SAML SSO works by passing the user's identity from an identity provider (IdP) to a service provider (SP). The transfer is done through an exchange of digitally signed XML documents. Sectona PAM uses OneLogin SAML Authentication to allow access for its users. This section covers:
Before you begin
The user should have admin access to the OneLogin developer portal.
The user must have admin access to Sectona PAM.
Configuring OneLogin SAML Authentication
To configure SAML authentication for OneLogin with a Sectona PAM instance, follow the steps below:
Configuring OneLogin Developer Account
Log on to the OneLogin developer account as admin.
Go to Users and click on New User.
Fill in all the details and click on Save user.
After you save the user, click on the saved user.
Click on Add Privilege on the user detail page.
Select the SAML Test Connector (Advanced) app so that the user can log on through OneLogin SAML, and save the user.
Click the Send invitation button so that the user receives a URL for password creation.
If no App is present to add as a privilege, go to Application and click on Add App.
Search for “saml test connector (Advanced)” and click on it.
Click on the Configuration tab and configure 'ACS (Consumer) URL Validator' and 'ACS (Consumer) URL'. The ACS URL is the Sectona PAM endpoint that receives the signed SAML response; the validator is the pattern OneLogin checks that URL against, so keep it as specific as possible.
Once the user who has been granted access is visible, click on Save. The SAML metadata (the configuration XML file) is downloaded to your machine.
Configuring OneLogin SAML Authentication in PAM
Log in to Sectona PAM as admin, go to Configuration -> AD & Directory Store and click on Add AD & Directory Store.
Fill in the following details:
Directory Name: Provide a suitable name.
Authentication Type: Select ‘Generic SAML’ from the drop-down list
Directory Store Type: Select ‘SAML’ from the drop-down list
Issuer: Provide the URL where your PAM is installed
Logon URL: This is present in the metadata file. You will find four SingleSignOnService Location tags in the metadata file. Choose the one whose Binding is HTTP-POST, copy its Location URL and paste it into this field.
Logout URL: This is present in the metadata file. You will find four SingleLogoutService Location tags in the metadata file. Choose the one whose Binding is HTTP-POST, copy its Location URL and paste it into this field.
Logon Binding: This will be auto-filled in PAM
Upload the certificate (.crt) file that was downloaded with the metadata file. If no certificate file came with the metadata, open the metadata file, copy the text inside the <ds:X509Certificate> tag, paste it into a text editor and save it as a .crt file. Upload that file and then click Save. PAM uses this certificate to verify the IdP's signature on SAML responses, so it must be the signing certificate from the metadata.
Go to Manage → User and assign the created directory store to the user to complete the configuration.
To show the Logon with SAML option on the Sectona logon screen, go to System → System Defaults → User Logon Show SAML Option and set the config value to 1.
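The Logon URL, Logout URL and certificate steps above all come from reading the OneLogin metadata by hand. The following added example (not Sectona's or OneLogin's code) pulls the same three values out of a constructed metadata document: it picks the HTTP-POST binding, refuses a non-HTTPS endpoint, and writes the signing certificate in the PEM form a .crt upload expects. The tenant host, ids and certificate body are placeholders.

```python
import base64, re, textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
IDP = "https://example-tenant.onelogin.com/trust/saml2"  # constructed host, not a real tenant
# Constructed metadata in the shape OneLogin exports; the certificate body is a placeholder.
FAKE_CERT_B64 = base64.b64encode(b"placeholder-not-a-real-certificate" * 3).decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="{IDP}/metadata/EXAMPLE">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="{IDP}/http-redirect/slo/EXAMPLE"/>
    <SingleLogoutService Binding="{POST}" Location="{IDP}/http-post/slo/EXAMPLE"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="{IDP}/http-redirect/sso/EXAMPLE"/>
    <SingleSignOnService Binding="{POST}" Location="{IDP}/http-post/sso/EXAMPLE"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def find_location(root, service, binding=POST):
    # Pick the endpoint for the wanted binding; the PAM form expects the HTTP-POST one.
    for el in root.iterfind(f".//md:{service}", NS):
        if el.get("Binding") == binding:
            loc = el.get("Location", "")
            if not loc.startswith("https://"):
                raise ValueError(f"{service} Location is not HTTPS: {loc}")
            return loc
    raise ValueError(f"no {service} with binding {binding}")

def signing_cert_pem(root):
    # Only a KeyDescriptor with use="signing" (or no use attribute) verifies the IdP's signature.
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        b64 = re.sub(r"\s+", "", kd.findtext(".//ds:X509Certificate", "", NS))
        if not b64:
            continue
        base64.b64decode(b64, validate=True)  # reject a mangled copy/paste before saving
        return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n-----END CERTIFICATE-----\n"
    raise ValueError("metadata carries no signing certificate")

def pam_fields(metadata_xml):
    # The three metadata-derived values the Sectona directory-store form asks for.
    root = ET.fromstring(metadata_xml)
    return {"logon_url": find_location(root, "SingleSignOnService"),
            "logout_url": find_location(root, "SingleLogoutService"),
            "certificate_pem": signing_cert_pem(root)}
```

Write the certificate_pem value to a .crt file for the upload step; the two URLs go into the Logon URL and Logout URL fields.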