Configuring SAML authentication
NetIM supports integration with SAML 2.0-compliant identity providers. Many SAML 2.0-compliant identity providers are available, and each may be configured differently in different environments. This section does not attempt to provide detailed instructions about integration with specific identity providers. Instead, it shows the basic steps for adding an identity provider.
Before you begin, gather the requisite information from the SAML administrator for your site.
To add a SAML 2.0-compliant identity provider
1. Log in to the UI as admin.
2. Choose Configure > All Settings > Integrate > Identity Providers. The Identity Providers page appears.
3. (Optional) If your SAML administrator needs the NetIM metadata, click the icon that saves the NetIM metadata to a file.
4. To add an identity provider, click the Add icon. The Create Identity Providers screen appears.
Your SAML administrator should provide you with the information needed to fill out the screen.
Add the following information and, when you are satisfied with your choices, click Submit:
– Activate—Whether or not the Identity Provider configuration should be set to Active. The default is inactive.
– Provider Name—Supply the name of the SAML provider.
– Attribute Mapping—The attribute provided in the SAML response that should be used by NetIM for role assignment.
– Username Attribute—The username attribute is usually a string such as UserID, EmailAddress, DisplayName, NameID, Email, and so on.
If you leave this field blank, NetIM will use NameID from the SAML identity provider’s response.
– Roles Attribute—The attribute provided in the SAML response that should be used by NetIM for role assignment.
– Global Lockout—Specify whether the IdP should log out globally (that is, log out of both NetIM and the SAML server) or log out of NetIM only.
– Metadata—Supply the necessary metadata using a URL or an XML text file. Choose the appropriate metadata Source and then enter the URL or copy and paste the XML file source into the field.
– Authority Map—Map the SAML attribute values provided in the roles attribute to a NetIM role. You can add multiple attribute-to-role mappings using the authority map Add/Edit Authority dialog.
– Certificates—Specify how you want to import the provider’s certificate. You can provide it manually using an upload or have it automatically imported when the server is contacted during setup. Additionally, you need to indicate whether you want to allow the import of any certificate (including self-signed certificates).
In some cases, your SAML administrator may want you to import the server’s certificate before adding the identity provider. Should that be the case, see Step 4.
5. After you successfully add a SAML 2.0-compliant identity provider, all users will be able to authenticate, but users who do not have an assigned role will not be authorized to use NetIM. Authenticated users without an assigned role will be presented with an error when they attempt to log in and use NetIM.
To remedy this problem, either use the Authority Map section of the Create Identity Provider screen as described in Step 4 or the Configure > All Settings > Administer > User Management page as described in Step 2.
Enabling and disabling SAML using the CLI
Enable SAML in your installation by performing the following steps.
All app.sh commands must be run at the root of the installation directory.
1. Log in to NetIM core as netimadmin.
2. Change your working directory to the installation directory, by entering a command like the following:
cd /data1/riverbed/NetIM/latest
3. Invoke the bash shell by typing “bash” at the netimsh command prompt.
4. Use the CLI to enable SAML as follows:
– Stop Services by entering the following command:
./app.sh -c stop ALL
– Enable SAML by entering the following command:
./app.sh /saml_state enabled
– Import Certificate by entering the following command:
./app.sh CHECK_SAML_CERTIFICATE /importCertificate true <Metadata URL>
– Start Services by entering the following command:
./app.sh -c start ALL
5. Use the CLI to disable SAML by performing the following steps:
– Stop Services by entering the following command:
./app.sh -c stop ALL
– Disable SAML by entering the following command:
./app.sh /saml_state disabled
– Start Services by entering the following command:
./app.sh -c start ALL
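Before you supply the Metadata field or let the provider's certificate be imported automatically (the Certificates option on the Create Identity Providers screen, or CHECK_SAML_CERTIFICATE /importCertificate on the CLI), you can compare the signing certificate in the IdP metadata with a fingerprint obtained from your SAML administrator. The Python sketch below is an added example, not part of NetIM or its documentation; the sample metadata, the entity ID, and the function names are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, trimmed sample metadata. The X509Certificate value is
# placeholder bytes, not a real certificate; the entity ID is made up.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXItY2VydA==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text):
    """Return (entityID, [SHA-256 hex fingerprints of signing certificates])."""
    # Metadata is untrusted input: refuse DTDs and entity declarations outright.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("metadata must not contain a DTD or entities")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected a single SAML EntityDescriptor")
    fingerprints = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves signing as well.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())
            der = base64.b64decode(b64, validate=True)
            fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        raise ValueError("no signing certificate found in IdP metadata")
    return root.get("entityID"), fingerprints


def certificate_matches(xml_text, expected_sha256):
    """True only if every signing certificate is in the expected set."""
    _, found = inspect_idp_metadata(xml_text)
    expected = {fp.replace(":", "").lower() for fp in expected_sha256}
    return set(found) <= expected
```

Pass the fingerprints as a set so that an IdP publishing both a current and a next signing certificate during key rollover still matches; obtain the expected values through a channel other than the metadata URL itself.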