You can configure the SAML authentication method to authenticate users with administrator access to the admin UI. This delegates authentication and authorization to an external SAML 2.0 identity provider (IdP), with Unified Access Gateway admin acting as the SAML Service Provider (SP). When a user accesses the Unified Access Gateway admin UI at https://<<uag-fqdn>>:9443/admin, they are redirected to the external IdP, where they are prompted to enter their credentials. If they are authenticated correctly and authorized, they are redirected back to Unified Access Gateway and automatically logged on.
A SAML application must be created on the IdP specifically for Unified Access Gateway admin. SAML metadata exported from this IdP application is used to configure the SAML trust on Unified Access Gateway. This is a fully federated SAML integration so there is no need to separately add admin users to Unified Access Gateway.
The IdP SAML application can be assigned to specific users or user groups to grant admin access, and the authorized administrator's username is received in the NameID field of the signed SAML assertion. If the IdP encrypts SAML assertions, Unified Access Gateway must be configured with an encryption certificate while uploading the Identity Provider metadata; the IdP uses the public key of this certificate to encrypt the assertion. The AuthNRequest generated by Unified Access Gateway is signed using the public-facing TLS certificate.
- In the admin UI Configure Manually section, click Select.
- Under Advanced Settings, select the Account Settings gearbox icon.
- In the Account Settings window, click SAML Login Configuration and then complete the settings.
- Turn on the Enable SAML Authentication toggle to enable the setting.
- Select the Identity provider from the drop-down menu.
Note:
- The identity provider is available for selection in the drop-down menu if you have previously uploaded the identity provider metadata file.
- Use the following settings for the SAML configuration on the identity provider's admin console.
  - Single sign on URL: enter the assertion consumer service URL as https://<<uag-fqdn>>:9443/login/saml2/sso/admin
  - Audience URI (SP Entity ID): enter the audience URL as https://<<uag-fqdn>>:9443/admin
  - SP Issuer: if required, enter the SP issuer as https://<<uag-fqdn>>:9443/admin
For information about configuring the identity provider and uploading the identity provider metadata file to UAG, see Configure the Identity Provider with Unified Access Gateway Information and Upload Identity Provider's SAML Metadata to Unified Access Gateway.
- Click Save.
The authentication changes are applied, and the admin user automatically logs out of the admin UI. On the next login, Unified Access Gateway redirects the admin's login request to the identity provider, and on successful authentication, the identity provider provides access to the admin.
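As an added illustration of the trust relationship described above (the NameID carrying the admin username, and the Single sign on URL / Audience URI values entered on the IdP), the following Python checks a SAML Response against the SP settings derived from the UAG FQDN. This is example code written for this page, not Unified Access Gateway's own implementation; the host uag.example.com, the sample Response and the function names are constructed, and XML signature verification and assertion decryption, which UAG performs itself, are deliberately left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}


def sp_settings(uag_fqdn):
    """The IdP-side values the page lists, derived from the UAG FQDN."""
    base = f"https://{uag_fqdn}:9443"
    return {"acs_url": f"{base}/login/saml2/sso/admin",  # Single sign on URL
            "entity_id": f"{base}/admin"}                # Audience URI (SP Entity ID) and SP Issuer


def check_admin_assertion(response_xml, uag_fqdn, now=None):
    """Return (name_id, problems): name_id is the admin username taken from NameID, problems
    lists every mismatch against the SP settings. Signature and encryption checks omitted."""
    sp = sp_settings(uag_fqdn)
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    problems = []
    # Destination must be the ACS URL; a wrong Single sign on URL on the IdP shows up here
    if root.get("Destination") != sp["acs_url"]:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        return None, problems + ["no plaintext Assertion in Response"]
    # Audience must name the SP Entity ID; a wrong Audience URI on the IdP shows up here
    audiences = [a.text for a in assertion.findall(
        "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)]
    if sp["entity_id"] not in audiences:
        problems.append(f"Audience {audiences} does not include {sp['entity_id']!r}")
    # NotOnOrAfter is UTC ISO 8601 with a trailing Z; an expired assertion must not log anyone on
    cond = assertion.find("saml2:Conditions", NS)
    expiry = cond.get("NotOnOrAfter") if cond is not None else None
    if expiry and now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
        problems.append("assertion has expired (NotOnOrAfter)")
    name_id = assertion.findtext("saml2:Subject/saml2:NameID", None, NS)
    if not name_id:
        problems.append("no NameID, so no admin username")
    return name_id, problems


# Constructed sample Response for the hypothetical host uag.example.com (not a real capture)
SAMPLE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://uag.example.com:9443/login/saml2/sso/admin">
  <saml2:Assertion>
    <saml2:Subject><saml2:NameID>admin.alice</saml2:NameID></saml2:Subject>
    <saml2:Conditions NotOnOrAfter="2030-01-01T00:00:00Z">
      <saml2:AudienceRestriction><saml2:Audience>https://uag.example.com:9443/admin</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions></saml2:Assertion>
</saml2p:Response>"""
```

Running the check with a different FQDN than the one the IdP application was configured for reports both the Destination and the Audience mismatch, which is what you would expect to see when the IdP-side URLs were entered for the wrong host.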
Note: To revert the admin configuration settings and restore the default password authentication, use the adminreset command. For more information, see Recover the Admin using the adminreset Command.