Set Up SAML With a Generic Security Provider
The following steps show how to set up BeyondInsight with a generic security provider.
To configure SAML, go to the Dashboard or Menu and click Configuration, then, under Multi-Factor Authentication, click SAML Configuration.
Identity Provider Settings
- Entity ID: The name of the identity provider (IdP) entry, normally supplied by the provider.
- Single Sign-on Service URL: The SSO URL, from the provider.
- Select the SSO URL Protocol Binding type: Redirect or Post.
- Single Logout Service URL: The SLO URL, from the provider.
- Select the SLO URL Protocol Binding type: Redirect or Post.
- Under Encryption and Signing Configuration, check applicable boxes as required by your service provider.
- Select the Signature Method from the dropdown list of methods. Choose the method your IdP requires.
- Upload the identity provider certificate.
Service Provider Settings
- Entity ID: The fully qualified domain, followed by the file name:
This is used for the audience restriction.
- Click SAVE SAML CONFIGURATION.
Once the SAML configuration is saved, a public SP certificate is available to download. It can be uploaded to the IdP, if required.
Update Host Name and SAML access URL
This is applicable to on-premises installations only. For PS Cloud or on-premises installations, Access URLs can also be set in the BI configuration.
- Open the BeyondInsight Configuration Tool.
- Scroll down to SAML Access URL.
- Update it to the fully qualified domain, followed by the file name:
- Scroll down to the Host Name field under the Web Site Information section.
- Update it to the fully qualified domain, for example, https://bidev.shines.test.cloud.
- Click Apply.
The host name is the fully qualified domain name used to access BI/PS. If this is a load-balanced instance, the host name is the same on all servers.
Configure Identity Provider (IdP)
Below are some of the values an IdP might need:
- Audience Restriction: https://<server>/eEye.RetinaCSSAML
- SSO Service URL: https://<server>/eEye.RetinaCSSAML/SAML/AssertionConsumerService.aspx
- SLO Service URL: https://<server>/eEye.RetinaCSSAML/SAML/SLOService.aspx
- Service Provider Certificate: (generated when SAML configuration is saved)
Your identity provider needs to provide the following attributes in the assertion:
- Group: (Required) This must match the group created in BeyondInsight or imported from Active Directory. If an Active Directory group is used, it must match the BI format Domain\GroupName.
- Name: (Required) This should be in the format domain\username or UPN.
- Email: (Optional).
- Surname: (Optional).
- GivenName: (Optional).
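Added example (not BeyondTrust code): a check that an assertion from the IdP carries the audience restriction listed above and the required Group and Name attributes in the formats BeyondInsight expects. The host name, the sample assertion and the set of known BI groups are constructed assumptions; signature and timestamp validation are left to the SP.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Audience restriction for the SP, using the example host name from this page (assumed).
EXPECTED_AUDIENCE = "https://bidev.shines.test.cloud/eEye.RetinaCSSAML"
# Groups that exist in BeyondInsight: one AD-imported (Domain\GroupName) and one local (constructed).
KNOWN_GROUPS = {"SHINES\\BI Admins", "Local Auditors"}
# Name must be domain\username or a UPN (user@domain).
NAME_RE = re.compile(r"^(?:[^\\@\s]+\\[^\\@\s]+|[^\\@\s]+@[^\\@\s]+\.[^\\@\s]+)$")

# Constructed sample assertion (signature and timestamps omitted for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://bidev.shines.test.cloud/eEye.RetinaCSSAML</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Group"><saml:AttributeValue>SHINES\\BI Admins</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Name"><saml:AttributeValue>SHINES\\jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@shines.test.cloud</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, expected_audience=EXPECTED_AUDIENCE, known_groups=KNOWN_GROUPS):
    """Return a list of problems; an empty list means the assertion carries what BI expects."""
    problems = []
    root = ET.fromstring(xml_text)
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("audience %r does not include %s" % (audiences, expected_audience))
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    for required in ("Group", "Name"):
        if not attrs.get(required):
            problems.append("required attribute %s is missing" % required)
    for name in attrs.get("Name", []):
        if not NAME_RE.match(name):
            problems.append("Name %r is not domain\\username or UPN" % name)
    for group in attrs.get("Group", []):
        if group not in known_groups:
            problems.append("Group %r does not match a BeyondInsight group" % group)
    return problems
```

Running `check_assertion` against a decoded SAMLResponse captured from a failed login is a quick way to tell an audience mismatch from a missing or mis-formatted Group or Name attribute.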