SSO sub-tab
    • 17 Apr 2023


    Article summary

    With Single Sign-On (SSO), users authenticate once to gain access to multiple secured systems without resubmitting credentials. Nodegrid currently supports multiple identity providers.

    Add SSO

    1. Go to Security :: Authentication :: SSO.
    2. Click Add (displays dialog). 
    3. Enter Name.
    4. On Status drop-down, select one (Enabled, Disabled).
    5. Enter Entity ID (globally unique name).
    6. Enter SSO URL.
    7. Enter Issuer.
    8. On X-509 Certificate menu, select one:
      • Local Computer radio button (expands dialog). Click Choose File to locate and select file. 
      • Local System radio button (expands dialog). On Certificate Name drop-down, select one. 
      • Remote Server radio button (expands dialog). 
        • Enter URL (URL can be the IP address or hostname/FQDN. If using IPv6, use brackets [ ... ]. Supported protocols: FTP, TFTP, SFTP, and SCP.).
        • Enter Username and Password.
        • (optional) Select The path in url to be used as absolute path name checkbox.
      • Text Input radio button (expands dialog). Enter in Certificate text box. 
    9. Select Force Re-authentication checkbox.
    10. Select Sign Request checkbox.
    11. Select Enable Single Logout checkbox (expands dialog). Enter Logout URL.
    12. (optional) For Icon, click Select Icon (expands dialog). Click a logo to set it as the 2-Factor icon.
    13. Click Save.

    The following fields are required to configure a successful SAML flow for each Identity Provider:

    SAML Requirements

    For each Identity Provider (IdP), the first list holds the fields to copy from Nodegrid into the IdP, and the second list holds the fields to paste from the IdP into Nodegrid.

    Duo
      • Copy Fields from Nodegrid to IdP: Login URL, Entity ID
      • Paste Fields from IdP to Nodegrid: SSO URL, Entity ID, Download Certificate

    Okta
      • Copy Fields from Nodegrid to IdP: Single Sign On URL, Audience URI (SP Entity ID)
      • Paste Fields from IdP to Nodegrid: Identity Provider SSO URL, Identity Provider Issuer, X.509 Certificate

    G Suite
      • Copy Fields from Nodegrid to IdP: ACS URL, Entity ID
      • Paste Fields from IdP to Nodegrid: SSO URL, Entity ID, Certificate

    Ping
      • Copy Fields from Nodegrid to IdP: Entity ID, ACS URL
      • Paste Fields from IdP to Nodegrid: Issuer, Idpid

    The idpid from Ping is used as the SSO URL field in Nodegrid:
     https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid= + the idpid

    ADFS
      • Copy Fields from Nodegrid to IdP: Entity ID (maps to Relying party trust identifier), ACS URL (maps to Trusted URL)
      • Paste Fields from IdP to Nodegrid: Entity ID (maps to Issuer on Nodegrid)

    IdP configuration fields (values from Nodegrid, the SP, entered on the IdP side):

    • Entity ID (globally unique name for the SP URL)
    • ACS URL (Assertion Consumer Service URL to which the Identity Provider redirects the user and sends the SAML assertion after its authentication process.)
    • Attributes (attributes that the IdP sends back with the SAML assertion. The SP can have more than one attribute; nameID is the most common.)
    • SAML Signature Algorithm (either SHA-1 or SHA-256. Used with the X.509 certificate. Default: SHA-256. SHA-1 signatures are deprecated and should only be chosen for an IdP that cannot sign with SHA-256.)

    SP configuration fields (values from the IdP, entered on the Nodegrid side):

    • X.509 Certificate (certificate provided by the IdP to allow the SP to verify that the SAML assertion is from the IdP)
    • Issuer URL/Entity ID (unique identifier of the IdP)
    • Single Sign On URL (IdP endpoint that starts the authentication process)
    • RelayState (optional): deep-link target for SAML, in the form <ip>/direct/<device>/console
    • For more information on SSO, please see https://support.zpesystems.com/portal/kb/articles/single-sign-on-sso

    Import Metadata

    1. Go to Security :: Authentication :: SSO.
    2. Click Import Metadata (displays dialog). 
    3. Enter Name.
    4. On Status drop-down, select one (Enabled, Disabled).
    5. Enter Entity ID (globally unique name).
    6. On Metadata menu, select one:
      • Local Computer radio button (expands dialog). Click Choose File, locate and select. 
      • Local System radio button (expands dialog). On Metadata File drop-down, select one. 
      • Remote Server radio button (expands dialog): 
        • Enter URL (URL can be the IP address or hostname/FQDN. If using IPv6, use brackets [ ... ]. Supported protocols: FTP, TFTP, SFTP, and SCP.)
        • Enter Username and Password.
        • (optional) Select The path in url to be used as absolute path name checkbox.
    7. (optional) For Icon, click Select Icon. Click a logo to set it as the 2-Factor icon.
    8. Select Force Re-authentication checkbox.
    9. Select Sign Request checkbox.
    10. Select Enable Single Logout checkbox.
    11. Click Save.
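The IdP and SP field lists above and the Import Metadata procedure describe the same mapping from two sides: the metadata document an IdP exports already carries the Issuer/Entity ID, the SSO and logout endpoints and the signing certificate that the Add SSO dialog asks for. The following Python helper is an added example, not Nodegrid code and not from the KB article; it parses an IdP metadata document and maps it onto those fields, checks that the certificate is a signing key in DER form, and prints its SHA-256 fingerprint so it can be compared with the IdP console before the certificate is pasted into the X.509 Certificate field. The metadata document, the hostname idp.example.test and the certificate body are constructed placeholders.

```python
"""Added helper (not Nodegrid code): map IdP SAML metadata onto the
Nodegrid SSO fields (Issuer, SSO URL, Logout URL, X.509 Certificate)."""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder: a DER SEQUENCE header plus filler so the structural
# check passes. It is not a real certificate.
PLACEHOLDER_DER = b"\x30\x82\x01\x00" + bytes(256)
PLACEHOLDER_B64 = base64.b64encode(PLACEHOLDER_DER).decode()

# Constructed sample metadata; idp.example.test is a made-up hostname.
SAMPLE_METADATA = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{PLACEHOLDER_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{PLACEHOLDER_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://idp.example.test/saml/sso/redirect"/>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://idp.example.test/saml/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def decode_certificate(b64_text: str) -> bytes:
    """DER bytes of an X509Certificate element; rejects non-base64 input
    and anything that does not begin as a DER SEQUENCE."""
    der = base64.b64decode("".join(b64_text.split()), validate=True)
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("X509Certificate element is not DER-encoded")
    return der


def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form IdP consoles display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def to_pem(der: bytes) -> str:
    """PEM text, the form accepted by a paste-in certificate field."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def extract_idp_fields(metadata_xml: str, preferred_binding: str = HTTP_POST) -> dict:
    """Return the values to paste into Nodegrid, keyed by purpose."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata also uses EntityDescriptor; catch the wrong file early.
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata")

    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    if not sso:
        raise ValueError("IdP advertises no SingleSignOnService endpoint")
    binding = preferred_binding if preferred_binding in sso else next(iter(sso))

    # Only 'signing' keys verify assertions. An absent 'use' attribute means
    # the key serves both purposes, so it is kept.
    signing_certs = [decode_certificate(c.text)
                     for kd in idp.findall("md:KeyDescriptor", NS)
                     if kd.get("use", "signing") == "signing"
                     for c in kd.findall(".//ds:X509Certificate", NS)]
    if not signing_certs:
        raise ValueError("no signing certificate in metadata")

    slo = idp.find("md:SingleLogoutService", NS)
    name_id = idp.find("md:NameIDFormat", NS)
    return {
        "issuer": root.get("entityID"),
        "sso_url": sso[binding],
        "sso_binding": binding,
        "logout_url": slo.get("Location") if slo is not None else None,
        "name_id_format": name_id.text.strip() if name_id is not None else None,
        # True means the IdP expects the Sign Request checkbox to be ticked.
        "sign_request": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "certificate_pem": to_pem(signing_certs[0]),
        "certificate_sha256": fingerprint_sha256(signing_certs[0]),
        "signing_certificate_count": len(signing_certs),
    }


if __name__ == "__main__":
    for key, value in extract_idp_fields(SAMPLE_METADATA).items():
        print(f"{key}: {'<pem omitted>' if key == 'certificate_pem' else value}")
```

The two early failures are the ones that most often cost time when an import does not work: the file exported was the SP's own metadata rather than the IdP's, or the only certificate present is an encryption key, which cannot verify assertion signatures. When more than one signing certificate is listed the IdP is usually mid-rotation; the count in the result flags that case so the operator can confirm which one is current before pasting it.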
