite each other. If you remove an association, it will not affect previous group membership.
      • Association Type. Select whether you would like to add users to groups manually or via LDAP.
        If you choose LDAP Sync, enter your LDAP information (you can see examples for these fields in the Add an Active Directory IDMS article). If the Should Update on Login option is enabled, any expressions that return false will remove the user from the designated groups.
  24. Click Upload Icon to upload a custom icon.

  25. Click Create IDMS.
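The rule semantics in step 23 are easy to get subtly wrong, particularly the default that switches from Full Access to No Access as soon as one access rule exists, and the effect of Should Update on Login on group membership. The following Python is an added example, not Kion's implementation: it evaluates validation rules, access rules and user group associations against constructed assertion attribute sets using the behaviour the step describes. Where the page is silent, the code states its own assumptions in comments: a multi-valued attribute matches if any value matches, a missing attribute never matches, and when several access rules match, the first one in order wins. The rule set mirrors the SmartCard-versus-password example from the page; all names and sample users are constructed.

```python
import re

# The three console-access levels named in step 23.
FULL_ACCESS = "Full Access"
RESTRICT_CONSOLE_ACCESS = "Restrict Console Access"
NO_ACCESS = "No Access"


def rule_matches(attributes, attribute_name, pattern):
    """Apply one rule: look up the assertion attribute by name and test its
    value against the regular expression, returning True or False.
    Assumptions not stated on the page: a multi-valued attribute matches if
    any value matches, and a missing attribute never matches. re.search is
    used, so anchor patterns with ^...$ unless you really want substring
    matches ('admin' would also match 'admins-readonly')."""
    regex = re.compile(pattern)
    return any(regex.search(value) for value in attributes.get(attribute_name, []))


def evaluate_login(attributes, validation_rules, access_rules, group_associations,
                   current_groups, should_update_on_login=False):
    """Decide login, console access level and resulting group membership."""
    # Validation rules: every expression must return true, otherwise no login.
    for attribute_name, pattern in validation_rules:
        if not rule_matches(attributes, attribute_name, pattern):
            return {"allowed": False, "access": NO_ACCESS, "groups": set(current_groups)}

    # Access rules: none configured means everyone has Full Access; once any
    # are configured the default is No Access and a matching rule grants its
    # level. Assumption: rules are tried in order and the first match wins.
    if not access_rules:
        access = FULL_ACCESS
    else:
        access = NO_ACCESS
        for attribute_name, pattern, level in access_rules:
            if rule_matches(attributes, attribute_name, pattern):
                access = level
                break

    # Group associations: true adds the user to the group; false leaves
    # membership alone unless Should Update on Login is on, which removes it.
    # Groups with no association (e.g. "Legacy" below) are never touched.
    groups = set(current_groups)
    for group, attribute_name, pattern in group_associations:
        if rule_matches(attributes, attribute_name, pattern):
            groups.add(group)
        elif should_update_on_login:
            groups.discard(group)

    return {"allowed": access != NO_ACCESS, "access": access, "groups": groups}


# Constructed rule set mirroring the SmartCard example in step 23.
VALIDATION_RULES = [("email", r"^[^@\s]+@example\.com$")]
ACCESS_RULES = [
    ("authn_method", r"^smartcard$", FULL_ACCESS),
    ("authn_method", r"^password$", RESTRICT_CONSOLE_ACCESS),
]
GROUP_ASSOCIATIONS = [
    ("Cloud Admins", "groups", r"^cloud-admins$"),
    ("Auditors", "groups", r"^auditors$"),
]

# Constructed assertion attribute sets (attribute name -> list of values).
ALICE = {"email": ["alice@example.com"], "authn_method": ["smartcard"],
         "groups": ["cloud-admins", "developers"]}
BOB = {"email": ["bob@contractor.example"], "authn_method": ["smartcard"],
       "groups": ["cloud-admins"]}
CAROL = {"email": ["carol@example.com"], "authn_method": ["password"], "groups": []}
DAVE = {"email": ["dave@example.com"], "authn_method": ["otp"], "groups": ["auditors"]}


def decide(attributes, current_groups, should_update_on_login=False):
    """Evaluate one login against the constructed rule set above."""
    return evaluate_login(attributes, VALIDATION_RULES, ACCESS_RULES,
                          GROUP_ASSOCIATIONS, current_groups, should_update_on_login)


if __name__ == "__main__":
    for name, attrs in [("alice", ALICE), ("bob", BOB), ("carol", CAROL), ("dave", DAVE)]:
        print(name, decide(attrs, {"Auditors", "Legacy"}, should_update_on_login=True))
```

Running the script shows the four outcomes the step describes: Alice (SmartCard, in the allowed domain) gets Full Access and is added to Cloud Admins; Bob fails the validation rule and cannot log in; Carol (password) gets Restrict Console Access; Dave matches no access rule and therefore lands on the No Access default. With Should Update on Login enabled, Alice is also removed from Auditors because that association's expression returned false, while her unrelated Legacy membership is untouched.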
