Enabling SAML authentication

You can enable Security Assertion Markup Language (SAML) authentication so that remote users are authenticated by a secure identity provider (IdP) before they can access the Unified Manager web UI.

Before you begin

About this task

After you have enabled SAML authentication from Unified Manager, users cannot access the graphical user interface until the IdP has been configured with the Unified Manager server host information. So you must be prepared to complete both parts of the connection before starting the configuration process. The IdP can be configured before or after configuring Unified Manager.

Only remote users will have access to the Unified Manager graphical user interface after SAML authentication has been enabled. Local users and Maintenance users will not be able to access the UI. This configuration does not impact users who access the maintenance console, the Unified Manager commands, or ZAPIs.

Note: Unified Manager is restarted automatically after you complete the SAML configuration on this page.

Steps

  1. In the toolbar, click , and then click Authentication in the left Setup menu.
  2. In the Setup/Authentication page, select the SAML Authentication tab.
  3. Select the Enable SAML authentication checkbox.
    The fields required to configure the IdP connection are displayed.
  4. Enter the IdP URI and the IdP metadata required to connect the Unified Manager server to the IdP server.
    If the IdP server is accessible directly from the Unified Manager server, you can click the Fetch IdP Metadata button after entering the IdP URI to populate the IdP Metadata field automatically.
  5. Copy the Unified Manager host metadata URI, or save the host metadata to an XML text file.
    You can configure the IdP server with this information at this time.
  6. Click Save.
    A message box displays to confirm that you want to complete the configuration and restart Unified Manager.
  7. Click Confirm and Logout and Unified Manager is restarted.

Result

The next time authorized remote users attempt to access the Unified Manager graphical interface they will enter their credentials in the IdP login page instead of the Unified Manager login page.

After you finish

If not already completed, access your IdP and enter the Unified Manager server URI and metadata to complete the configuration.

Important: When using ADFS as your identity provider, the Unified Manager GUI does not honor the ADFS timeout and will continue to work until the Unified Manager session timeout is reached. When Unified Manager is deployed on Windows, Red Hat, or CentOS, you can change the GUI session timeout using the following Unified Manager CLI command: um option set absolute.session.timeout=00:15:00

This command sets the Unified Manager GUI session timeout to 15 minutes.