
Authenticating Admins Using SAML

NIOS supports SAML (Security Assertion Markup Language) 2.0 authentication for Single Sign-On. SAML provides a standard, vendor-independent grammar and protocol for transferring information about a user from one web server to another, independent of the servers' DNS domains. SAML enables IT administrators to manage user access rights in a single place. By enabling SAML, user management is delegated to an external application, relieving IT administrators of the complexity of maintaining user accounts in every application (also known as a Service Provider) used by the organization. Instead, IT administrators maintain one account in the Identity Provider (IdP), which can be used across Service Providers (SPs). The IdP is the application server that maintains the user accounts of the entire organization, so IT administrators can manage users' access rights in one place. Users can log in to the IdP directly and, once logged in, traverse to the required SP without being prompted for a user ID and password. SAML thus lets NIOS delegate identity management to a third-party SSO application (the IdP) and eases administrative effort.

Note

You need super user permissions to perform SAML-related configurations.

SAML Login Use Cases

The following is a list of use cases and the outcome of NIOS users attempting to log in when using SAML authentication and when not using SAML authentication:

  • If SAML is enabled and users have already logged in to the IdP account and the corresponding user account is present in NIOS, users can directly start using Grid Manager without logging in to NIOS.

  • If a user has logged in to the IdP account but the corresponding user account is not present in NIOS, and the Auto Create User checkbox is selected, the user can directly start using Grid Manager without logging in to NIOS. For information about the Auto Create User checkbox, see Auto Creating SAML Users in NIOS.

  • If a NIOS user who is not SAML-authorized tries to log in to NIOS using the SSO Login button, the login fails. However, the user can log in using the Login button.

Prerequisites for Configuring SAML Authentication

Ensure that you meet the following prerequisites before you configure SAML for NIOS:

  • When adding the NIOS application in the IdP, specify the Grid Manager URL in the https://<Grid Manager IP address>:8765/?acs format. This is referred to as the Assertion Consumer Service URL or ACS URL. Port 8765 is opened for SAML services.

  • After you add NIOS to the IdP, copy either the metadata or the metadata URL and specify it in the SAML configuration screen.

  • Ports 443 (HTTPS) and 80 (HTTP) must be allowed on the firewall so that NIOS can communicate with the IdP.

  • Ensure that the group that you specify in the IdP also exists in NIOS with the same users as in the IdP. If you did not specify a group attribute in the IdP, SAML-authenticated users are added to the default SAML group: saml-group.

  • SAML authentication in NIOS requires configuring an Identity Provider (IdP) for authentication. Infoblox-verified IdPs are listed by name in the IDP Type drop-down list. The IDP Type drop-down list also contains the Others option for users who wish to configure an IdP that is not listed. Because of inconsistent compliance with SAML standards and widely varying IdP vendor implementations, Infoblox is unable to provide configuration support if you select the Others option. Infoblox recommends that you contact the IdP vendor for support if you use this option.

Enabling SAML Authentication

To enable SAML authentication for NIOS users, perform the following steps:

  1. Log in as a super user.

  2. Click the SAML Authentication Services tab.

  3. From the Toolbar, click Add -> SAML Service.

  4. In the Add SAML Authentication Service wizard:

    • Name: Enter a name for the authentication service.

    • IDP Type: Select the IDP type that you want to configure for the authentication service. NIOS supports the following IdP types: Azure SSO, Okta, Ping Identity, Shibboleth SSO, Others.

    • SSO Metadata URL: Enter the metadata URL of the IDP. Alternatively, copy the metadata into a file and upload the file. For information on obtaining the metadata, see Obtaining Metadata.

    • SSO Redirect IP Address/FQDN: Enter the IP address or the FQDN of Grid Master. If you enter a value other than the IP address or FQDN, the SAML service will not work. A best practice is to enter the FQDN because it is used by the IdP for the SAML response.

    • Session Timeout(s): Enter the amount of time that a SAML user can be idle, after which the session must terminate. The time that you specify here supersedes the session timeout specified in the Grid Properties -> Security -> Session Timeout(s) field. For more information about session timeout in the Grid, see Managing Security Operations.

    • IDP Group Attribute: Enter a group attribute name. The group attribute name that you enter must have the same value as the Group Attribute in your IdP configuration. If the value in NIOS is different from what is configured in the IdP, or if the value is missing, the incoming SAML user is placed in the default SAML group saml-group. If the value matches, the IdP's group attribute filter passes the user's group membership to NIOS. If there is a NIOS group that exactly matches a group name in the list of groups from the IdP, and that NIOS group is configured for SAML, the user gets placed into that NIOS group. If there is no matching NIOS group, the user gets placed in the default SAML group saml-group.

    • Comment: Enter additional comments if any.

  5. Click Save & Close.

Now, if you log out and try to log in again, the SSO Login button is displayed.

When SAML-authorized users try to log in for the first time by clicking the SSO Login button, they are directed to their IdP login page. If the credentials they specify exist in the IdP, they are redirected to the NIOS home page.
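The group-placement rules described under IDP Group Attribute above, worked through as an added example that is not part of this documentation or of the NIOS product code. It parses a constructed SAML 2.0 Response (signature validation omitted; only the attribute-mapping step is shown), pulls the values of the configured group attribute out of the AttributeStatement, and applies the placement rules: a user lands in the first IdP group name that exactly matches a SAML-enabled NIOS group, otherwise in saml-group. The hostname gm.example.com, the attribute name groups, the group names and the NIOS_GROUPS table are all constructed sample values; the check that the Response's Destination equals the configured ACS URL is an extra sanity check added here, which matters because the ACS URL must be built from the FQDN or IP address configured as the SSO Redirect IP Address/FQDN.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by a Response and its Assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Default group for SAML-authenticated users when no mapping applies.
DEFAULT_SAML_GROUP = "saml-group"

# Constructed sample Response (not a capture from any real IdP).
# The Signature element is omitted; this example covers only group mapping.
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://gm.example.com:8765/?acs">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>dns-admins</saml:AttributeValue>
        <saml:AttributeValue>helpdesk</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed table of NIOS admin groups: name -> "configured for SAML".
# "helpdesk" exists but is not SAML-enabled, so it must never be selected.
NIOS_GROUPS = {
    "dns-admins": True,
    "helpdesk": False,
    "saml-group": True,
}


def check_destination(response_xml, expected_acs_url):
    """True if the Response was addressed to the ACS URL NIOS expects."""
    root = ET.fromstring(response_xml)
    return root.get("Destination") == expected_acs_url


def extract_groups(response_xml, group_attribute):
    """Return the values of the attribute whose Name matches the
    configured IDP Group Attribute, or [] if the attribute is absent
    (which the placement rules treat as 'no group information')."""
    root = ET.fromstring(response_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == group_attribute:
            return [v.text.strip()
                    for v in attr.iterfind("saml:AttributeValue", NS)
                    if v.text and v.text.strip()]
    return []


def assign_group(idp_groups, nios_groups):
    """Apply the placement rules: exact (case-sensitive) name match against a
    NIOS group that is configured for SAML wins; otherwise saml-group.
    Assumption: when several IdP groups match, the first listed is used."""
    for name in idp_groups:
        if nios_groups.get(name):
            return name
    return DEFAULT_SAML_GROUP


def resolve_nios_group(response_xml, group_attribute, nios_groups):
    """End-to-end: attribute lookup followed by group placement."""
    return assign_group(extract_groups(response_xml, group_attribute), nios_groups)


if __name__ == "__main__":
    acs = "https://gm.example.com:8765/?acs"
    print("destination ok:", check_destination(SAMPLE_RESPONSE, acs))
    print("groups attr  :", resolve_nios_group(SAMPLE_RESPONSE, "groups", NIOS_GROUPS))
    print("memberOf attr:", resolve_nios_group(SAMPLE_RESPONSE, "memberOf", NIOS_GROUPS))
```

Running it with the attribute name set to groups places jdoe in dns-admins; setting it to memberOf (an attribute the sample Response does not carry) reproduces the "value missing" case and falls back to saml-group. A group that exists in NIOS but is not configured for SAML (helpdesk here) is skipped, which is why the IdP group must be created in NIOS and enabled for SAML before users can land in it.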

Obtaining Metadata

This section explains how to obtain the metadata URL of the IdP. The procedure may vary slightly depending on the type of IdP that you select; the procedure in this section uses Okta as the IdP example. If you are using an IdP other than Okta, contact your IT administrator for the metadata URL.

To obtain the metadata URL of Okta:

  1. Log in to your Okta account.

  2. Go to My Applications and click the URL of your Grid Manager.

  3. You can either copy the XML metadata for the Grid Manager into a file or use the URL of the metadata.

Auto Creating SAML Users in NIOS

After enabling SAML authentication, you can configure NIOS so that users who belong to a particular group in the IdP are automatically created in NIOS. Once the users are automatically created in NIOS, they can access Grid Manager directly after logging in to their IdP account.

  1. Log in as a super user.

  2. Create a group by the same name as that of the group in the IdP account. For information about creating groups, see About Admin Groups.

  3. Click the Administration → Administrators tab.

  4. Select the group that you created and click the Edit icon. The out-of-the-box group for SAML authenticated users is saml-group.

  5. Click the SAML tab.

  6. Select Auto Create User for users in the IdP group to be automatically created in NIOS. When a new IdP user logs in to NIOS, that user is created in NIOS.

  7. Select Persist Auto Created User after logout if you want to retain the SAML user accounts in NIOS even after the session times out. The session timeout value is the one specified in the Session Timeout field when you enabled SAML authentication. For more information, see Enabling SAML Authentication. If you do not select the Persist Auto Created User after logout checkbox, then when the session times out, users for whom the SAML Only option was selected in the Authentication Type field are deleted from NIOS. Leaving the checkbox cleared also deletes the user account, along with all scheduled tasks associated with it, when the user logs out of NIOS. For information about the Authentication Type field, see Creating Local Admins.

  8. Click Save & Close.

Note

If you select the Persist Auto Created User after logout checkbox and the session times out, you must manually verify whether the user account still exists in the IdP. If the user account has been deleted from the IdP, you must manually delete the account in NIOS.

Authenticating SAML Users

When you create administrators, you can authenticate them either as SAML-only administrators or as SAML/local administrators. Depending on the authentication type, administrators can log in using either the SSO Login button or the Login button. For more information, see Creating Local Admins.