
For SAML authentication, you provide specific NetMRI and IDP server information and map your organization's remote user groups to the NetMRI user roles. Groups should contain users intended to log in to NetMRI via SSO.

Prerequisites for configuring SAML authentication:

  • You have enabled ports 443 (HTTPS) and 80 (HTTP) on the firewall to allow NetMRI to communicate with the IDP SAML server.

  • In NetMRI, you have specified the eth0 main MGMT IP address on the Settings > General Settings > Advanced Settings > Configuration Management > Fully Qualified Domain Name page.

  • You have downloaded a valid SSL certificate and private key files from the IDP SAML server and copied them onto your SAML server. You can generate a self-signed certificate and key using OpenSSL at https://www.openssl.org/docs/manmaster/man1/openssl-req.html.

  • On the IDP SAML server, you have configured the following attributes that NetMRI expects in the SAML assertion:

NetMRI SAML Attribute Key            | SAML Attribute Value   | Description                                                  | Example
-------------------------------------|------------------------|--------------------------------------------------------------|-------------------------------
uid                                  | username               | User name as specified in the IDP user record.               | jdoe
urn:oid:1.2.840.113549.1.9.1 or mail | mail                   | The person's email ID in the IDP user record.                | jdoe@example.com
urn:oid:2.5.4.42 or givenName        | givenName              | Given name (first name) as specified in the IDP user record. | john
urn:oid:2.5.4.4 or surname           | surname                | Surname (last name) as specified in the IDP user record.     | doe
Group Attribute                      | Custom group attribute | User's relation to the organization or group.                | memberOf, eduPersonAffiliation

To configure a NetMRI SAML authentication service, complete the following:

  1. Go to the Settings icon > General Settings > Authentication Services.

  2. Click the New icon. The Add Authentication Service dialog box opens.

  3. Name: Enter the name of the SAML authentication service. This name will appear on the NetMRI login form. For example, Okta, Azure SSO, and so on.

  4. Description: Enter a textual description for the SAML authentication service.

  5. Priority and Timeout: These settings do not apply to the SAML authentication type.

  6. Service Type: Choose SAML.

  7. In the Service Specific Information section, specify the following:

    • Entity ID: Enter the unique identifier of the SP entity (i.e. NetMRI) for the IDP.

    • IdP Metadata Url: Enter the IDP metadata URL.

    • IdP Group Attribute: User's relation to the organization or group. For example, memberOf.

    • IdP CA Certificate: Choose the certificate file.

    • Key: Choose the private key file.

  8. Disable service: By default, this setting is turned on. When you turn it off, the configured service becomes available on the NetMRI login form.

  9. Disable authorization: By default, this setting is turned on until remote groups are specified.

  10. Click Save. You can now proceed to remote group mapping or close the window.

When you save a SAML service configuration, NetMRI generates an SP Metadata link based on the data that you provided. To access the link, close the Add Authentication Service window and, in the Actions menu for the configured SAML service, select Edit. Click the SP Metadata link to open an XML document with the NetMRI metadata in a new window. Use this metadata to configure the connection between your IDP and NetMRI.

To map the SAML service’s remote groups to NetMRI local roles, complete the following:

  1. In the Add Authentication Service dialog, click the Remote Groups tab.

  2. Click New (the plus icon). The Add Remote Group dialog opens.

  3. In the Remote Group field, enter the name of a new remote users group for the SAML authentication service. The name must match the group name in the SAML server metadata. Here you map this group name to the NetMRI role(s) and device group(s).

  4. Description: Enter a textual description for the remote group.

  5. Click Save.

  6. Click Add Role and select a role from the drop-down list. For more information, see Defining and Editing Roles.

  7. In device groups, select the checkboxes for the device groups you want to allow for the remote group. Note that the SysAdmin role applies to all device groups; other roles allow the selection of individual device groups.

  8. Click OK to complete the configuration.

  9. When finished with the remote group configuration, click Save and then Close. Note that you can add multiple roles for the remote group.
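As an added example (not NetMRI's own code), the Python below checks an assertion's AttributeStatement for the attributes listed in the prerequisites table, accepting either the OID or the friendly name, and then maps the values of the IdP Group Attribute to NetMRI roles by exact group-name match, the way the remote-group mapping above works. The assertion body, the group names and the role mapping are constructed, and the assertion is assumed to have passed signature validation already.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute Name values NetMRI expects (from the table above): either the
# OID form or the friendly name is accepted for mail, givenName and surname.
EXPECTED = {
    "uid": ("uid",),
    "mail": ("urn:oid:1.2.840.113549.1.9.1", "mail"),
    "givenName": ("urn:oid:2.5.4.42", "givenName"),
    "surname": ("urn:oid:2.5.4.4", "surname"),
}

# Constructed sample assertion body (assumed already signature-verified).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement>
<saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:1.2.840.113549.1.9.1"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="givenName"><saml:AttributeValue>john</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>doe</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="memberOf"><saml:AttributeValue>netops</saml:AttributeValue><saml:AttributeValue>helpdesk</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>"""

def extract_attributes(assertion_xml, group_attribute="memberOf"):
    """Return (user, groups); raise ValueError if a required attribute is absent."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    user = {}
    for key, names in EXPECTED.items():
        values = next((attrs[n] for n in names if n in attrs), None)
        if not values or not values[0]:
            raise ValueError(f"assertion lacks required attribute {key}")
        user[key] = values[0]
    # The IdP Group Attribute configured in NetMRI carries the group list.
    return user, attrs.get(group_attribute, [])

def roles_for(groups, remote_group_roles):
    """Map IdP groups to NetMRI roles by exact name; unmapped groups grant nothing."""
    roles = set()
    for group in groups:
        roles.update(remote_group_roles.get(group, ()))
    return sorted(roles)

if __name__ == "__main__":
    # Constructed remote-group mapping: only "netops" is mapped to a role.
    user, groups = extract_attributes(SAMPLE_ASSERTION)
    print(user, groups, roles_for(groups, {"netops": ["SysAdmin"]}))
```

An empty mapping (the state while "Disable authorization" is still on) yields no roles, so a caller can deny the login even though the assertion itself is valid.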
