To integrate UAG (service provider) with the identity provider, you must configure the identity provider with the service provider information such as entity ID and assertion consumer endpoint URL. In this case, UAG is the service provider.
- Log into the identity provider's Admin console.
- To create a SAML application, follow the appropriate steps on the identity provider's Admin console.
If the identity provider has an encrypt assertion feature, ensure that the feature is disabled in the SAML settings for the application that you create on the identity provider.
- Configure the identity provider with the UAG information in one of the following ways:
Option Description Download SAML service provider metadata from the UAG.
To import the SAML metadata into the identity provider, ensure that the identity provider supports import functionality.
- In the Configure Manually section of the UAG Admin UI, click Select.
- In the General Settings section, for Edge Service Settings, click Show.
- Click the Horizon Settings gearbox icon.
- On the Horizon Settings page, click More.
- Select the Auth Methods.
The Auth Methods can be
SAML and Passthrough, or
SAML and Unauthenticated.Note: If you choose
SAML and Unauthenticated, ensure that you configure the Horizon Connection Server setting as mentioned for this Auth Method in Configure Horizon Settings on Unified Access Gateway for SAML Integration.
- Click Download SAML service provider metadata.
- On the Download SAML service provider metadata window, select the Identity Provider and enter the external host name.
- Click Download.
- Save the .xml metadata file to a location on your computer that you have access to.
- Log into the identity provider's admin console.
- Import the downloaded metadata file into the identity provider.
Configure the following SAML settings on the identity provider's Admin console.
For more information about the authentication methods for Unified Access Gateway and third-party identity provider integration, see Authentication Methods for Unified Access Gateway and Third-Party Identity Provider Integration.
- Set up the entity ID as https://<uagIP/domain>/portal
- Set up the assertion consumer endpoint URL as https://<uagIP/domain>/portal/samlsso.
- (Optional) Configure the custom attribute with a user name.
In the Unified Access Gateway Admin UI, when
SAML and Unauthenticatedis selected as the authentication method, if SAML Unauthenticated Username Attribute is configured with the same attribute name as specified here and when the SAML assertion is validated, Unified Access Gateway provides unauthenticated access to the user name configured for this custom attribute.
To understand how Unified Access Gateway provides unauthenticated access to this user name, see Authentication Methods for Unified Access Gateway and Third-Party Identity Provider Integration.