SAML Single Sign-On (SSO) Authentication for User Portal
You may set up SAML Single Sign-On (SSO) for User Portal users. This allows users with valid SAML logins to access the User Portal GUI without needing additional credentials.
Setting Up SAML SSO
- Run the following to install the required packages on all User Portal servers on which you want to enable SAML authentication:
~# yum install libffi-devel xmlsec1 xmlsec1-openssl
- Configure User Portal as a Service Provider in your Identity Provider. Allow HTTP POST and HTTP Redirect for SAML binding. Consult your vendor documentation for more instructions about configuring your Identity Provider.
Your IdP must provide the following attribute statements for matching User Portal accounts:
- Statement matching User Portal users' username
- Statement matching User Portal users' email
- Statement matching User Portal users' UPN
- Assertion Consumer Service URL as POST: /api/provider/saml2/acs
Note: The attributes passed by the Identity Provider must be signed, and the SAML response must not be encrypted.
Establish a trust relationship between your Identity Provider and User Portal: export the TLS signing certificate from your Identity Provider and add it to the trusted certificates on all User Portal servers that will use SAML authentication.
- Configure the SAML SSO settings in the User Portal Management Portal GUI.
Navigate to Settings → SAML Settings and set the Attribute mapping in the following format:
{attribute_statement1:up_attribute1,attribute_statement2:up_attribute2,...}
You must provide a mapping for the User Portal users' username, email, and UPN.
Note: If you want to block a user from accessing User Portal, you must restrict that user's access using the Identity Provider's settings.
Set the Entity ID that the Identity Provider will use to recognize User Portal. User Portal also needs XML formatted metadata from the Identity Provider. Either provide the Metadata auto conf URL or Metadata local file path. If both metadata settings are provided, the local setting takes precedence.
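The Attribute mapping string above is easy to get subtly wrong (a missing UPN entry, a claim name the IdP never sends). The following is an added example, not part of the User Portal documentation or product code: it parses the documented `{attribute_statement:up_attribute,...}` format, reports which of the three required User Portal attributes are not covered, and applies the mapping to the statements an IdP sent. The User Portal-side names `username`, `email` and `upn`, the IdP-side claim names, and the sample values are assumptions or constructed samples.

```python
# Added example, not part of the User Portal documentation or product code.
# Parses the documented Attribute mapping string
#   {attribute_statement1:up_attribute1,attribute_statement2:up_attribute2,...}
# checks that it covers the three required User Portal attributes, and applies
# it to the attribute statements an IdP sent. The User Portal-side names
# "username", "email" and "upn" are assumptions; the IdP-side statement names
# and the values below are constructed samples.

REQUIRED_UP_ATTRIBUTES = frozenset({"username", "email", "upn"})  # assumed names


def parse_attribute_mapping(text: str) -> dict:
    """Parse '{stmt1:up_attr1,stmt2:up_attr2,...}' into {stmt: up_attr}.

    Each pair is split on its LAST colon so that URI-style claim names such as
    http://.../claims/upn survive intact (an assumption about the format).
    """
    text = text.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("mapping must be enclosed in curly braces")
    mapping = {}
    body = text[1:-1].strip()
    for pair in (p for p in body.split(",") if p.strip()):
        if ":" not in pair:
            raise ValueError(f"malformed pair, expected statement:up_attribute: {pair!r}")
        statement, up_attribute = (part.strip() for part in pair.rsplit(":", 1))
        if not statement or not up_attribute:
            raise ValueError(f"empty name in pair: {pair!r}")
        if statement in mapping:
            raise ValueError(f"attribute statement mapped twice: {statement!r}")
        mapping[statement] = up_attribute
    return mapping


def missing_required(mapping: dict) -> set:
    """Return the required User Portal attributes the mapping does not cover."""
    return set(REQUIRED_UP_ATTRIBUTES) - set(mapping.values())


def apply_mapping(mapping: dict, idp_attributes: dict) -> dict:
    """Translate the IdP's attribute statements into User Portal account fields.

    A mapped statement the IdP did not send is reported explicitly: that is the
    usual reason a login succeeds at the IdP yet fails at User Portal.
    """
    missing = [s for s in mapping if s not in idp_attributes]
    if missing:
        raise KeyError(f"IdP did not send mapped attribute statement(s): {missing}")
    return {up_attribute: idp_attributes[statement] for statement, up_attribute in mapping.items()}


# Constructed sample mapping and IdP attributes (not from a real deployment).
SAMPLE_MAPPING = (
    "{uid:username,mail:email,"
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn:upn}"
)
SAMPLE_IDP_ATTRIBUTES = {
    "uid": "jdoe",
    "mail": "jdoe@example.com",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "jdoe@example.com",
}

if __name__ == "__main__":
    mapping = parse_attribute_mapping(SAMPLE_MAPPING)
    print("mapping:", mapping)
    print("missing required attributes:", missing_required(mapping) or "none")
    print("account fields:", apply_mapping(mapping, SAMPLE_IDP_ATTRIBUTES))
```

Run `missing_required` on the mapping before saving it in SAML Settings: an empty set means username, email and UPN are all covered. Splitting each pair on its last colon is a design choice of this example so that URI-style claim names pass through; whether User Portal itself parses the string that way is not stated on this page.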
Testing SAML SSO
You can test your SAML SSO setup as follows:
Log in to User Portal using the SAML SSO button. You will be required to authenticate against your IdP.
Upon successful login you will be logged into User Portal.
Troubleshooting SAML Setup
In case of issues related to SAML authentication, you may gain additional information about potential causes as follows:
- If the Use Single Sign On with SAML button is missing from the User Portal login page, ensure that the Entity ID is set in the User Portal Management UI under SAML Settings. If more than one User Portal is used, this setting must be configured separately for each one where SAML support is needed.
- To see what the SAML assertion includes, consider using a browser extension that traces SAML requests. This can be particularly useful for confirming what your IdP sends to User Portal.
- Using the browser's developer tools, ensure that the request sent to /api/provider/saml2/acs is of POST type.
- Ensure that the User Portal time is within the date and time margins allowed by the SAML IdP.
- For detailed logs about SAML authentication, run the following on the User Portal where SAML is being attempted:
# supervisorctl tail -f user_portal
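Once a SAML-tracing extension has given you the base64-decoded SAMLResponse, the checks in the troubleshooting list above can be run against it offline. The following is an added example, not part of the User Portal documentation or product code: it inspects a captured response and reports whether it is encrypted, whether the assertion carries a signature, whether the SP clock falls inside the assertion's NotBefore/NotOnOrAfter window, which attributes the IdP actually sent, and whether the Destination is the ACS URL. It does not verify the signature (xmlsec does that inside User Portal); it only reports what is present. The sample response, the `userportal.example.invalid` hostname and the attribute names are constructed.

```python
# Added example, not part of the User Portal documentation or product code.
# Inspects a captured, base64-decoded SAMLResponse (for instance one taken
# from a SAML-tracing browser extension) and reports the conditions this page
# calls out: the response must not be encrypted, the assertion must carry a
# signature, the Conditions window must contain the SP's clock, and the
# Destination should be the ACS URL. It does NOT verify the signature; that
# is xmlsec's job inside User Portal. The sample response, hostname and
# attribute names are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample, reduced to the elements the checks look at.
SAMPLE_ACS = "https://userportal.example.invalid/api/provider/saml2/acs"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{SAMPLE_ACS}">
  <saml:Assertion>
    <ds:Signature xmlns:ds="{NS['ds']}"/>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_instant(value: str) -> datetime:
    """Parse a SAML UTC timestamp (2024-01-01T12:00:00Z, optionally with fractional seconds)."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC instant ending in Z: {value!r}")
    whole_seconds = value[:-1].split(".")[0]
    return datetime.strptime(whole_seconds, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def inspect_saml_response(xml_text: str, sp_now: datetime, expected_acs: str) -> dict:
    """Return a dict of findings about a decoded SAMLResponse document."""
    root = ET.fromstring(xml_text)
    findings = {
        "destination_matches_acs": root.get("Destination") == expected_acs,
        "encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "assertion_present": False,
        "signed": False,
        "within_validity_window": None,  # None when the assertion has no Conditions
        "attributes": {},
    }
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings
    findings["assertion_present"] = True
    # A signature may sit on the assertion or on the enclosing response.
    findings["signed"] = (assertion.find("ds:Signature", NS) is not None
                          or root.find("ds:Signature", NS) is not None)
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None and conditions.get("NotBefore") and conditions.get("NotOnOrAfter"):
        not_before = parse_saml_instant(conditions.get("NotBefore"))
        not_on_or_after = parse_saml_instant(conditions.get("NotOnOrAfter"))
        findings["within_validity_window"] = not_before <= sp_now < not_on_or_after
    for attribute in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attribute.findall("saml:AttributeValue", NS)]
        findings["attributes"][attribute.get("Name")] = values[0] if len(values) == 1 else values
    return findings


def problems(findings: dict) -> list:
    """Turn findings into the troubleshooting hints this page lists."""
    out = []
    if findings["encrypted"]:
        out.append("response is encrypted; User Portal requires an unencrypted SAML response")
    if not findings["assertion_present"]:
        out.append("no Assertion element found")
    elif not findings["signed"]:
        out.append("assertion is not signed; the IdP must sign the attributes it passes")
    if findings["within_validity_window"] is False:
        out.append("SP clock is outside the assertion's NotBefore/NotOnOrAfter window; check time sync")
    if not findings["destination_matches_acs"]:
        out.append("Destination does not match the ACS URL /api/provider/saml2/acs")
    return out


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 2, 0, tzinfo=timezone.utc)  # constructed SP clock
    result = inspect_saml_response(SAMPLE_RESPONSE, now, SAMPLE_ACS)
    print(result)
    print("problems:", problems(result) or "none")
```

Pass the User Portal server's current UTC time as `sp_now` rather than your workstation's; the time-margin finding is only meaningful for the clock that actually validates the assertion. The `attributes` finding is what you compare against the Attribute mapping configured under SAML Settings.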