Integration Cloud 6.1.0 | Settings | Single Sign-On | Configuring SAML Settings for Single Sign-On
 
Configuring SAML Settings for Single Sign-On
Note:
This page is not applicable if you have created your account using the Software AG Cloud sign-up page.
The Single Sign-On Configuration screen allows you to configure SAML 2.0 settings for single sign-on (SSO). To prevent modifications to the SSO configurations, the SSO settings may not be enabled in your organization.
Note:
You can access or edit the single sign-on configuration page only if you can edit the Company Information, that is, have the Manage Company Capabilities permission under Settings > Access Profiles > Administrative Permissions > Account Controls.
Note:
If you have configured SSO, the SSO Login option appears in the login page. You can click the SSO Login option to log in to Integration Cloud without providing your Username and Password.
*To configure SAML 2.0 settings for single sign-on
1. From the Integration Cloud navigation bar, click Settings > Single Sign-On.
2. Click Edit.
3. On the Update Single Sign-On Configuration screen, select SAML 2.0 in the Sign-On Using field and make the necessary modifications. Required fields are marked with an asterisk on the screen.
Field
Description
Choose Single Sign-On Type
Sign-On Using
Select the sign-on type from the drop-down list. Default is None.
Security Assertion Markup Language 2.0 (SAML 2.0) is an XML-based standard for exchanging authentication and authorization data between security domains. Integration Cloud (Service Provider) must enroll with an Identity Provider (IdP) and obtain an Identity Provider URL.
Requestor Details
Authentication Service URL
This URL is the SAML SSO link and is used to trigger the SAML based single sign-on. Use this link to login to Integration Cloud using your Identity Provider.
To login to API Gateway Cloud, add done=apiGatewayUIHome parameter to the Authentication Service URL.
To login to API Portal Cloud, add done=apiPortalUIHome parameter to the Authentication Service URL.
Assertion Consumer Service URL
This is the URL which consumes the SAML response from the Identity Provider. You need to apply this URL in the relevant field in the Identity Provider SAML configuration page.
For Oracle Access Manager (OAM), apply it in the Assertion Consumer Service URL field.
For Microsoft Azure, apply it in the Reply URL field.
For Okta, apply it in the Single sign on URL field.
RelayState for Identity Provider initiated SSO
RelayState is a parameter used by SAML protocol implementations to identify the specific resource at the resource provider, in an Identity Provider initiated single sign-on scenario. In an Identity Provider initiated single sign-on scenario, you must set the RelayState value in the Identity Provider. Test the Identity Provider initiated SSO only after configuring the RelayState.
For Oracle Access Manager (OAM), apply the RelayState value as the Return URL in the Identity Provider initiated URL.
For Microsoft Azure, send the RelayState value to Microsoft Azure AD to configure the RelayState for your application instance. See Microsoft Azure website for more information.
For Okta, apply it in the Default RelayState field.
Identity Provider Configuration
SAML Request Issuer URL
This is the Integration Cloud (Service Provider) URL used to access this tenant. This URL acts as the Service Provider ID.
For Oracle Access Manager (OAM), apply it in the Provider ID field.
For Microsoft Azure, apply it in the Identifier field.
For Okta, apply it in the Audience URI (SP Entity ID) field.
Identity Provider Details
Specify how you want to define the Identity Provider details.
Select Enter Manually if you want to manually enter the URL that uniquely identifies Integration Cloud in your SAML Identity Provider in the Issuer field.
Select Load From Identity Provider Metadata and select the metadata file to upload the IdP details.
Issuer
A URL that uniquely identifies Integration Cloud in your SAML Identity Provider. Integration Cloud (Service Provider) must enroll with an Identity Provider and obtain an Issuer URL.
If you have selected Enter Manually for Identity Provider Details, copy the URL provided by the IdP here after setting up Integration Cloud configuration in the IdP.
If you have selected Load From Identity Provider Metadata for Identity Provider Details and uploaded the IdP file, the Issuer field will be automatically populated.
For Microsoft Azure, copy the URL from the Issuer URL field.
For Oracle Access Manager (OAM), copy the URL from the Provider Id field under Federation Settings.
For Okta, copy the URL from the Identity Provider Issuer field.
Identity Provider Certificate
This is the authentication certificate (a valid x509 issuer certificate) issued by your Identity Provider and is required to sign and verify SAML messages.
If you have selected Enter Manually for Identity Provider Details, select Browse and upload a file that contains the Identity Provider’s certificate.
If you have selected Load From Identity Provider Metadata for Identity Provider Details and uploaded the IdP file, the IdP certificate will be automatically uploaded.
Identity Provider Login URL
This is the URL used to log in to the Identity Provider.
If you have selected Enter Manually for Identity Provider Details, type the URL that will be used to log in to the Identity Provider.
If you have selected Load From Identity Provider Metadata for Identity Provider Details and uploaded the IdP file, the IdP login URL will be automatically populated.
For Oracle Access Manager (OAM), the URL is http://<oamserverhost name>:14100/oamfed/idp/samlv20.
For Microsoft Azure, copy the URL from the Single sign-on service URL field.
For Okta, copy the URL from the Identity Provider Single Sign-On URL field.
User ID Type
Determines the type of identifier.
Assertion contains user's Integration Cloud username - Select this option if your Identity Provider passes the username > User Profile > Basic tab) in the SAML assertion to identify the user.
Assertion contains the Federation ID from the User Object - The Federation ID acts as a user's authentication across multiple IT systems or organizations. A federated identity means linking a person's electronic identity and attributes stored across multiple distinct identity management systems. Select this option if your Identity Provider passes the Federation ID ( > User Profile > Basic tab), to identify the user. You can add the Federation ID ( > User Profile > Basic tab) to each user’s profile after you have configured single sign-on.
User ID Location
Specifies an attribute tag that defines the location of the User ID. This is the location in the assertion where a user should be identified.
Select Subject if the User ID is located in the <Subject> statement of the assertion.
Select Attribute if the User ID is specified in an <AttributeValue>, located in the <Attribute> of the assertion. If you have selected Attribute, specify the attribute that contains the User ID in the Attribute for User ID field. If the User ID attribute is empty or does not match an existing user, then either login fails or a new user is created, depending on the Create Users setting.
Attribute for User ID
This field appears if you have selected Attribute in the User ID Location field. Specify the attribute that contains the User ID. If the User ID attribute is empty or does not match an existing user, then either login fails or a new user is created, depending on the Create Users setting.
Create Users
Select this option to create a new user when the User ID is not recognized. When selected, additional options appear where you can specify the attribute to use for the First Name, Last Name, Email, and Access Profile.
Attribute for First Name - The name of the SAML attribute that designates the user's first name.
Attribute for Last Name - The name of the SAML attribute that designates the user's last name.
Attribute for Email - The name of the SAML attribute that designates the user's email address.
Default Access Profile - This field is used to specify the default Access Profile for the created user.
Attribute for Access Profile - The name of the SAML attribute that designates the user's access profile. The attribute must contain the ID of the Access Profile. You can get the ID of the Access Profile from the Access Profiles screen (Settings > Access Profiles).
Note:
You must select Email Address as the NameID Format in the Identity Provider SSO Configuration screen.