Adding a SAML Enterprise identity source

You can use any identity provider that supports the SAML protocol as a SAML Enterprise identity source. The identity provider authenticates the user identity against data in this identity source before it grants access to Verify.

Procedure

  1. Click Add Identity Source. The Add Identity Source dialog box is displayed.
  2. Select SAML Enterprise and click Next.
  3. Specify the basic information.
    Table 1. Basic information

    Name
      The name that you assign to represent the user registry that is used by identity providers such as Microsoft Active Directory, Microsoft Azure Active Directory, or others.

      If more than one identity source is configured and enabled, the identity source name is displayed on the Verify Sign In page.

      This name is also displayed in the Users & Groups > Users tab, in the Add User dialog box, when you select an Identity Source.

    Realm
      An identity source attribute that distinguishes users from different identity sources who have the same user name.

      It must be unique across all other configured identity sources in your subscription. The name can contain any alphanumeric characters. Special characters are not allowed except for dot (.) and hyphen (-).

      The maximum allowed string length is 253, the same as the maximum length of a domain name.
      Note: You cannot edit the name after you create it.

    Enabled
      Indicates whether the identity source is active and available.

      When the identity source is configured and enabled, users can single sign-on to Verify and into their entitled applications with the selected identity source. If the identity source is not enabled, it is not displayed as an option on the Sign In page.
      Note:
      • At least one identity source must be enabled to sign in to Verify.
      • If only one identity source is enabled, it becomes the default sign-in option for the user.

    Identity Linking: Enabled
      Turns on identity linking for this identity source. Shadow accounts are not created in Cloud Directory in the realm that was specified for this identity source.
      Note:
      1. You cannot enable linking on the identity source that is set as your default identity source.
      2. You cannot disable or delete your default linking identity source.

    Unique User Identifier
      The user attribute in the federated identity token that acts as the user name for the account in Cloud Directory.

    Enable JIT Provisioning
      Creates and updates the user account in the primary identity source realm that is associated with the SAML identity.
  4. Specify whether the single sign-on is initiated by the identity provider or the service provider.
    Table 2. Single sign-on flow

    Service Provider
      Service provider-initiated (SP-initiated) sign-on. In this scenario:
      1. The user has an account at the service provider site.
      2. The user attempts to access the protected resource from the service provider.
      3. The service provider initiates a SAML authentication request to the identity provider. The service provider redirects the user's browser to the identity provider.
      4. The user signs in.
      5. The identity provider generates a SAML authentication response that asserts that the user is authenticated.
      6. The service provider validates the SAML authentication response.
      7. The user's browser is redirected to the service provider target URL and the user is authorized to access the requested resource.

    Identity Provider
      Identity provider-initiated (IdP-initiated) sign-on. In this scenario:
      1. The user has an account at the identity provider site.
      2. The user signs in to the identity provider site or uses the identity provider single sign-on URL to access the protected resource from the service provider.
      3. The identity provider initiates a SAML authentication response that asserts that the user is authenticated.
      4. The service provider validates the SAML authentication response.
      5. The user's browser is redirected to the service provider target URL and the user is authorized to access the requested resource.

    SSO URL
      Required only if single sign-on is initiated by the Identity Provider.

      The URL that initiates single sign-on from the identity provider to the service provider.

  5. Browse for the identity provider metadata file (.xml) or drag it into the drop area.
    The name of the Selected File is displayed.
  6. Provide the identity provider with the following service provider metadata properties. You can either copy the information or download the metadata file.
    Table 3. Service provider metadata properties

    Entity ID
      Specifies the issuer in the SAML authentication request and the audience of any inbound SAML authentication response.

    Assertion Consumer Service URL
      Specifies the endpoint at the service provider that receives the SAML authentication response.

      The identity provider redirects the SAML authentication response to this URL. This endpoint receives and processes the SAML assertion.
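As an added illustration (not IBM Security Verify code) of why the Table 3 properties matter, the following checks bind an inbound SAML response to the service provider's Entity ID and Assertion Consumer Service URL; the `check_response` helper, the sample response and all URLs in it are constructed placeholders, and XML signature verification is assumed to have already passed.

```python
# Added example (not IBM Security Verify code): service-provider-side checks that
# bind an inbound SAML response to the Table 3 properties. Signature verification
# is assumed to have already passed; these checks are applied after it.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_response(response_xml, sp_entity_id, acs_url, idp_entity_id):
    """Return a list of problems; an empty list means the response is bound to this SP."""
    problems = []
    root = ET.fromstring(response_xml)
    # The Destination must be this SP's Assertion Consumer Service URL.
    if root.get("Destination") != acs_url:
        problems.append("Destination is not the ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    # The Issuer must be the identity provider configured for this identity source.
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != idp_entity_id:
        problems.append("Issuer is not the configured identity provider")
    # The Audience must name this SP's Entity ID, or an assertion minted for
    # a different service provider could be accepted here.
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("Audience does not include the SP Entity ID")
    # The bearer confirmation Recipient must also be the ACS URL.
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("SubjectConfirmationData Recipient is not the ACS URL")
    return problems

# Constructed sample response; all URLs are placeholders, not real tenant values.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://sp.example.com/saml/acs">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml/sp</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Running `check_response(SAMPLE, ...)` with the SP Entity ID, ACS URL and IdP entity ID that match the sample returns an empty list; changing any one of them produces the corresponding problem string.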