Samanage SAML Single Sign-On (SSO)

Samanage offers both IdP-initiated SAML SSO (for SSO access through the user portal or CyberArk mobile applications) and SP-initiated SAML SSO (for SSO access directly through the Samanage web application). You can configure Samanage for either or both types of SSO.

Requirements for Samanage SSO

  • An active Samanage administrator account.
  • A signed certificate. You can either download one from the Admin Portal or use your organization's trusted certificate.

Set up the certificates for SSO

To establish a trusted connection between the web application and CyberArk Identity, you need the same signing certificate in both the application and the application settings in the Admin Portal.

If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file on the application's Trust page in the Admin Portal. You upload only the public key certificate, in a .cer or .pem file, to the web application: Samanage needs it solely to validate the signature on the SAML assertions, so the private key never leaves the identity platform.
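As an added check for the certificate step above (example code written for this page, not from CyberArk or Samanage), the following script compares the SHA-256 fingerprint of the certificate held on the Admin Portal side with the .cer/.pem you are about to upload to Samanage, accepting PEM or binary DER on either side. It does not parse .pfx/.p12 files; export the certificate from the .pfx first (for example with openssl pkcs12 -in app.pfx -clcerts -nokeys -out app.pem) or compare against the .cer downloaded from the Admin Portal. The file names on the command line and the SAMPLE_* bytes are constructed for the example; the sample bytes are a minimal ASN.1 SEQUENCE standing in for a certificate, not a real one.

```python
"""Compare the certificate fingerprints on the IdP (Admin Portal) and SP (Samanage) sides.

Added example for this page, not CyberArk or Samanage code. Handles PEM (.pem, Base64 .cer)
and binary DER (.cer); .pfx/.p12 must be exported to PEM first.
"""
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def certificate_der(data: bytes) -> bytes:
    """Return the DER bytes of the first certificate in `data`, whether it is PEM or DER."""
    match = PEM_BLOCK.search(data)
    if match:
        # PEM: drop the armour and line breaks, then Base64-decode the body.
        return base64.b64decode(b"".join(match.group(1).split()), validate=True)
    if data[:1] == b"\x30":
        # DER always starts with an ASN.1 SEQUENCE tag (0x30).
        return data
    raise ValueError("not a PEM or DER certificate")


def sha256_fingerprint(data: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint, the form `openssl x509 -fingerprint` prints."""
    digest = hashlib.sha256(certificate_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(idp_cert: bytes, sp_cert: bytes) -> bool:
    """True when both files carry byte-identical certificates, regardless of PEM/DER encoding."""
    return certificate_der(idp_cert) == certificate_der(sp_cert)


def pem_encode(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour (used here to build the constructed sample)."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


# Constructed sample: ASN.1 SEQUENCE { INTEGER 1 }. Not a real certificate; it only exercises
# the encoding-independent comparison.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = pem_encode(SAMPLE_DER)
OTHER_DER = bytes.fromhex("3003020102")   # a different "certificate", for the mismatch case


def main(argv):
    # Hypothetical CLI: python check_cert.py <cert-from-admin-portal> <cert-uploaded-to-samanage>
    if len(argv) != 3:
        print("usage: check_cert.py <cert-from-admin-portal> <cert-uploaded-to-samanage>")
        return 2
    with open(argv[1], "rb") as f1, open(argv[2], "rb") as f2:
        idp, sp = f1.read(), f2.read()
    print("Admin Portal:", sha256_fingerprint(idp))
    print("Samanage    :", sha256_fingerprint(sp))
    if same_certificate(idp, sp):
        print("OK: same certificate on both sides")
        return 0
    print("MISMATCH: assertions signed with the Admin Portal certificate will not validate in Samanage")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The fingerprint is computed over the DER bytes, so a PEM export and a binary .cer of the same certificate compare equal; a fingerprint that differs is the usual sign that an older certificate was left in one of the two places after a rotation.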

Configure Samanage for SSO

The following steps are specific to this application and are required in order to enable SSO. For information on optional configuration settings available in the Admin Portal, see Configure optional application settings.

Specifications

Each SAML application is different. Here are the Samanage features and functionality that you need to know when configuring the application for SSO.

  • Available versions and clients: web, Samsung KNOX (Android). The Samanage agent that you install on Windows, Mac, and UNIX systems does not need any login.
  • SP-initiated SSO works? Yes. When you enable SSO for Samanage, Samanage generates your SP-initiated SSO login URL automatically, in the following format:

    https://app.samanage.com/saml_login/<Samanage_Account_Name>

  • IdP-initiated SSO works? Yes.
  • Is there a separate login for administrators after SSO is enabled? Administrators and users can continue to log in with their Samanage user name and password after SSO is configured and enabled.
  • Lockout possibility and how to recover after lockout: No lockout; regular user name and password login remains allowed for all users after SSO is enabled.
  • User provisioning: You can configure Samanage to automatically create user accounts for users when they launch the application from the user portal.
  • User types: User types are defined by role: user, administrator, and portal user.
  • Can users reset their own passwords? Can administrators reset a user's password? Users can reset their own passwords, and administrators can reset users' passwords for them.
  • IP range: Although you can specify an IP range for a Samanage site, you don't assign SSO access by IP range in the application itself. You can restrict application access by IP range from the Admin Portal. Because Samanage keeps accepting user name and password logins after SSO is enabled, a restriction enforced in the Admin Portal applies only to access through CyberArk Identity, not to users who log in to Samanage directly with a password.
  • Support for other web applications: SSO from Google Apps for Work is supported. Salesforce integration is also available.

Samanage provisioning

Before configuring the Samanage application for provisioning, you must install, configure, and deploy the app.

Prepare your Samanage account for provisioning

You need your custom Samanage domain, such as acme.samanage.com, and a Samanage user account with administrator permissions. You don’t have to configure Samanage outside of the Admin Portal.

If your user account isn’t in the Samanage Administrator role, the role that your account is assigned to must have the following permissions:

  • Users: Manage
  • Setup: Read; this permission also grants permission to read roles.
  • Scope: Do not set this option.
  • Role: When you edit or create a Samanage role, do not select the option entitled Users associated with this role can only access the Self-Service Portal. The user account that you use to configure provisioning in the Admin Portal must have access to the Samanage dashboard and other components.

Configure Samanage in the Admin Portal for automatic provisioning

In this section, you use your Samanage account name and your Samanage administrator credentials to configure automatic provisioning. These credentials are saved with the provisioning details and used for every synchronization run, so prefer a dedicated account that has only the permissions listed above over a personal administrator account.

To configure Samanage in the Admin Portal for automatic provisioning:

  1. Click the Provisioning tab.
  2. Select Enable provisioning for this application.
  3. Select either Preview Mode or Live Mode.
    • Preview Mode: Use Preview Mode when you’re initially testing the application provisioning or making configuration changes. The identity platform does a test run to show you what changes it would make but the changes aren’t saved.
    • Live Mode: Use Live mode when you want to use application provisioning in your production system. The identity platform does the provisioning run and saves the changes to both the identity platform and the application’s account information.
  4. Enter the following information for the main provisioning details:

    • Admin Name: Enter your Samanage Administrator user name. This user can either be a member of the Administrator role in Samanage, or have the required permissions. (For details about which permissions, see Prepare your Samanage account for provisioning.)
    • Admin Password: Enter the password for the user account name that you entered.

  5. In the Region drop-down menu, select either Non-European or European.

    • Non-European: select if your Samanage Account Data Center is not based in Europe.
    • European: select if your Samanage Account Data Center is based in Europe.
  6. Click Verify to have CyberArk Identity verify the connection and save the provisioning details.

Provision users for Samanage based on roles

Here you specify a CyberArk Identity role and specify that users in that role will be matched to existing or new accounts in Samanage with the Samanage roles that you specify.

When you change any role mappings, CyberArk Identity synchronizes any user account or role mapping changes immediately.

For Samanage, there are two types of destination roles: Portal roles and non-Portal roles. A user in a Portal role (a role whose name has the prefix "Portal -") sees the Samanage self-service portal only. A user in a non-Portal role can see all of Samanage. You can provision a user to a Portal role only if the user's email address is in one of the domains you have specified in Samanage; you can provision any user to a non-Portal role. To specify the domains in Samanage, log in to Samanage as an administrator and go to Setup > Self-Service Portal > Allowed Domains.

How CyberArk Identity determines duplicate user accounts:
If the user accounts in CyberArk Identity and the target application match on the fields that make a Samanage user unique, CyberArk Identity handles the user account updates according to your instructions. In many applications, the user's email address or Active Directory userPrincipalName is the primary field used to identify a user, and in many cases the userPrincipalName is the email address. You can look at the application's provisioning script to see the fields that CyberArk Identity uses to match user accounts.

To automatically provision users with Samanage accounts:

  1. Make sure that you have entered and verified the provisioning credentials, then, on the Provisioning page, go to the Sync Options section.

  2. Specify how CyberArk Identity handles a user who already has an account in the target application, and when accounts are de-provisioned:

    • Sync (overwrite): Updates account information in the target application. This includes removing data if the target account has a value for a user attribute that is not available from CyberArk Identity.
    • Do not sync (no overwrite): Keeps the target user account as it is; CyberArk Identity skips and does not update duplicate user accounts in the target application.
    • Do not de-provision (deactivate or delete): The user's account in the target application is not de-provisioned when a role membership change that would trigger a de-provisioning event occurs.
    • Deprovision users in this application when they are disabled in source directory: If checked, a user is deprovisioned when they are marked as disabled in the source directory. Deprovisioning behavior and the available deprovisioning options depend on what the target application supports.

  3. Scroll to the Role Mappings section.
  4. To add role mappings and specify which users get provisioned to this application, click Add.

    The Role Mapping dialog box opens.

  5. To map user accounts in the Admin Portal to Samanage user accounts, select a Role (the roles in the Admin Portal) and a Destination role (the ones in Samanage).
  6. Click Done to save the role mapping and return to the Provisioning page.
  7. Continue adding role mappings, as desired.
    • To change a mapping, select the role mapping and click Modify.
    • To remove a mapping, select the role mapping and click Delete.
    • To change the order of the role mappings, click and drag the role mapping to the desired location.

      The order of the role mappings matters: the top-most mapping has priority. If a user is in multiple roles that you have mapped for provisioning, CyberArk Identity provisions the user based on the mapping nearer the top of the list. For example, if users are in both an Administrator role and a Portal User role, make sure the Administrator mapping is the top-most one; otherwise those users are provisioned into the Portal role and see only the self-service portal. For best results, assign roles so that each user is in only one mapped role; if users are in multiple roles, rearrange the order of the role mappings as needed. For more details, see Set up app-specific provisioning.

    The provisioning script is intended for advanced users who are familiar with editing server-side JavaScript code. The Samanage provisioning script supports the system attributes that are listed in the Destination folder in the Script Help section of the Provisioning Script Editor.
  8. When you're done, click Save to save the provisioning details.

    Any time that you make changes to the provisioning role mapping, CyberArk Identity runs a synchronization automatically. You can also run a preview synchronization or a real synchronization, if desired.
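The rules in this section (the top-most mapping wins, Portal roles are restricted to the Allowed Domains, the Sync Options, and Preview versus Live mode) as an added, runnable model. This is example code written for this page, not CyberArk's provisioning script: the role names "Samanage Admins", "Everyone" and "Portal - Requester", the users, the accounts and the allowed domain are constructed, and accounts are matched on email address, which the page names as the usual unique field.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
PORTAL_PREFIX = "Portal -"  # Samanage Portal roles carry this prefix

@dataclass
class SourceUser:     # a user as CyberArk Identity sees it (constructed)
    email: str
    roles: Set[str]
    disabled: bool = False

@dataclass
class TargetAccount:  # a Samanage user account (constructed)
    email: str
    role: str
    active: bool = True

@dataclass
class SyncOptions:
    overwrite: bool = True                   # Sync (overwrite) vs Do not sync (no overwrite)
    deprovision_on_role_change: bool = True  # False models "Do not de-provision"
    deprovision_disabled: bool = False       # "Deprovision users ... when they are disabled in source directory"
    live: bool = False                       # Preview Mode (False) or Live Mode (True)

@dataclass
class Action:
    kind: str            # create | update | deprovision | skip
    email: str
    role: Optional[str]  # destination role, where one was resolved
    reason: str

def resolve_destination_role(user: SourceUser, mappings: List[Tuple[str, str]]) -> Optional[str]:
    """The top-most mapping whose source role the user is in wins, so the order of `mappings` matters."""
    for source_role, destination_role in mappings:
        if source_role in user.roles:
            return destination_role
    return None

def portal_domain_ok(email: str, destination_role: str, allowed_domains: Set[str]) -> bool:
    """Portal roles need an email domain listed under Setup > Self-Service Portal > Allowed Domains."""
    if not destination_role.startswith(PORTAL_PREFIX):
        return True
    return email.rsplit("@", 1)[-1].lower() in {d.lower() for d in allowed_domains}

def plan_sync(users, accounts, mappings, allowed_domains, opts: SyncOptions) -> List[Action]:
    """Decide what a sync run would do; accounts are matched on email address, case-insensitively."""
    by_email = {a.email.lower(): a for a in accounts}
    plan: List[Action] = []
    for user in users:
        existing = by_email.get(user.email.lower())
        destination = resolve_destination_role(user, mappings)
        if user.disabled and opts.deprovision_disabled:
            if existing is not None and existing.active:
                plan.append(Action("deprovision", user.email, None, "disabled in source directory"))
        elif destination is None:  # left every mapped role: the membership change that de-provisions
            if existing is not None and existing.active and opts.deprovision_on_role_change:
                plan.append(Action("deprovision", user.email, None, "no longer in a mapped role"))
        elif not portal_domain_ok(user.email, destination, allowed_domains):
            plan.append(Action("skip", user.email, destination, "email domain not in Allowed Domains"))
        elif existing is None:
            plan.append(Action("create", user.email, destination, "no matching account"))
        elif not opts.overwrite:
            plan.append(Action("skip", user.email, destination, "account exists and overwrite is off"))
        elif existing.role != destination or not existing.active:
            plan.append(Action("update", user.email, destination, f"was {existing.role}"))
    return plan

def run_sync(users, accounts, mappings, allowed_domains, opts: SyncOptions) -> List[Action]:
    """Preview Mode only returns the plan; Live Mode also applies it to `accounts`."""
    plan = plan_sync(users, accounts, mappings, allowed_domains, opts)
    if opts.live:
        by_email = {a.email.lower(): a for a in accounts}
        for action in plan:
            acct = by_email.get(action.email.lower())
            if action.kind == "create":
                accounts.append(TargetAccount(action.email, action.role))
            elif action.kind == "update":
                acct.role, acct.active = action.role, True
            elif action.kind == "deprovision":
                acct.active = False
    return plan

# Constructed sample data; role names are hypothetical apart from the "Portal -" prefix.
ROLE_MAPPINGS = [("Samanage Admins", "Administrator"), ("Everyone", "Portal - Requester")]
ALLOWED_DOMAINS = {"acme.com"}
USERS = [
    SourceUser("alice@acme.com", {"Samanage Admins", "Everyone"}),  # in two mapped roles
    SourceUser("bob@acme.com", {"Everyone"}),
    SourceUser("carol@partner.example", {"Everyone"}),              # Portal role, domain not allowed
    SourceUser("dave@acme.com", {"Everyone"}, disabled=True),
    SourceUser("erin@acme.com", set()),                              # removed from every mapped role
]
def sample_accounts() -> List[TargetAccount]:  # fresh copy so each run starts from the same state
    return [TargetAccount("bob@acme.com", "Administrator"), TargetAccount("dave@acme.com", "Portal - Requester"),
            TargetAccount("erin@acme.com", "Administrator")]

if __name__ == "__main__":
    for a in run_sync(USERS, sample_accounts(), ROLE_MAPPINGS, ALLOWED_DOMAINS, SyncOptions()):
        print(f"{a.kind:12} {a.email:24} {a.role or '-':20} {a.reason}")
```

Running the module with the default options prints a preview-style plan for the sample data: alice is created as Administrator because that mapping sits above the Portal one (reversing ROLE_MAPPINGS would make her a Portal user); bob's hand-made Administrator account is overwritten with the Portal role, which is the Sync (overwrite) behavior to keep in mind for accounts that were not created by provisioning; carol is skipped because partner.example is not in Allowed Domains; erin is de-provisioned because she left every mapped role. Pass SyncOptions(overwrite=False), SyncOptions(deprovision_on_role_change=False) or SyncOptions(deprovision_disabled=True) to see the other Sync Options, and SyncOptions(live=True) to have the plan applied to the account list.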