Configuring SAML in Orchestrator

SAML configuration is only available for Orchestrator 3.1.0 and above.

Orchestrator supports one active SAML configuration at a time. If more than one SAML configuration is enabled, the first enabled configuration in the list becomes the active one.

Creating a new SAML configuration

  1. Log in to Orchestrator.
  2. On the top-right of the page, click the Admin dropdown and click Preferences.
  3. In the left-side menu, click SAML Configuration.
  4. On the SAML Configurations page, click New SAML Configuration.
  5. Enter your information in the fields according to the table below.
    New SAML Configuration Template
    Field: Description
    Name: Enter a name for the new configuration. Orchestrator uses this name to differentiate between multiple SAML configurations.
    Name ID format: Defaults to the following:
      urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
      Customize as needed. The format must match the format used by your IdP.
    SSO target URL mapping: Your IdP's Single Sign-On URL.
    Certificate: Obtained from the IdP server administrator.
    Fingerprint: Obtained from the IdP server administrator. You can use this instead of the certificate to authenticate with the SAML IdP.
    Enable configuration: Select the checkbox to enable the configuration and display the SAML option on the local login page.
    Publicly visible: If selected, makes the SAML configuration publicly visible (performs the same function as "Enable configuration").
    Login text: Enter the message (welcome text, instructions) that users see at login.
    Fingerprint algorithm: Defaults to the following:
      http://www.w3.org/2000/09/xmldsig#sha1
      Customize as needed.
    Attribute for email: This value must map to the corresponding attribute in your SAML IdP's SAML response; see Configuring Your Identity Provider (IdP) for details.
    Attribute for first name: This value must map to the corresponding attribute in your SAML IdP's SAML response; see Configuring Your Identity Provider (IdP) for details.
    Attribute for last name: This value must map to the corresponding attribute in your SAML IdP's SAML response; see Configuring Your Identity Provider (IdP) for details.
    Allowable clock drift: Optional. Enter the number of milliseconds of clock drift allowed between Orchestrator and the SAML IdP; the default is 0.
    Roles to be assigned: Assigns a default Orchestrator role to the SAML user. Click the plus sign next to Group selection to expand the list, then select the checkbox next to the desired group. If, for example, you select Administrator, the Orchestrator user created when logging in with SAML is assigned to the Orchestrator Administrator group.
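    Two of the fields above, Fingerprint (with its Fingerprint algorithm) and Allowable clock drift, are easy to get subtly wrong when copying values between the IdP administrator and Orchestrator. The following added example, which is not Orchestrator code and is not part of this page's original content, shows what each field means in practice: it computes a certificate fingerprint from a PEM certificate using the xmldsig algorithm URI from the table and compares it constant-time to a configured value, and it applies a SAML validity window (Conditions NotBefore / NotOnOrAfter) widened by an allowable drift in milliseconds. The certificate bytes and timestamps are constructed test data, and the SHA-256 URI is listed as an assumption about what an IdP and SP may agree on, not a value taken from this page.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta

# xmldsig algorithm URIs as they appear in the "Fingerprint algorithm" field,
# mapped to hashlib constructors. The SHA-1 URI is the default quoted on the
# page; the SHA-256 URI is the standard xmlenc identifier and is included as an
# assumption about what the IdP and SP may both support.
FINGERPRINT_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1,
    "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256,
}
SHA1_URI = "http://www.w3.org/2000/09/xmldsig#sha1"

# Constructed stand-in for the IdP signing certificate. A real PEM body is the
# base64 of DER; these bytes are arbitrary and only exercise the hashing path.
SAMPLE_IDP_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed-idp-certificate-der-bytes").decode()
    + "\n-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the certificate body."""
    body = "".join(
        line.strip()
        for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body)


def certificate_fingerprint(pem: str, algorithm_uri: str) -> str:
    """Return the colon-separated, upper-case hex fingerprint of the DER cert,
    hashed with the algorithm named by an xmldsig/xmlenc URI."""
    try:
        digest_ctor = FINGERPRINT_ALGORITHMS[algorithm_uri]
    except KeyError:
        raise ValueError(f"unsupported fingerprint algorithm: {algorithm_uri}")
    digest = digest_ctor(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(pem: str, configured: str, algorithm_uri: str) -> bool:
    """Compare a configured fingerprint against the certificate.

    Colons, spaces and case are normalised so that "ab:cd" and "ABCD" agree,
    and the comparison itself is constant-time.
    """
    def normalise(fp: str) -> str:
        return fp.replace(":", "").replace(" ", "").lower()

    actual = normalise(certificate_fingerprint(pem, algorithm_uri))
    return hmac.compare_digest(actual, normalise(configured))


def parse_saml_instant(value: str) -> datetime:
    """Parse a SAML xs:dateTime such as 2024-05-01T12:00:00Z (UTC)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def assertion_window_valid(not_before: str, not_on_or_after: str,
                           now: str, drift_ms: int = 0) -> bool:
    """Apply SAML Conditions with an allowable clock drift in milliseconds.

    drift_ms widens the window on both sides, which is the effect of the
    "Allowable clock drift" field; with the default of 0 the SP and IdP
    clocks must agree exactly. NotOnOrAfter is exclusive, as in the spec.
    """
    drift = timedelta(milliseconds=drift_ms)
    lower = parse_saml_instant(not_before) - drift
    upper = parse_saml_instant(not_on_or_after) + drift
    return lower <= parse_saml_instant(now) < upper
```

    A useful side effect of `assertion_window_valid` is that it turns a failed login into a concrete diagnosis: if an assertion is rejected with drift 0 but accepted with a few seconds of drift, the SP and IdP clocks disagree and NTP, not the SAML configuration, is what needs fixing.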
  6. When finished, click Save.
    The configuration now appears in the list on the SAML Configurations page.
  7. Finish the SAML configuration by adding the Orchestrator server metadata to the relying party file on the IdP server.
    The following steps allow you to obtain the required Orchestrator metadata.
    1. Click the Metadata button.
      An XML file opens. For example:
      <?xml version="1.0" encoding="UTF-8"?>
      <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://10.0.154.125/aspera/orchestrator/saml/metadata?=1" ID="_ab676d30-b03b-0135-65e4-0050569fd8f4">
        <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
          <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
          <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://10.0.154.125/aspera/orchestrator/saml_response/1" index="0" isDefault="true"/>
        </md:SPSSODescriptor>
      </md:EntityDescriptor>
    2. Right-click the page and click Save as; save it as filename_metadata.xml.
    3. Copy the XML file to the IdP server.
    Important: You will need to add the SAML DNS to the list of accepted hosts.
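    When you hand the metadata file to the IdP administrator, the values they need for the relying-party entry are the entityID, the AssertionConsumerService Location and Binding, and the NameIDFormat, and the two signing flags on SPSSODescriptor tell them what the SP declares about signatures. The following added example (not Orchestrator code and not part of the original page) parses an SP metadata document of the shape shown above, extracts those values, and lists the points worth confirming with the IdP administrator before go-live. The embedded XML is a constructed copy of the page's example metadata; the entityID, Location and ID values are the page's own example values, not a live host.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed copy of the metadata shape shown in the procedure above.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://10.0.154.125/aspera/orchestrator/saml/metadata?=1" ID="_ab676d30-b03b-0135-65e4-0050569fd8f4">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://10.0.154.125/aspera/orchestrator/saml_response/1" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _md(tag: str) -> str:
    """Qualify a tag name with the SAML metadata namespace for ElementTree."""
    return f"{{{MD_NS}}}{tag}"


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract the relying-party values an IdP administrator needs from
    SP metadata, plus the SP's declared signing requirements."""
    # Encode to bytes so the XML declaration's encoding is honoured by expat.
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != _md("EntityDescriptor"):
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    sp = root.find(_md("SPSSODescriptor"))
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")

    acs = [
        {
            "binding": e.get("Binding"),
            "location": e.get("Location"),
            "index": int(e.get("index", "0")),
            "default": e.get("isDefault") == "true",
        }
        for e in sp.findall(_md("AssertionConsumerService"))
    ]
    return {
        "entity_id": root.get("entityID"),
        "name_id_formats": [
            e.text.strip() for e in sp.findall(_md("NameIDFormat")) if e.text
        ],
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "acs": acs,
    }


def review_sp_metadata(info: dict) -> list:
    """Return the points to confirm with the IdP administrator, derived only
    from what the metadata itself declares."""
    findings = []
    if not info["want_assertions_signed"]:
        findings.append(
            "WantAssertionsSigned is false: the SP metadata does not declare "
            "that assertions must be signed; confirm the IdP signs them anyway"
        )
    if not info["authn_requests_signed"]:
        findings.append(
            "AuthnRequestsSigned is false: AuthnRequests to the IdP are unsigned"
        )
    endpoints = [info["entity_id"]] + [a["location"] for a in info["acs"]]
    for url in endpoints:
        if url and url.startswith("http://"):
            findings.append(f"plain-http endpoint in metadata: {url}")
    if not any(a["default"] for a in info["acs"]):
        findings.append("no AssertionConsumerService is marked isDefault")
    return findings


if __name__ == "__main__":
    details = parse_sp_metadata(SAMPLE_SP_METADATA)
    print("entityID:", details["entity_id"])
    for endpoint in details["acs"]:
        print("ACS:", endpoint["binding"], endpoint["location"])
    print("NameIDFormat:", ", ".join(details["name_id_formats"]))
    for finding in review_sp_metadata(details):
        print("confirm:", finding)
```

    The entityID and ACS Location are exactly the values that go into the IdP's relying-party (service provider) entry, and they must match what Orchestrator serves character for character, including the `?=1` suffix and the `/1` path element, or the IdP will reject the AuthnRequest or post the response to the wrong endpoint.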

Modifying an existing SAML configuration

To modify an existing SAML configuration, click the More button to the right of the desired configuration in the list. The context menu opens.
  • To edit the configuration, click Edit.
  • To delete the configuration, click Destroy.