Home » What is SAML and how it works?
 

Note: All the SAML configuration and authentication steps discussed for Desktop Central also applies to Patch Manager Plus and Vulnerability Manager Plus.

What is SAML Authentication?

Security Assertion Markup Language (SAML) is the de facto open standard used for exchanging authentication and authorization details between the Service Provider and the Identity Provider. The exchange of details is done through digitally signed XML documents containing user data. Desktop Central offers support for SAML 2.0 authentication. By enabling this feature, users can login to Desktop Central via a Single Sign-On (SSO) service, which supports SAML authentication.

Terms to know:

Service Provider - The application providing a specific service which authenticates and authorizes users by security assertions requested by SSO. For example: CRM, Desktop Central, etc..

Identity Provider - The entity which maintains and manages the user's credentials. For example: Okta, OneLogin, etc..

Single Sign-On service - A service provided by Identity Provider, that has a centralized login system in which the user enters the credentials once, after which, the authentication and authorization details are passed to different service providers to grant access to the user.

The main advantage of SSO is that it has centralized authentication, thereby eliminating the need for users to remember multiple passwords to access different applications.

How SAML authentication works?

When a user tries to login to access the Service Provider, the user will be redirected to SSO login page. Upon entering the credentials, the SSO will pass the information to the Service Provider. Further, the Service Provider will decide based on the authentication and authorization details provided by the SSO, whenther or not to grant access to the user.

Prerequisites:

  • Since, the IdP redirection happens via HTTPS port, the HTTPS port must be kept open. The ACS URL is generated using HTTPS only.
  • Identity Provider should support HTTP POST binding.
  • Certificates from the Identity Provider should not have been tampered with, encrypted or expired and should be encoded in base 64 format.

Click below for configuring SAML authentication settings between Desktop Central and

Data provided by Desktop Central that has to be entered in IdP

After logging into Desktop Central, go to the Admin tab, and select SAML Authentication. Here, you can find the details that are provided by Desktop Central to be entered in IdP's side.

  • Entity ID
    Entity ID is a Globally-Unique Identifier used to represent your Desktop Central instance.
  • Assertion Consumer Service URL (ACS URL)
    The ACS URL or Reply URL is an endpoint pointing to your Desktop Central instance that tells the IdP where to send the SAML response.

    Note: Steps to change the default ACS URL in Desktop Central:
    1. Open <Installation_directory>/Desktop Central server/conf/websettings.conf
    2. In a new line, type saml.fqdn.name=<FQDN_Name>
    3. Save the websettings.conf file
    4. Restart the Desktop Central server
    5. Reconfigure SAML Authentication

    where FQDN_Name is the new FQDN, without the port.

Note: Both Entity ID and the Assertion Consumer URL will be present in the Metadata XML.

Data required by Desktop Central from IdP

After logging into Desktop Central, go to the Admin tab, and select SAML Authentication. At the bottom, you have to enter the IdP's details.

  • Name ID
    The Name ID is used to uniquely identify the user who is trying to sign in- it can be either the username or the email ID.
    Note: For domain users, the Username should be in this format: domain\username. This may not be supported in some IdPs.
  • Login URL
    The Login URL is an endpoint pointing to your IdP that tells Desktop Central where to send the SAML request.
  • Certificate
    A certificate from the IdP, used by Desktop Central to verify future SAML requests from the IdP.
Note: The Federation Metadata XML file from IdP, that contains the information mentioned above, can be uploaded to Desktop Central.
 
 
Note:
  • To successfully log in using SAML, the user must be present both in the IdP and Desktop Central.
  • SAML authentication may not work in browsers that are not supported by the Identity Provider.
  • SAML Single logout is not supported currently.
  • If FQDN changes, the ACS URL changes. This implies that the ACS URL should be again updated manually in the Identity Provider.
  • In SAML Authentication settings of Desktop Central, the Name ID  can be either chosen as Username or Email ID. The same option should be selected in the Identity Provider for authenticating users.
  • All accounts should have a unique email ID associated with them in Desktop Central.
  • The metadata file while configuring Identity Provider, must have these three parameters- SSO URL, SSO Signing Certificate; SSO Binding Protocol