Configure Identity Providers

The Software AG My Cloud Identity Provider functionality enables you to configure identity providers that can authenticate Software AG My Cloud users. Software AG supports SAML 2.0.

Overview

Single Sign-On (SSO) is an authentication mechanism that allows users to access multiple applications by using a single ID and password.

Software AG My Cloud supports SSO, which lets you authenticate against an Identity Provider (IdP) rather than obtain and use a separate username and password. After the IdP authenticates you, it informs Software AG My Cloud, and you can access the applications without signing in with your Software AG My Cloud credentials. This makes the login process easier, faster, and more secure.

Configuring Identity Providers

  1. Log on to Software AG My Cloud as a user with Cloud-Tenant-Administrator privileges.
    In Software AG My Cloud, you can grant access to external identity provider users by assigning the default Software AG My Cloud roles to the users, or by assigning Software AG My Cloud roles to the users based on external identity provider group membership. If you want to do the latter, go to Administration > Roles and note the role names.

  2. Create the URI for connecting the external identity provider to Software AG My Cloud:

    a. Go to Administration > Single-sign on > Add identity provider.

    b. Specify the identity provider display name and unique identifier.

    c. Copy the auto-created URI that appears in the Software AG My Cloud redirect URI field to the clipboard. You can use the icon at the far right of the field to copy.

  3. Configure your identity provider using the following examples:

  4. Complete the configuration in Software AG My Cloud:

    a. Return to the Metadata page and complete the fields. If you copied the external identity provider metadata URI or saved the metadata to file, choose to import and then specify the URI or file.

    b. Click Next.

    c. Go to the Configuration page and complete the fields as necessary. If you imported the external identity provider metadata, some of the fields are pre-populated with the corresponding metadata. If you did not import metadata, the Software AG My Cloud fields map to external identity provider attributes as follows:

    Each Software AG My Cloud field is listed below with its tab, a description, and the corresponding identity provider attribute or field (none where nothing needs to be set in the identity provider).

    Tab: Metadata

      Field: Single Sign-On Type
        Description: SAML 2.0
        Identity provider attribute or field: none

      Field: Identity provider display name
        Description: Friendly name of the identity provider.
        Identity provider attribute or field: none

      Field: Identity provider unique identifier for use in Software AG My Cloud redirect URI
        Description: Unique identifier for the identity provider.
        Identity provider attribute or field: none

      Field: Software AG My Cloud redirect URI
        Description: URI that redirects external identity provider users to Software AG My Cloud.
        Identity provider attribute or field: Copy the Software AG My Cloud redirect URI to these fields:
          • Okta: Single sign on URL and Audience URI fields.
          • Azure: Reply URL and Sign on URL fields.
          • ADFS: Auto-populated under Relying Party > Endpoints > SAML Assertion Consumer Endpoints on importing the My Cloud descriptor to ADFS while adding the relying party.

    Tab: Configuration

      Field: NameID policy format
        Description: Format to use for the subjects of SAML assertions.
        Identity provider attribute or field:
          • Okta: Set the Name ID format attribute.
          • Azure: Set the Name identifier attribute.
          • ADFS: Auto-populated with the NameID format set as the Outgoing name ID format while adding claim rules to the relying party in ADFS.

      Field: Single sign-on service URL
        Description: URL of the identity provider endpoint/service to which applications must submit service requests (SAML AuthnRequests).
        Identity provider attribute or field: If you are creating the identity provider from scratch in Software AG My Cloud (as opposed to importing a configuration), copy the value from this identity provider field to the Software AG My Cloud field:
          • Okta: Identity Provider Single Sign-On URL field.
          • Azure: Login URL field.
          • ADFS: Copy the Location value under the SingleSignOnService tag in https://HOST NAME/FederationMetadata/2007-06/FederationMetadata.xml.

    Tab: Configuration (SAML advanced settings)

      Field: HTTP-POST binding response
        Description: Whether the identity provider uses HTTP-POST binding to respond to authentication requests instead of the default HTTP-Redirect binding. Default value is true.
        Identity provider attribute or field: none

      Field: HTTP-POST binding for AuthnRequest
        Description: Whether the identity provider expects applications to use HTTP-POST binding to submit authentication requests instead of the default HTTP-Redirect binding. Default value is true.
        Identity provider attribute or field: none

      Field: Assertions signed (on/off)
        Description: Whether the identity provider signs SAML assertions and sends the signed assertion.
        Identity provider attribute or field: If you set the Software AG My Cloud field to On, set this attribute as follows:
          • Okta: Set the Assertion Signature attribute to Signed.
          • Azure: Set the Signing Option attribute to Sign SAML assertion.
          • ADFS: The assertion is signed by default.

      Field: Assertions encrypted
        Description: Whether Software AG My Cloud expects an encrypted assertion from the identity provider.
        Identity provider attribute or field: If you set the Software AG My Cloud field to On, create the certificate as follows:
          i. Copy the Service Provider Descriptor URL from the Configuration tab in Software AG My Cloud and open it in a browser.
             Note: This field is visible only after the Single sign-on profile is saved.
          ii. Copy the content of the X509Certificate element from the response to a file, add the header -----BEGIN CERTIFICATE----- and the footer -----END CERTIFICATE-----, and save the file with the extension .cert.
        Then set this attribute and upload the certificate:
          • Okta: Set the Assertion Encryption attribute to On and then upload the certificate.
          • Azure: In the Token Encryption section of the application’s page, upload the certificate and then set the Activate token encryption attribute to On.
          • ADFS: Auto-populated on importing the My Cloud descriptor to ADFS while adding the relying party. If the certificate is updated later, in ADFS navigate to Relying Party > Encryption and add the new certificate.

      Field: Validate signature
        Description: Whether Software AG My Cloud validates SAML assertion signatures.
        Identity provider attribute or field: If you set the Software AG My Cloud field to On, copy the public certificate from the identity provider to the Validating X509 Certificates field in Software AG My Cloud. You can obtain the certificate as follows:
          • Okta: Use one of the following methods:
            i. Copy the X.509 Certificate from the View Setup Instructions link in the Sign-on tab of the application and remove the -----BEGIN CERTIFICATE----- header and the -----END CERTIFICATE----- footer.
            ii. Copy the X.509 Certificate from the metadata file provided at the Identity Provider Metadata link in the Sign-on tab of the application.
          • Azure: Go to Azure Active Directory > Enterprise applications > Symantec Web Security Service (WSS) > Single sign-on > SAML Signing Certificate and download the certificate provided at the Certificate (Base64) link.
          • ADFS: Auto-populated if the federation metadata was imported using a file. If the Create from scratch option was used, copy the content inside the tag in https://HOST NAME/FederationMetadata/2007-06/FederationMetadata.xml.

    Tab: Attributes

      Field: Username
        Description: Name of the SAML attribute that identifies the user.
        Identity provider attribute or field: Always the NameID attribute value in the identity provider (for example, an email address or user name).

      Field: Work email
        Description: Name of the SAML attribute that provides the user’s email address.
        Identity provider attribute or field:
          • Okta: Set the user.email attribute.
          • Azure: Set the user.mail attribute.
          • ADFS: In ADFS, navigate to Relying Party > Add Rule. In the Add Transform Claim Rule window, select the LDAP Attribute “E-Mail-Address” and set the Outgoing claim type to the same value provided in My Cloud.

      Field: First name
        Description: Name of the SAML attribute that provides the user’s first name.
        Identity provider attribute or field:
          • Okta: Set the user.firstName attribute.
          • Azure: Set the user.givenname attribute.
          • ADFS: In ADFS, navigate to Relying Party > Add Rule. In the Add Transform Claim Rule window, select the LDAP Attribute “Given Name” and set the Outgoing claim type to the same value provided in My Cloud.

      Field: Last name
        Description: Name of the SAML attribute that provides the user’s last name.
        Identity provider attribute or field:
          • Okta: Set the user.lastName attribute.
          • Azure: Set the user.surname attribute.
          • ADFS: In ADFS, navigate to Relying Party > Add Rule. In the Add Transform Claim Rule window, select the LDAP Attribute “Surname” and set the Outgoing claim type to the same value provided in My Cloud.

    Tab: Roles

      Field: Software AG My Cloud Roles
        Description: Roles set in the identity provider. The values are reflected in the SAML assertion. In the SAML assertion response, Software AG My Cloud looks for a key named “roles” to get the list of roles.
        Identity provider attribute or field:
          • Okta: Add a new key named “roles” under Group Attribute Statements and set the value to the name of the groups.
          • Azure: In the User Attributes & Claims section, add a new key named “roles” and set the value to user.assignedroles.
          • ADFS: In ADFS, navigate to Relying Party > Add Rule. In the Add Transform Claim Rule window, select Send Claims Using a Custom Rule and update the Custom rule section.
    d. Click Next.

    e. On the Attributes page, type the user attribute names you specified in the identity provider.

    f. Click Next.

    Notes:

  • Whenever a user logs in, all user attributes are updated from the external identity provider.
  • You cannot use an external identity provider user as a technical user for API authentication. Instead, use an internal user for technical API calls.

    g. On the Roles page, grant access to identity provider users either by assigning the default Software AG My Cloud roles or by assigning roles based on external identity provider group membership, as described in step 1.

    h. Save the identity provider configuration.
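The manual copy steps in the field mapping above (the SingleSignOnService Location for the Single sign-on service URL, the NameIDFormat, and the X509Certificate text with its -----BEGIN CERTIFICATE----- header and footer added) can be performed against the metadata document itself. This is an added example, not Software AG code; the metadata, host name and certificate body are constructed placeholders.

```python
import base64, textwrap, xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IdP metadata (FederationMetadata.xml layout); host and certificate body are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIBsTCCAVoCCQD
      EXAMPLEONLY==
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idp.example.test/adfs/ls/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def sso_url(xml_text, binding=REDIRECT):
    """Location of the SingleSignOnService for the binding My Cloud will use."""
    for svc in ET.fromstring(xml_text).iterfind(".//md:SingleSignOnService", NS):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    raise ValueError(f"no SingleSignOnService with binding {binding}")

def name_id_format(xml_text):
    el = ET.fromstring(xml_text).find(".//md:NameIDFormat", NS)
    return el.text.strip() if el is not None and el.text else None

def certificate_b64(xml_text, use="signing"):
    """X509Certificate text for the given KeyDescriptor use, whitespace removed and
    base64-checked: the bare form the Validating X509 Certificates field takes."""
    for kd in ET.fromstring(xml_text).iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", use) != use:  # a KeyDescriptor without 'use' serves both uses
            continue
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is not None and cert.text:
            b64 = "".join(cert.text.split())
            base64.b64decode(b64, validate=True)  # rejects a truncated or mangled copy
            return b64
    raise ValueError(f"no KeyDescriptor with use={use!r}")

def certificate_pem(xml_text, use="signing"):
    """The same certificate with PEM header and footer, ready to save as a .cert file."""
    body = "\n".join(textwrap.wrap(certificate_b64(xml_text, use), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

The same functions work on the Service Provider Descriptor from Software AG My Cloud, whose encryption certificate is the one uploaded to the identity provider when Assertions encrypted is On.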
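As an added example (not Software AG code), the following shows what Software AG My Cloud reads from the SAML response once the Attributes and Roles pages are configured: the NameID as the username, the named attributes for email and name, the multi-valued “roles” attribute checked against the role names noted in step 1, and whether the assertion carries a signature. The attribute names, the role name other than Cloud-Tenant-Administrator, and the response itself are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Attribute names as typed on the My Cloud Attributes page (constructed values; with
# ADFS they would be the Outgoing claim types entered in the transform claim rules).
ATTRIBUTE_MAP = {"work_email": "email", "first_name": "firstName", "last_name": "lastName"}
KNOWN_ROLES = {"Cloud-Tenant-Administrator", "Cloud-User"}  # noted under Administration > Roles; Cloud-User is a placeholder

# Constructed SAML response; the signature element is a placeholder, not a real XML signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>jane.doe@example.test</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="roles">
        <saml:AttributeValue>Cloud-Tenant-Administrator</saml:AttributeValue>
        <saml:AttributeValue>finance-team</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def attributes(assertion):
    """All attributes as name -> list of values; roles is the multi-valued one."""
    return {a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
            for a in assertion.iterfind(".//saml:Attribute", NS)}

def profile_from_response(xml_text):
    """The user record My Cloud derives from the assertion, plus two checks."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    attrs = attributes(assertion)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)  # Username is always the NameID
    profile = {"username": (name_id.text or "").strip() if name_id is not None else None}
    for field, saml_name in ATTRIBUTE_MAP.items():
        profile[field] = attrs.get(saml_name, [None])[0]
    roles = attrs.get("roles", [])  # the key My Cloud looks for in the assertion
    # Only names that exist under Administration > Roles grant anything; keep the rest for review
    profile["roles"] = sorted(r for r in roles if r in KNOWN_ROLES)
    profile["unknown_roles"] = sorted(r for r in roles if r not in KNOWN_ROLES)
    # Assertions signed: an unsigned assertion should be rejected, not silently accepted
    profile["signed"] = assertion.find("ds:Signature", NS) is not None
    return profile
```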