6.3.4. SAML IDP authentication server

A SAML IDP server (Security Assertion Markup Language Identity Provider) allows authenticating users against locally deployed Single Sign-On (SSO) systems, such as Microsoft Active Directory Federation Service. As a result, each user signs in to the SSO system once and is then transparently authenticated on every resource that supports SAML. UserGate can be configured as a SAML service provider and use SAML IDP servers for client authentication.

SAML IDP servers cannot provide UserGate with user properties. Therefore, unless a connection to an AD domain is also set up, filtering policies can only match users by the Known (successfully authenticated on the SAML server) or Unknown (not authenticated) status.

To set up authentication using SAML IDP servers, perform the following steps:


Step 1. Create a DNS record for the UserGate server.

On a domain controller, create DNS records for your UserGate server to be used as the Captive portal auth domain, e.g. utm.domain.loc. As the IP address, provide the address of the UserGate interface connected to the Trusted network.

Step 2. Set up DNS servers in UserGate.

In the UserGate settings, provide the IP addresses of the domain controller as the system DNS servers.

Step 3. Change the address for Captive portal auth domain.

Replace the address of the Captive portal auth domain in the General settings section with the DNS record created in Step 1. For more details on how to change the Captive portal auth domain address, please refer to the General settings section.

Step 4. Set up the SAML IDP server.

Add a record for the UserGate (UTM) service provider on the SAML IDP server, using the FQDN that you created in Step 1 as its name.

Step 5. Create a SAML IDP authentication server for users.

Create a SAML IDP authentication server in UserGate.

To create a SAML IDP authentication server, go to Users and devices → Authentication servers, click Add, select Add a SAML IDP server and provide the following parameters:


Enabled

Enables or disables a given authentication server.

Server name

Name of the authentication server.

Description

Description of the authentication server.

SAML metadata URL

URL on the SAML IDP server for downloading an XML file with the valid configuration for a SAML service provider (client). Clicking Download fills in the mandatory server configuration fields with the data from this XML file. This is the preferred configuration method for a SAML IDP authentication server. For more details on SAML servers, please refer to the corresponding documentation.

SAML IDP certificate

The IDP certificate that the SAML client (UserGate acting as the service provider) will use; in SAML, this is the certificate against which the service provider verifies the signatures on the assertions returned by the IDP server. Possible options:

  • Create a new certificate from the downloaded one: if you configured the server by downloading the XML file, the certificate is created automatically and assigned the SAML IDP role (see the Certificates section).

  • Use an existing certificate: the certificate must already be created or imported in the Certificates section and must not have any role assigned. Once the authentication server is up and running, this certificate will be assigned the SAML IDP role.

  • Do not use certificates.

Single sign-on URL

URL used in the SAML IDP server as a single login point. For more details, please refer to the documentation of the SAML IDP server that you use.

Single sign-on binding

A method for handling SSO-based logins. Possible options: POST or Redirect. For more details, please refer to the documentation of the SAML IDP server that you use.

Single logout URL

URL used in the SAML IDP server as a single logout point. For more details, please refer to the documentation of the SAML IDP server that you use.

Single logout binding

A method for handling SSO-based logouts. Possible options: POST or Redirect. For more details, please refer to the documentation of the SAML IDP server that you use.
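As an added example (not UserGate's or any IDP vendor's code), the following Python script does in code what the SAML metadata URL field's Download button and the SSO/SLO URL and binding fields describe: it parses a constructed IDP metadata document, extracts the entity ID, the single sign-on and single logout endpoints per binding and the signing certificate, maps the POST / Redirect choice from the form to the matching endpoint, and shows how an SP-initiated request is carried differently by the two bindings. The host idp.example.loc, the service-provider URLs under utm.domain.loc, the request ID and the certificate bytes are placeholders; the metadata is a constructed sample and is much shorter than what a real AD FS server publishes.

```python
# Added example, not UserGate code: parse IdP metadata, select endpoints by
# binding, and encode an SP-initiated AuthnRequest for POST and Redirect.
import base64
import hashlib
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# The two choices the UserGate form offers, mapped to their SAML binding URIs.
BINDINGS = {"POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}

# Constructed sample of what an IdP serves at its metadata URL (hypothetical
# host, placeholder certificate bytes).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.loc/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>UExBQ0VIT0xERVItREVSLUJZVEVT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.loc/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.loc/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.loc/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Pull out what the service provider needs: entity ID, endpoints per binding, signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; this is not IdP metadata")

    def endpoints(tag):
        return {e.get("Binding"): e.get("Location") for e in idp.findall("md:" + tag, NS)}

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means signing and encryption
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))
    if not certs:
        # Without the IdP signing certificate the SP cannot verify assertion signatures.
        raise ValueError("metadata carries no signing certificate")
    return {"entity_id": root.get("entityID"), "sso": endpoints("SingleSignOnService"),
            "slo": endpoints("SingleLogoutService"), "signing_certs": certs}


def cert_fingerprint(b64_der):
    """SHA-256 of the DER certificate, to compare out of band with the IdP administrator."""
    return hashlib.sha256(base64.b64decode(b64_der)).hexdigest()


def select_endpoint(endpoints, binding_name):
    """Map the form choice (POST / Redirect) to a binding URI and the IdP location for it."""
    uri = BINDINGS[binding_name]
    if uri not in endpoints:
        raise ValueError(f"IdP metadata offers no {binding_name} binding for this service")
    return uri, endpoints[uri]


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id=None, issue_instant=None):
    """Minimal unsigned SP-initiated AuthnRequest; the ID must be unique and start with a letter or '_'."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
            f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
            'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')


def encode_request(request_xml, binding_name, relay_state=None):
    """Redirect: raw DEFLATE + base64 in the query string. POST: base64 in a form body."""
    if binding_name == "Redirect":
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
        payload = base64.b64encode(comp.compress(request_xml.encode()) + comp.flush()).decode()
        params = {"SAMLRequest": payload}
        if relay_state:
            params["RelayState"] = relay_state
        return urlencode(params)  # appended after '?' to the single sign-on URL
    if binding_name == "POST":
        params = {"SAMLRequest": base64.b64encode(request_xml.encode()).decode()}
        if relay_state:
            params["RelayState"] = relay_state
        return params  # hidden fields of an auto-submitted HTML form
    raise ValueError(f"unknown binding {binding_name}")


def decode_request(encoded, binding_name):
    """Inverse of encode_request, for checking what the service provider actually sends."""
    if binding_name == "Redirect":
        raw = base64.b64decode(parse_qs(encoded)["SAMLRequest"][0])
        return zlib.decompress(raw, -15).decode()
    return base64.b64decode(encoded["SAMLRequest"]).decode()


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    _, sso_url = select_endpoint(meta["sso"], "Redirect")
    print(meta["entity_id"], "signing cert sha256:", cert_fingerprint(meta["signing_certs"][0]))
    req = build_authn_request("https://utm.domain.loc/saml", "https://utm.domain.loc/saml/acs", sso_url)
    print("GET", sso_url + "?" + encode_request(req, "Redirect", relay_state="captive"))
```

Two points the script makes visible. First, everything the service provider trusts about the IDP (its endpoints and the certificate used to verify assertion signatures) comes from the metadata document, so the SAML metadata URL should be fetched over HTTPS from a server you control, and the certificate fingerprint is worth confirming with the IDP administrator before the server goes live. Second, the binding selected in the form must be one the IDP actually advertises; in the sample the single logout service is published only with the POST binding, so selecting Redirect for logout raises an error instead of silently producing a request the IDP will reject.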