6.11 SAML v2 Integration

You can log in to the Indeni web application using the Security Assertion Markup Language (SAML) v2.0 single sign-on (SSO) protocol . SAML is an open standard protocol for authenticating users to web applications. The SAML v2 protocol is used for exchanging authentication and authorization data between the Identity Provider (IdP) and the Service Provider (the Indeni Web application). 

Please Note: This feature is available in version 7.7 or later, and only a single integration is supported. 

SAML v2 Setup

Before you begin the setup, obtain Identity Provider SSO URL, Identity Provider Issuer and the X.509 Certificate from the Identity Provider.  

Step 1: Configure SAML v2 integration

  1. Navigate to Settings > Integrations, select SSO from the ADD NEW INTEGRATIONS drop down menu.
  2. Provide the Identity Provider SSO URL. This is the endpoint on the Identity Provider side where Indeni posts SAML requests to.
  3. Provide the Identity Provider Issuer. 
  4. Provide the X.509 Certificate. Indeni needs to obtain the public certificate from the IdP to validate the signature. 
  5. Select the default role for users who log in to the Indeni Web Application using SAML v2 authentication.

Step 2: Configure the Identity Provider for Single Sign-on login to Indeni 

Provide the information below to be copied and pasted into the configuration of the Identity Provider. 

Provide this Assertion Consumer Service URL to your Identity Provider. Use this URL in your identity provider to begin the setup. 

Step 3: Login to Indeni using SSO 

You can sign in to Indeni from the Identity Provider user portal. This is known as the IdP-initiated sign-in flow. Alternatively, a user can sign in to Indeni using the Indeni login page with SAML authentication by hitting the SSO LOGIN button. This is known as the SP-initiated sign-in flow.

Assigning a Different Role other than the default

Once the user is signed in as an SSO user, a new username will be created in the user database. To associate a role other than the default role for an SSO user, navigate to Settings > Users, locate the user and modify the role.

If you cannot locate the SSO user from the user database, have the user login using SSO authentication. In order to change the role, an SSO user must already exist in the user database. 

Migration Considerations

If SSO is mandated in your environment and you want to disable local users, remove existing users from the local database as part of the migration process. Unlike LDAP & Radius, Indeni never directly interacts with the IdP. A browser acts as the agent to carry out all the redirections. Since Indeni doesn’t interact with the IdP, there is no easy way we can easily test the setup like we do with Radius and LDAP. You should first validate the SAML authentication for one user before removing remaining users from the local database.