Set up a SAML Relying Party within PortalGuard
You want to set up a SAML Relying Party within the PortalGuard Identity Provider. Before you begin, you will need:
- Metadata from the Service Provider (the application that you are integrating with)
- Required Claims for the Service Provider
  - Either from SAML Configuration Documentation OR from the Service Provider Support Contact
- PortalGuard Single Sign-On Pre-Requisites have been met

Navigate to the PortalGuard server and open the Identity Provider Configuration Editor.
Navigate to the 'SAML Websites' tab and click 'Create' on the right-hand side.
On the 'General' tab, provide a 'Name' and 'Description' for the new Relying Party.
Click the 'Add' button next to the 'Identifiers' label.
In the space that appears, add the 'entityID' value for the SP. Click 'okay' to add this identifier.
- This can be found in the metadata from the SP, usually near the top.
- In the screenshot below, the 'entityID' is 'https://saml.istation.com'.
For the 'Assertion Consumer URL', you will need to search the SP Metadata again.
- Search the file for 'AssertionConsumerService' and copy the URL listed as the 'Location'.
- If multiple lines are present for 'AssertionConsumerService', the appropriate location will come from the line with a 'Binding' value of 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'.
Your final result should resemble the following screenshot, based on the examples above:
Navigate to the 'Identity Claims' tab.
Ensure that the 'Attribute Store' dropdown is configured to the appropriate attribute store for this configuration. The attribute store is where PortalGuard will search for attributes to populate the claims.
Click the 'Create' button to configure your first claim.
- For this example, we will be sending a single claim as 'NameID'. For your Relying Party, you will need to know which claims to configure prior to this step.
The 'Name' value here is simply for you to use as a quick reference. This value is only used within the Relying Party configuration and is NOT sent along with the SAML assertion.
If the claim needs to be sent as 'NameID', check the 'Send As NameID?' box here.
- Only one claim should be sent as 'NameID'.
The 'Schema Type' corresponds to the attribute 'Name' value that the SP is looking for.
- Oftentimes, the SP will require the claim to be sent with an attribute 'Name' formatted as 'urn...'.
- If you are unsure, click the 'Pre-defined Types' button and choose an option from the dropdown.
The 'Value Type' for a standard claim should remain 'String Field'.
- If you need to add static text to an attribute before it is sent to the SP as a claim, OR you need to send Groups, you may update the 'Value Type' accordingly. Otherwise, leave it as 'String Field'.
The 'Field Name' value should be set to the attribute that you wish to pull from the Attribute Store.
- For this example, we will be sending the 'sAMAccountName' from AD as the NameID.
Navigate to the 'IdP-Initiated' tab.
Enter some 'Display Text' for this Relying Party.
- This is the label that users will see on the tile for this SP if they navigate to the PortalGuard SSO Jump Page.
Enter some 'Help Text' for this Relying Party.
- This text will appear next to the user's cursor if they hover over the tile without clicking on it.
Click 'Choose Image' next to 'Display Image' and then 'Browse' to choose a thumbnail to display on the PortalGuard SSO Jump Page.
- You may add a custom thumbnail to the C:\inetpub\PortalGuard\SSO\img folder.
- Ensure that the thumbnail sizes remain around 100 pixels by 100 pixels to prevent any slowdown when the server attempts to load the images. Larger images will be resized to fit, however.
- If you do not have a custom thumbnail, feel free to use one of the existing options included with the PortalGuard install.
If the SP you are integrating with does not support IdP-Initiated Single Sign-On, check the 'IdP-Initiated SSO not directly supported by RP' box here and provide a 'Default URL' that will initiate SSO from the SP.
- If you are unsure, leave this box unchecked.
Navigate to the 'Authorization' tab.
- By default, the Relying Party will be accessible to anyone who can authenticate via PortalGuard. If you would like to restrict access, simply click the 'Add' button here and search for an AD User, Group, or OU.
- As soon as an entry is defined here, only users that match the entries on the 'Authorization' tab will be allowed to access the Relying Party via SAML.
Save the Relying Party configuration.
Apply and Sync the changes to test.
If you are unable to finalize the SAML configuration, please submit a ticket (LINK) or reach out to firstname.lastname@example.org for additional assistance.
- When submitting a support request, please ensure that you have a screenshot of the error you are seeing, as well as the PG_Log and IdP_Log files from the PortalGuard server. This information will ensure a rapid response to your support request!
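Two parts of the procedure above are done by hand: reading the 'entityID' and the HTTP-POST 'AssertionConsumerService' Location out of the SP metadata for the General tab, and then, after Apply and Sync, confirming that what PortalGuard sends actually lines up with the identifier, Assertion Consumer URL, NameID and claim Schema Types that were configured. The following is an added example, not PortalGuard code, that does both in Python with only the standard library: step 1 extracts the two General-tab values from SP metadata (picking the HTTP-POST endpoint, and the one marked isDefault when several exist), and step 2 reports every mismatch between a captured SAML Response and those settings. Both XML documents are constructed samples; the sp.example.test and idp.example.test URLs, the 'urn:example:claim:email' attribute Name and the user 'jdoe' are placeholders. The check deliberately ignores the XML signature, which the SP validates on its side.

```python
"""Cross-check a SAML Relying Party configuration end to end (added example, not PortalGuard code).

Step 1: pull the General-tab values ('entityID' identifier and the HTTP-POST
AssertionConsumerService Location) out of SP metadata.
Step 2: compare a SAML Response captured while testing against those values and
the claims configured on the Identity Claims tab.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata: entityID near the top, two ACS lines with different bindings.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.test/saml/artifact"/>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SAML Response, shaped like what an IdP posts to the ACS: one NameID
# (the sAMAccountName) and one attribute claim. Unsigned; signature checks are the SP's job.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2018-09-01T12:00:00Z" Destination="https://sp.example.test/saml/acs">
  <saml:Issuer>https://idp.example.test/portalguard</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-09-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/portalguard</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:example:claim:email">
        <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_rp_settings(metadata_xml):
    """Step 1: the 'Identifiers' entry and the 'Assertion Consumer URL' for the General tab."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    if root.tag != f"{{{MD}}}EntityDescriptor" or not entity_id:
        raise ValueError("metadata is not an EntityDescriptor with an entityID")
    acs = root.findall(f".//{{{MD}}}AssertionConsumerService")
    post = [n for n in acs if n.get("Binding") == HTTP_POST]
    if not post:
        raise ValueError("no AssertionConsumerService with the HTTP-POST binding")
    # Several POST endpoints can exist; isDefault="true" marks the one the SP expects.
    chosen = next((n for n in post if n.get("isDefault") == "true"), post[0])
    return {"identifier": entity_id, "assertion_consumer_url": chosen.get("Location")}


def check_response(rp, claim_schema_types, response_xml):
    """Step 2: list every way the response disagrees with the Relying Party settings.
    An empty list means Destination, Audience, NameID and every claim line up."""
    findings = []
    root = ET.fromstring(response_xml)
    if root.get("Destination") != rp["assertion_consumer_url"]:
        findings.append(f"Destination {root.get('Destination')!r} is not the Assertion Consumer URL")
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:
        return findings + [f"expected one Assertion, found {len(assertions)}"]
    a = assertions[0]
    audiences = [n.text for n in a.findall(f".//{{{SAML}}}Audience")]
    if rp["identifier"] not in audiences:
        findings.append(f"Audience {audiences} does not include the identifier {rp['identifier']!r}")
    name_ids = a.findall(f"./{{{SAML}}}Subject/{{{SAML}}}NameID")
    if len(name_ids) != 1 or not (name_ids[0].text or "").strip():
        findings.append("exactly one non-empty NameID expected; check 'Send As NameID?' on one claim")
    sent = {}  # attribute Name -> non-empty values actually sent
    for attr in a.findall(f".//{{{SAML}}}AttributeStatement/{{{SAML}}}Attribute"):
        values = attr.findall(f"{{{SAML}}}AttributeValue")
        sent[attr.get("Name")] = [v.text for v in values if (v.text or "").strip()]
    for schema_type in claim_schema_types:
        if schema_type not in sent:
            findings.append(f"claim {schema_type!r} missing; check its 'Schema Type'")
        elif not sent[schema_type]:
            findings.append(f"claim {schema_type!r} has no value; check 'Field Name' and the Attribute Store")
    return findings


if __name__ == "__main__":
    settings = extract_rp_settings(SAMPLE_SP_METADATA)
    print(settings)
    print(check_response(settings, ["urn:example:claim:email"], SAMPLE_RESPONSE) or "response matches")
```

On a real integration, replace the sample metadata with the file the SP provided and the sample response with one captured from a browser SAML trace during the test sign-on; each finding names the tab and field where the fix belongs, which is also the information worth including alongside the PG_Log and IdP_Log files in a support request.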
REV. 09/2018 | PortalGuard