Configuring SSO: SAML 2.0
You can enable SSO using any identity provider that supports the SAML 2.0 authentication protocol.
Enabling SAML SSO is a multi-step process and you must complete the following configuration:
- Configure your identity provider to recognize Automation Suite as a service provider.
- Configure Automation Suite as a service provider to recognize and trust your identity provider.
- Provision users to your organization to allow them to log in with SSO using the SAML 2.0 protocol from your identity provider.
Automation Suite supports multiple identity providers.
In this section, we show how to find the specific configuration and obtain the certificates for each of the following identity providers:
- ADFS
- Google
- Okta
- PingOne
Configure a machine to support ADFS and make sure you have access to the ADFS Management software. Work with your system administrator if needed.
To enable Automation Suite as a service provider that recognizes your identity provider:
- Log in to the Automation Suite host portal as a system administrator.
- Go to Security Settings.
- In the External Providers section, click Configure for the appropriate identity provider and follow the applicable instructions to configure SAML:
- Click Save to save the changes to the external identity provider settings.
- Restart the 'identity-service-api-*' pod. This is required after making any changes to External Providers.
The following configuration is optional and is only required if you want to use one or both advanced security features for your Automation Suite installation.
ADFS, Google, and Okta all use the email address as a SAML attribute. This section handles custom SAML mapping based on either the user name or an external provider key.
The following parameters need to be configured in the SAML 2.0 settings in the External Providers section of the Security Settings page:
- External user mapping strategy - Defines the mapping strategy. The following options are available:
  - By user email - Your email address is set as the attribute. This is the default value.
  - By username - Your user name is set as the attribute.
  - By external provider key - An external provider key is set as the attribute.
- External user identifier claim name - Defines the claim to be used as an identifier for the mapping. This is only required if you set your username as the attribute.
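The example below shows what the mapping strategy decides: which value in the incoming SAML assertion is matched against the provisioned user, and that a login with no usable identifier is rejected rather than matched loosely. This is an added illustration, not Automation Suite code; the email claim URI, the use of NameID as the external provider key, and the sample assertion are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed email claim name (the URI ADFS and Okta commonly emit); adjust to your IdP.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def attributes(assertion_xml):
    """Return {Attribute Name: first AttributeValue} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        val = attr.find("saml:AttributeValue", NS)
        if val is not None and val.text:
            out[attr.get("Name")] = val.text.strip()
    return out


def name_id(assertion_xml):
    """Return the Subject NameID, or None if the assertion has none."""
    el = ET.fromstring(assertion_xml).find(".//saml:Subject/saml:NameID", NS)
    return el.text.strip() if el is not None and el.text else None


def resolve_identifier(assertion_xml, strategy="email", claim_name=None):
    """Pick the identifier the service provider matches against the provisioned user.

    strategy is 'email' (the default), 'username' or 'external_key'.
    Raises ValueError when no identifier can be derived, so the login fails closed.
    """
    attrs = attributes(assertion_xml)
    if strategy == "email":
        value = attrs.get(EMAIL_CLAIM)
    elif strategy == "username":
        if not claim_name:  # the claim name setting is required for username mapping
            raise ValueError("External user identifier claim name is not configured")
        value = attrs.get(claim_name)
    elif strategy == "external_key":
        value = name_id(assertion_xml)  # assumption: the key travels in NameID
    else:
        raise ValueError("unknown mapping strategy %r" % strategy)
    if not value:
        raise ValueError("assertion carries no identifier for strategy %r" % strategy)
    return value


# Constructed sample assertion (not a real IdP response; signature and conditions omitted).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>ext-key-0042</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="%s"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sAMAccountName"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>""" % EMAIL_CLAIM
```

Signature validation and audience/time checks are deliberately out of scope here; the resolver is only the step that runs after the assertion has been verified.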