Locating SSO Service Providers in CloudManager
- Using the left-hand menu, select Global Settings
- Then select Global Login Controls
- Scroll down and locate SSO Service Providers
Setting up Service Providers
Note: The security of SSO with CloudManager can be improved by only responding to SAML authentication requests from a set of specified Service Providers.
In addition, it can verify digitally signed authentication requests from these known Service Providers (also known as "Trusted Issuers").
The "Deny unknown SSO Service Providers" checkbox controls how restrictive CloudManager is about which Service Providers it responds to.
If it is checked, CloudManager responds with urn:oasis:names:tc:SAML:2.0:status:RequestDenied to every request from a Service Provider that is not in the list.
If it is unchecked, CloudManager behaves the same for both trusted and untrusted issuers.
To configure a new trusted Service Provider you must first add it to the list by clicking the Add button.
A new row appears where you type a name of your choice for the new Service Provider and its Issuer.
The Service Provider should supply you with the Issuer value, which must be unique.
Now you can save the Service Provider by clicking the Save button on that row.
CloudManager can be configured to only allow digitally signed requests that can be verified by a certificate (public key) supplied by the Service Provider.
This protects against malicious software that sends requests spoofing the Service Provider's unique Issuer.
The Service Provider's certificate can be uploaded using the "Upload" button in the "Certificate" column for the Service Provider's row.
Check the checkbox in the "Verify" column to only allow requests with that issuer that are digitally signed and can be verified using the uploaded certificate.
The upload accepts simple keys, certificates and SAML metadata files.
If a specified trusted Service Provider needs to consume more information from CloudManager SSO than the user ID, administrators can configure which attributes from the user's profile should be exposed.
This configuration is done by clicking the Configure button for the Service Provider's row.
Each attribute that needs to be exposed to the Service Provider can be defined by clicking the Add button.
You must define a name that is known to the Service Provider and optionally a human readable "Friendly" name.
In the third column you must specify which property of the logged-in user's profile should be exposed under the specified name.
A constant may be specified instead of a profile attribute.
If a profile attribute is specified then a default value can be specified in case it is empty.
Please note that profile attributes are prefixed by a dollar sign ($).
A list of available profile attributes is shown when the value field is clicked.
Once all the attributes required for the Service Provider have been specified, click the Save button; the changes take effect immediately.
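The following is an added example, not CloudManager code, that models the three settings described above (the "Deny unknown SSO Service Providers" checkbox, the per-issuer "Verify" checkbox with uploaded key material, and the attribute mappings with $profile properties, constants and defaults) so their combined effect on an incoming AuthnRequest can be exercised offline. The issuers, key bytes and user profile are constructed, and certificate-based XML signature verification is replaced by an HMAC stand-in (labelled as such); the status returned for a request that fails verification is an assumption, since the page only states the status for unknown issuers.

```python
# Added example (not CloudManager code): model of the trusted Service
# Provider policy. Issuers, keys and profiles below are constructed.
import hmac
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"


@dataclass
class AttributeMapping:
    name: str                      # attribute name known to the Service Provider
    value: str                     # "$property" of the user's profile, or a constant
    friendly_name: Optional[str] = None
    default: Optional[str] = None  # used when the profile property is empty


@dataclass
class ServiceProvider:
    name: str
    issuer: str                          # unique Issuer supplied by the SP
    certificate: Optional[bytes] = None  # uploaded key material
    verify: bool = False                 # the "Verify" checkbox
    attributes: List[AttributeMapping] = field(default_factory=list)


@dataclass
class SsoPolicy:
    providers: Dict[str, ServiceProvider]  # keyed by Issuer
    deny_unknown: bool                     # "Deny unknown SSO Service Providers"
    verify_signature: Callable[[bytes, bytes, bytes], bool]


def hmac_stand_in(key: bytes, message: bytes, signature: bytes) -> bool:
    """Constructed stand-in for certificate-based XML-DSig verification."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def extract_issuer(request_xml: bytes) -> Optional[str]:
    """Return the <saml:Issuer> of an AuthnRequest, or None if absent/invalid."""
    try:
        root = ET.fromstring(request_xml)
    except ET.ParseError:
        return None
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return None
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        return None
    return issuer.text.strip()


def evaluate(policy: SsoPolicy, request_xml: bytes,
             signature: Optional[bytes]) -> Tuple[str, Optional[ServiceProvider]]:
    """Decide how to answer an AuthnRequest: (SAML status URN, matched SP)."""
    sp = policy.providers.get(extract_issuer(request_xml) or "")
    if sp is None:
        # Unknown issuer: denied when the checkbox is set, otherwise handled
        # like any other request (no attribute configuration applies).
        return (STATUS_REQUEST_DENIED if policy.deny_unknown else STATUS_SUCCESS), None
    if sp.verify:
        # Verify set: unsigned or unverifiable requests are rejected.
        # Answering with RequestDenied here is an assumption of this example.
        if (signature is None or sp.certificate is None
                or not policy.verify_signature(sp.certificate, request_xml, signature)):
            return STATUS_REQUEST_DENIED, None
    return STATUS_SUCCESS, sp


def resolve_attributes(sp: ServiceProvider, profile: Dict[str, str]) -> Dict[str, str]:
    """Build the attributes exposed to this SP from the logged-in user's profile."""
    exposed = {}
    for m in sp.attributes:
        if m.value.startswith("$"):
            resolved = profile.get(m.value[1:], "")
            if resolved == "" and m.default is not None:
                resolved = m.default
        else:
            resolved = m.value  # constant instead of a profile attribute
        exposed[m.name] = resolved
    return exposed


def build_request(issuer: str) -> bytes:
    """Constructed minimal AuthnRequest used by the examples."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
            f'ID="_req1" Version="2.0"><saml:Issuer>{issuer}</saml:Issuer>'
            f'</samlp:AuthnRequest>').encode()


PAYROLL = ServiceProvider(
    name="Payroll", issuer="https://payroll.example.test/sp",
    certificate=b"constructed-payroll-key", verify=True,
    attributes=[
        AttributeMapping("email", "$email", friendly_name="E-Mail"),
        AttributeMapping("department", "$department", default="unassigned"),
        AttributeMapping("tenant", "acme"),
    ])
POLICY = SsoPolicy({PAYROLL.issuer: PAYROLL}, deny_unknown=True,
                   verify_signature=hmac_stand_in)


def demo() -> Dict[str, object]:
    req = build_request(PAYROLL.issuer)
    good_sig = hmac.new(PAYROLL.certificate, req, hashlib.sha256).digest()
    return {
        "unknown": evaluate(POLICY, build_request("https://unlisted.example.test"), None)[0],
        "unsigned": evaluate(POLICY, req, None)[0],
        "bad_sig": evaluate(POLICY, req, b"\x00" * 32)[0],
        "signed": evaluate(POLICY, req, good_sig)[0],
        "attributes": resolve_attributes(PAYROLL, {"email": "ann@example.test", "department": ""}),
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(key, result)
```

With "Deny unknown" set and "Verify" checked for the Payroll row, only the correctly signed request from the listed Issuer reaches the attribute stage; the unlisted Issuer, the unsigned request and the tampered signature all get RequestDenied. The attribute resolution shows the empty department falling back to its configured default while the constant "acme" is passed through unchanged.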