The first step in setting up a SAML configuration is to set up the certificate that will be used to encrypt the identity assertion that GridGuard sends back to the service provider.
Administrators can use the same certificate for all service providers, or create a separate one per service provider. The choice is entirely up to the administrator. There might be instances where some service providers support only DSA certificates and others support only RSA certificates; in those cases, you will need to generate separate certificates for those service providers.
Select the SAML Configuration Option
- Launch the GridGuard Administration & Configuration Console (ACC) and select the SAML Configuration option
- The Identity Provider (IdP) Configuration screen is displayed. IdP certificates can be managed on this page.
Setting Host Name
Set the host name to the fully qualified domain name (FQDN) that the service provider will use to refer to the GridGuard server. Typically this will be a value like 'gridguard.company.com'.
This host name is used to generate the GridGuard IdP metadata that will be imported into the service provider's site.
Note: If GridGuard is configured in a cluster, then the host name should not be set to the name of the node; rather it should be the name of the load balancer. For example, if the nodes in a cluster are named grid1.company.com and grid2.company.com and the load balancer is referred to as gridguard.company.com, then the host name should be set to 'gridguard.company.com'.
Generate New Certificate
Steps to generate a new certificate
- Click the 'Generate New Certificate' button.
- The 'Generate Certificate' dialog is displayed.
- Assign a label to the certificate. This is a simple name that can be used to refer to the certificate.
- Set the Issuer value. This value is used to set the saml:Issuer tag in the assertion. It can be set to any string; typically it is set to a value like https://grid.company.com.
- Set the certificate format. GridGuard supports both the DSA and RSA certificate formats. Some service providers support only one or the other, so check with the service provider to ensure that the right certificate format is being used.
- Click 'OK' to complete certificate generation.
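Before importing the generated IdP metadata into a service provider, it is worth checking that the host name and certificate settings above actually made it into the metadata. The following script is an added example, not GridGuard's own code; the metadata document inside it is a constructed stand-in that uses the standard SAML 2.0 metadata element names, and the check flags any endpoint that still points at a cluster node name instead of the load balancer FQDN.

```python
"""Sanity-check a SAML IdP metadata document before handing it to a service provider."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample (not real GridGuard output): the logout endpoint wrongly names a
# cluster node (grid1) instead of the load balancer (gridguard), as in the cluster note above.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://grid.company.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>CONSTRUCTED-CERT-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://gridguard.company.com/saml/sso"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://grid1.company.com/saml/slo"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text, expected_host):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(xml_text)
    if not root.get("entityID"):
        findings.append("entityID (the value used as saml:Issuer) is missing")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return findings + ["no IDPSSODescriptor element"]
    # The generated certificate must be published, otherwise the SP has nothing to trust.
    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        findings.append("no signing X509Certificate in any KeyDescriptor")
    # Every endpoint must use HTTPS and the FQDN the SP will use (load balancer, not a node).
    for tag in ("md:SingleSignOnService", "md:SingleLogoutService"):
        for ep in idp.findall(tag, NS):
            url = urlparse(ep.get("Location", ""))
            if url.scheme != "https":
                findings.append(f"{tag} Location is not https: {ep.get('Location')}")
            if url.hostname != expected_host:
                findings.append(f"{tag} host {url.hostname!r} != expected {expected_host!r}")
    return findings


if __name__ == "__main__":
    for finding in check_idp_metadata(SAMPLE_METADATA, "gridguard.company.com"):
        print("FINDING:", finding)
```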