SAML SSO for Solve

    When accessing Solve via a direct URL, you can configure SAML to enable Single Sign-On (SSO) authentication. Use the settings in Solve to set up a trust relationship between Solve and your company's Identity Provider (IdP) so users can access Solve securely.

    To open SAML settings in Solve, go to Settings > SAML Single Sign On. You need to have the Manage Solve permission to access these settings.

    LDAP and SAML
    We recommend that you do not enable both SAML and LDAP. If both are enabled, Solve uses SAML authentication.

    Create Solve Users from Your IdP

    If you enable the option Create Solve user automatically and configure your IdP to send the additional attributes listed in the attribute table under Step 3 below, a user account is created the first time a new user signs in to Solve using SAML. A new user can therefore access Solve without first registering their account in the Real-Time DX console. If you don't enable this option, each user must first register in the Real-Time DX console, or be added to ControlUp using a script.

    An automatically created account does not by itself grant access to Solve. The new user can use Solve only if they already belong to an Active Directory group that has permission to access Solve. Otherwise, after the account has been created, a ControlUp admin must give the user the Use Solve or Manage Solve permission in the Real-Time DX console security policy.

    Use Case Examples

    If your IdP is listed, follow the instructions under your IdP. If not, follow the steps below to set up SAML with any IdP.

    3rd party Identity Provider applications
    We have provided these use case examples for your benefit but do not take responsibility for the screenshots, content, and functionality of these 3rd party applications.

    Active Directory Federated Services

    This section gives the basic steps for configuring SAML authentication if your Identity Provider (IdP) is ADFS.

    1. Open the ADFS management console.
    2. Under the Service folder, click Certificates. Export the Token-signing certificate and upload it to the IdP Signing Certificate field on the Solve settings page.
    3. Select Relying Party Trusts, right-click the relying party trust for Solve and open its Properties dialog.
    4. In the Properties dialog, select the Endpoints tab and click Add SAML... The Edit Endpoint dialog opens.
    5. In the Trusted URL field, enter the Endpoint/Assertion Login URL from the Solve settings page.

      Ensure that:
      Endpoint type is SAML Assertion Consumer
      Binding is POST
    6. Click OK to add the endpoint.
    7. In the same Properties dialog, select the Signature tab, click Add and upload the Solve Signing Certificate that you can download from the Solve settings page.
    8. In the same Properties dialog, select the Identifiers tab, and in the Relying party identifier: field, enter the Relying Party Trust Identifier value from the Solve settings page. Click Add next to the field and the URN is added to the list of Relying party identifiers in the dialog.
    9. In the Relying Party Trusts folder, right-click the relying party trust and select Edit Claim Issuance Policy...
    10. In the Edit Claim Issuance Policy dialog, click Add Rule...
    11. In the Choose Rule Type step, select Send LDAP Attributes as Claims as the claim rule template and click Next.
    12. On the Configure Rule screen, enter a Claim rule name, and select Active Directory from the Attribute store dropdown menu.
    13. Under Mapping of LDAP attributes to outgoing claim types, add the required user attributes. Which attributes are required depends on whether you are using SAML to create Solve users:
      • If you are not using SAML to create Solve users, add only the attribute that Solve uses to match an existing user: the user's UPN, sent as the NameID (see the attribute table under Step 3 - Configure User Attributes in Your IdP below).
      • If you are using SAML to create Solve users, add all of the attributes listed in the attribute table under Step 3 - Configure User Attributes in Your IdP below, spelled exactly as they appear there.
    14. After you have added the LDAP attributes, click Finish.
    15. Confirm the new rule by clicking OK.

    Your Solve users should now be able to authenticate through your ADFS identity provider.

    Azure Active Directory

    Prerequisites:

    • Must have an Azure Enterprise account.
    • Azure Active Directory (AD) must be configured.
    • Must have the necessary permissions to create the application.

    Setup in Azure AD

    1. In Azure AD, go to Enterprise Applications > New application.
    2. Select Create your own application.
    3. Enter a name for the application, select Integrate any other application you don't find in the gallery, and click Create.
    4. After your application is created, click Set up single sign on.
    5. Select SAML as the single sign on method.
    6. Next, you need to exchange several values between Solve and Azure AD. Open your Solve SAML settings next to the Basic SAML Configuration section in Azure AD. Copy the Relying Party Trust Identifier from Solve into the Identifier (Entity ID) field in Azure AD, and the Endpoint/Assertion Login URL from Solve into the Reply URL (Assertion Consumer Service URL) field. Then copy the Login URL and Azure AD Identifier that Azure AD displays into the IdP Login URL and Entity/Issuer ID fields in Solve (and the Logout URL into IdP Logout URL if you want single log out), and download the Certificate (Base64) from the SAML Signing Certificate section in Azure AD and upload it to the IdP Signing Certificate field in Solve. For more information about what these fields mean, read Step 1 - Configure IdP Settings and Step 2 - Configure Solve Settings below.
    7. If you have enabled Create Solve user automatically, then you need to add additional attributes in the Attributes & Claims section. Make sure that all users accessing Solve via SAML have the relevant attributes contained in their Azure AD user properties. If you are not using SAML to automatically create ControlUp user accounts, then the default attributes in Azure AD are sufficient for existing user accounts to sign in to Solve with SAML because the Unique User Identifier (NameID) is the UPN. For details about automatic user account creation with SAML, see Create Solve Users from Your IdP.
      1. In the Attributes & Claims section, click Edit.
      2. Click Add new claim.
      3. Add the claim sAMAccountName from the attribute user.onpremisessamaccountname and click Save.
      4. Add another claim distinguishedName from the attribute user.onpremisesdistinguishedname and click Save
      5. After you add these two claims, the Attributes & Claims section lists the default Azure AD claims (emailaddress, givenname, surname and name, plus the NameID) together with sAMAccountName and distinguishedName, which covers every attribute required for automatic user creation.
    8. Set which Azure Active Directory users are allowed to access Solve using SAML. You can either:
      • Go to Users and groups and click Add user/group to add users to the application.
      • Go to Properties and set Assignment required? to No if you want all users in your Azure AD tenant to be able to access Solve using SAML.

    DUO

    Prerequisites:

    • You have a DUO account with the necessary permissions to Protect an Application.
    • You have set up DUO to use Active Directory as an authentication source for single sign-on.

    Set up the SAML application in DUO

    1. Go to Applications > Protect an application.
    2. Search for Generic SAML Service Provider and click Protect.
    3. Under the Metadata section, copy the following values and paste them into the fields in the Solve SAML settings page:
      1. Copy the Entity ID and paste it into the Entity/Issuer ID field in Solve.
      2. Copy the Single Sign-On URL and paste it into the IdP Login URL field in Solve.
      3. Copy the Single Log-Out URL and paste it into the IdP Logout URL field in Solve.
    4. Under the Downloads section, click Download certificate and upload the certificate into the IdP Signing Certificate field in Solve.
    5. Copy the following values from the Solve SAML settings page and paste them into the fields in DUO under the Service Provider section:
      1. Copy the Relying Party Trust Identifier from Solve and paste it into the Entity ID field in DUO.
      2. Copy the Endpoint/Assertion Login URL from Solve and paste it into the Assertion Consumer Service (ACS) URL field in DUO.
      3. Copy the Assertion Logout URL from Solve and paste it into the Single Logout URL field in DUO.
    6. Under the SAML Response section:
      1. Set the NameID format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
      2. In the NameID attribute field, enter UserPrincipalName.
    7. If you are using SAML for automatic user account creation, you must add the attributes listed in the attribute table under Step 3 - Configure User Attributes in Your IdP in the Map attributes section, with the attribute names spelled exactly as they appear in that table. The attribute mapping pulls the required IdP attributes from your Active Directory and sends them to ControlUp with the correct attribute names. This step is not required if your users accessing Solve with SAML have already created a ControlUp account using another method.
    8. Scroll to the bottom of the page and click Save.

    OKTA

    Prerequisite for Automatic Solve User Creation

    Note
    This section is required only if you are using SAML to provision new ControlUp accounts. You can skip this section if the users accessing Solve with SAML have already created a ControlUp account using another method.

    If you are using SAML to Create Solve Users from Your IdP, then you must configure Okta to send the attributes listed in the attribute table under Step 3 below. Not all of these attributes are added to your Okta user profiles by default when you set up the Active Directory integration with Okta.

    If the required attributes are not already in your Okta user profiles, then you need to map the Active Directory attributes to your Okta user profiles.

    To map the required Active Directory attributes to your Okta user profile:

    1. In Okta, go to Profile Editor and select the Okta User (default) user profile.
    2. Click Add Attribute.
    3. Add three new attributes:
      1. Display name = "Distinguished Name", Variable name = "dn".
      2. Display name = "SAM Account Name", Variable name = "samAccountName".
      3. Display name = "User Principal Name", Variable name = "userName". Note that you might not have to add this attribute to the Okta user profile if you selected to use the UPN as the Okta username when setting up the Active Directory integration.
    4. After saving the attributes, go back to your profiles and select your Active Directory.
    5. Click Mappings.
    6. Map the Active Directory attributes to the new Okta user profile attributes you just created (distinguishedName to dn, sAMAccountName to samAccountName, and userPrincipalName to userName), and click Save Mappings.

    Set up the SAML Application in Okta

    1. Sign in to the Okta admin dashboard with a user who has permission to create app integrations, and go to Applications.
    2. Click Create App Integration.
    3. Select SAML 2.0 as the sign-in method and click Next.
    4. Enter an App name of your choosing and click Next.
    5. Under SAML Settings, fill out the following fields using values from your Solve SAML settings page.
      1. In the Single sign-on URL field, add the value Endpoint/Assertion Login URL from Solve.
      2. In the Audience URI field, add the value Relying Party Trust Identifier from Solve.
    6. If you are using SAML for automatic user account creation, you must add the following attributes under Attribute Statements (optional). This step is not required if your users accessing Solve with SAML have already created a ControlUp account using another method. Note that the following attribute statements are based on the Active Directory attribute mappings described in the prerequisite section above. Your attribute mappings might be set up differently, so ensure that the Values in the attribute statements refer to the correct attributes in your Okta user profiles.

      Name                                                                Name format   Value
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress  Unspecified   user.email
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname     Unspecified   user.firstName
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname       Unspecified   user.lastName
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn           Unspecified   user.userName
      sAMAccountName                                                      Unspecified   user.samAccountName
      distinguishedName                                                   Unspecified   user.dn

      After you have added the user attributes, your Attribute Statements section lists these six entries.
    7. At the bottom of the page, click Next.
    8. Select I'm an Okta customer adding an internal app and click Finish.
    9. Under the Sign On tab, click View SAML setup instructions.
    10. This page shows three values that you must copy or download and add to your Solve SAML settings page.
      1. Copy the value Identity Provider Single Sign-On URL and paste it into the field IdP Login URL in Solve.
      2. Copy the value Identity Provider Issuer and paste it into the field Entity/Issuer ID in Solve.
      3. Click Download certificate and upload the certificate under the field IdP Signing Certificate in Solve.
    11. To assign Okta users or groups to the new ControlUp application so that those users are allowed to access Solve using SAML:
      1. Go back to Applications and select the new application you created.
      2. Go to the Assignments tab, click Assign and choose whether to assign the application to people or to groups.
      3. Select the users or groups that will access Solve and assign them to the application. Those users are now able to sign in to your Solve URL using SAML.

    Troubleshooting

    If SAML isn't working correctly after following the procedure above, it's possible that the SAML assertion isn't sending the correct information. To preview the SAML assertion, edit the application, go back to the page where you added the attribute statements, and click Preview the SAML Assertion. Note that your Okta user must be assigned to the application to preview the assertion.

    Compare the generated SAML assertion against the attribute table above and make sure that:

    • The Attribute Name of each attribute is written exactly as it appears in the attribute table.
    • The AttributeValue of each attribute contains the correct information about the user.

    Configure SAML SSO with Solve and Your IdP

    This section describes how to set up SAML SSO with Solve with any IdP. See the Use Case Examples above for more details about selected IdPs.

    Step 1 - Configure IdP Settings

    This table lists the fields that are already filled out in your Solve SAML settings. You need to take the information from these fields and add it in your IdP.

    Relying Party Trust Identifier (Required: Yes)
      Copy this value from Solve SAML settings and paste it into your IdP settings. Your IdP might call this:
      • Identifier
      • Entity ID
      • Relying Party Identifier
      • Audience URI

    Endpoint/Assertion Login URL (Required: Yes)
      Copy this value from Solve SAML settings and paste it into your IdP settings. Your IdP might call this:
      • Reply URL
      • Assertion Consumer Service (ACS) URL
      • Trusted URL
      • Single sign on URL

    Assertion Logout URL (Required: No)
      If you want to use single log out (SLO), copy this value from Solve SAML settings and paste it into your IdP settings. SLO is not supported on all IdPs. Your IdP might call this:
      • Logout URL
      • Single log out URL

    Solve Signing Certificate (Required: for some IdPs)
      If your IdP requires it, download the X.509 certificate from Solve and upload it to your IdP. Azure AD, for example, does not require that you upload this certificate.

    Step 2 - Configure Solve Settings

    This table lists the fields that you need to fill out in your Solve SAML settings.

    Create Solve user automatically (Required: No)
      Enable this option if you want to automatically create a ControlUp user account when a new user signs in to Solve using SAML. To use this option, you need to configure your IdP to send the additional attributes described in Step 3. For more details, see Create Solve Users from Your IdP above. This feature is supported only if you use Azure AD, ADFS, Okta, or Ping as your IdP.

    IdP Login URL (Required: Yes)
      Copy the login URL from your IdP and paste it here. Your IdP might call this:
      • Login URL
      • Single sign on URL

    IdP Logout URL (Required: No)
      If you want to use single log out (SLO), copy the logout URL from your IdP and paste it here. SLO is not supported on all IdPs. Your IdP might call this:
      • Logout URL
      • Single log out URL

    IdP Signing Certificate (Required: Yes)
      Download the X.509 signing certificate from your IdP and upload it here.

    Entity/Issuer ID (Required: Yes)
      Copy the entity/issuer ID from your IdP and paste it here. Your IdP might call this:
      • Entity ID
      • Issuer ID
      • Issuer URL
      • Azure AD Identifier
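    Most IdPs (ADFS, Azure AD, Duo and Okta among them) publish the values in the Step 2 table as a SAML metadata XML document. The following script is an added example, not ControlUp's code, that pulls the Entity/Issuer ID, IdP Login URL, IdP Logout URL and IdP Signing Certificate out of such a document and prints the certificate as PEM together with its SHA-256 fingerprint, so you can compare it against what the IdP console shows before uploading it to Solve. The metadata embedded in SAMPLE_METADATA is constructed for the example; its entity ID, URLs and certificate bytes are placeholders.

```python
"""Extract the Step 2 values from an IdP's SAML metadata XML. Added example, not
ControlUp code. SAMPLE_METADATA is constructed: the entity ID, URLs and the
certificate bytes are placeholders, not a real IdP."""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
WEB_BINDINGS = ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
                "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")

FAKE_CERT_B64 = base64.b64encode(b"not-a-real-certificate").decode()  # placeholder DER
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_settings(metadata_xml):
    """Map IdP metadata onto the Solve fields: Entity/Issuer ID, IdP Login URL,
    IdP Logout URL and IdP Signing Certificate (more than one during key rollover)."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("expected a single md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    def first_location(tag):
        # Solve is a browser-facing SP, so only HTTP-Redirect/HTTP-POST endpoints are usable.
        for e in idp.findall(f"md:{tag}", NS):
            if e.get("Binding") in WEB_BINDINGS:
                return e.get("Location")
        return None

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # a missing 'use' means signing and encryption
            continue
        b64 = "".join(kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                                  default="", namespaces=NS).split())
        der = base64.b64decode(b64)
        certs.append({
            "pem": "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
                   + "\n-----END CERTIFICATE-----\n",
            "sha256": ":".join(f"{b:02x}" for b in hashlib.sha256(der).digest()),
        })
    return {
        "entity_issuer_id": root.get("entityID"),
        "idp_login_url": first_location("SingleSignOnService"),
        "idp_logout_url": first_location("SingleLogoutService"),
        "idp_signing_certs": certs,
    }


if __name__ == "__main__":
    s = idp_settings(SAMPLE_METADATA)
    for k in ("entity_issuer_id", "idp_login_url", "idp_logout_url"):
        print(f"{k}: {s[k]}")
    for c in s["idp_signing_certs"]:
        print("signing cert sha256:", c["sha256"])
        print(c["pem"])
```

    Fetch the metadata over HTTPS from the IdP itself rather than accepting it by email or chat, and check the printed fingerprint against the one shown in the IdP console: the IdP Signing Certificate is the only thing that stops anyone from forging assertions for your Solve tenant. If the metadata lists two signing certificates, the IdP is in the middle of a key rollover and you need to confirm which one is currently signing before uploading it.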

    Step 3 - Configure User Attributes in Your IdP

    Configure your IdP to send the following attributes:

    Attribute                                                            Required                                   Description
    NameID                                                               Yes (see note below)                       User's UPN. This must match a user in your ControlUp organization.
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress   Only to create Solve users from your IdP   User's email address
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname      Only to create Solve users from your IdP   User's first name
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname        Only to create Solve users from your IdP   User's last name
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn, OR
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name           Only to create Solve users from your IdP   User's UPN
    sAMAccountName                                                       Only to create Solve users from your IdP   User's sAMAccountName
    distinguishedName                                                    Only to create Solve users from your IdP   User's distinguished name


    Note
    If you can't configure your IdP to send the UPN in the NameID, then you can send the attributes http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn AND http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress instead. If both of these attributes are sent, then users are able to sign in to an existing account.
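    The Troubleshooting section above says to compare the assertion your IdP generates against this attribute table by eye. The following script is an added example, not ControlUp's code, that does the same comparison offline on a saved SAML Response: it checks that the Audience equals the Relying Party Trust Identifier, that the assertion has not expired, that the NameID carries the UPN (or that the upn and emailaddress fallback from the note above is present), that every attribute needed for automatic user creation is there, and that no attribute name differs from the table only by case. SAMPLE_RESPONSE is a constructed response with placeholder issuer, audience and user values; the audience urn:solve:example stands in for your real Relying Party Trust Identifier.

```python
"""Offline check of a SAML Response against the attribute rules in Step 3.
Added example, not ControlUp code. SAMPLE_RESPONSE is constructed: the issuer,
audience, user and values are placeholders. No signature verification is done
here; Solve verifies the signature with the IdP Signing Certificate."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Names that must appear, spelled exactly like this, when "Create Solve user automatically" is on.
USER_CREATION_ATTRS = (CLAIMS + "emailaddress", CLAIMS + "givenname", CLAIMS + "surname",
                       "sAMAccountName", "distinguishedName")
UPN_ATTRS = (CLAIMS + "upn", CLAIMS + "name")   # either one may carry the UPN
REQUIRED_NAMES = USER_CREATION_ATTRS + UPN_ATTRS

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:solve:example</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="sAMAccountName"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="distinguishedName"><saml:AttributeValue>CN=Jane Doe,OU=Users,DC=example,DC=com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_attributes(assertion):
    """Return {Name: [values]} for every <saml:Attribute> in the assertion."""
    attrs = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
    return attrs


def check_response(xml_text, expected_audience, create_users, now=None):
    """Return a list of problems; an empty list means the assertion satisfies Step 3."""
    now = now or datetime.now(timezone.utc)
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no <saml:Assertion> in response (encrypted assertions are not handled here)"]
    attrs = parse_attributes(assertion)

    # Audience must be the Relying Party Trust Identifier shown on the Solve settings page.
    audiences = [e.text for e in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences} does not include {expected_audience!r}")

    # Expired assertions are rejected by any SP; this surfaces IdP/SP clock skew early.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotOnOrAfter"):
        expiry = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
        if now >= expiry:
            problems.append(f"assertion expired at {expiry.isoformat()}")

    # NameID should be the UPN (user@domain); otherwise the note requires upn AND emailaddress.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    has_upn = any(attrs.get(n) for n in UPN_ATTRS)
    has_email = bool(attrs.get(CLAIMS + "emailaddress"))
    if "@" not in name_id and not (has_upn and has_email):
        problems.append("NameID is not a UPN and the upn + emailaddress fallback claims are missing")

    if create_users:
        problems += [f"missing attribute required for user creation: {n}"
                     for n in USER_CREATION_ATTRS if not attrs.get(n)]
        if not has_upn:
            problems.append("missing upn (or name) claim required for user creation")

    # Attribute names are matched exactly; flag near-misses such as "samaccountname".
    lowered = {n.lower() for n in REQUIRED_NAMES}
    for name in attrs:
        if name not in REQUIRED_NAMES and name.lower() in lowered:
            problems.append(f"attribute {name!r} differs only in case from a required name")
    return problems


if __name__ == "__main__":
    for p in check_response(SAMPLE_RESPONSE, "urn:solve:example", create_users=True) or ["OK"]:
        print(p)
```

    Run it against the decoded SAMLResponse captured from the browser (or the preview that Okta shows) with your own Relying Party Trust Identifier as the audience. A near-miss such as samaccountname in place of sAMAccountName is the most common reason automatic user creation fails while sign-in for existing accounts still works, because the NameID alone is enough for the latter. The script deliberately does not verify the XML signature, so a clean result only tells you the claim configuration is right, not that the response is authentic.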

