How to Set Up SSO Using Centrify

Step

Screenshot

To access the SSO settings, click the button in the top right corner of the User view.

Click the green “Single Sign-On (SAML 2.0) button Settings Dialog screen.

The SSO view contains all settings needed to connect a user account with a SAML provider account.

Configuration

Enable

The Enabled section contains a setting for enabling or disabling Single Sign-On for the account.

The Enabled setting applies to the current account only.

Identity Provider (SAML Metadata URL)

The Identity Provider section contains settings for connection to the SAML provider.

If the SAML provider has a SAML metadata URL, you can use that. ASM will extract the needed login URL and certificate automatically.

Identity Provider (Specify Settings)

For other SAML providers, you may need to specify settings manually.

Sign-in URL (The IdP Login URL, which you can find in the provider's settings.)

Signing Certificate (Certificate for sign-in, which you can download from the provider app settings.)

SERVICE PROVIDER

Use this information about ASM as a Service Provider to set up your Identity Provider.

• Service Provider Entity ID

  • Use this URL to identify ASM to your IdP uniquely and get the Service Provider’s (Apica’s) Metadata.

    • https://wpm.apicasystem.com/AuthServices

• Assertation Consumer Service URL

  • Set your IdP to post SAML responses to this URL.

    • https://wpm.apicasystem.com/AuthServices/Acs

SAML ATTRIBUTE STATEMENTS MAPPING

ASM requires several attributes to be presented in SAML assertion. Note that attribute names may include namespaces.

• User Name (A UNIQUE SAML attribute statement name for user name.)

• Full Name (SAML attribute statement name for user's full name.)

• Email (SAML attribute statement name for user's full name.)

• Identity Provider Roles (SAML attribute statement name for user's roles list provided by your IdP.)

• Set Default (Apply default settings for Centrify.)

• Reset (Clear the settings.)

ROLES MAPPING

The Identity Provider User roles/groups must map to User Roles and Monitor Groups to access Apica Synthetic Monitoring.

Make sure that SAML roles you use already exist in Centrify.

Identity Provider Roles Mapping (Associate roles used in the IdP with User Roles and Monitor Groups in ASM)

• IdP Role / Group (Name of user role (or group) in the IdP.)

• User Roles (List of User Roles in ASM to associate with the IdP role.)

• Monitor Groups (List of Monitor Groups in ASM to associate with the IdP role.)

• Co-Owned Monitor Groups (List of Monitor Groups for the Customer Power User Role to associate as co-owner with the IdP role.)

• Comment (Additional information about the mapping.)

Overwrite Access Settings for Monitor Groups (Access settings for Monitor Groups will be overwritten every time the user logs in.)

• Check = Yes to Override with each login.

• Uncheck (default) = Accept default Access permissions

VARIOUS SETTINGS

• Default Regional Setting (Choose a Standard Language/Region to apply to all users.)

• Default Time Zone (Choose a Standard Timezone to apply to all users.)

• Session Time (Duration of the web session in minutes.)

  • Defaults to 720 minutes/12 hours

Cancel/Test/Save

To Cancel any Changes or Test to verify that your settings work, you can use the corresponding buttons.

• This page will display any resulting test problems with the configuration.

• Don’t forget to Save your changes when satisfied

Step

Screenshot

With the setup used in the examples above, go to http://alpha.foo.com, log out.

On the log in page, choose "Sign in using SSO"

Insert customer name SSOTestA, and press "Continue."

You will be redirected to the Centrify log-in page.