Introduction
This article lists the prerequisites to request from the Customer for a SAML integration, then focuses on the Ping Identity integration.
Part 1 - Preparation for SAML integration
In order to integrate SAML, the following needs to be provided by the Customer:
1.1) The "Identity Provider Issuer" (also called Application ID or Partner ID) defined on the Customer's Identity Provider side. This value identifies the Systran SPNS application on the Customer's side.
1.2) The "Identity Provider Entrypoint". This is the URL, on the Customer's side, that is reached for SAML SSO authentication.
1.3) On the Customer's IDP side, the reply URL needs to be set to:
https://<SPNS_URL>/signin/callback
This information needs to be communicated to the Customer.
1.4) Request the XML IDP metadata file from the Customer.
That file contains useful information:
1.4.1) The SSO entry point, through field "SingleSignOnService"
1.4.2) Identity provider signature public key, through field "X509Certificate"
The certificate may need to be reformatted before use; see https://help.systrangroup.com/hc/en-us/articles/360018136919--SPN9-SAML-flow-configure-from-metadata-xml-tips-examples.
1.4.3) The claims. These are the attribute mappings between the SAML IDP and Systran SPNS.
Part 2 - Integration on SYSTRAN SPNS
Configuration of SAML on your SYSTRAN Server
In the SYSTRAN User Interface, go to "Administration > Settings > Authentication Settings" and set the "Authentication mode" to "SAML".
Go to "SAML settings" and configure the fields as indicated below:
2.1) "Identity Provider Entrypoint": paste the value from 1.2) or 1.4.1) above.
2.2) "Identity Provider Issuer": paste the value from 1.1) above.
2.3) "Certificates > Identity provider signature public key": certificates/saml/saml.crt. This file holds the certificate from 1.4.2) above (see "Importing certificate" below).
2.4) "SAML Mapping":
2.4.1) "Mapping of identifier": "userid" (claim name taken from the XML IDP metadata file, see 1.4.3 above)
2.4.2) "Mapping of given name": "First Name" (claim name taken from the XML IDP metadata file, see 1.4.3 above)
2.4.3) "Mapping of family name": "Last Name" (claim name taken from the XML IDP metadata file, see 1.4.3 above)
2.4.4) "Mapping of email": "Email" (claim name taken from the XML IDP metadata file, see 1.4.3 above)
2.5) "Signature algorithm": sha256
2.6) "Do not request specific authentication context": enabled
2.7) "Authentication Context > Name identifier format for form authentication": urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
For this last SPNS field, also refer to the "IDPSSODescriptor" element of the XML IDP metadata file.
Importing certificate
In the command line interface of your SYSTRAN server, copy the Azure AD certificate downloaded earlier (saml.crt) into /opt/systran/apps-node/enterprise-server/certificates/saml
If the "saml" folder does not exist yet, create it with the command:
mkdir -p /opt/systran/apps-node/enterprise-server/certificates/saml
Applying all the settings
Then restart the SYSTRAN SES Console service to apply the new parameters:
systemctl restart systran-ses-console
Part 3 - Testing SAML
3.1) After restarting the console, opening the web page
https://<SPNS_URL>/auth/saml
will redirect to the client's SAML SSO. This check can be performed by SYSTRAN.
If the redirection does not occur, troubleshooting needs to be performed on the Systran SPNS IDP fields, certificates, etc.
If the redirection occurs, proceed with testing the client login.
3.2) Proceed with testing the Customer's login within Systran SPNS. This can only be performed by the Customer, as Systran usually does not have a SAML login.
If needed, troubleshooting needs to be performed at the SAML mapping level.
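Step 3.1 only tells you that a redirect happened; whether the request SPNS sends carries the right Issuer (1.1), entry point (1.2) and reply URL (1.3) is what the Customer's IdP will check next. The script below is an added example, not SYSTRAN's own code: it decodes the SAMLRequest parameter from a redirect URL (base64 over raw DEFLATE, as in the SAML HTTP-Redirect binding) and lists any mismatch against the expected configuration, so a field typo is found before asking the Customer to test. The redirect URL, hostnames and application ID are constructed placeholders; in practice the URL to check is the Location header of the HTTP 302 response from https://<SPNS_URL>/auth/saml.

```python
"""Added example (not SYSTRAN's own code): decode the redirect that
https://<SPNS_URL>/auth/saml issues and compare the AuthnRequest with the
values configured in Part 2.  The redirect URL is built here from placeholder
values; in practice it is the Location header of the HTTP 302 response."""
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Placeholder configuration (the values exchanged in steps 1.1, 1.2 and 1.3).
EXPECTED = {
    "issuer": "systran-spns-app",                             # "Identity Provider Issuer" (1.1)
    "entry_point": "https://idp.example.test/sso/redirect",   # "Identity Provider Entrypoint" (1.2)
    "callback": "https://spns.example.test/signin/callback",  # reply URL set on the IdP (1.3)
}


def build_redirect(entry_point, issuer, callback):
    """Construct a redirect URL the way an SP does under the HTTP-Redirect binding
    (XML -> raw DEFLATE -> base64 -> SAMLRequest query parameter). Demo data only."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           'ID="_demo-request-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
           f'Destination="{entry_point}" AssertionConsumerServiceURL="{callback}" '
           'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    return entry_point + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


def decode_saml_request(location_url):
    """Reverse the binding and return the request as an XML element."""
    query = parse_qs(urlparse(location_url).query)
    if "SAMLRequest" not in query:
        raise ValueError("no SAMLRequest parameter in the redirect URL")
    raw = base64.b64decode(query["SAMLRequest"][0])
    return ET.fromstring(zlib.decompress(raw, -15))


def check_redirect(location_url, expected):
    """Return a list of mismatches; an empty list means the redirect matches the config."""
    problems = []
    loc, entry = urlparse(location_url), urlparse(expected["entry_point"])
    if (loc.scheme, loc.netloc, loc.path) != (entry.scheme, entry.netloc, entry.path):
        problems.append(f"redirect goes to {loc.netloc}{loc.path}, not the configured entry point")
    try:
        req = decode_saml_request(location_url)
    except (ValueError, zlib.error, ET.ParseError) as exc:
        return problems + [f"SAMLRequest could not be decoded: {exc}"]
    if req.tag != f"{{{SAMLP}}}AuthnRequest":
        return problems + ["SAMLRequest is not an AuthnRequest"]
    issuer = req.findtext(f"{{{SAML}}}Issuer")
    if issuer != expected["issuer"]:
        problems.append(f"Issuer is {issuer!r}, expected {expected['issuer']!r}")
    acs = req.get("AssertionConsumerServiceURL")
    if acs != expected["callback"]:
        problems.append(f"AssertionConsumerServiceURL is {acs!r}, expected {expected['callback']!r}")
    dest = req.get("Destination")
    if dest is not None and dest != expected["entry_point"]:
        problems.append(f"Destination is {dest!r}, expected {expected['entry_point']!r}")
    return problems


if __name__ == "__main__":
    good = build_redirect(EXPECTED["entry_point"], EXPECTED["issuer"], EXPECTED["callback"])
    print("correct configuration:", check_redirect(good, EXPECTED) or "OK")
    # Simulate a typo in the "Identity Provider Issuer" field (2.2).
    bad = build_redirect(EXPECTED["entry_point"], "systran-spns-ap", EXPECTED["callback"])
    for p in check_redirect(bad, EXPECTED):
        print("mismatch:", p)
```

To use it on a live server, fetch https://<SPNS_URL>/auth/saml without following redirects, pass the Location header to check_redirect together with the values from Part 1, and fix the SPNS field named in each reported mismatch; an empty list means the remaining troubleshooting, if any, is on the IdP or mapping side (step 3.2).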