Configure authentication via SAML

This topic describes how EPM integrates with SAML to manage authentication, and how you can manage that integration.

Overview

As resources move to the cloud, users experience a proliferation of credentials - the usernames, passwords and, sometimes, devices they use to log in (or authenticate) to cloud-based services. Single sign-on (SSO) technologies come to the rescue, and enable users to authenticate at a single location and access a range of services without re-authenticating.

Since its release in 2005, the Security Assertion Markup Language version 2.0 (SAML 2.0) has established itself as the dominant standard for cross-domain web single sign-on in the enterprise space.

SAML 2.0 defines several roles for parties involved in single sign-on:

Users authenticate (log in) to the Identity Provider (or IdP), and are then able to access a resource at one or more Service Providers, also known as 'relying parties', without needing to log in at each Service Provider (SP).

EPM integration with SAML is implemented using the industry standard SAML 2.0 and works with any Identity Provider that supports SAML 2.0, including Oracle Access Manager, Azure AD, and Microsoft Active Directory Federation Services.

Additional environments can be tested for SAML integration on customer demand.

Enable SP-initiated login

EPM integration with SAML provides an SP-initiated login when a user clicks a direct link to a special EPM URL (for example, https://login.epm.cyberark.com/SAML).

  1. Establish a trust relationship between EPM (SP) and the customer’s SSO facilities (IdP).

  2. Create the EPM users who will log in using SAML, and configure the customer’s SAML facilities to map the AD users to the EPM users.

How it works

The following steps describe the SP-initiated login to EPM:

  1. A user clicks a direct link to a special EPM URL. The browser connects and EPM automatically submits a SAML request to the IdP SAML endpoint.

  2. When the user is authenticated by the IdP as an Active Directory user, the IdP creates a SAML response containing the corresponding EPM user name.

  3. The browser submits the SAML response to the EPM SAML endpoint, which verifies the SAML response, logs in the EPM user named in the SAML response, and redirects the browser to the starting page of a logged-in EPM user.

Set up SAML integration

  1. In the EPM Management console, select SAML Integration to display the SAML 2.0 Integration page.

  2. Under EPM Server Certificate, you can see the number of days until the certificate expires.

    1. To download a new certificate and update it on the IdP server, click Download EPM Certificate.

    2. To start using the new certificate, click Switch to new EPM certificate.

    You must download a new EPM certificate before you can start using it.

    A message indicates that you need to replace the certificate. If you don't see this message, you have already clicked Switch to new EPM certificate and replaced the certificate.

  3. Under EPM Service Provider, do the following. This applies specifically if your IdP does not accept the configuration XML.

    1. Specify the following values.

      Audience (Entity ID): The unique identifier of the entity.

      Single Logout Service: Your IdP server URL, where EPM sends the SAML requests for the service provider initiated logout.

      Assertion Consumer Service: The URL that the Identity Provider uses to verify that the SAML messages can be serviced.

    2. Click Save to ensure that these properties are updated.

    3. Download the configuration XML to provide to your IdP.

  4. Under IDP Server Configuration, do the following:

    1. Specify the following values, which ensure message integrity when the requests/assertions/responses are delivered to the relying party (IdP).

      • When you set the value to true, the corresponding setting on the IdP must be turned on.

      • When you set the value to false, the corresponding setting on the IdP must be turned off.

      Parameter                       Default value

      Signed Authentication Request   True
      Signed Login Request            True
      Signed Assertion                True
      Encrypted Assertion             False
      Signed SAML Response            False
      Signed Logout Response          False

      The Encrypted Assertion setting adds an extra level of protection when the SAML assertion contains particularly sensitive user information or the environment requires it. It is recommended to always use HTTPS, so that SAML assertion encryption is applied on top of the security provided at the transport layer. If there are intermediate network nodes, the HTTPS traffic may be decrypted at those nodes, but this setting ensures that the SAML assertion remains encrypted from the IdP through to the SP regardless of any intermediate network nodes.

    2. In addition, specify the following IdP values:

      IDP Issuer URL: The URL of the IdP issuer. This value is case-sensitive.

      IDP Server Certificate: The IdP server certificate file in DER encoded binary X.509 format.

      IDP Single Sign On URL: The IdP server URL where EPM sends the SAML request for login.

      IDP Single Logout URL: The IdP server URL where EPM sends the SAML request for logout.

  5. Under EPM Login Configuration, do the following:

    1. Specify the following values:

      Organization Identifier: A segment that is added to the EPM service provider Entity ID and turns it into a unique EPM login URL for your organization. The recommended value is your organization's shortened name or abbreviation. This value is case-sensitive.

      EPM Login URL: The URL where users log into the EPM server.

    2. Select which users will be denied access to the standard EPM login page, and will be redirected to IdP authentication.

      Update this option after you have successfully logged in with your service provider.

Important integration requirements

When you configure your IdP with the XML generated by the SAML endpoint of EPM:

  • Change the Security hash algorithm of the Relying Party Trust to be SHA-1 or SHA-256 (more secure).

  • Use a signed assertion.

  • Create rules to match the Active Directory users to EPM users defined in the Account Management page. Name ID is the only accepted LDAP attribute to map EPM users.

Automatic SAML user provisioning

SAML integration with Identity Providers enables automatic user provisioning for Set administrators, which reduces administrative overhead and facilitates seamless authentication.

When SAML user provisioning is enabled, Set Administrators can only log into EPM if the EPM-User-Binding attribute is part of the SAML assertion.
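The following is an added example, not CyberArk EPM code, showing the checks the SP side must pass in the flow described under "How it works" before it trusts the user named in a SAML response: IdP issuer matched case-sensitively, a signed (and, if configured, encrypted) assertion, audience equal to the SP Entity ID, recipient equal to the Assertion Consumer Service URL, the validity window, the NameID that EPM maps users on, and, when SAML user provisioning is on, the EPM-User-Binding attribute. The hostnames, issuer, NameID and binding value in the sample response are constructed placeholders, and signature_ok is a hypothetical hook where a real deployment verifies the XML signature against the IDP Server Certificate with an XML-DSig library; that verification is not implemented here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, List, Optional
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

@dataclass
class SpPolicy:  # SP-side values this page has you configure; names follow the page's labels
    entity_id: str                             # Audience (Entity ID)
    acs_url: str                               # Assertion Consumer Service
    idp_issuer: str                            # IDP Issuer URL (case-sensitive)
    require_signed_assertion: bool = True      # Signed Assertion (page default True)
    require_encrypted_assertion: bool = False  # Encrypted Assertion (page default False)
    require_user_binding: bool = False         # Enable SAML user provisioning

@dataclass
class LoginDecision:
    ok: bool
    reasons: List[str] = field(default_factory=list)
    name_id: Optional[str] = None
    user_binding: Optional[str] = None

def _saml_time(value: str) -> datetime:
    # SAML dateTime values are UTC with a trailing Z (fractional seconds not handled here)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text: str, policy: SpPolicy, now: datetime,
                      signature_ok: Callable[[ET.Element], bool]) -> LoginDecision:
    """Checks an SP must pass before logging in the user named in the assertion. signature_ok is a
    hypothetical caller-supplied XML-DSig verifier; here we only check a Signature exists and it accepts."""
    d = LoginDecision(ok=False)
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        d.reasons.append("IdP did not report Success")
    if policy.require_encrypted_assertion and root.find("saml:EncryptedAssertion", NS) is None:
        d.reasons.append("Encrypted Assertion required but the assertion arrived in clear")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        d.reasons.append("no plaintext saml:Assertion to evaluate")
        return d
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != policy.idp_issuer:
        d.reasons.append("assertion Issuer does not match the configured IDP Issuer URL (case-sensitive)")
    if policy.require_signed_assertion:
        if assertion.find("ds:Signature", NS) is None:
            d.reasons.append("Signed Assertion required but no ds:Signature present")
        elif not signature_ok(assertion):
            d.reasons.append("assertion signature did not verify")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        d.reasons.append("assertion has no Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < _saml_time(nb)) or (noa and now >= _saml_time(noa)):
            d.reasons.append("now is outside the assertion's NotBefore/NotOnOrAfter window")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if policy.entity_id not in audiences:
            d.reasons.append("Audience does not include our Entity ID")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != policy.acs_url:
        d.reasons.append("Recipient is not our Assertion Consumer Service URL")
    d.name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not d.name_id:
        d.reasons.append("no NameID, the only attribute EPM maps users on")
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "EPM-User-Binding":
            d.user_binding = attr.findtext("saml:AttributeValue", namespaces=NS)
    if policy.require_user_binding and not d.user_binding:
        d.reasons.append("SAML user provisioning is on but EPM-User-Binding is missing")
    d.ok = not d.reasons
    return d

# Constructed sample response: hostnames, issuer, NameID and binding value are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice.admin</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://login.epm.example.com/SAML/acme"
     NotOnOrAfter="2024-01-15T10:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://login.epm.example.com/SAML/acme</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="EPM-User-Binding">
   <saml:AttributeValue>EXAMPLE-BIND-VALUE</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""
BASE_POLICY = dict(entity_id="https://login.epm.example.com/SAML/acme",
                   acs_url="https://login.epm.example.com/SAML/acme",
                   idp_issuer="https://idp.example.com/adfs/services/trust", require_user_binding=True)

def demo(now_iso: str = "2024-01-15T10:01:00Z", **overrides) -> LoginDecision:
    # Demo-only stand-in verifier that accepts everything; a real SP must verify the XML-DSig here
    policy = SpPolicy(**{**BASE_POLICY, **overrides})
    return validate_response(SAMPLE_RESPONSE, policy, _saml_time(now_iso), lambda a: True)
```

Run demo() to see the accepted decision for the sample; calling it with a later time, a differently cased issuer, another entity_id, or require_encrypted_assertion=True shows how each of the page's settings turns into a rejection reason rather than a login.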

This procedure describes how to configure your Identity Provider and EPM to enable this functionality.

Configure users in the Identity Provider

In the Identity Provider, configure the properties for users who will be provisioned automatically in EPM when they authenticate with SAML.

  1. Log onto the Identity Provider that will provision and authenticate users.

  2. In the Additional attributes, add a new custom attribute, called EPM-User-Binding.

  3. Add the EPM-User-Binding attribute for all users who will log into EPM using SAML.

Generate the bind value in EPM

In EPM, generate a SAML attribute value that will authenticate Identity Provider users to EPM when they sign in with SAML authentication.

  1. Log onto the EPM Management console, and go to the SAML Integration page.

  2. Under SAML User Provisioning, click Create SAML attribute value.

  3. Select the sets and roles for the users to provision, then click Generate SAML attribute value.

    If a user is assigned a specific role for all Sets, you do not need to update this value when creating new Sets. However, if a user is assigned specific sets, you must update this value each time a new Set is created.

  4. EPM generates the value that binds the Identity Provider user to the Sets and roles, and displays it. Click Copy to clipboard.

  5. In the Identity Provider where you created the custom attribute, locate the user that needs access to the EPM console, paste the copied value as the value of the additional attribute, then save the attribute value.

    Whenever you update the value of the custom attribute, the corresponding value is updated in the EPM console.

  6. In the EPM Management console, go to the SAML Integration page and select Enable SAML user provisioning.

Log in to EPM

Users can log into EPM in either of the following ways:

SP-initiated login: When users authenticate to the URL specified in EPM Login URL, they are redirected to EPM and a user is transparently created for them. They are assigned to the Sets and roles you selected when you generated a SAML attribute value in EPM.

Identity Provider initiated login: In the Identity Provider portal, create an application link to EPM. Users who authenticate to the Identity Provider can access EPM without additional authentication.