When accessing SOLVE via a direct URL, you can configure SAML to enable Single-Sign On (SSO) authentication. The settings in SOLVE enable you to set up a trust relationship between the URL hosting SOLVE and your company's Identity Provider (IdP) so users can access SOLVE securely.
Here is an overview of what you have to do to configure SAML with detailed steps provided below.
- Enter the required URLs from your IdP into the SOLVE settings page.
- Upload a trust certificate from your IdP into the SOLVE settings page.
- Download the trust certificate from the SOLVE page and add it into your IdP.
- Retrieve the necessary fields from the SOLVE settings page and enter them into your IdP.
Here are the specific steps you have to perform. Below this procedure, we have provided a use case using the Active Directory Federated Service (ADFS) as an example of how to configure an IdP with the SOLVE settings.
To configure SAML in the SOLVE interface:
- In your chosen IdP, locate the trust certificate to use for SOLVE and copy it to a location accessible to the local computer from where you are accessing SOLVE.
- Open the ControlUp Real-Time Console.
- Access SOLVE from the SOLVE menu on the top ribbon of the console.
The SOLVE interface opens in a browser window.
- In the SOLVE home page, click the settings link on bottom of the menu on the left side of the window.
- In the SOLVE Settings page, turn the toggle button on for Enable SAML (SSO) Authentication.
Note: It is recommended not to enable both SAML and LDAP. If both are enabled, SOLVE uses SAML authentication.
- Enter the following URLs from your IdP:
- Sign in URL. The URL used for logging into your IdP.
- Sign out URL. This is an optional field to use for signing out of the IdP.
For example, if ADFS is the IdP, the URLs could look like this with your company's domain:
- Click Upload Certificate and locate the certificate from your IdP that you copied in step 1.
- Enter the Virtual Server IDs. The virtual server as configured in the IdP connection certificate.
For example, the URL could look like this with your company's domain:
- The SOLVE settings page provides you with the following values:
- Relying Party Trust Identifier. The uniform resource name that is a unique, persistent identifier.
- Assertion URL. The endpoint that your IdP will use to redirect during the authentication process.
- Endpoint URL.
Here's an example of what these values could look like:
Copy these values and enter them into the appropriate locations in your IdP.
- Under Sign Request, click the certificate link to download the trust certificate for SOLVE and save it in a location that your IdP can access.
Now you can return to your chosen IdP and create an endpoint for SOLVE using the values provided and the downloaded certificate.
Use Case Example - Active Directory Federated Service (ADFS)
Read here to get the basic details of how to configure secure SAML authentication if your Identity Provider (IdP) is ADFS.
- Open your ADFS interface.
- Under the Service folder, click Certificates. Copy one of the certificates to a location accessible to the user configuring the SAML settings for SOLVE.
This is step 1 of the procedure above, and you upload this certificate in step 7 above.
- In the ADFS interface, select Relying Party Trusts. Right-click to open the Properties dialog.
- In the Properties dialog, select the Endpoints tab and click Add SAML... The Edit Endpoint dialog opens.
- Under the Trusted URL field, copy the Assertion URL you retrieved from the SOLVE Settings page in step 9 of the procedure above.
Endpoint type is SAML Assertion Consumer
Binding is POST
- Click OK and this Endpoint is added.
- In the same Properties dialog, select the Signature tab, click Add and upload the SOLVE certificate you downloaded in step 10 of the procedure above.
- In the same Properties dialog, select the Identifiers tab, and under the Relying party identifier: field, enter the Relying Party Trust Identifier value you retrieved from the SOLVE Settings page in step 9 of the above procedure. Click Add next to the field and you'll see the URN added to the list of Relying party identifiers in the dialog.
Your SOLVE users should now be able to authenticate through your ADFS identity provider.