There are two ways to configure SAML in OpManager. You can either do it manually by providing the necessary credentials or you can upload the metadata file directly, if available.
If you opt to configure SAML manually, you will be provided with the following details: the Entity ID, Assertion Consumer URL, SSO Logout URL, and a link to download the SP certificate file. This information, available in the OpManager UI, can be used to add OpManager as a supported application in your IdP.
You can also download the SP metadata file directly from OpManager and import it on the IdP side. This metadata file will have all the above-mentioned details in XML format.
Similar to the SP details configuration, you can either configure the IdP details manually or upload the metadata file fetched from the IdP side.
If you have a metadata file from your IdP, upload it directly in OpManager.
You can also enter the IdP details manually in OpManager. For this, you will need the following details:
Enter the above details in the 'Configure IdP information manually' section under Settings -> General Settings -> Authentication.
To see the steps to configure SAML between OpManager and that IdP, click the corresponding IdP name.
Yes. Once SAML authentication is enabled, there will be a prompt to disable other authentications and you can disable other login methods, if necessary. Also, you will only be able to login locally via Super Admin.
No, currently only one IdP can be configured at a time.
At present, Email address, Transient, and Persistent are the Name ID formats supported for SAML authentication in OpManager.
In OpManager, you will not be able to use TFA when SAML authentication is enabled. This is because, the entire authentication flow is handled by the IdP when SAML authentication is enabled. TFA can be used only when signing in using Local, AD, or Radius authentication.
If the IdP is not reachable and the other authentication methods are disabled, you can log in locally via Super Admin. If other authentication methods are not disabled, you can login to OpManager by using the default method.
If the certificate is nearing expiry, OpManager will raise an alert after the user logs in. The Service Provider's certificate can be regenerated from the OpManager UI and uploaded to IdP and vice versa. After uploading, the lifetime of the certificates will be renewed.