Adding a SAML Enterprise identity source
You can use any identity provider that supports the SAML protocol as a SAML Enterprise identity source. The identity provider authenticates the user identity against data in this identity source before it grants access to Verify.
About this task
Procedure
- Click Add Identity Source. The Add Identity Source dialog box is displayed.
- Select SAML Enterprise and click Next.
-
Specify the basic information.
Table 1. Basic information Information Descriptions Name The name that you assign to represent the user registry that is used by identity providers such as Microsoft Active Directory, Microsoft Azure Active Directory, or others.
If there is more than one identity source that is configured and enabled, the identity source name is displayed in the Verify Sign In page.
This information is also displayed in the Users & Groups > Users tab, Add User dialog box, when you select an Identity Source.
Realm It is an identity source attribute that helps distinguish users from multiple identity sources that have the same user name.
It must be a unique name across all other configured identity sources in your subscription. The name can contain any alphanumeric characters. Special characters are not allowed except for dot (.) and hyphen (-).
The maximum allowed string length is 253, similar to the maximum length of a domain name.Note: You cannot edit the name after you create it.Enabled Indicates whether the identity source is active and available.
When the identity source is configured and enabled, users can single sign-on to Verify and into their entitled applications with the selected identity source. If the identity source is not enabled, it is not displayed as an option in the Sign In page.Note:- There must be at least one identity source that is enabled to sign in to Verify.
- If only one identity source is enabled, it becomes the default sign-in option for the user.
Identity Linking Enabled
Turns on identity linking for a specific identity source. Shadow accounts are not created in Cloud Directory at the realm that was specified for this identity source. Note:- You cannot enable linking on the identity source that is set as your default identity source.
- You cannot disable or delete your default linking identity source.
Unique User Identifier The user attribute in the federated identity token that acts as the user name for the account in Cloud Directory. Enable JIT Provisioning Creates and updates the user account in the primary identity source realm that is associated with the SAML identity. -
Specify whether the single sign-on is initiated by the identity provider or the
service provider.
Table 2. Single sign-on flow Single sign-on is initiated by the Descriptions Service Provider Service provider-initiated (SP-initiated) sign on
In this scenario:- The user has an account at the service provider site.
- The user attempts to access the protected resource from the service provider.
- The service provider initiates a SAML authentication request to the identity provider. The service provider redirects the user's browser to the identity provider.
- The user signs in.
- The identity provider generates a SAML authentication response that asserts that the user is authenticated.
- The service provider validates the SAML authentication response.
- The user's browser is redirected to the service provider target URL and the user is authorized to access the requested resource.
Identity Provider Identity provider-initiated (IdP-initiated) sign on
In this scenario:- The user has an account at the identity provider site.
- The user signs in to the identity provider site or uses the identity provider single sign-on URL to access the protected resource from the service provider.
- The identity provider initiates a SAML authentication response that asserts that the user is authenticated.
- The service provider validates the SAML authentication response.
- The user's browser is redirected to the service provider target URL and the user is authorized to access the requested resource.
SSO URL This information is required only if single sign-on is initiated by the Identity Provider.
It is the URL that initiates the single sign-on from the identity provider to the service provider.
-
Browse for the identity provider metadata file (.xml) or drag
it in the drop area.
The name of the Selected File is displayed.
-
Provide the identity provider with the following service provider
metadata properties. You can either copy the information or download the metadata file.
Table 3. Service provider metadata properties Information Descriptions Entity ID Specifies the issuer in the SAML authentication request and the audience of any inbound SAML authentication response. Assertion Consumer Service URL Specifies the endpoint at the service provider that receives the SAML authentication response.
The identity provider redirects the SAML authentication response to this URL. This endpoint receives and processes the SAML assertion.