SAML 2.0 Authentication
About SAML 2.0
By configuring Security Assertion Markup Language (SAML) 2.0 authentication in MEP using a third-party Identity Provider (IdP), you can manage your user roles and groups on your client side. This enables you to manage your user authentications for all systems, including MEP, in one place.
Supported Identity Providers
MEP supports the following identity providers (IdPs):
- Okta
- OneLogin
- Microsoft Entra ID
Activate SAML 2.0
Note: A system administrator account is required to perform the SAML setup process.
Log in to the MEP instance where your SAML 2.0 IdP was configured, then:
- Select Configuration > Security Settings.
- Select the SAML 2.0 tab.
- Select the Enable SAML 2.0 option.
- Select Choose File next to the IdP Certificate File field label.
- Navigate to your IdP certificate file, select it, then select Upload.
  Expected result: Your IdP certificate is loaded into the MEP database instance, and the IdP Certificate Thumbprint field populates with the appropriate information.
- If you have a service provider certificate in addition to the IdP certificate, complete the following:
  - Select Choose File next to the SP Certificate File field label.
  - Navigate to your service provider certificate file, select it, then select Upload.
    Expected result: Your service provider certificate is loaded into the MEP database instance, and the SP Certificate Thumbprint field populates with the appropriate information.
  - Enter the private key for your self-signed certificate in the SP Certificate Key field.
- Select Save.
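The following pre-upload check is an added example, not MEP's own code. It computes the thumbprint that the IdP Certificate Thumbprint and SP Certificate Thumbprint fields should show after an upload, so the value can be compared against the one in the IdP console before the certificate is trusted for signature validation, and it generates and checks a JWT Signing Key of the minimum length given in the field definitions. The certificate body is a constructed placeholder rather than a real X.509 certificate; the assumption that the displayed thumbprint is SHA-1 over the DER encoding, and the distinct-character heuristic, are the example's own, not documented MEP behaviour.

```python
"""Added example (not MEP's own code): pre-upload checks for the certificate
files and the JWT signing key configured on the SAML 2.0 tab."""
import base64
import hashlib
import re
import secrets

# Constructed placeholder: the body is base64 of arbitrary bytes, not a real
# X.509 certificate, so only the PEM handling and thumbprint arithmetic are shown.
SAMPLE_DER = b"constructed sample DER bytes, not a real X.509 certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file.

    Line endings and stray whitespace are tolerated; a missing block or corrupt
    base64 raises, which is better learned here than after the upload.
    """
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(match.group(1).split())
    return base64.b64decode(body, validate=True)


def thumbprint(pem_text, algorithm="sha1", separator=""):
    """Hex digest of the certificate's DER encoding, upper-cased.

    Assumption: the thumbprint MEP shows is the usual SHA-1 over DER; pass
    algorithm="sha256" if your IdP console lists the SHA-256 form instead.
    """
    digest = hashlib.new(algorithm, pem_to_der(pem_text)).hexdigest().upper()
    return separator.join(digest[i:i + 2] for i in range(0, len(digest), 2))


MIN_JWT_KEY_LENGTH = 16  # minimum stated in the SAML 2.0 field definitions


def generate_jwt_signing_key(n_bytes=32):
    """Random URL-safe key for the JWT Signing Key field (43 chars for 32 bytes)."""
    return secrets.token_urlsafe(n_bytes)


def check_jwt_signing_key(key):
    """Return a list of problems with a candidate key; an empty list means it passes.

    The distinct-character check is a hypothetical heuristic against keys such as
    "aaaaaaaaaaaaaaaa" that satisfy the length rule but carry almost no entropy.
    """
    problems = []
    if len(key) < MIN_JWT_KEY_LENGTH:
        problems.append(f"shorter than {MIN_JWT_KEY_LENGTH} characters")
    if len(set(key)) < 8:
        problems.append("too few distinct characters to be random")
    return problems


if __name__ == "__main__":
    print("SHA-1 thumbprint:  ", thumbprint(SAMPLE_PEM, separator=":"))
    print("SHA-256 thumbprint:", thumbprint(SAMPLE_PEM, "sha256", ":"))
    key = generate_jwt_signing_key()
    print("JWT signing key:", key, check_jwt_signing_key(key) or "ok")
```

Run it against the real IdP certificate file instead of SAMPLE_PEM and compare the printed digest with the IdP Certificate Thumbprint field after the upload and with the fingerprint shown in the IdP console; a mismatch means the wrong file was uploaded or the IdP has rotated its signing certificate.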
Activate single sign-off
Single sign-off functionality completely deletes all of the IdP's cached data for the SAML session when the user logs off from MEP.
To activate this functionality, enter the sign-off URL from your service provider in the IdP Single Sign-Off URL field.
Activate the decoupled IdP user synchronization
Decoupling the user synchronization functionality from the SAML 2.0 configuration accommodates systems that use distinct identity and SAML providers.
To enable the decoupled IdP user synchronization functionality, complete the following steps:
- On the Admin > Configuration > Security Settings > SAML 2.0 page, select your IdP from the list in the IdP Type field.
- Enter your IdP instance's base URL in the IdP API URL field.
- Optional: To use a custom SAML response attribute value instead of the default value for your users' login IDs, select the Override User Login ID option, then:
  - Enter the name of the custom SAML response attribute in the Attribute Name field.
- Select Save.
Map Groups and Roles
Set your IdP group and role mappings by selecting Platform > Admin > IdP Group/Role Mappings and following the instructions in the IdP Group/Role Mappings page.
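The example below is added here and is not MEP's code; it illustrates the two mappings described in the preceding sections, the Override User Login ID / Attribute Name setting and the group-to-role mapping, by showing how a service provider reads the login ID and group values out of a SAML 2.0 Response. The Response, the attribute names (employeeNumber, groups) and the ROLE_MAP table are constructed for the example; in MEP the mapping lives on the IdP Group/Role Mappings page. The code starts after signature validation: a real SP must first verify the Response signature against the IdP certificate uploaded on the SAML 2.0 tab and check the audience, destination and validity window, otherwise every attribute below is attacker-controlled input.

```python
"""Added example (not MEP's code): extracting the login ID and mapped roles from
a SAML 2.0 Response whose signature has already been verified."""
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces used in Response and Assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample Response (unsigned, for illustration only).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.test</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="employeeNumber">
        <saml:AttributeValue>E10423</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>MEP-Operators</saml:AttributeValue>
        <saml:AttributeValue>MEP-Supervisors</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Hypothetical IdP group -> MEP role table standing in for the mappings page.
ROLE_MAP = {"MEP-Operators": "Operator", "MEP-Supervisors": "Supervisor"}


def parse_assertion(response_xml):
    """Return (NameID, {attribute name: [values]}) from a verified Response.

    ElementTree is used to stay stdlib-only; parse untrusted XML with
    defusedxml in production to rule out entity-expansion attacks.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def login_id(name_id, attrs, override_attribute=None):
    """Default behaviour: the Subject NameID is the login ID.

    With Override User Login ID set, the attribute named in Attribute Name is
    used instead; it must be present with exactly one non-empty value, so a
    missing or multi-valued attribute fails closed rather than logging in the
    wrong account.
    """
    if override_attribute is None:
        if not name_id:
            raise ValueError("Assertion has no NameID")
        return name_id.strip()
    values = attrs.get(override_attribute, [])
    if len(values) != 1 or not values[0].strip():
        raise ValueError(f"attribute {override_attribute!r} must carry exactly one value")
    return values[0].strip()


def mapped_roles(attrs, group_attribute="groups", role_map=ROLE_MAP):
    """Map IdP group values to MEP roles; groups without a mapping grant nothing."""
    return sorted({role_map[g] for g in attrs.get(group_attribute, []) if g in role_map})


if __name__ == "__main__":
    nid, attrs = parse_assertion(SAMPLE_RESPONSE)
    print("default login ID:  ", login_id(nid, attrs))
    print("override login ID: ", login_id(nid, attrs, "employeeNumber"))
    print("roles:             ", mapped_roles(attrs))
```

Note that unmapped groups are dropped rather than turned into roles by name, so a new group created on the IdP side grants no MEP access until an administrator adds it on the IdP Group/Role Mappings page.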
SAML 2.0 Field Definitions
IdP Issuer ID
The unique identification string from the identity provider.
IdP Single Sign-On URL
The internet address used to connect to the single sign-on process from the identity provider.
IdP Single Sign-Off URL
The internet address users are directed to when they log out of the MEP system.
IdP Certificate Thumbprint
The signing certificate value. This field is read-only and populates when you upload the IdP certificate to your MEP instance.
IdP Certificate File
This function enables you to upload your IdP certificate directly to the MEP system rather than manually copying it into the instance.
SP Entity ID
Your MEP instance URL with the SAML route appended to the end of the string.
SP ACS URL
Your MEP instance URL with the SAML ACS route appended to the end of the string.
SP Certificate Thumbprint
The service provider certificate value. This field is read-only and populates when you upload the service provider certificate to your MEP instance.
SP Certificate File
This function enables you to upload your service provider certificate directly to the MEP system rather than manually copying it into the instance.
SP Certificate Key
The private key that pairs with your service provider certificate. Enter it here when you upload an SP certificate.
JWT Signing Key
A randomly generated security key at least 16 characters in length.
SAML 2.0 IdP User Sync
IdP Type
Select your IdP from the list in this field.
IdP API URL
Your IdP's instance address.
IdP App ID
The unique identification for the SAML app created in the IdP.
IdP App Secret
The IdP SAML application's API token secret.
Override User Login ID
Select this option to take users' login IDs from a custom SAML response attribute instead of the default value.
Attribute Name
When Override User Login ID is selected, enter the name of the SAML response attribute that carries the login ID.
Sync IdP Users
When selected, this option connects to the SAML app in the IdP, and syncs all users associated to the app into the MEP instance.