SAML Authentication

Security Assertion Markup Language (SAML) is an XML-based standard that exchanges authentication credentials between a service provider (SP) and an identity provider (IdP). It eliminates the need for multiple passwords and, with the help of single sign-on (SSO) functionality, offers a secure, easy way to access multiple applications with common login credentials.

Service provider: The SP is an application or a third-party entity that provides a service to an end user. The SP relies on the IdP to authenticate the user on its behalf. Examples: ManageEngine OpManager and ManageEngine Desktop Central.

Identity provider: The IdP is an entity that stores user identities and their credentials, such as usernames, passwords, and SSH keys, and vouches for them to the SP. Examples: Okta, Microsoft ADFS, Auth0, CyberArk, and Azure SSO.

SAML authentication in OpManager

Users can now log into OpManager with SAML. During sign-in, a request is sent to the IdP, which checks the authentication credentials of that particular user. The IdP's response is then communicated back to OpManager, and the user gains access.


For example, once SAML is configured, users will have an option on OpManager's login page to connect them to the SSO login page on the IdP side. Once signed in, the user will be redirected back to OpManager and logged in using the authentication given by the IdP, assuming the user account is available. If the user can’t be authenticated, their access will be denied and they will be returned to the OpManager login page.

Configuring SAML in OpManager

There are two ways to configure SAML in OpManager. You can either do it manually by providing the necessary credentials or you can upload the metadata file directly, if available.

Service provider details

If you opt to configure SAML manually, you will be provided with the following details: the Entity ID, Assertion Consumer URL, SSO Logout URL, and a link to download the SP certificate file. This information, available in the OpManager UI, can be used to add OpManager as a supported application in your IdP.

You can also download the SP metadata file directly from OpManager and import it on the IdP side. This metadata file will have all the above-mentioned details in XML format.
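As an added example (not OpManager's own code or documentation), the Python below reads an SP metadata file of the kind described above, extracts the four details the IdP needs (Entity ID, Assertion Consumer URL, SSO Logout URL, SP certificate), and flags the checks an administrator would want to make before importing it on the IdP side. The host name, paths and certificate value in the embedded sample are constructed placeholders, not OpManager's real endpoints.

```python
import xml.etree.ElementTree as ET  # parse metadata from untrusted sources with defusedxml.ElementTree instead
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample SP metadata: host, paths and certificate value are placeholders, not
# OpManager's real endpoints; element names, namespaces and binding URIs are the SAML 2.0 ones.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://opmanager.example.internal/saml">
  <md:SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER...BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://opmanager.example.internal/saml/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://opmanager.example.internal/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def parse_sp_metadata(xml_text: str) -> dict:
    """Extract the details the IdP needs from SP metadata: Entity ID, ACS URL, SLO URL, certificate."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor element: this is not SP metadata")
    acs = sp.find("md:AssertionConsumerService[@isDefault='true']", NS)
    if acs is None:  # no endpoint flagged as default: fall back to the first one listed
        acs = sp.find("md:AssertionConsumerService", NS)
    slo = sp.find("md:SingleLogoutService", NS)
    cert = sp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.attrib.get("entityID"),
        "acs_url": None if acs is None else acs.attrib.get("Location"),
        "slo_url": None if slo is None else slo.attrib.get("Location"),
        "certificate": None if cert is None else "".join(cert.text.split()),  # drop PEM line breaks
        "name_id_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", NS)],
        "want_assertions_signed": sp.attrib.get("WantAssertionsSigned", "false").lower() == "true",
    }

def check_sp_metadata(info: dict) -> list:
    """Problems to fix before importing the file into the IdP; an empty list means the file looks sound."""
    problems = [f"missing {k}" for k in ("entity_id", "acs_url", "slo_url", "certificate") if not info.get(k)]
    problems += [f"{k} is not HTTPS" for k in ("acs_url", "slo_url")
                 if info.get(k) and not info[k].startswith("https://")]
    if not info.get("want_assertions_signed"):
        problems.append("WantAssertionsSigned is not true: the SP would accept unsigned assertions")
    return problems
```

Run `check_sp_metadata(parse_sp_metadata(open("sp-metadata.xml").read()))` against the file downloaded from OpManager; any non-empty result is worth resolving before the IdP import.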


Click the corresponding IdP name to see the steps to configure SAML between OpManager and that IdP.

Identity provider details

Similar to the SP details configuration, you can either configure the IdP details manually or upload the metadata file fetched from the IdP side.

Uploading the IdP metadata file:

If you have a metadata file from your IdP, upload it directly in OpManager.

  1. Under Settings -> General Settings -> Authentication, navigate to the SAML Authentication tab.
  2. Under the 'Configure Identity Provider Details' section, choose Upload IdP metadata file and enter the IdP Name.
  3. Find the metadata file acquired from the IdP and click Upload.


Configuring IdP information manually:

You can also enter the IdP details manually in OpManager. For this, you will need the following details:

  1. IdP name
  2. IdP login URL
  3. IdP logout URL
  4. IdP certificate

Enter the above details in the 'Configure IdP information manually' section under Settings -> General Settings -> Authentication.


Note:

  1. OpManager also offers an option called Single Logout. Similar to SSO, users will be able to log out of OpManager and the configured IdP at once from the OpManager UI by clicking the logout URL provided.
  2. As of now, either transient or persistent name identifiers can be used for common IdPs like Okta and OneLogin, whereas only persistent name identifiers are supported for Azure.
  3. To authenticate AD users of OpManager through SAML authentication, the name ID value from the IdP should be in the format <domainname>/<username>.