Setting up a SAML Integration

SAML integrations facilitate the authentication and authorization between providers. If required, multiple SAML providers can be created and utilized in a SAML integration.

Currently, IBM Security does not support Identity Provider (IDP) initiated connections. Only Service Provider (SP) initiated connections are supported.

For the purpose of this procedure, we use Okta as the identity provider example. All SAML Foreign Systems integrations follow these same principle steps.

Refer to related Okta topics for nuances associated with Using GSuite as a SAML Provider and Using Verify Privilege Manager Mobile App with Hybrid SSO Logins.

1. Set up the identity provider. Refer to Managing Authentication Providers.
2. Enable authentication for the SAML identity provider on the Authentication tab.

Ensure that authentication for the SAML identity provider is enabled or the configuration will fail. Refer to Authentication Tab.

3. Use data from the identity provider setup for setting up the Verify Privilege ManagerForeign Systems.

   

Create a new Application

An application is a definition for integration with an external application (in this case, Verify Privilege Manager).

In Okta, create a new application. Don’t select one of the existing:

1. In the top right of the app page, click Create New App.

2. From the Platform drop-down, select Web.

3. From the Sign on method options, select SAML 2.0.

   

4. In the App name field provide an Application Name. Depending on your use case, provide an application logo and select App visibility settings.

5. Click Next.

Enter Application SAML Settings

On the next pages, you’ll configure the SAML settings.

1. Enter the Single sign on URL. The Single sign on URL is the root Verify Privilege Manager URL plus saml2/acs. For most systems this is https://servername/Tms/saml2/acs.

2. Enter the Audience URI, which can be anything as long as it matches what you put in Verify Privilege Manager. The default value in Verify Privilege Manager is PrivilegeManagerServiceProvider.

3. The Default RelayState can be left blank.

4. The Name ID format drop-down set to Unspecified.

5. From the Application username drop-down, select Okta username.

   The rest of the settings can be ignored.

6. Proceed via Next.

7. On the last page for the Are you a customer or partner? prompt, select I'm an Okta customer adding an internal app.

8. Click Finish.

View Setup Instructions

After the app is created, you’ll want to click View Setup Instructions and leave the instructions open in the browser. You’ll want to copy and paste some of this info into Verify Privilege Manager in the next section.

Save Certificate

Start with the certificate data.

1. Click Download certificate and save the certificate as .cer. Okta will try to save it as .cert.
2. Once it’s saved, you should be able to open and view the certificate in Windows:

   

Verify Privilege ManagerForeign Systems Setup

Create SAML Identity Provider

1. Navigate to Admin | Configuration and select Foreign Systems.

2. Click SAML Identity Providers.

3. Click Create.

   

4. Enter a name for the Foreign System.

5. For Identity Provider Entity Id, enter the issuer name from the setup instructions. For example:

   

6. Click Create.

   

7. Under Identity Provider | Single Sign On URL enter the URL from the setup instructions.

   

8. Under Certificate, select the certificate you saved earlier.

9. From the Binding drop-down, select HTTP Post.

10. Under Privilege Manager Entity ID match what you entered in the app setup for Audience URI (SP Entity ID), for example PrivilegeManagerServiceProvider, if you went with the default suggestion.

11. Under Privilege Manager URL, enter your instance URL, for example https://myprivilegemanger/Tms/.

12. Click Save Changes.

    

After saving the identity provider, Verify Privilege Managershows the certificate thumbprint in the UI. It should match what Windows shows for the thumbprint on the certificate downloaded from Okta:

Configure User Options

Normally you need to create a new Federated user that matches an Okta username. But you can optionally have Verify Privilege Managermatch AD users by DOMAIN\username and/or create new Federated users automatically.

Match Active Directory Users

If you select this option, you must configure Okta to send users in the format DOMAIN\username or username@domaindnsname. You should import users (and groups if desired) from AD, and add the desired user(s) to one or more Verify Privilege ManagerRoles before attempting to sign in.

Create Users Automatically

When this option is selected, Verify Privilege Managerwill create a new Federated user whenever a username cannot be matched to an existing Federated user (or AD User if the option above is selected).

You’ll still need to add the user to a Verify Privilege Managerrole before they’ll have any meaningful access. Support for group/role assertions is planned for a future release.

Managing Users

Create New Okta Users

If you don’t have any Okta users, you’ll need to go to the Okta Directory section and add them.

Okta requires the usernames be in the format of an email address. These are the usernames your users are going to use when they log into Verify Privilege Manager. You can configure Okta to send Verify Privilege Managera different username (like domain\username, or a short name like yoda).

Add Okta Users to Application

Before you can login, users must be assigned to the application in Okta.

1. Go to Applications | Applications.
2. Select your application.
3. Select Assignments.
4. Click assign and select one or more users.

After assigning a user, you can change the username to be whatever you want. Click the edit (pencil), and enter the username for your user (this only changes the username for this specific application).

Setup Active Directory Users

You can use Active Directory users that you’ve already imported into Verify Privilege Manager.

After you’ve imported from Active Directory, you still need to add the AD users (or AD groups) to Verify Privilege Managerroles.

Match by DOMAIN\username

Ensure the username in Okta matches the Global Identity data for the user in Verify Privilege Manager.

Match by username@dnsdomainname

Ensure the username in Okta matches the Global Identity UserId in Verify Privilege Manager, and the domain name part of the username matches the DNS domain name of the domain in Verify Privilege Manager. We don’t import this directly from AD, so we have to get it from the Global Identity and AD foreign system data.