Configuring SAML in Orchestrator

SAML configuration is only available for Orchestrator 3.1.0 and above.

Orchestrator supports one active SAML configuration at a time. If more than one SAML configuration is enabled, the first enabled configuration in the list becomes the active one.

Creating a new SAML configuration

Log in to Orchestrator.
On the top-right of the page, click the Admin dropdown and click Preferences.
In the left-side menu, click SAML Configuration.
On the SAML Configurations page, click New SAML Configuration.

Enter your information in the fields according to the table below.

New SAML Configuration Template

Field
Name	Enter a name for new configuration. This name is used by Orchestrator to differentiate between multiple SAML configurations.
Name ID format	Defaults to the following: `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` Customize as needed. The format must match format used with your IdP.
SSO target URL mapping	This is your IdP Single Sign-On URL.
Certificate	Obtained from IdP server admin.
Fingerprint	Obtained from IdP server admin. You can use this instead of the certificate to authenticate with SAML IdP.
Enable configuration	Select the checkbox to enable configuration and display the SAML option on the local login page.
Publicly visible	If selected, makes the SAML configuration publicly visible (performs the same function as "Enable configuration".
Login text	Enter message (welcome, instructions) that user sees at login
Fingerprint algorithm	Defaults to the following: `http://www.w3.org/2000/09/xmldsig#sha1` Customize as needed
Attribute for email	This value must map to the corresponding attribute in your SAML IdP's SAML response; see Configuring Your Identity Provider (IdP) for details.
Attribute for first name	This value must map to the corresponding attribute in your SAML IdP's SAML response; see Configuring Your Identity Provider (IdP) for details.
Attribute for last name	This value must map to the corresponding attributes in your SAML IdP's SAML response; see Configuring Your Identity Provider (IdP) for details.
Allowable clock drift	Optional. Enter milliseconds allowed for clock drift between Orchestrator and SAML IdP; default is `0`
Roles to be assigned	This assigns a default Orchestrator role to the SAML user. Click the plus sign () next to Group selection to expand the list. Select the checkbox next to the desired group. If, for example, you select Administrator, the `orchestrator` user created when logging in with SAML is assigned to the Orchestrator Administrator group.

When finished, click Save.
The configuration now appears in the list on the SAML Configurations page.

Finish the SAML configuration by adding the Orchestrator server metadata to the relying party file on the IdP server.

The following steps allow you to obtain the required Orchestrator metadata.

Click the Metadata button.

An XML file opens. For example:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://10.0.154.125/aspera/orchestrator/saml/metadata?=1" ID="_ab676d30-b03b-0135-65e4-0050569fd8f4">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://10.0.154.125/aspera/orchestrator/saml_response/1" index="0" isDefault="true"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>

Right-click the page and click Save as; save it as filename_metadata.xml.
Copy the XML file to the IdP server.

Important: You will need to add the SAML DNS to the list of accepted hosts.

Modifying an existing SAML configuration

To modify an existing SAML Configuration, click the More button (

) to the right of the desired configuration in the list. The context menu opens.

To edit the configuration, click Edit.\
To delete the configuration, click Destroy.