
Customers who have adopted a centralized SAML 2.0-compatible Identity Provider (IdP) can use Single Sign On (SSO), rather than static credentials, to sign into the ASM portal and to manage and administer user accounts.

Overview

Note

Read this section before attempting an SSO setup. It contains important information which will help you understand the configuration you will be performing! If you have already read the Overview or otherwise wish to proceed to SSO setup from within the ASM Portal, see the section https://apica-kb.atlassian.net/wiki/spaces/ASMDOCS/pages/2150498502/Configuring+SSO+Within+ASM#Setting-up-SSO-From-the-ASM-Portal.

Understanding the Roles of Identity and Service Providers in Relation to ASM

SSO enables customers that have adopted a centralized SAML 2.0-compatible Identity Provider (IdP) to integrate it with the ASM WPM portal login and to manage and administer its users.

SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about an end user between an identity provider (IdP) and a service provider (SP). SAML 2.0 enables web-based authentication and authorization scenarios, including cross-domain SSO, which reduces the administrative overhead of distributing multiple authentication tokens to the user.

The Single Sign-On screen allows you to enable and configure settings for SSO Identity Providers (IdPs) such as:

  • Centrify

  • Okta

  • CA SSO (formerly CA Siteminder)

  • Azure and ADFS

  • OpenAM

  • Symantec/Broadcom VIP Access Manager

Comparing SP-initiated and IdP-initiated Authentication

To set up RelayState correctly, you must first determine which kind of authentication flow you need: Service Provider (SP)-initiated or Identity Provider (IdP)-initiated. The two flows differ in who starts the exchange and in what RelayState carries.

SP-Initiated authentication flow


The ASM portal is capable of accepting SSO configurations which utilize either SP or IdP-initiated authentication flows.

In an SP-initiated authentication flow, the end user browses to the SP URL (the ASM portal) and the browser is redirected to the IdP.

When this flow is used to perform SSO login from ASM, Apica sends the authentication request via the browser to the IdP, and the RelayState is sent alongside it as an opaque token/value that the IdP passes back without inspecting or modifying it. The IdP (e.g. Okta, Centrify, Azure AD, etc.) is then responsible for responding to the authentication request and authorizing access to the portal.

Therefore, in this case, the IdP knows who is initiating the (SAML) authentication flow. This is important because the IdP can serve more than one SP; after the request is sent, the IdP knows that Apica is initiating the SAML authentication flow, and Apica does not need to modify the URL to identify itself to the IdP.

So, in the SP-initiated flow, the RelayState is a token/value that gets relayed (without modification or inspection) between Apica (the SP) and the IdP.

IdP-Initiated authentication flow

Tip

Apica utilizes SP-initiated authentication flow by default!

In an IdP-initiated authentication flow, the end user types the IdP URL into a browser (which acts as the user agent) and authenticates there first. No SAMLRequest is sent by the SP in this flow, so the IdP receives nothing that identifies which SP the user wants; the target SP is chosen at the IdP, which then sends an unsolicited SAML response to it.

...

When this flow is used to perform SSO login to ASM, the end user must authenticate to the IdP and then access the ASM portal via the IdP. A predetermined set of additional attributes associated with the authenticated user is populated in the SAML response, which is POSTed back to Apica. This login flow uses RelayState to signal to Apica what URL Apica should POST/redirect to after successful sign-on.

The SAML 2.0 standard states that in this case RelayState "MAY be the URL of a resource at the service provider." So, in the IdP-initiated SSO case, there is no SP-supplied RelayState (the browser never sent a SAMLRequest); instead the IdP sets the RelayState that accompanies the SAML POST to Apica, and Apica uses it as the URL to redirect the user to after sign-on. Because this value originates from the IdP rather than from the SP, an SP should only honour RelayState values that point to a resource on its own site.

When this flow is used, the end user logs into their IdP (e.g. Okta, Centrify, Azure AD, etc.) and clicks on a link to ASM from there. The IdP then sends the browser a SAML response containing the customerName attribute, together with the RelayState value, and the browser POSTs both to Apica, which redirects the user to the ASM dashboard.
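The following is an added example, not Apica's or ASM's code, of how a service provider treats RelayState in the two flows described above. In the SP-initiated flow the SP mints an opaque RelayState token, keeps the real landing page server-side, and checks on return that the response answers a request it actually made; in the IdP-initiated flow there is no prior request, so the IdP-chosen RelayState is validated as a path on the SP before it is used as a redirect. The entity IDs, URLs and the `pending` request table are assumed placeholders; the `customerName` attribute name follows the page. Signature verification of the Response is deliberately out of scope here and must happen before any of this is trusted in a real SP.

```python
import base64
import secrets
import urllib.parse
import uuid
import zlib
import xml.etree.ElementTree as ET

# Assumed placeholders, not real Apica endpoints.
SP_ENTITY_ID = "https://asm.example.test/sp"
SP_ACS_URL = "https://asm.example.test/saml/acs"
SP_HOST = urllib.parse.urlsplit(SP_ACS_URL).netloc
IDP_SSO_URL = "https://idp.example.test/sso"
DEFAULT_LANDING = "/dashboard"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_sp_initiated_redirect(target_path, pending):
    """SP-initiated: create an AuthnRequest and the HTTP-Redirect URL to the IdP.
    RelayState is an opaque token minted by the SP; the real target is kept in
    `pending` server-side, keyed by request ID, and is never taken from the wire."""
    request_id = "_" + uuid.uuid4().hex
    relay_state = secrets.token_urlsafe(16)
    pending[request_id] = {"relay_state": relay_state, "target": target_path}
    authn = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '  # fixed timestamp for the example
        f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn.encode()) + comp.flush()
    query = urllib.parse.urlencode(
        {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def decode_redirect_request(url):
    """The IdP's view: the Issuer tells it which SP is asking, and RelayState
    arrives untouched. Returns (issuer, relay_state)."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    inflated = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
    return ET.fromstring(inflated).findtext(f"{{{SAML}}}Issuer"), params["RelayState"][0]


def safe_landing_path(relay_state):
    """Accept only a resource on this SP; anything that could send the browser
    elsewhere falls back to the default landing page (open-redirect check)."""
    if not relay_state or relay_state.startswith("//") or "\\" in relay_state:
        return DEFAULT_LANDING
    p = urllib.parse.urlsplit(relay_state)
    if (p.scheme or p.netloc) and (p.scheme != "https" or p.netloc != SP_HOST):
        return DEFAULT_LANDING
    if not p.path.startswith("/"):
        return DEFAULT_LANDING
    return urllib.parse.urlunsplit(("", "", p.path, p.query, ""))


def handle_acs_post(form, pending):
    """Assertion Consumer Service for the HTTP-POST binding. `form` holds the
    POSTed fields; `pending` is the SP's outstanding-request table. Signature
    verification is omitted here and must precede all of this in a real SP."""
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    relay_state = form.get("RelayState", "")
    in_response_to = root.get("InResponseTo")
    if in_response_to is not None:
        # SP-initiated: must answer a request we made, carrying the token we sent.
        entry = pending.pop(in_response_to, None)
        if entry is None or entry["relay_state"] != relay_state:
            raise ValueError("unknown InResponseTo or RelayState mismatch")
        flow, redirect = "sp-initiated", entry["target"]
    else:
        # IdP-initiated (unsolicited): no AuthnRequest, so no InResponseTo. RelayState
        # was chosen by the IdP and MAY be a URL at the SP, so validate it first.
        flow, redirect = "idp-initiated", safe_landing_path(relay_state)
    attrs = {a.get("Name"): a.findtext(f"{{{SAML}}}AttributeValue")
             for a in root.iter(f"{{{SAML}}}Attribute")}
    return {"flow": flow, "customer_name": attrs.get("customerName"), "redirect": redirect}


def make_idp_response(customer_name, relay_state, in_response_to=None):
    """Constructed sample of what the IdP POSTs back (unsigned, illustration only)."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    xml = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"{irt}>'
        f"<saml:Assertion><saml:AttributeStatement>"
        f'<saml:Attribute Name="customerName"><saml:AttributeValue>{customer_name}'
        f"</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>"
        f"</saml:Assertion></samlp:Response>"
    )
    return {"SAMLResponse": base64.b64encode(xml.encode()).decode(), "RelayState": relay_state}


if __name__ == "__main__":
    pending = {}
    url = build_sp_initiated_redirect("/checks/42", pending)
    issuer, token = decode_redirect_request(url)
    rid = next(iter(pending))
    print(handle_acs_post(make_idp_response("ACME", token, rid), pending))
    print(handle_acs_post(make_idp_response("ACME", "/checks/42?tab=alerts"), pending))
    print(handle_acs_post(make_idp_response("ACME", "https://evil.test/phish"), pending))
```

The third call in the usage shows the failure mode the page's RelayState discussion implies: an unsolicited response whose RelayState points off-site is accepted as a login but the redirect is pinned to the default landing page rather than followed. Popping the pending entry on first use also means a replayed SP-initiated response is rejected.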

Understanding SP-initiated Authentication as it Relates to Apica SSO Login
