Configure SAML Single Sign-on

Currently, SAML is only available to use to authenticate into the Asset Manager GUI, not the CLI.

Security Assertion Markup Language (SAML) is a standard for exchanging authentication and authorization data between an identity provider and a service provider in the form of XML-formatted messages—known as single sign-on (SSO). It also includes protocols, bindings and profiles. SAML2 is the most current version of the standard.

Required configuration information

In SAML terms, the SP is the service provider. In this case, that's the Asset Manager system. The IdP is the identity provider. That's Microsoft Entra ID or Okta or some other SAML provider.

At a minimum, the Asset Manager admin needs to supply the following information obtained from the IdP:

  • The IdP's entity ID

  • The IdP's sign-on service endpoint

  • The IdP's logout service endpoint (optional)

  • The IdP's x509 public certificate

The Asset Manager admin will also need to inform the IdP about Asset Manager with the following:

  • The Asset Manager entity ID ("Audience URI" in Okta – often a URL to the metadata)

  • The assertion consumer service URL (an Asset Manager API that handles the response from the IdP)

  • The logout service URL (an Asset Manager API that records the logout and perhaps redirects back to the login page)

  • Name ID Format – Email address or unspecified

  • Attributes to send to Asset Manager

Configure SAML using CLI

To use the CLI to configure SAML, the commands are:

authentication sso with no arguments shows the status as enabled or disabled. When enabled, there will be a link on the login screen to sign in using single sign-on.

authentication sso [ enable | disable ] You are only allowed to enable single sign-on if the configuration is complete.

authentication sso configure without arguments shows the current configuration values.

authentication sso upload url takes a URL pointing to a metadata file. Get this from your IdP. After uploading, you may still have to fill in some of the configuration parameters before you can enable.

authentication sso configure [ signOnService url ] [ signOnEndpoint url ] [ idpEntityID id ] [ idpPublicCertificate text ]

Each of these parameters can be entered on the same command line or multiple lines.

signOnService is the IdP’s sign-on URL that you get from your IdP administrator. It takes you to the login page.

logoutService is the IdP’s logout URL that you get from your IdP administrator. It makes sure the IdP is aware that you logged out.

SignOnEndpoint is the Asset Manager API URL that the IdP calls after authenticating the user. It must be of the form https://asset_manager_name_or_ip/api/rest/session/samlacs.

Other names for the SignOnEndpoint are redirect URL or Attribute Consumer Service (ACS).

idpEntityID is the unique identifier for the single-sign on application on the IdP. It is usually in the form of a URI.

idpPublicCertificate is the SSL certificate text (not file name) in PEM format that our system uses to decode the responses from the IdP.

SP entity ID is read-only and the value is always https://firemon.com/asset-manager/sp.

 

Once SSO is enabled, you'll see the option to use it when signing in to Asset Manager.