Security Assertion Markup Language (SAML) single sign-on (SSO) lets a third-party identity provider authenticate users on behalf of the application. SAML SSO works by transferring the user's identity from the identity provider (IDP) to the service provider through digitally signed XML messages. To configure the SAML SSO settings for your organization, perform the following steps:
You must be an Organization Administrator to perform this operation.
- From the VMware Pulse IoT Center UI, go to Settings and select Identity and Access.
The Identity and Access Settings page for your organization is displayed.
- To use an external identity provider to manage authentication for your organization, select Enable External Identity Provider.
- From the IDP Type drop-down menu, select SAML.
- By default, Enable JIT user creation is enabled. With this option enabled, VMware Pulse IoT Center creates a shadow user when an authenticated IDP user does not yet exist in any of the organizations, so every valid IDP user can log in to VMware Pulse IoT Center. If you disable this option, a user who exists only in the external IDP cannot access VMware Pulse IoT Center. To disable Just In Time (JIT) user creation, deselect Enable JIT user creation.
Note: If you decide to update the JIT user creation settings at a later stage, you must reconfigure the SAML settings.
- Under SAML Settings, perform the following steps:
- Step 1: SAML Certificates
Note: If you do not provide a certificate, VMware Pulse IoT Center generates a self-signed certificate. To skip this step, click NEXT.
- Signing Key - Click Choose File and select the custom certificate from your local folder. This certificate is used as the signing key for the VMware Pulse IoT Center metadata.
- Signing Key Password - If the certificate is password protected, enter the password to access it.
- Encryption Key - Click Choose File and select the encryption key for the certificate.
- Encryption Key Password - Enter the password for the encryption key.
- Step 2: Service Provider Metadata Download - To download the metadata of VMware Pulse IoT Center, click DOWNLOAD. Alternatively, you can copy the metadata content from the SAML Service Provider Metadata text box.
- Step 3: Identity Provider Setup - Navigate to your IDP and configure VMware Pulse IoT Center as a service provider.
Copy the downloaded service provider metadata to a text file and save it with the .xml extension, for example pulseSP_metadata.xml. Use the saved service provider (SP) metadata to configure the service provider settings on the IDP. To allow a user to log in, you must assign the user to the VMware Pulse IoT Center service provider in the IDP; the IDP then authenticates that user for the particular organization.
Note: To set up SAML SSO authentication for your user on multiple suborganizations, you must register the service provider in the IDP for each of the suborganizations. Use each suborganization's SP metadata to register it.
- Step 4: SAML Setup
- SAML Authentication URL - The external IDP's authentication URL to which the SAML request is posted.
- SAML Metadata XML - The URL or the metadata of the external IDP. You can access the metadata by sending a GET request to the external IDP.
- Attribute Mapping - Add the attribute keys for creating the user. UserName, DisplayName, and Email are mandatory keys. These keys must be mapped to the UserName, DisplayName, and Email keys in the IDP.
- To save the changes, click SAVE.
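As an added example (not part of this documentation or the product), a Python check that parses the external IDP metadata used in Step 4, confirms it publishes an HTTP-POST sign-on URL and a signing certificate, and verifies that the attribute mapping covers the mandatory UserName, DisplayName and Email keys before JIT user creation is left enabled. The entityID, URLs and certificate value in the sample metadata are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Attribute keys the configuration page lists as mandatory.
MANDATORY_ATTRS = ("UserName", "DisplayName", "Email")

# Constructed sample IDP metadata; entityID, URLs and certificate are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return the entityID, the HTTP-POST SSO URL and whether a signing cert is published.
    For metadata fetched over the network from a third party, parse with defusedxml."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    post_url = None
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding", "").endswith("HTTP-POST"):
            post_url = sso.get("Location")
    # A KeyDescriptor without a "use" attribute covers both signing and encryption.
    has_signing_cert = any(
        kd.get("use") in (None, "signing")
        and kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
        for kd in idp.findall("md:KeyDescriptor", NS)
    )
    return {"entity_id": root.get("entityID"), "sso_post_url": post_url,
            "has_signing_cert": has_signing_cert}


def missing_mandatory_attributes(attribute_mapping):
    """attribute_mapping: Pulse key -> IDP attribute name, as entered under Attribute Mapping."""
    return [key for key in MANDATORY_ATTRS if not attribute_mapping.get(key)]
```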