Configure Control Room as a service provider

You can set up the Control Room to handle external user authentication and manage identity services. This section describes how to configure the Control Room as a service provider in the identity provider (IdP).

Prerequisites

  • An administrator with the necessary privileges on the IdP must perform this procedure.
  • Check with your network team to enable communication between the Control Room and the IdP.

Procedure

  1. Create an application on the IdP to configure the Control Room as a service provider.
    For information on commonly used authentication, see Automation 360 - Change control room authentication to SAML based SSO.
  2. Set the SAML Assertion Consumer Service or service provider URL to <Enterprise Control Room URL>/v1/authentication/saml/assertion.
    Note: Ensure that you do not configure the SAML assertions for single logout (SLO).
  3. Configure the application you have created to map to the key user attributes defined in the IdP for use in the Control Room.
    Key attributes include: UserID, FirstName, LastName, and EmailAddress.

    These values are required as part of the authentication workflow.

    Important: Ensure that the Control Room's key attributes are defined correctly for the configuration to work properly. For IdP configuration examples, see Examples: Configure IdP applications for Control Room.
  4. Provide users with access to the application created on the IdP.
    Note:
    • Download the IdP metadata and share it with the Control Room administrator for setting up the Control Room.
    • The SAML assertion includes an authentication statement that must include the SessionIndex attribute. As per the SAML specifications, the assertion ID is used as the session index. The purpose of the SessionIndex attribute is to identify which sessions to log out during SAML logout.
      <saml2:AuthnStatement AuthnInstant="authenticated_instance" SessionIndex="index_value_required">
    • Create a user in the IdP to match one of your Control Room Admin users. This user tests the Control Room configuration as the last step in the configuration. We recommend that you do not test SAML login with a non-Admin Control Room user, or you risk having a Control Room that has no Admin user.
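
A pre-flight check for the procedure above, as an added example that is not part of the product documentation: it inspects a decoded SAML response captured from a test login and reports a wrong consumer URL, a missing SessionIndex, or a missing key attribute. The function name, the `cr.example.test` host and the sample response are constructed, and it assumes the IdP emits the key attributes under exactly the names listed in step 3.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRS = {"UserID", "FirstName", "LastName", "EmailAddress"}
ACS_PATH = "/v1/authentication/saml/assertion"  # path from step 2

def _attr(name, value):
    return (f'<saml2:Attribute Name="{name}"><saml2:AttributeValue>{value}'
            '</saml2:AttributeValue></saml2:Attribute>')

# Constructed, unsigned sample response; host and user values are placeholders.
SAMPLE = (
    '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Destination="https://cr.example.test/v1/authentication/saml/assertion">'
    '<saml2:Assertion ID="_a1">'
    '<saml2:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z" SessionIndex="_a1"/>'
    '<saml2:AttributeStatement>'
    + _attr("UserID", "cradmin") + _attr("FirstName", "Casey")
    + _attr("LastName", "Admin") + _attr("EmailAddress", "cradmin@example.test")
    + '</saml2:AttributeStatement></saml2:Assertion></saml2p:Response>'
)

def check_response(xml_text, control_room_url):
    """Return configuration problems found in a decoded SAML response.

    Configuration check only: it does not verify the signature, so never
    use it to decide whether a login is trusted.
    """
    root = ET.fromstring(xml_text)
    problems = []
    expected = control_room_url.rstrip("/") + ACS_PATH
    # Assumption: the IdP sets Destination to the configured ACS URL.
    if root.get("Destination") != expected:
        problems.append(f"Destination is not {expected}")
    stmt = root.find(".//saml2:AuthnStatement", NS)
    if stmt is None or not stmt.get("SessionIndex"):
        problems.append("AuthnStatement has no SessionIndex")
    present = set()
    for attr in root.iterfind(".//saml2:Attribute", NS):
        value = attr.find("saml2:AttributeValue", NS)
        if value is not None and (value.text or "").strip():
            present.add(attr.get("Name"))
    for name in sorted(REQUIRED_ATTRS - present):
        problems.append(f"missing or empty attribute: {name}")
    return problems

if __name__ == "__main__":
    for problem in check_response(SAMPLE, "https://cr.example.test") or ["OK"]:
        print(problem)
```

Run it against a response captured with the Admin test user from step 4 before switching the Control Room to SAML, so that an attribute mapping error shows up while the existing login still works.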

Next steps

Set up SAML authentication on the Control Room