Configure Control Room as a service provider

A valid SAML IdP setup must be configured before the Control Room can be switched to a SAML-authentication environment.

Prerequisites

This task is performed by a network administrator on the SAML IdP. You must have the necessary privileges to complete this configuration.

Create a user in Active Directory to match one of your Control Room Admin users. This user tests the Control Room configuration as the last step in the configuration. We recommend that you do not test SAML login with a non-Admin Control Room user; otherwise, you risk having a Control Room that has no Admin user.

Complete the necessary network-side preparations to switch the Control Room to act as the service provider in the SAML IdP setup.

Procedure

  1. Create an application on a SAML IdP.
    For information on commonly used SAML IdPs, see Automation 360 - Change control room authentication to SAML based SSO.
  2. Set the ACS or service provider URL to <Enterprise Control Room URL>/v1/authentication/saml/assertion.
    Note: Ensure that you do not configure the SAML assertions for single logout.
  3. Configure the application that is created in the SAML IdP to map the key user attributes defined in the IdP to be used in the Control Room.
    Key attributes include: UserID, FirstName, LastName, and EmailAddress.
    These values are required when setting up the Control Room to use the SAML IdP.
  4. Optional: Provide access to users on the application created on the SAML IdP.
    Note:
    • Download the SAML IdP metadata and share it with the Control Room administrator for setting up the Control Room.
    • The SAML assertion includes an authentication statement that must include the SessionIndex attribute. As per the SAML specifications, the assertion ID is used as the session index. The purpose of the SessionIndex attribute is to identify which sessions to log out during SAML logout.
<saml2:AuthnStatement AuthnInstant="authenticated_instance" SessionIndex="index_value_required">
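
A pre-flight check of a captured test assertion against the settings in steps 2 and 3 and the SessionIndex note above, as an added example that is not part of the original documentation. It assumes the IdP emits the key attributes under the names UserID, FirstName, LastName, and EmailAddress; the host cr.example.com, the function name, and the sample assertion are constructed, and the check inspects configuration only (it does not verify the assertion signature).

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRS = {"UserID", "FirstName", "LastName", "EmailAddress"}  # step 3 (assumed Attribute names)
ACS_PATH = "/v1/authentication/saml/assertion"  # step 2

# Constructed sample: unsigned assertion with a hypothetical host and user values.
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml2:Subject><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData Recipient="https://cr.example.com/v1/authentication/saml/assertion"/>
  </saml2:SubjectConfirmation></saml2:Subject>
  <saml2:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z" SessionIndex="_a1"/>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="UserID"><saml2:AttributeValue>cradmin</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="FirstName"><saml2:AttributeValue>Control</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="LastName"><saml2:AttributeValue>Admin</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="EmailAddress"><saml2:AttributeValue>cradmin@example.com</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

def check_assertion(xml_text, control_room_url):
    """Return a list of configuration problems; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    problems = []
    stmt = root.find(".//saml2:AuthnStatement", NS)
    if stmt is None:
        problems.append("no AuthnStatement")
    elif not stmt.get("SessionIndex"):
        problems.append("AuthnStatement has no SessionIndex")
    # An attribute counts as present only if it carries a non-empty value.
    present = {a.get("Name") for a in root.iterfind(".//saml2:Attribute", NS)
               if any((v.text or "").strip() for v in a.iterfind("saml2:AttributeValue", NS))}
    for name in sorted(REQUIRED_ATTRS - present):
        problems.append(f"attribute {name} missing or empty")
    # The assertion must be addressed to the ACS URL configured in step 2.
    expected = control_room_url.rstrip("/") + ACS_PATH
    recipients = [d.get("Recipient") for d in root.iterfind(".//saml2:SubjectConfirmationData", NS)]
    if expected not in recipients:
        problems.append("Recipient is not the Control Room ACS URL")
    return problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE, "https://cr.example.com") or "assertion matches the documented settings")
```

Run it against an assertion captured from the test login of the Admin user created in the prerequisites, before switching the Control Room to SAML authentication.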

Next steps

Set up SAML authentication on the Control Room