You can configure the SAML authentication method to authenticate users who have administrator access to the admin UI. This delegates authentication and authorization to an external SAML 2.0 identity provider (IdP), with Unified Access Gateway admin acting as the SAML Service Provider (SP). When a user accesses the Unified Access Gateway admin UI at https://<<uag-fqdn>>:9443/admin, they are redirected to the external IdP, where they are prompted to enter their credentials. If they are authenticated and authorized, they are redirected back to Unified Access Gateway and automatically logged on.

A SAML application must be created on the IdP specifically for Unified Access Gateway admin. SAML metadata exported from this IdP application is used to configure the SAML trust on Unified Access Gateway. This is a fully federated SAML integration so there is no need to separately add admin users to Unified Access Gateway.

Note: Starting with Unified Access Gateway 2209, a user with the MONITORING role (low-privilege administrator) can access the APIs using basic authentication when the Admin SAML Authentication feature is enabled. When SAML authentication for Admin is enabled, the default admin (with the ADMIN role and basic credentials) is automatically disabled. Conversely, when SAML authentication for Admin is disabled, the default admin is automatically enabled. If the admin is configured with SAML authentication, ensure that the Password-Pre Login toggle is turned off for the MONITORING user.

The IdP SAML application can be assigned to specific users or user groups to grant admin access; the authorized administrator's username is received in the NameID field of the signed SAML assertion. If the IdP encrypts SAML assertions, Unified Access Gateway must be configured with an encryption certificate when the Identity Provider metadata is uploaded; the IdP uses the public key of this certificate to encrypt the assertion. By default, the AuthnRequest generated by Unified Access Gateway is signed using the public-facing TLS certificate.

  1. In the admin UI Configure Manually section, click Select.
  2. Under Advanced Settings, select the Account Settings gearbox icon.
  3. In the Account Settings window, click SAML Login Configuration and then complete the settings.
    1. Turn on the Enable SAML Authentication toggle to enable the setting.
    2. Select the Identity Provider from the drop-down menu.
      Note:
      • The identity provider is available for selection in the drop-down menu if you have previously uploaded the identity provider metadata file.
      • Use the following settings for the SAML configuration on the identity provider's admin console.
        Option                       Description
        Single sign on URL           Enter the assertion consumer service URL as https://<<uag-fqdn>>:9443/login/saml2/sso/admin
        Audience URI (SP Entity ID)  Enter the audience URL as https://<<uag-fqdn>>:9443/admin
        SP Issuer                    If required, enter the SP issuer as https://<<uag-fqdn>>:9443/admin

      For information about configuring the identity provider and uploading the identity provider metadata file to UAG, see Configure the Identity Provider with Unified Access Gateway Information and Upload Identity Provider's SAML Metadata to Unified Access Gateway.

  4. Turn on the Sign with Admin certificate toggle to sign the SAML authentication request using the admin interface TLS certificate. When the toggle is turned off, the SAML authentication request is signed using the internet-facing TLS certificate.
  5. (Optional) Enter the Static SP Entity Id when multiple Unified Access Gateway appliances are to be configured with admin SAML. A static entity Id eliminates the need to create an individual SAML application on the IdP for each Unified Access Gateway.
    1. Create a SAML application in IdP with a static entity Id.
    2. Configure the SAML application to verify the signature of the incoming SAML authentication request. When the signature verification succeeds, the IdP sends the SAML assertion response to the assertion consumer URL carried in the SAML authentication request.
    3. Configure each Unified Access Gateway with the same static entity Id.
    Note: When you do not enter a Static SP Entity Id, the Issuer value in the SAML authentication request originating from UAG defaults to the admin portal's URL, for example https://<uagip>:9443/portal. When a Static SP Entity Id is provided, the Issuer value is the Static Entity Id.
  6. Click Save.

    The authentication changes are applied, and the admin user automatically logs out of the admin UI. On the next login, Unified Access Gateway redirects the admin's login request to the identity provider, and on successful authentication, the identity provider provides access to the admin.

    Note: To revert the admin configuration settings and restore the default password authentication, use the adminreset command. For more information, see Recover the Admin using the adminreset Command.
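The following is an added example, not Unified Access Gateway code. It derives the SP-side values listed in this procedure (the assertion consumer service URL, the Audience URI / SP Entity ID, and the AuthnRequest Issuer with and without a Static SP Entity Id) from an appliance FQDN, and then shows the checks a SAML SP performs on the IdP's response before trusting the NameID as the admin username: Destination, Issuer, AudienceRestriction and the Conditions validity window. The hostnames uag.example.com and idp.example.com, the function names and the SAML Response XML are all constructed for illustration; the sample response is simplified and unsigned, and verifying the IdP's signature from the uploaded metadata, which a real SP does first, is not shown here.

```python
"""Added example (not Unified Access Gateway code): SP-side settings for the
admin SAML login and the checks an SP performs on a received assertion."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


@dataclass(frozen=True)
class AdminSpSettings:
    acs_url: str               # "Single sign on URL" on the IdP application
    sp_entity_id: str          # "Audience URI (SP Entity ID)" on the IdP application
    authn_request_issuer: str  # Issuer value placed in the appliance's AuthnRequest


def sp_settings(uag_fqdn: str, static_sp_entity_id: Optional[str] = None) -> AdminSpSettings:
    """Derive the IdP application settings for one appliance, as the procedure lists them.
    The AuthnRequest Issuer defaults to the portal URL; a configured Static SP
    Entity Id replaces it so that several appliances can share one IdP application."""
    base = f"https://{uag_fqdn}:9443"
    return AdminSpSettings(
        acs_url=f"{base}/login/saml2/sso/admin",
        sp_entity_id=f"{base}/admin",
        authn_request_issuer=static_sp_entity_id or f"{base}/portal",
    )


def _saml_time(value: str) -> datetime:
    # SAML timestamps are UTC xs:dateTime values such as 2024-01-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def admin_name_id(response_xml: str, sp: AdminSpSettings, idp_entity_id: str, now: datetime) -> str:
    """Return the NameID (admin username) if the response is acceptable for this SP; else raise."""
    root = ET.fromstring(response_xml)
    # The response must be addressed to this appliance's admin ACS URL
    dest = root.get("Destination")
    if dest != sp.acs_url:
        raise ValueError(f"Destination {dest!r} is not the admin ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    # The assertion must come from the IdP whose metadata was uploaded
    if assertion.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise ValueError("assertion was not issued by the configured IdP")
    # The AudienceRestriction must name this SP's entity ID; this is what stops an
    # assertion issued for a different application from being accepted here
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp.sp_entity_id not in audiences:
        raise ValueError(f"audience {audiences} does not include {sp.sp_entity_id}")
    cond = assertion.find("saml:Conditions", NS)
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _saml_time(not_before):
        raise ValueError("assertion is not yet valid")
    if not_on_or_after and now >= _saml_time(not_on_or_after):
        raise ValueError("assertion has expired")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion carries no NameID")
    return name_id


def admin_accepted(response_xml: str, sp: AdminSpSettings, idp_entity_id: str, now: datetime) -> bool:
    """Boolean form of admin_name_id for callers that only need accept/reject."""
    try:
        admin_name_id(response_xml, sp, idp_entity_id, now)
        return True
    except ValueError:
        return False


# Constructed sample data: placeholder hosts, a simplified unsigned response.
SAMPLE_IDP_ENTITY_ID = "https://idp.example.com/saml"
SAMPLE_NOW = datetime(2024, 1, 1, 12, 1, 0, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2024, 1, 1, 12, 10, 0, tzinfo=timezone.utc)  # after NotOnOrAfter
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://uag.example.com:9443/login/saml2/sso/admin">
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject><saml:NameID>uag-admin@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://uag.example.com:9443/admin</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    sp = sp_settings("uag.example.com")
    print(sp)
    print("admin username:", admin_name_id(SAMPLE_RESPONSE, sp, SAMPLE_IDP_ENTITY_ID, SAMPLE_NOW))
```

Running the block prints the three URLs an IdP application for uag.example.com needs and the NameID extracted from the sample response. Passing a different FQDN or a modified Audience to admin_accepted shows why the Audience URI on the IdP must match the appliance's SP Entity ID exactly.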