How to manage SAML providers

This document describes how to register, update, and disable SAML providers on the Segura® Platform.

Requirements

  • Permission to manage SAML providers on the Segura® Platform.
  • Identity provider (IdP) configuration information, such as EntityID, login and logout URLs, and SAML certificate.

Attention

All SAML provider configurations must be compatible with those configured in the Identity Provider (IdP). Divergences may result in authentication failures.

Register a SAML provider

  1. On the Segura® Platform, in the navigation bar, hover over the Products menu and select Settings.
  2. In the side menu, select Authentication > SAML > Providers.
  3. In the Providers report, click Add.
  4. In the SAML provider registration screen, complete the following fields.

Main information section

  1. Type *: select the SAML provider from the dropdown menu. If it is not listed, select SAML provider.
  2. Enable *: select Yes.
  3. Environment *: to grant access to Segura® Domum users, select Domum Remote Access. To grant access to local users only, select Local.
  4. Provider Name: enter the provider name that will be displayed on the login screen button.
  5. Icon: select the icon that will be displayed on the login screen button.
  6. Entity ID *: enter the ClientID or EntityID of the SAML application.
  7. SAML provider metadata URL *: enter the URL that manages the SAML metadata.
  8. Domain or public IP for URL redirection *: enter the Segura® Platform domain or public IP.
  9. Redirect URL *: use this field as a reference for the SAML configuration.
  10. Comments: enter any relevant observations about the provider.

URLs configuration section

  1. SSO Login URL (Sign-in URL) *: enter the URL used for login.

  2. SSO Logout URL (Sign-out URL): enter the URL used for logout.

  3. Redirect Binding Type: select the type of Redirect Binding. The options are: REDIRECT and POST.

  4. SAML SSO force auth *: select Yes or No to define whether the ForceAuthn attribute will be included in the AuthnRequest.

  5. Send AuthnContext in SAML request *: select Yes or No to define whether the RequestedAuthnContext element will be included in the AuthnRequest.

    Attention

    When the Send AuthnContext in SAML request * parameter is disabled, the identity provider determines the authentication method based on its own policies. For scenarios with passwordless or MFA app authentication, such as Microsoft Authenticator or Windows Hello, it is recommended to disable Send AuthnContext in SAML request * to allow the IdP to define the authentication method.

  6. If the Send AuthnContext in SAML request * field is enabled, in Accepted authentication methods, select 1 or more options:

     • Password.
     • Certificate (X509).
     • Unspecified.

    Info

    When multiple methods are selected in Accepted authentication methods, the AuthnRequest sends all values as AuthnContextClassRef and sets the Comparison attribute to minimum.

Security SAML section

  1. Certificate (PEM format) *: paste the content of the .pem certificate.
  2. Click Save.
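
Because divergences from the IdP configuration cause authentication failures, the login URL, logout URL, binding, and certificate entered above can be compared with the IdP's published SAML metadata before saving. The following is an added example, not part of the Segura® documentation or product: the form keys (`binding`, `sso_login_url`, `sso_logout_url`, `certificate_pem`) and the mapping of REDIRECT and POST to SAML 2.0 binding URIs are assumptions, and the metadata and certificate bytes are constructed samples.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Assumed mapping of the form's binding options to SAML 2.0 binding URIs.
BINDINGS = {"REDIRECT": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}

def cert_sha256(text):
    """SHA-256 of the certificate's DER bytes, from PEM or bare base64 text."""
    body = re.sub(r"-----[A-Z ]+-----|\s+", "", text)
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def check_provider(metadata_xml, form):
    """Return the form fields (hypothetical keys) that disagree with the IdP metadata."""
    # Metadata fetched over the network is untrusted; use a hardened XML parser there.
    idp = ET.fromstring(metadata_xml).find("md:IDPSSODescriptor", NS)
    def locations(tag):
        return {(e.get("Binding"), e.get("Location")) for e in idp.findall(f"md:{tag}", NS)}
    problems = []
    if (BINDINGS[form["binding"]], form["sso_login_url"]) not in locations("SingleSignOnService"):
        problems.append("SSO Login URL / Redirect Binding Type")
    logout = form.get("sso_logout_url")
    if logout and logout not in {loc for _, loc in locations("SingleLogoutService")}:
        problems.append("SSO Logout URL")
    signing = {cert_sha256(c.text)
               for kd in idp.findall("md:KeyDescriptor", NS)
               if kd.get("use") in (None, "signing")
               for c in kd.iterfind(".//ds:X509Certificate", NS)}
    if cert_sha256(form["certificate_pem"]) not in signing:
        problems.append("Certificate (PEM format)")
    return problems

# Constructed sample: placeholder bytes stand in for a DER-encoded certificate.
SAMPLE_B64 = base64.b64encode(b"constructed-placeholder-not-a-real-certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{BINDINGS['REDIRECT']}" Location="https://idp.example.test/slo"/>
    <md:SingleSignOnService Binding="{BINDINGS['REDIRECT']}" Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_FORM = {"binding": "REDIRECT", "sso_login_url": "https://idp.example.test/sso",
               "sso_logout_url": "https://idp.example.test/slo",
               "certificate_pem": f"-----BEGIN CERTIFICATE-----\n{SAMPLE_B64}\n-----END CERTIFICATE-----"}
```

An empty list from `check_provider(SAMPLE_METADATA, SAMPLE_FORM)` means the entered values match the metadata; any returned field name should be corrected before saving.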

Update a SAML provider

  1. On the Segura® Platform, in the navigation bar, hover over the Products menu and select Settings.
  2. In the side menu, select Authentication > SAML > Providers.
  3. Locate the record you want to update.
  4. In the Actions menu, click Edit.
  5. In the SAML provider registration screen, edit the necessary fields.
  6. Click Save.

Disable a SAML provider

  1. On the Segura® Platform, in the navigation bar, hover over the Products menu and select Settings.
  2. In the side menu, select Authentication > SAML > Providers.
  3. Locate the record you want to disable.
  4. In the Actions menu, select Disable.
  5. In the confirmation modal, click Yes.
