SAML SSO authentication

This section describes how to use SAML 2.0 single sign-on (SSO) authentication instead of the default Windows authentication for remote access to SV Management.

Overview

Service Virtualization Management supports SAML 2.0 authentication for single sign-on providers such as Okta and ADFS.

Currently, SAML 2.0 can be used only to log in to SV Management, so you still need a different authentication and authorization method inside SV Management to manage the SV Servers you have added. You can use SAML 2.0 for both authorization and authentication, or you can delegate authorization to LDAP and use SAML 2.0 for authentication only.

For details on using LDAP, see LDAP authentication provider.


SAML authentication

This section describes how to configure SAML SSO authentication to log on to SV Management.

To use SAML authentication:

  1. In an editor, open the SV Management configuration file, [INSTALLLOCATION]\Server\bin\SvmRoot\HP.SV.ServiceVirtualizationManager.exe.config (or HP.SV.ServiceVirtualizationManager.dll.config on Linux).

  2. Set the membershipProvider attribute of the membershipProviderConfiguration element to Saml2.

    <membershipProviderConfiguration membershipProvider="Saml2" ... />
  3. Open the HP.SV.ServiceVirtualizationManager.saml2.config file, and set the parameters of the SAML 2.0 provider.

    Note: Since SAML configuration is complex, the individual parameters are described here using the example of the Okta provider. The anonymized sample values below were taken from a functioning integration between SV Management and an Okta application.

    The main attributes are:

    • applicationId: The Okta (or alternative provider) application identifier. This depends on the settings in Okta, or in an alternative provider.

    • lspAssertionConsumerServiceUrl: Instead of 'svm.mycompany.com:6086', provide the SV Management host name that users enter in their browsers.

    • pipSvmGroupsAttribute: The SAML attribute name used to retrieve the names of the groups the logged-in user is a member of. This depends on the settings in Okta, or in an alternative provider.

    • pipCertificate: Path to the certificate downloaded from Okta or an alternative provider.

    SAML group name mapping

    The SAML group name mapping to the built‑in Service Virtualization groups is specified via the following attributes:

    • pipSvmUsersGroupName: SAML2 group name for the SVM Users group.

    • pipSvOperatorsGroupName: SAML2 group name for the SV Operators group.

    • pipSvPublishersGroupName: SAML2 group name for the SV Publishers group.

    • pipSvRuntimeAdministratorsGroupName: SAML2 group name for the SV Runtime Administrators group.

    • pipSvServerAdministratorsGroupName: SAML2 group name for the SV Server Administrators group.

    For details, see Authenticate the SV Server.

    Other attributes

    The following attributes are generated by Okta or an alternative provider. You need to get them from there:

    • pipSamlIssuerId

    • pipSingleSignOnServiceUrl

    • pipSingleLogoutServiceUrl

    • lspResolveToHttps: the flag specifies whether local URLs should be resolved to HTTPS by default.

    • The following boolean attributes specify which requests and responses in the SAML2 exchange are digitally signed. Signing lets each party verify that a message came from its configured peer and was not altered in transit, so we recommend setting all of them to "true".

      • pipSignAuthnRequest

      • pipSignLogoutRequest

      • pipSignLogoutResponse

      • pipWantLogoutRequestSigned

      • pipWantLogoutResponseSigned

    Single Logout

    If you use SAML 2.0 Single Logout (SLO), you must provide a certificate accepted by the SAML provider (such as Okta), together with its private key and password, using the lspCertificateFileName and lspCertificatePassword attributes.

    For lspSingleLogoutServiceUrl, instead of 'svm.mycompany.com:6086', provide the SV Management host name that users enter in their browsers.

    LDAP authorization (optional)

    If you use SAML for both authorization and authentication, leave the authorization and autorizationUserNameMappingAttribute attributes empty.

    To authenticate using SAML and authorize using LDAP, set the following:

    • authorization to 'Ldap'

    • autorizationUserNameMappingAttribute to the name of the SAML attribute you use for SAML to LDAP user mapping.

  4. Restart the SV Management service for the changes to take effect.


SAML connection example

Below is an example of using SAML for both authorization and authentication:

<saml2MembershipProviderConfiguration
    applicationId="svm"

    authorization=""
    autorizationUserNameMappingAttribute=""

    lspAssertionConsumerServiceUrl="https://svm.mycompany.com:6086/Account/Saml/AssertionConsumerService"
    lspSingleLogoutServiceUrl="https://svm.mycompany.com:6086/Account/Saml/SingleLogoutService"
    lspCertificateFileName="svm.p12"
    lspCertificatePassword="password"
    lspResolveToHttps="false"
    pipSamlIssuerId="http://www.okta.com/youroktaidentifier"
    pipSingleSignOnServiceUrl="https://mycompany.okta.com/app/mycompany_svm_1/youroktaidentifier/sso/saml"
    pipSingleLogoutServiceUrl="https://mycompany.okta.com/app/mycompany_svm_1/youroktaidentifier/slo/saml"
    pipCertificate="okta.cert"
    pipSignAuthnRequest="true"
    pipSignLogoutRequest="true"
    pipSignLogoutResponse="true"
    pipWantLogoutRequestSigned="true"
    pipWantLogoutResponseSigned="true"

    pipSvmGroupsAttribute="SvmMembership"
    pipSvmUsersGroupName="SvmUsers"
    pipSvOperatorsGroupName="SvOperators"
    pipSvPublishersGroupName="SvPublishers"
    pipSvRuntimeAdministratorsGroupName="SvRuntimeAdministrators"
    pipSvServerAdministratorsGroupName="SvServerAdministrators"
/>
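A configuration like the one above can be checked mechanically before the SV Management service is restarted. The following Python script is an added example and is not part of Service Virtualization or its documentation. It parses a constructed copy of the sample element, applies the recommendations from step 3 (all signing flags set to "true", a certificate and password present when Single Logout is configured, and authorization either empty or 'Ldap' with a matching autorizationUserNameMappingAttribute), and adds three checks of its own that the page does not state: HTTPS on the four endpoint URLs, leftover sample values such as "password" and "youroktaidentifier", and duplicate group names across the pipSv*GroupName attributes. The resolve_groups() function illustrates the mapping described under "SAML group name mapping"; exact, case-sensitive matching of the assertion's attribute values against the configured group names is an assumption, not documented product behaviour.

```python
"""Audit an SV Management saml2.config element (added example, not product code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed copy of the page's connection example, used as sample input.
SAMPLE_CONFIG = """<saml2MembershipProviderConfiguration
    applicationId="svm"
    authorization=""
    autorizationUserNameMappingAttribute=""
    lspAssertionConsumerServiceUrl="https://svm.mycompany.com:6086/Account/Saml/AssertionConsumerService"
    lspSingleLogoutServiceUrl="https://svm.mycompany.com:6086/Account/Saml/SingleLogoutService"
    lspCertificateFileName="svm.p12"
    lspCertificatePassword="password"
    lspResolveToHttps="false"
    pipSamlIssuerId="http://www.okta.com/youroktaidentifier"
    pipSingleSignOnServiceUrl="https://mycompany.okta.com/app/mycompany_svm_1/youroktaidentifier/sso/saml"
    pipSingleLogoutServiceUrl="https://mycompany.okta.com/app/mycompany_svm_1/youroktaidentifier/slo/saml"
    pipCertificate="okta.cert"
    pipSignAuthnRequest="true"
    pipSignLogoutRequest="true"
    pipSignLogoutResponse="true"
    pipWantLogoutRequestSigned="true"
    pipWantLogoutResponseSigned="true"
    pipSvmGroupsAttribute="SvmMembership"
    pipSvmUsersGroupName="SvmUsers"
    pipSvOperatorsGroupName="SvOperators"
    pipSvPublishersGroupName="SvPublishers"
    pipSvRuntimeAdministratorsGroupName="SvRuntimeAdministrators"
    pipSvServerAdministratorsGroupName="SvServerAdministrators"
/>"""

# The page recommends "true" for every one of these.
SIGNING_FLAGS = ("pipSignAuthnRequest", "pipSignLogoutRequest", "pipSignLogoutResponse",
                 "pipWantLogoutRequestSigned", "pipWantLogoutResponseSigned")
# Endpoint URLs that carry SAML messages (HTTPS check is this example's own addition).
ENDPOINT_URLS = ("lspAssertionConsumerServiceUrl", "lspSingleLogoutServiceUrl",
                 "pipSingleSignOnServiceUrl", "pipSingleLogoutServiceUrl")
# Configuration attribute -> built-in Service Virtualization group it maps to.
GROUP_ATTRIBUTES = {
    "pipSvmUsersGroupName": "SVM Users",
    "pipSvOperatorsGroupName": "SV Operators",
    "pipSvPublishersGroupName": "SV Publishers",
    "pipSvRuntimeAdministratorsGroupName": "SV Runtime Administrators",
    "pipSvServerAdministratorsGroupName": "SV Server Administrators",
}
# Sample values from the page that must be replaced before go-live (assumption).
PLACEHOLDERS = ("password", "youroktaidentifier", "svm.mycompany.com")


def load_config(xml_text):
    """Return the attributes of the saml2MembershipProviderConfiguration element as a dict."""
    root = ET.fromstring(xml_text)
    if root.tag != "saml2MembershipProviderConfiguration":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return dict(root.attrib)


def audit(cfg):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for flag in SIGNING_FLAGS:
        if cfg.get(flag, "").lower() != "true":
            findings.append(f'{flag}={cfg.get(flag)!r}: recommended value is "true"')
    for key in ENDPOINT_URLS:
        if urlparse(cfg.get(key, "")).scheme != "https":
            findings.append(f"{key} is not https: {cfg.get(key)!r}")
    # Single Logout needs a signing certificate with a private key and its password.
    if cfg.get("lspSingleLogoutServiceUrl") and not (
            cfg.get("lspCertificateFileName") and cfg.get("lspCertificatePassword")):
        findings.append("Single Logout is configured but lspCertificateFileName or "
                        "lspCertificatePassword is missing")
    # authorization and the mapping attribute are either both empty or 'Ldap' plus a mapping.
    authz = cfg.get("authorization", "")
    mapping = cfg.get("autorizationUserNameMappingAttribute", "")
    if authz == "" and mapping:
        findings.append("autorizationUserNameMappingAttribute is set but authorization is empty")
    elif authz == "Ldap" and not mapping:
        findings.append("authorization is 'Ldap' but autorizationUserNameMappingAttribute is empty")
    elif authz not in ("", "Ldap"):
        findings.append(f"authorization={authz!r} is neither empty nor 'Ldap'")
    for key, value in cfg.items():
        for marker in PLACEHOLDERS:
            if marker in value:
                findings.append(f"{key} still contains sample value {marker!r}")
    # Two built-in groups sharing one SAML group name would merge their privileges.
    names = [cfg.get(k) for k in GROUP_ATTRIBUTES if cfg.get(k)]
    if len(names) != len(set(names)):
        findings.append("two or more pipSv*GroupName attributes share the same SAML group name")
    return findings


def resolve_groups(cfg, assertion_attributes):
    """Map the values of the configured groups attribute onto the built-in SV groups."""
    values = set(assertion_attributes.get(cfg.get("pipSvmGroupsAttribute", ""), []))
    return [builtin for key, builtin in GROUP_ATTRIBUTES.items() if cfg.get(key) in values]


if __name__ == "__main__":
    config = load_config(SAMPLE_CONFIG)
    for finding in audit(config):
        print("FINDING:", finding)
    print("groups:", resolve_groups(config, {"SvmMembership": ["SvmUsers", "SvOperators"]}))
```

Run against the sample element the script reports only the leftover sample values (the signing, endpoint, SLO and authorization checks all pass); point load_config() at your own HP.SV.ServiceVirtualizationManager.saml2.config element to audit a real deployment.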

