Set up the GridGuard SAML URL
- Hostname : Enter the externally accessible hostname.
- IdP Certificates: Generate a self-signed certificate or import a PKCS12 file to use for SAML signing or SAML encryption.
Click on "Apply Changes"
Adding SimpleSAMLPHP as a SAML Service Provider
Right-click on "SAML Configuration" and click "+Add" to add a new SAML Service Provider. Then fill out the new form with the following data:
- Service Provider Name : Admin generated identifier
- Signing Certificate : Select an installed x509 certificate for SAML assertion signing
- Import SP Metadata: Upload the XML metadata for the SP. In this case the SP is SimpleSAMLPHP.
- Import SP Metadata URL : Download the XML metadata directly from the SP. This requires the GGVA device to have direct network access to the SimpleSAMLPHP server. This URL was provided in the Validate SP Metadata section.
- Entity Id : <Filled in by metadata>
- ACS URL : <Filled in by metadata>
- Validity Time : Set appropriately
- Realm : Select Realm identifier to associate with this SAML SP.
- Name Identifier : Select 'sAMAccountName' or 'uid' depending on the LDAP backend
- Sign Encryption : Check
- Encrypt Assertion : <Optional>
- Attribute Mapping : See below
Attribute mapping is used to copy a user's attribute values from the LDAP directory into the SAML assertion. These are the mappings you need to create, from SAML attribute name to the LDAP attribute that supplies its value:
- cn => cn
- mail => mail
- sAMAccountName => sAMAccountName (Active Directory)
- uid => uid (OpenLDAP)
- memberOf => memberOf
Click on "Service Provider" and then press "Apply Changes"
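Once the SP is configured, it helps to confirm that the assertions GridGuard issues actually carry the mapped attributes. The following checker is an added example and not part of the GridGuard or SimpleSAMLPHP documentation; the assertion it parses is constructed sample data, and the signature element is only a stub standing in for a real XML-DSig block.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Attributes the mapping above should produce; the account identifier is
# sAMAccountName (Active Directory) or uid (OpenLDAP).
REQUIRED = {"cn", "mail", "memberOf"}
NAME_ID_ATTRS = {"sAMAccountName", "uid"}

# Constructed sample assertion (not a GridGuard capture); the Signature element is a stub.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_example" Version="2.0">
  <ds:Signature><ds:SignedInfo/></ds:Signature>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="cn"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sAMAccountName"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=vpn-users,OU=Groups,DC=example,DC=test</saml:AttributeValue>
      <saml:AttributeValue>CN=staff,OU=Groups,DC=example,DC=test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_attributes(assertion_xml):
    """Return {SAML attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs

def check_mapping(assertion_xml):
    """Return a list of problems; an empty list means the assertion matches the mapping."""
    root = ET.fromstring(assertion_xml)
    attrs = extract_attributes(assertion_xml)
    problems = []
    if root.find("ds:Signature", NS) is None:  # a signing certificate was selected, so expect one
        problems.append("assertion is not signed")
    for name in sorted(REQUIRED - set(attrs)):
        problems.append(f"missing attribute {name}")
    ids = NAME_ID_ATTRS & set(attrs)
    if not ids:
        problems.append("no sAMAccountName or uid attribute")
    # The Name Identifier chosen in GridGuard should agree with the mapped account attribute.
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if ids and name_id not in {v for i in ids for v in attrs[i]}:
        problems.append("NameID does not match the sAMAccountName/uid value")
    return problems
```

Run it against an assertion captured from a SimpleSAMLPHP test login to spot a missing mapping or an unsigned assertion before the SP goes into use.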