Configuring SSO: SAML 2.0
You can enable SSO using any identity provider that supports the SAML 2.0 authentication protocol.
Enabling SAML SSO is a multi-step process and you must complete the following configuration:
- Configure your identity provider to recognize Automation Suite as a service provider.
- Configure Automation Suite as a service provider to recognize and trust your identity provider.
- Provision users to your organization to allow them to log in with SSO using the SAML 2.0 protocol from your identity provider.
Automation Suite supports multiple identity providers.
In this section, we exemplify how to find the specific configuration and obtain the certificates for each of the following identity providers:
- ADFS
- Google
- Okta
- PingOne
Configure a machine to support ADFS and make sure you have access to the ADFS Management software. Work with your system administrator if needed.
To enable Automation Suite as a service provider that recognizes your identity provider:
- Log in to the Automation Suite host portal as a system administrator.
- Make sure that Host is selected at the top of the left pane and then click Security.
- Click Configure under SAML SSO and follow the instructions for the identity provider that you use:
- Click Save to save the changes and return to the previous page.
- Click the toggle to the left of SAML SSO to enable the integration.
- Restart the `identity-service-api-*` pod. This is required after making any changes to External Providers.
The following configuration is optional and is only required if you want to use one or both advanced security features for your Automation Suite installation.
ADFS, Google, and Okta all use the email address as a SAML attribute. This section handles custom SAML mapping based on either the user name or an external provider key.
The following parameters need to be set in the SAML SSO configuration in the Security page at the host level.
- External user mapping strategy - Defines the mapping strategy. The following options are available:
  - By user email - Your email address is set as the attribute. This is the default value.
  - By username - Your user name is set as the attribute.
  - By external provider key - An external provider key is set as the attribute.
- External user identifier claim name - Defines the claim to be used as an identifier for the mapping. This is only required if you set your username as the attribute.
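The following example, added here and not part of Automation Suite's own code, shows what the three mapping strategies and the claim name setting mean at the level of the SAML assertion: which value the service provider ends up treating as the user identifier, and what happens when the configuration and the assertion disagree (for instance, mapping by email while the identity provider sends only an opaque persistent NameID). The two assertions and the username claim name are constructed for illustration; the assumption that "By external provider key" reads the NameID regardless of its format is the author's, not something the page states.

```python
"""Resolve a user identifier from a SAML 2.0 assertion under each mapping strategy.

Hypothetical example code, not Automation Suite's implementation.  It assumes
the identity provider places the email address in <saml:NameID> with the
emailAddress format, and any other identifier in a <saml:Attribute> whose
Name equals the configured "External user identifier claim name".
"""
# For assertions received from the network, parse with defusedxml instead of
# the standard library parser to rule out entity-expansion attacks.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# The three strategies named on the Security page.
BY_EMAIL = "By user email"
BY_USERNAME = "By username"
BY_EXTERNAL_KEY = "By external provider key"

# Hypothetical claim name (an assumption, not a value from the page).
USERNAME_CLAIM = "http://example.com/claims/username"

# Constructed assertion 1: email in NameID plus a username attribute.
ASSERTION_EMAIL = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://example.com/claims/username">
      <saml:AttributeValue>alice.smith</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed assertion 2: only an opaque persistent NameID, no email, no attributes.
ASSERTION_PERSISTENT = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c2" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">_persistent-id-0001</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def parse_name_id(assertion_xml):
    """Return (Format, value) of the subject NameID, or (None, None) if absent."""
    root = ET.fromstring(assertion_xml)
    node = root.find("./saml:Subject/saml:NameID", NS)
    if node is None:
        return None, None
    return node.get("Format"), (node.text or "").strip()


def parse_attributes(assertion_xml):
    """Return {attribute Name: [values]} from the AttributeStatement, if any."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            (v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)
        ]
    return attrs


def resolve_identifier(assertion_xml, strategy, claim_name=None):
    """Pick the value that will be matched against provisioned users.

    Returns None when the assertion carries nothing usable under the chosen
    strategy; a real service provider would reject the login in that case.
    """
    fmt, name_id = parse_name_id(assertion_xml)
    if strategy == BY_EMAIL:
        # Default strategy: only an email-formatted NameID counts.
        return name_id if fmt == EMAIL_FORMAT and name_id else None
    if strategy == BY_EXTERNAL_KEY:
        # Assumption: the provider key is the NameID, whatever its format.
        return name_id or None
    if strategy == BY_USERNAME:
        # The claim name is mandatory for this strategy, exactly as the page says.
        if not claim_name:
            raise ValueError("'By username' requires the external user identifier claim name")
        values = parse_attributes(assertion_xml).get(claim_name, [])
        # Mapping must be unambiguous: exactly one value, or no match.
        return values[0] if len(values) == 1 and values[0] else None
    raise ValueError(f"unknown mapping strategy: {strategy!r}")


if __name__ == "__main__":
    print(resolve_identifier(ASSERTION_EMAIL, BY_EMAIL))
    print(resolve_identifier(ASSERTION_EMAIL, BY_USERNAME, USERNAME_CLAIM))
    print(resolve_identifier(ASSERTION_PERSISTENT, BY_EMAIL))
    print(resolve_identifier(ASSERTION_PERSISTENT, BY_EXTERNAL_KEY))
```

The second assertion is the case worth checking before enabling the toggle: with the default "By user email" strategy it yields no identifier at all, so users would fail to log in even though the identity provider is responding correctly. Confirming which value your provider actually sends, and matching the strategy and claim name to it, is the practical meaning of the two settings above.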