SAML Single Sign-On
SAML Single Sign-On setup and configuration
The following instructions demonstrate how to install and configure SAML 2.0 authentication using the following third-party Identity Providers (IdPs):
- Okta
- Microsoft Entra ID
- OneLogin
Establish Okta SAML IdP integration
- Access the Okta Dashboard and navigate to Applications, then select the Create App Integration button.
- Select the SAML 2.0 option, then select Next.
- On the General Settings page, complete the App name field. With one exception (explained below), choose any descriptive name that is appropriate for the application you are creating. Note: If you are configuring OneLogin-specific integration, you must start your name with MEP_ in order for the single sign on process to work correctly.
- Optional: Use the upload button in the App logo field to upload a specific image for additional application identification.
- Select the Next button to configure your SAML settings.
Configure Okta SAML settings
Once you've completed the General Settings, complete the fields in the Configure SAML page.
- In the Single sign on URL field, enter the SAML Assertion Consumer Service (ACS) URL for your MEP instance. Example: The ACS URL follows this format: https://MEP_INSTANCE_DOMAIN_NAME/saml/acs
- In the Audience URI (SP Entity ID) field, enter the SAML URL for your MEP instance. Example: The SAML URL follows this format: https://MEP_INSTANCE_DOMAIN_NAME/saml
- Leave the Default RelayState field empty.
- In the Name ID format field, select Unspecified.
- Select the Show Advanced Settings link to open more options.
- In the Response field, select Signed.
- In the Assertion Signature field, select Signed.
- Generate a self-signed X.509 certificate on your MEP install server and upload the certificate to the Signature Certificate field.
- In the Single Logout URL field, enter the logout URL for your MEP instance. Example: The logout URL follows this format: https://MEP_INSTANCE_DOMAIN_NAME/saml/slo
- In the SP Issuer field, enter the SAML URL for your MEP instance. Example: The SAML URL follows this format: https://MEP_INSTANCE_DOMAIN_NAME/saml
- Enter the following three attributes, whose values are returned with the SAML response POST. Example:
  Name | Name format | Value
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | URI Reference | user.firstName
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | URI Reference | user.lastName
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | URI Reference | user.email
- Enter the following group attribute, whose values are returned with the SAML response POST. Example:
  Name | Name format | Filter
  groups | Unspecified | Starts with MEP_
- Select Next to move to the Feedback page.
Create Okta feedback options
Select the Feedback page and complete the following steps.
- Enable the I'm an Okta customer adding an internal app option.
- Select the This is an internal app that we have created option.
- Select Finish, then navigate to the Sign On settings page.
Designate the Okta Sign On settings
Once the initial configurations are set for the SAML SSO, you create the sign-on settings.
Note: For these steps, you need the following information from above:
- Identity Provider Single Sign-On URL
- Identity Provider Single Logout URL
- Identity Provider Issuer value
- A downloaded copy of the X.509 Certificate
Then complete the following steps:
- Scroll to View SAML setup instructions in the right sidebar and select the button.
- In the How to Configure SAML2.0 for Okta SAML 2.0 IdP - UAT Application page, load the Identity Provider Single Sign-On URL, the Identity Provider Single Logout URL, the Identity Provider Issuer, and the X.509 Certificate into the appropriate fields.
- In the left sidebar, navigate to Directory > Groups to create MEP security role groups.
- Select Add Group, then enter an identifier in the Name field. You also have the option to enter a description of the role in the appropriate field.
- Repeat this process for the MEP security roles listed below. Example:
  - MEP_AlertManager
  - MEP_ApplicationAdministrator
  - MEP_ApplicationDeveloper
  - MEP_DeviceTracker
  - MEP_InstanceAdministrator
  - MEP_MobileClientAdministrator
  - MEP_MobileClientUser
  - MEP_ProductivityMonitor
  - MEP_RegisterTableDataViewer
  - MEP_RuleAdministrator
  - MEP_RuleEditor
  - MEP_SecurityAdministrator
  - MEP_StyleDesigner
  - MEP_SystemAdministrator
  - MEP_SystemMonitor
  - MEP_TransactionManager
  - MEP_UserAdministrator
  - MEP_UserPasswordReset
  - MEP_WebAPIUser
Your Okta IdP setup is complete. Further information about Okta can be found on the Okta site.
Establish Entra SAML IdP integration
- In the Microsoft Azure portal, navigate to Azure Active Directory > Enterprise applications.
- Navigate to the Browse Azure AD Gallery and select +Create your own application.
- In the right sidebar, enter the name of your application in the What's the name of your app? field. Note: Entra has no restrictions on the name of your application. Choose the most appropriate name and format for your needs.
- Ensure the Integrate any other application you don't find in the gallery (Non-gallery) option is selected.
- Select Create to begin building your application.
Create the Entra single sign on application
- Select Get started in the Set up single sign on tile.
- Select the SAML option.
- In the Basic SAML Configuration section, select Edit.
- Select Add identifier and enter the SP Entity ID for your MEP instance. Example: The SP Entity ID follows this format: https://MEP_INSTANCE_DOMAIN_NAME/saml
- Select Add reply URL and enter the Assertion Consumer Service (ACS) URL for your MEP instance. Example: The ACS URL follows this format: https://MEP_INSTANCE_DOMAIN_NAME/saml/acs
- In the Logout URL (Optional) field, enter the logout URL for your MEP instance. Example: The logout URL follows this format: https://MEP_INSTANCE_DOMAIN_NAME/saml/slo
- Select Save and close the Basic SAML Configuration sidebar.
Configure the Entra attributes and claims
- In the Attributes & Claims section, select Edit, then select +Add a group claim.
- In the Group Claims sidebar, select the Security group option and ensure the Source attribute field contains Group ID.
- Expand the Advanced options section and enter the following values:
  - Select the Filter groups option.
  - In the Attribute to match field, enter Display name.
  - In the Match with field, enter Prefix.
  - In the String field, enter MEP_.
- Select Save.
The groups claim attribute is added and is returned with the SAML Response POST.
Download SAML certificate and prepare MEP configuration
Before you configure the MEP attributes, you need to download or copy SAML information for the next phase of setup.
- In the SAML Signing Certificate section, copy and save the value in the Thumbprint field, and download and save the Certificate (Raw) component.
- In the Set up Azure SAML 2.0 IdP – QA section, copy and save the following values. Example:
  - Login URL
  - Azure AD Identifier
  - Logout URL
Create Entra MEP security role groups
- Navigate to Groups, then select New Group.
- Ensure the Group type is Security, then enter a Group name (required) and Group description (optional) for each group listed below. Select Create after entering each group to move to the next group. Example:
  - MEP_AlertManager
  - MEP_ApplicationAdministrator
  - MEP_ApplicationDeveloper
  - MEP_DeviceTracker
  - MEP_InstanceAdministrator
  - MEP_MobileClientAdministrator
  - MEP_MobileClientUser
  - MEP_ProductivityMonitor
  - MEP_RegisterTableDataViewer
  - MEP_RuleAdministrator
  - MEP_RuleEditor
  - MEP_SecurityAdministrator
  - MEP_StyleDesigner
  - MEP_SystemAdministrator
  - MEP_SystemMonitor
  - MEP_TransactionManager
  - MEP_UserAdministrator
  - MEP_UserPasswordReset
  - MEP_WebAPIUser
Your Entra IdP setup is complete. Further information about Entra can be found on the Microsoft site.
Establish OneLogin SAML IdP integration
- Log in to the OneLogin administrator portal and navigate to Applications.
- Select Add App, search for "saml custom," and select SAML Custom Connector (Advanced) from the results.
- In the Display Name field, enter a name for your application. Note: Your application name must begin with MEP_.
- Optional: Upload an image for your application.
- Select Save.
Configure OneLogin SAML settings
- Navigate to Configuration.
- In the Audience (EntityID) field, enter the SAML URL for your MEP instance. Example: The SAML URL follows this format: https://MEP_INSTANCE_DOMAIN_NAME/saml
- In the Recipient field, enter the SAML Assertion Consumer Service (ACS) URL for your MEP instance. Example: The ACS URL follows this format: https://MEP_INSTANCE_DOMAIN_NAME/saml/acs
- In the ACS (Consumer) URL Validator field, enter the SAML Assertion Consumer Service (ACS) URL for your MEP instance as a regular expression. Example: The ACS expression follows this format (replace the bracketed placeholder with your instance's domain name): ^https:\/\/[MEP_INSTANCE_DOMAIN_NAME]\/saml\/acs\/$
- In the ACS (Consumer) URL field, enter the SAML Assertion Consumer Service (ACS) URL for your MEP instance. Example: The ACS URL follows this format: https://MEP_INSTANCE_DOMAIN_NAME/saml/acs
- In the Single Logout URL field, enter the logout URL for your MEP instance. Example: The logout URL follows this format: https://MEP_INSTANCE_DOMAIN_NAME/saml/slo
- In the Login URL field, enter the URL for your MEP instance's main login page. Example: The login URL follows this format: https://MEP_INSTANCE_DOMAIN_NAME
- In the SAML initiator field, select Service Provider.
- In the SAML nameID format field, select Unspecified.
- In the SAML signature element field, select Both.
- Leave all other fields at their default values.
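As an added example (not from the original page or from OneLogin), here is how to build and check the ACS (Consumer) URL Validator expression in Python. The square brackets around MEP_INSTANCE_DOMAIN_NAME above mark a placeholder; inside a real regular expression, brackets form a character class, so substitute the escaped host name itself and make sure the pattern matches the ACS URL exactly as entered in the ACS (Consumer) URL field, trailing slash included or not. The host mep.example.com is a constructed stand-in.

```python
import re

def acs_validator_pattern(domain: str) -> str:
    """Build the OneLogin ACS (Consumer) URL Validator for one MEP instance.

    re.escape() makes the dots in the host name literal, and the ^ ... $ anchors
    reject URLs that merely contain the ACS path. The path must match the URL
    entered in the ACS (Consumer) URL field exactly (here: no trailing slash).
    """
    return r"^https://" + re.escape(domain) + r"/saml/acs$"

def naive_pattern(domain: str) -> str:
    """The same pattern without escaping: each '.' now matches any character."""
    return r"^https://" + domain + r"/saml/acs$"

def acs_url_allowed(pattern: str, url: str) -> bool:
    """True when the ACS URL named in an authentication request is accepted."""
    return re.search(pattern, url) is not None

def placeholder_is_character_class() -> bool:
    """Why the [MEP_INSTANCE_DOMAIN_NAME] placeholder must be substituted: the
    brackets form a character class matching one of the listed letters, so the
    unedited pattern accepts a one-letter host name."""
    doc_pattern = r"^https:\/\/[MEP_INSTANCE_DOMAIN_NAME]\/saml\/acs\/$"
    return re.search(doc_pattern, "https://M/saml/acs/") is not None

# Constructed example host; substitute your MEP instance's domain name.
EXAMPLE_DOMAIN = "mep.example.com"
ACCEPTED = "https://mep.example.com/saml/acs"
REJECTED = [
    "http://mep.example.com/saml/acs",                            # plain HTTP
    "https://mep.example.com/saml/acs/",                          # trailing slash not in the ACS URL
    "https://mep.example.com.evil.example/saml/acs",              # look-alike host
    "https://mepXexample.com/saml/acs",                           # only the unescaped pattern accepts this
    "https://evil.example/?next=https://mep.example.com/saml/acs",  # caught by the '^' anchor
]

def self_check() -> bool:
    """Strict pattern accepts the real ACS URL and nothing in REJECTED;
    the naive pattern lets the look-alike with an unescaped dot through."""
    strict = acs_validator_pattern(EXAMPLE_DOMAIN)
    return (acs_url_allowed(strict, ACCEPTED)
            and not any(acs_url_allowed(strict, u) for u in REJECTED)
            and acs_url_allowed(naive_pattern(EXAMPLE_DOMAIN), REJECTED[3]))

if __name__ == "__main__":
    print("validator pattern:", acs_validator_pattern(EXAMPLE_DOMAIN))
    print("self-check passed:", self_check())
```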
Add OneLogin custom parameters
- Navigate to Parameters and enter the following attributes. Example:
  Name | Format | Value
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | URI Reference | First Name
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | URI Reference | Last Name
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | URI Reference | Email
  groups | Unspecified | MemberOf
- Navigate to SSO and save the following values. Example:
  - Issuer URL
  - SAML 2.0 Endpoint (HTTP)
  - SLO Endpoint (HTTP)
- Download the X.509 certificate by selecting View Details > Download.
Note: You need these values and the certificate to configure MEP.
Create OneLogin MEP security groups
- Navigate to Users > Groups, then select New Group.
- Enter a Group Name (required) and set the Security policy to Default policy for each of the following group roles. Select Save after entering each group to move to the next group. Example:
  - MEP_AlertManager
  - MEP_ApplicationAdministrator
  - MEP_ApplicationDeveloper
  - MEP_DeviceTracker
  - MEP_InstanceAdministrator
  - MEP_MobileClientAdministrator
  - MEP_MobileClientUser
  - MEP_ProductivityMonitor
  - MEP_RegisterTableDataViewer
  - MEP_RuleAdministrator
  - MEP_RuleEditor
  - MEP_SecurityAdministrator
  - MEP_StyleDesigner
  - MEP_SystemAdministrator
  - MEP_SystemMonitor
  - MEP_TransactionManager
  - MEP_UserAdministrator
  - MEP_UserPasswordReset
  - MEP_WebAPIUser
Your OneLogin IdP setup is complete. Further information about OneLogin can be found on the OneLogin site.
Configure MEP
In order to configure your MEP instance for single sign on, you must have system administrator privileges.
- In the MEP instance your SAML 2.0 IdP was configured for, navigate to Configuration > Security Settings > SAML 2.0.
- Select the Enable SAML 2.0 option.
- Complete the configuration fields with the values you saved from earlier steps.
- Upload the X.509 certificate.
- In the JWT Signing Key field, enter an alphanumeric string of your choosing (at least 16 characters long).
- Select your IdP type from the list.
- Enter your IdP API URL.
- In the IdP App ID field, enter the client app ID.
- In the IdP App Secret field, enter the secret for your IdP that has user and group read access granted to it. Note: If your IdP's nameID SAML response assertion is configured to use something other than the user's email address, select Override User Login ID and specify the SAML assertion attribute it should use.
- Select Save and Stay, then select Sync Users to import the IdP users into MEP.
- Navigate to IdP Group/Role Mappings and select Add to display the IdP Mappings.
- In the Issuer field, select the SAML 2.0 option and choose whether to assign a default license type of Full Access User to the imported IdP users. Note: If you leave the Default License Type field as None, no licenses are assigned to the imported users.
- Select Add Group/Role to create a new mapping record for the IdP issuer.
- In the IDP Group field, enter the group attribute value returned with the IdP SAML response, then select the corresponding MEP security role value.
- Select Save.
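As an added example (not part of the original page or of the MEP product), the following Python sketch shows what the service-provider side does with the POSTed SAML Response once its Response and Assertion signatures have been verified against the IdP's X.509 certificate: it checks Destination against the ACS URL and Audience against the SP Entity ID, reads the three claim attributes configured above, keeps only the MEP_-prefixed groups, and applies the IdP Group/Role Mappings. The Response XML, the host mep.example.com and the mapping table are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
GROUP_PREFIX = "MEP_"

# Constructed, unsigned sample of a POSTed Response. A real SP verifies the Response
# and Assertion signatures (with a hardened XML parser) before trusting any of this.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="{NS['saml']}" Destination="https://mep.example.com/saml/acs">
  <saml:Assertion>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://mep.example.com/saml</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIM}givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIM}surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIM}emailaddress"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>MEP_RuleEditor</saml:AttributeValue>
        <saml:AttributeValue>Everyone</saml:AttributeValue>
        <saml:AttributeValue>MEP_Unmapped</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def extract_user(xml_text, acs_url, sp_entity_id):
    """Confirm the Response is addressed to this MEP instance, then pull out the claims."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        raise ValueError("Destination is not this instance's ACS URL")
    assertion = root.find("saml:Assertion", NS)
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp_entity_id:
        raise ValueError("Audience is not this instance's SP Entity ID")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    missing = [c for c in ("givenname", "surname", "emailaddress") if not attrs.get(CLAIM + c)]
    if missing: raise ValueError(f"missing claim(s): {missing}")
    return {"login": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),  # nameID
            "first_name": attrs[CLAIM + "givenname"][0],
            "last_name": attrs[CLAIM + "surname"][0],
            "email": attrs[CLAIM + "emailaddress"][0],
            # Only groups carrying the MEP_ prefix are candidates for role mapping.
            "groups": [g for g in attrs.get("groups", []) if g.startswith(GROUP_PREFIX)]}

def map_roles(groups, mappings):
    """Apply the IdP Group/Role Mappings (IdP group -> MEP security role); unmapped groups grant nothing."""
    return sorted({mappings[g] for g in groups if g in mappings})
```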