Configuring SAML: Procedures

This article contains step-by-step procedures for configuring SAML authentication for your organization, including default SAML workspaces and shared inboxes, SAML metadata on the IdP, and SAML groups. Also included is how to configure the AoC login page with specific instructions to guide SAML users and avoid improper login actions.

For an overview of SAML authentication in Aspera on Cloud, including IdP requirements and details on default SAML workspaces, SAML groups, and SAML users, refer to Configuring SAML authentication: Overview.
Note: When you use SAML, you may consider disabling IBMid as an authentication method. Before you do, review the information in Avoid lockout when disabling IBMid.

Configuring SAML authentication

To configure SAML authentication for your Aspera on Cloud organization, do the following:

  1. In the Admin Management console, select Admin > Authentication > SAML.
  2. Click Create new.
  3. Select the checkbox labeled Enable SAML authentication.
  4. In the Name field, enter a name for this SAML configuration. The name you configure here appears in the Type column for individual SAML users (Users & Groups > Users). The name is also used in the label for the login button presented to users when they log in; see "Labeling the user login button" below.
  5. In the SSO target URL field, enter your IdP single sign-on URL.
  6. In the SAML login button label field, enter the button label to display to users on the login page.
  7. In the Instructions field, if desired, enter text to help your users select the proper login method, or any other useful message.
  8. In the Allowable clock drift field, enter the maximum drift, in seconds, that Aspera on Cloud tolerates between its own clock and the IdP's clock when it evaluates the validity window of a SAML assertion.
    If the actual drift exceeds the configured value, Aspera on Cloud rejects the SAML response and the login does not complete. Keep the value as small as your clock synchronization allows: every second of tolerance also extends the window in which a captured assertion remains acceptable.
  9. Select Fingerprint or Certificate; Aspera on Cloud needs only one of the two to verify the signatures on your IdP's SAML responses.
    1. If you select Fingerprint, enter the fingerprint of the IdP signing certificate.
      Note: The fingerprint must be generated from the certificate using the SHA-1 algorithm.
    2. If you select Certificate, enter the IdP signing certificate.
    Either value identifies one specific certificate. When your IdP rotates its signing certificate, update this setting before the old certificate is retired, or SAML logins fail.
  10. To prevent users who are not assigned to a mapped SAML group from logging in to your Aspera on Cloud organization, select Restrict login to mapped SAML group members.
  11. To apply domain-based login restrictions, do the following in the Login restrictions area of the window (for details on login restrictions, see Configuring SAML: Overview):
    1. Select Exclude domains or Include domains from the Login restrictions menu.
    2. In the field that displays, enter one or more domains (example.com).
    3. To remove a domain from the restriction list, click X on the domain row.
  12. In the Attribute mapping fields, enter the IdP attribute labels that correspond to the Aspera on Cloud field labels. For example, in the First Name field, enter given_name if your IdP uses that label for the user first name attribute. Note: These fields are not optional, even if the IdP labels are identical to the Aspera on Cloud labels.
    1. In the Email field, enter your IdP attribute label for user email addresses.
    2. In the First name field, enter your IdP attribute label for user first or given name.
    3. In the Last name field, enter your IdP attribute label for user last name or surname.
    4. In the Member of field, enter your IdP attribute label for user SAML group membership.
  13. Click Create.
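The values that steps 5, 8 and 9 ask for usually come from the IdP's metadata document, which carries the certificate as bare base64 DER rather than as a PEM file or a fingerprint. The following Python is an added example, not Aspera on Cloud code: it extracts the signing certificate(s) and SSO endpoints from IdP metadata, produces both the PEM form for the Certificate field and the SHA-1 fingerprint for the Fingerprint field, and shows how an allowable clock drift widens an assertion's validity window. The metadata is constructed, and its X509Certificate bodies are placeholder bytes rather than real DER certificates, so the fingerprints computed here are never ones you would enter; the drift check is an assumed model of how a service provider evaluates NotBefore/NotOnOrAfter, not a description of Aspera on Cloud internals.

```python
"""Pull the step 5 and step 9 values out of IdP metadata and check an
assertion's validity window against the step 8 clock drift.

Added example, not Aspera on Cloud code. SAMPLE_IDP_METADATA is constructed;
its X509Certificate bodies are placeholder bytes, not real DER certificates.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed metadata in the shape most IdPs export: one signing key, one
# encryption key, two SSO endpoints. Only the signing certificate belongs in
# the Fingerprint/Certificate field of the Aspera on Cloud form.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        YWJj
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>eHl6</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def signing_certs_der(metadata_xml: str) -> list:
    """DER bytes of every signing certificate in the IdP metadata.

    A KeyDescriptor without `use` may sign as well as encrypt, so it is kept;
    `use="encryption"` keys are skipped. More than one result means the IdP is
    mid-rotation and a single fingerprint will match only one of them.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Metadata folds the base64 body across lines; drop all whitespace first.
            certs.append(base64.b64decode(re.sub(r"\s+", "", cert.text or "")))
    return certs


def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-1 over the DER encoding, the form that
    `openssl x509 -noout -fingerprint -sha1` prints for the Fingerprint field."""
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM envelope, 64 characters per line, for the Certificate field."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def sso_urls(metadata_xml: str) -> dict:
    """Binding URI -> Location for each SingleSignOnService (step 5). The page
    does not say which binding Aspera on Cloud uses, so choose from the result."""
    root = ET.fromstring(metadata_xml)
    return {svc.get("Binding"): svc.get("Location")
            for svc in root.iterfind(".//md:IDPSSODescriptor/md:SingleSignOnService", NS)}


def within_validity(not_before: str, not_on_or_after: str, now: str, drift_seconds: int) -> bool:
    """Evaluate an assertion's <Conditions> window (ISO 8601 timestamps) with
    the allowable drift applied on both edges. Assumed model, not AoC internals:
    each extra second of drift keeps a replayed assertion acceptable one second
    longer past NotOnOrAfter."""
    def parse(ts: str) -> datetime:
        return datetime.fromisoformat(ts.replace("Z", "+00:00"))
    slack = timedelta(seconds=drift_seconds)
    return parse(not_before) - slack <= parse(now) < parse(not_on_or_after) + slack
```

Run `signing_certs_der` on the metadata your IdP exports, paste `to_pem(...)` into the Certificate field or `sha1_fingerprint(...)` into the Fingerprint field, and repeat whenever the IdP publishes a new signing certificate. If the function returns two certificates, the IdP is rotating keys; pasting the full certificate is no different from the fingerprint in that respect, since both pin exactly one certificate.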

Configuring default SAML workspaces and shared inboxes

After the SAML instance is created you can configure workspaces and shared inboxes for your SAML users.

  1. Click the row of the SAML instance to open the record, then click Workspace memberships > Add workspaces.
  2. Select the role for these SAML users in this workspace: Member or Workspace manager.
  3. Enter the workspace name.
  4. Click Add.
  5. To add a shared inbox, do the following:
    1. Click the row of the workspace.
    2. Select the intended shared inboxes.
    3. Click Add.

Configuring SAML metadata on the IdP

Once SAML authentication configuration is complete, Aspera on Cloud generates the SAML metadata and displays it in the SAML Metadata panel. You must copy this metadata and apply it to your SAML IdP. Trust is established in both directions by configuration, not negotiated at run time: the IdP accepts requests from Aspera on Cloud because it holds this metadata, and Aspera on Cloud accepts the IdP's responses because it holds the IdP certificate (or fingerprint) and SSO target URL you entered. Only when both sides are configured can SAML users authenticate at their IdP to gain login access to Aspera on Cloud.

Configuring Aspera on Cloud SAML groups

To configure an Aspera on Cloud SAML group, do the following:

  1. Go to Groups > Create new.
  2. Enter a group name and optional description.
  3. Select Make this group a SAML group.
  4. Enter the Distinguished Name (DN) of the IdP group, exactly as defined at the IdP, to map to this Aspera on Cloud group. Matching is exact: the value the IdP sends in the attribute you mapped as Member of must be identical to this DN, including case and spacing.
  5. Click Create.
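The attribute mapping in step 12, the login restrictions in steps 10 and 11, and the group DN mapping above all act on the same assertion at login time. The following Python is an added example, not Aspera on Cloud code, showing how those settings fit together: it reads the attributes from a constructed assertion, resolves them through a mapping like the one entered in step 12, applies a domain restriction, matches memberOf values against configured group DNs, and enforces Restrict login to mapped SAML group members. The assertion, mapping and group list are constructed; the assumptions that the form labels are matched against the assertion's Attribute Name, that domain restrictions compare the exact domain after the last "@" case-insensitively, and that the domain check runs before the group check are illustrative, since the page does not describe how the service combines these settings.

```python
"""Apply the step 12 attribute mapping, the step 11 domain restriction and the
SAML-group DN mapping to an assertion, then decide whether the login proceeds.

Added example, not Aspera on Cloud code. The assertion, mapping, group list
and decision order are constructed for illustration.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Step 12: Aspera on Cloud field -> attribute label as the IdP emits it.
# Assumption: the label is matched against Attribute/@Name in the assertion.
ATTRIBUTE_MAPPING = {
    "email": "mail",
    "first_name": "given_name",
    "last_name": "sn",
    "member_of": "memberOf",
}

# Mapped SAML groups: AoC group name -> DN typed into the group record.
# "Sales" deliberately differs from the IdP's value in case, so it will not map.
SAML_GROUPS = {
    "Finance": "CN=Finance,OU=Groups,DC=example,DC=com",
    "Sales": "cn=sales,ou=groups,dc=example,dc=com",
}

# Constructed assertion body; signature and Conditions are omitted and assumed
# to have been verified before any of this runs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="given_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=Finance,OU=Groups,DC=example,DC=com</saml:AttributeValue>
      <saml:AttributeValue>CN=Sales,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def assertion_attributes(xml_text: str) -> dict:
    """Attribute Name -> list of values, merged across AttributeStatements."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def map_user(attrs: dict, mapping: dict) -> dict:
    """Resolve the four AoC fields through the mapping. Every mapping is
    mandatory in the form, so a missing or multi-valued email/name is an
    error; member_of is naturally multi-valued and may be empty."""
    user = {}
    for field, idp_name in mapping.items():
        values = attrs.get(idp_name, [])
        if field == "member_of":
            user[field] = values
        elif len(values) != 1:
            raise ValueError(f"attribute {idp_name!r} ({field}) missing or multi-valued")
        else:
            user[field] = values[0]
    return user


def domain_allowed(email: str, mode, domains: list) -> bool:
    """Step 11. mode is "include", "exclude" or None. Assumption: exact match
    on the domain after the last '@', case-insensitive, no subdomain matching."""
    domain = email.rpartition("@")[2].lower()
    listed = domain in {d.lower() for d in domains}
    if mode == "include":
        return listed
    if mode == "exclude":
        return not listed
    return True


def mapped_groups(user: dict, saml_groups: dict) -> list:
    """AoC groups whose configured DN equals a memberOf value exactly. A DN
    that differs only in case or spacing does not map, which is why the group
    record must carry the DN exactly as the IdP sends it."""
    by_dn = {dn: name for name, dn in saml_groups.items()}
    return sorted(by_dn[dn] for dn in user["member_of"] if dn in by_dn)


def login_decision(user: dict, saml_groups: dict, restrict_to_mapped: bool,
                   domain_mode=None, domains=()) -> dict:
    """Combine step 10 and step 11 (order assumed) into one allow/deny result."""
    if not domain_allowed(user["email"], domain_mode, list(domains)):
        return {"allowed": False, "reason": "domain restriction", "groups": []}
    groups = mapped_groups(user, saml_groups)
    if restrict_to_mapped and not groups:
        return {"allowed": False, "reason": "not in a mapped SAML group", "groups": []}
    return {"allowed": True, "reason": None, "groups": groups}
```

The constructed user is in two IdP groups but maps to only one AoC group, because the "Sales" record was entered in lower case. With Restrict login to mapped SAML group members selected, a user whose memberOf values match none of the configured DNs is refused even though the IdP authenticated them, so a typo in a group DN locks out everyone who depends on that group.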

Labeling the user login button

Once you complete SAML configuration, a button for your SAML instance displays on the Aspera on Cloud login page. You can configure the label for that button to ensure users authenticate against the proper authentication instance.

By default, the login button for your SAML instance displays the text "Sign in with <saml_instance_name>". To customize this label, do the following:

  1. Go to Admin > Authentication > SAML, then click the row of the intended SAML instance.
  2. In the SAML login button label field, customize the label as desired.
  3. To provide additional guidance to users about this login method, enter text in the Instructions field.
    To change the order of authentication options presented on the login page, go to Organization > Profile and branding > Login options.
  4. Click Save.