Set Up SAML With a Generic Security Provider

The following steps show how to set up BeyondInsight with a generic security provider.

Configure SAML

To configure SAML, go to the Dashboard or Menu and click Configuration, then, under Multi-Factor Authentication, click SAML Configuration.

Screenshot of Identity Provider Settings for SAML configuration

Identity Provider Settings:

  1. Entity ID: The identifier of the identity provider (IdP) entry, normally supplied by the provider.
  2. Single Sign-on Service URL: The SSO URL, from the provider.
  3. Select the SSO URL Protocol Binding type, Redirect or Post.
  4. Single Logout Service URL: The SLO URL, from the provider.
  5. Select the SLO URL Protocol Binding type, Redirect or Post.
  6. Under Encryption and Signing Configuration, check the boxes that match what your IdP signs and encrypts, and what it requires BeyondInsight to sign. Do not turn off verification of the IdP's signature on the response or assertion; an unsigned assertion cannot be authenticated.
  7. Select the Signature Method from the dropdown list of methods. Use the method your IdP uses, and prefer a SHA-256 based method over SHA-1 where the IdP supports it.
  8. Upload the identity provider certificate. BeyondInsight uses this certificate to verify the IdP's signatures, so obtain it from the provider over a trusted channel rather than from an unauthenticated download.

Screenshot of Service Provider Settings for SAML configuration

Service Provider Settings

  1. Entity ID: The fully qualified domain name of the BeyondInsight server, followed by the SAML application path:

    https://<serverURL>/eEye.RetinaCSSAML

    This value is used for the audience restriction, so the IdP must place exactly this string in the assertion's Audience element; an assertion issued for a different audience is not valid for this server.

  2. Click SAVE SAML CONFIGURATION.

Once the SAML configuration is saved, a public SP certificate is available to download. It can be uploaded to the IdP, if required.

Update Host Name and SAML access URL

The steps below apply to on-premises installations only. For both PS Cloud and on-premises installations, the access URLs can also be set in the BeyondInsight configuration.

  1. Open the BeyondInsight Configuration Tool.
  2. Scroll down to SAML Access URL.
  3. Update it to the fully qualified domain name, followed by the SAML application path:

    https://<server>/eEye.RetinaCSSAML

  4. Scroll down to the Host Name field under the Web Site Information section.
  5. Update it to the fully qualified domain name, for example, https://bidev.shines.test.cloud.
  6. Click Apply.

The host name is the fully qualified domain name that users enter to reach BI/PS. If this is a load-balanced instance, use the name of the load-balanced endpoint, and set the same host name on every server behind it.

Configure Identity Provider (IdP)

Below are some of the values an IdP might need:

  • Audience Restriction: https://<server>/eEye.RetinaCSSAML
  • SSO Service URL: https://<server>/eEye.RetinaCSSAML/SAML/AssertionConsumerService.aspx
  • SLO Service URL: https://<server>/eEye.RetinaCSSAML/SAML/SLOService.aspx
  • Service Provider Certificate: (generated when SAML configuration is saved)

Your identity provider needs to provide the following attributes in the assertion:

  • Group: (Required) This must match the group created in BeyondInsight or imported from Active Directory. If an Active Directory group is used, it must match the BI format Domain\GroupName.
  • Name: (Required) This should be in the format domain\username or a UPN.
  • Email: (Optional).
  • Surname: (Optional).
  • GivenName: (Optional).
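As an added example (not BeyondTrust's code and not part of this guide), the following Python script checks a captured SAML assertion against the audience and attribute requirements above before the IdP is pointed at BeyondInsight. The server name bi.example.test, the group CORP\BI Admins and the two sample responses are constructed for illustration. The script does not verify the XML signature, so run it only on an assertion whose signature you have already verified, or on output from the IdP's own test tool.

```python
"""Pre-flight check of a SAML assertion against the Audience and attribute
requirements BeyondInsight expects.  Added example; it does NOT verify the
XML signature and is not a replacement for the service provider's own checks."""
import re
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed server name; replace with the FQDN configured as the Host Name.
SP_ENTITY_ID = "https://bi.example.test/eEye.RetinaCSSAML"

# Name must be domain\username or a UPN; AD-sourced groups must be Domain\GroupName
# (group names may contain spaces, e.g. CORP\BI Admins).
DOMAIN_USER_RE = re.compile(r"^[^\\@\s]+\\[^\\@\s]+$")
UPN_RE = re.compile(r"^[^\\@\s]+@[^\\@\s]+$")
AD_GROUP_RE = re.compile(r"^[^\\@]+\\[^\\@]+$")


def assertion_attributes(assertion):
    """Map each Attribute Name to the list of its AttributeValue texts."""
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_assertion(xml_text, sp_entity_id=SP_ENTITY_ID, known_groups=()):
    """Return a list of problems; an empty list means the assertion carries the
    audience and attributes listed in the guide.  known_groups is the optional
    set of BeyondInsight / imported AD group names to match Group against."""
    root = ET.fromstring(xml_text)
    assertion_tag = "{%s}Assertion" % NS["saml"]
    assertion = root if root.tag == assertion_tag else root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]
    problems = []

    # Audience restriction must contain the SP Entity ID exactly.
    audiences = [(a.text or "").strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include SP Entity ID {sp_entity_id}")

    attrs = assertion_attributes(assertion)
    for required in ("Group", "Name"):
        if not any(attrs.get(required, [])):
            problems.append(f"required attribute {required} is missing or empty")

    name = next(iter(attrs.get("Name", [])), "")
    if name and not (DOMAIN_USER_RE.match(name) or UPN_RE.match(name)):
        problems.append(f"Name {name!r} is neither domain\\username nor a UPN")

    groups = [g for g in attrs.get("Group", []) if g]
    if groups and known_groups and not set(groups) & set(known_groups):
        problems.append(f"no Group value in {groups} matches a BeyondInsight group")
    for g in groups:
        if "\\" in g and not AD_GROUP_RE.match(g):
            problems.append(f"Group {g!r} is not in Domain\\GroupName form")
    return problems


# Constructed sample responses (not real IdP output); signatures omitted.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://bi.example.test/eEye.RetinaCSSAML</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Group"><saml:AttributeValue>CORP\\BI Admins</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Name"><saml:AttributeValue>CORP\\jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@corp.example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Wrong audience, no Group attribute, bare username: three findings expected.
BAD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://other.example.test/eEye.RetinaCSSAML</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Name"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_assertion(resp, known_groups=["CORP\\BI Admins"]) or "OK")
```

Feed it the decoded (base64-decoded, inflated if Redirect-bound) SAMLResponse from a browser capture or the IdP's test page; every finding it prints is a mapping the IdP administrator needs to fix before the first real login.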