A SAML IDP server (Security Assertion Markup Language Identity Provider) allows users to be authenticated through a locally deployed Single Sign-On (SSO) system, such as Microsoft Active Directory Federation Services. As a result, each user signs in to SSO once and is then transparently authenticated on every resource that supports SAML. UserGate can be configured as a SAML service provider and use SAML IDP servers for client authentication.
SAML IDP servers cannot provide UserGate with user properties (group membership, attributes), so if no connection to an AD domain is configured, only the Known (successfully authenticated on the SAML server) and Unknown (not authenticated) user statuses can be used in filtering policies.
To set up authentication using SAML IDP servers, perform the following steps:
Name | Description
---|---
Step 1. Create a DNS record for the UserGate server. | On a domain controller, create DNS records for your UserGate server to be used as the auth.captive domain, e.g. utm.domain.loc. As the IP address, provide the address of the UserGate interface connected to the Trusted network.
Step 2. Set up DNS servers in UserGate. | In the UserGate settings, provide the IP addresses of the domain controllers as the system DNS servers.
Step 3. Change the address of the Captive portal auth domain. | In the General settings section, replace the address of the Captive portal auth domain with the DNS record created in Step 1. For more details on how to change the Captive portal auth domain address, please refer to the General settings section.
Step 4. Set up the SAML IDP server. | Add a record for the UTM service provider on the SAML IDP server, using the FQDN that you created in Step 1.
Step 5. Create a SAML IDP authentication server for users. | Create a SAML IDP authentication server in UserGate.
To create a SAML IDP authentication server, go to Users and devices --> Authentication servers, click Add, select Add a SAML IDP server and provide the following parameters:
Name | Description
---|---
Enabled | Enables or disables the given authentication server.
Server name | Name of the authentication server.
Description | Description of the authentication server.
SAML metadata URL | URL on the SAML IDP server from which an XML file with the valid configuration for a SAML service provider (client) is downloaded. Clicking Download fills in the mandatory server configuration fields with the data from this XML file. This is the preferred configuration method for a SAML IDP authentication server. For more details on SAML servers, please refer to the corresponding documentation.
SAML IDP certificate | A certificate that will be used in the SAML client. Possible options:
Single sign-on URL | URL used by the SAML IDP server as the single login point. For more details, please refer to the documentation of the SAML IDP server that you use.
Single sign-on binding | Method for handling SSO-based logins. Possible options: POST or Redirect. For more details, please refer to the documentation of the SAML IDP server that you use.
Single logout URL | URL used by the SAML IDP server as the single logout point. For more details, please refer to the documentation of the SAML IDP server that you use.
Single logout binding | Method for handling SSO-based logouts. Possible options: POST or Redirect. For more details, please refer to the documentation of the SAML IDP server that you use.