SAML 2.0 Integration

Last updated July 15, 2024

Access Anywhere supports integration with many directory services through the SAML and LDAP protocols providing authentication and authorization services including single-sign on, identity and group synchronization, auto-add and permission synchronization.

This document describes integration with SAML 2.0 using a number of popular providers. For LDAP see LDAP Integration and for Active Directory see Active Directory Integration. The Access Anywhere identity and access management features are summarized here.

The following flows are supported:

• Service Provider Initiated Flow
• Identity Provider Initiated Flow

For specific details on configuring a specific identity provider follow a specific guides below:

• Microsoft Entra ID
• Configuring with Okta
• Google Workspace SAML App
• Duo Access Gateway
• Configuring with AD FS - Local AD

Once you have completed the configuration you can use the Test Settings button, and complete this by clicking Add Auth System.

If you are looking for how to set up SAML integration with the SMB or Nasuni Connector please refer to this page.

To begin configuring the SAML 2.0 connection, you will need to ensure that SAML is enabled in your Package. To do this login as the ApplAdmin user, visit the User Packages screen, find the package that your organization uses, and ensure that SAML 2 Login System is highlighted in the “Extra options” section

Next, login as the Organization Administrator, visit the Auth Systems screen from the Organization menu.

Under Add Auth System, select SAML from the dropdown beside Auth System.

On this screen, you are now required to enter details about your particular SAML 2.0 identity provider. The following list describes the meaning of each field, including one which will be populated automatically when the authentication system has been added.

• Auth System Name - Each authentication system has a name that is provided for your reference. Enter a name you can use to identify this authentication system later on.
• Identifier (Entity ID) - Unique ID that identifies your application to the SAML Identity Provider. This value must be unique across all applications in your SAML Identity Provider. The default identifier will be the audience of the SAML response for IDP-initiated SSO. (New in release 2301).
• Reply URL (Assertion Consumer Service URL) - This field will hold a URL that can be shared with the SAML system so SAML can deliver authentication tokens to the Access Anywhere server. Access Anywhere will generate the URL and fill in the field when the authentication system has been created. The generated value cannot be overwritten.
• Login button label - Users who are associated with this authentication system will be shown a button on the login page for them to click to perform the login. The text you supply here will be used on the button, for example, you may wish to enter “Login with AcmeCorp AD”
• The Service provider entity ID - Your identity provider will either ask you to supply an Entity ID or will generate one for you. In either case ensure that the values match between the identity provider and Access Anywhere.
• SSO entry point - Your identity provider will provide you with a URL that begins the login flow for your users with the Access Anywhere service. This can commonly be referred to as the SSO URL or SSO Login Endpoint. Enter it here.
• The logout service endpoint - Your identity provider will provide you with the Logout URL, where the Access Anywhere server will send users to when they wish to logout. Enter it here.
• x509 Certificate - Your identity provider will provide you with a certificate when you configure it for SAML. You should download that certificate and paste its entire contents into this field.

• Force authentication - When this option is enabled users to whom this authentication system has been assigned will not be allowed to reuse existing sessions and will have to re-authenticate to login.
• Sign AuthnRequest and LogoutRequest - If this option is enabled then authentication and logout requests will be signed.
• Fetch user Role\Group Name by id (for Azure AD) - If you are using Azure Active Directory Federation Services, you will need to tick this option. Otherwise, leave it unchecked.

• Auto create user on login - When SAML is being used manual user import is not supported so this option should always be checked.
• Refresh role/group membership on login - When this option is enabled each user's groups/roles membership will be refreshed each time the user logs in.
• Auto create new roles/groups on login - When this option is enabled if the server discovers new roles or groups associated with a user it will automatically create corresponding Access Anywhere roles.
• Update user info on login - When this option is enabled, when a user logs in the server will compare the user's name, email address, and phone number returned by the SAML provider with the corresponding values in Access Anywhere and update the database if differences are discovered.

The Access Anywhere server requires certain pieces of information when mapping an authentication system user to a user. Since the names of the fields used by identity providers to hold these values are not standardized, you will need to supply the mappings.

• Unique User Attribute Field - Enter the name of the identity provider field containing this information.
• User Login Field - Enter the name of the identity provider field containing this information.
• User Name Field - Enter the name of the identity provider field containing this information.
• User Email Field - Enter the name of the identity provider field containing this information.
• Role\Group Name Field - Enter the name of the identity provider field containing this information.
• User Phone Field - Enter the name of the identity provider field containing this information.

• NAA Administrator role maps to - Provide the name of a SAML group whose members should automatically be assigned the Administrator role by Access Anywhere.
• Restrict import of SAML users from the following roles\groups - If this field is left empty then Access Anywhere will import users with all roles and groups. To prevent users with specific roles and groups from being imported, list those roles and groups here, one per line. A user will be excluded if she has at least one of the roles or groups listed here regardless of other roles or groups she may have.

As described here, Access Anywhere implements the SCIM 2.0 protocol, allowing identity providers to automatically provision users. If your SAML system supports SCIM and you wish to make use if it, set and use the details as described in this section.

• Enable SCIM 2.0 Server - This switch turns SCIM integration on and off for the SAML authentication system that is being configured. When it is set to Yes the SCIM configuration details will be visible.
• Tenant URL - This value is pre-set by Access Anywhere. You cannot change it. You will need to include it in your identity provider's SCIM configuration.
• Secret Token - This value needs to be included in your identity provider's SCIM configuration. Access Anywhere will generate a default value, but you can overwrite.