Authentication: SAML

How to Authenticate SAML

About the Page

Authentication: SAML allows you to configure authentication for Security Assertion Markup Language (SAML). SAML is an open standard you can use to communicate between Access Server and identity providers (IdP) to pass credentials for user authentication.

SAML Settings

In this section, you can enable SAML authentication, use the information provided to configure your IdP with Access Server as the service provider, and configure the timeout, hostname, certificate, and key.

Enable SAML authentication

Set the toggle to Yes to enable SAML as the default authentication or for assigned users and groups. For example, you can create administrators for Access Server that use local authentication and use SAML authentication for VPN users.

With the toggle set to No, SAML authentication isn’t used as an additional authentication method.

Note: You can’t set SAML as the default authentication on the Authentication: Settings page until you’ve configured SAML and set this toggle to Yes.

Send ForceAuthn flag to IdP to require user interaction

When set to Yes, Access Server includes the ForceAuthn flag in the authentication request, which forces users to authenticate with the IdP again regardless of any existing authenticated session with the IdP.

Send custom AuthnContext to IdP

Include specific methods in the authentication request sent to the IdP, such as Password, PasswordProtectedTransport, TLSClient, X509, Kerberos, and others. The default (when set to No) is PasswordProtectedTransport.

AuthnContexts to include in the AuthnRequest: after setting the custom AuthnContext toggle to Yes, enter the authentication methods to request as a space-separated list in this text field.
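As an added example (not Access Server's own code), this builds the SAML 2.0 AuthnRequest that the ForceAuthn toggle and the custom AuthnContext field shape, so you can see what the IdP receives under each setting. The SP and IdP URLs are constructed placeholders; the URN prefix and class names (Password, PasswordProtectedTransport, TLSClient, X509, Kerberos) are from the SAML 2.0 authentication context specification.

```python
# Added example: build and inspect the AuthnRequest produced by the
# "ForceAuthn" and "custom AuthnContext" settings (stdlib only).
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
DEFAULT_CONTEXT = "PasswordProtectedTransport"  # the default stated on the page

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, acs_url, idp_sso_url,
                        force_authn=False, custom_contexts=None):
    """Return the AuthnRequest XML as a string.

    custom_contexts is the space-separated field text when the custom
    AuthnContext toggle is Yes, or None when it is No.
    """
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        req.set("ForceAuthn", "true")  # IdP must re-authenticate the user
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    # Toggle No -> only the default class; Yes -> one ClassRef per listed name
    names = custom_contexts.split() if custom_contexts else [DEFAULT_CONTEXT]
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    for name in names:
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = AC_PREFIX + name
    return ET.tostring(req, encoding="unicode")


def requested_contexts(xml_text):
    """Parse an AuthnRequest and return (force_authn, [class names])."""
    root = ET.fromstring(xml_text)
    force = root.get("ForceAuthn", "false").lower() == "true"
    refs = root.findall(f"{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef")
    return force, [r.text[len(AC_PREFIX):] for r in refs if r.text.startswith(AC_PREFIX)]


if __name__ == "__main__":
    xml = build_authn_request("https://vpn.example.com/saml/metadata",  # constructed
                              "https://vpn.example.com/saml/acs",
                              "https://idp.example.com/sso",
                              force_authn=True, custom_contexts="Kerberos X509")
    print(requested_contexts(xml))  # (True, ['Kerberos', 'X509'])
```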

Service Provider (SP) identity and URL

Provide this information for Access Server as your service provider to the IdP.

VPN Authentication Timeout (seconds)

This timeout determines how long the SAML session is valid. The default is 180 seconds.

Hostname

The hostname is the Access Server hostname as a service provider. The default is the hostname of the server. You can optionally set this as a different, SAML-specific hostname.

SP Certificate

The SP certificate is the service provider certificate for your Access Server. It is a PEM-formatted SAML certificate. By default, Access Server generates the certificate provided here. Optionally, you can change it to a custom certificate.

SP Private key

The SP private key is the service provider private key for your Access Server. It is a PEM-formatted SAML private key. By default, Access Server generates the private key provided here. Optionally, you can change it to a custom private key.

Configure Identity Provider (IdP) Automatically via Metadata

SAML IdP screenshot

In this section, you can use a metadata URL or metadata file to configure the connection with your IdP automatically.

  1. IdP Metadata URL: Enter the metadata URL from your IdP and click Get to configure IdP settings automatically.
  2. Select IdP Metadata File: Select a file from your IdP and click Upload to configure IdP settings automatically.

Configure Identity Provider (IdP) Manually

SAML IdP screenshot

In this section, you can provide the values needed to configure the connection with your IdP manually.

  1. IdP EntityID: Enter the identity provider issuer or identifier.
  2. Sign-on Endpoint: Enter the identity provider single sign-on URL or login URL.
  3. Log-out Endpoint (optional): Enter the optional log-out URL.
  4. Certificate (PEM) format: Enter the IdP certificate as text.

Ensure you click Save Settings and Update Running Server to commit your changes for any updates on this page.

Summary

Authentication: SAML allows you to configure the settings for authenticating users with an IdP using SAML. Refer to How SAML authentication works with Access Server for more information and documentation to connect with SAML authentication services.