Configure SAML 2.0 Support Using the SSO Configuration Tool
Administrators can set parameters for SAML authentication.
As an Administrator, you can allow users to authenticate using Security Assertion Markup Language (SAML) 2.0 by enabling SAML2 authentication. With SAML authentication enabled, NetOps Portal uses user identities and authorization from another authentication source. For example, users can log in to DX NetOps Performance Management using their corporate credentials. To enable SAML2 authentication, you set the parameters for SAML authentication using the Single Sign-On Configuration tool.
You configure SAML 2.0 support using the Single Sign-On Configuration tool (SSOConfig). Complete these steps on all servers with a data source that has users who authenticate using SAML 2.0.
Multiple authentication schemes can be in use simultaneously. For example, users of a DX NetOps Performance Management data source can use LDAP to log in while users of DX NetOps Performance Management are using SAML 2.0.
Follow these steps:
- Open a terminal session on the NetOps Portal host (as root or with the sudo command).
- Launch the Single Sign-On Configuration tool by running the ./SsoConfig command in the following directory:
  <installation_directory>/PerformanceCenter
  /opt/CA is the default installation directory.
  You are prompted to select an option. The available options correspond to CA applications running on the local server.
  Use the following commands as needed while you are selecting settings:
  - b (go back to the previous menu)
- Enter the value that corresponds to the data source that you want to configure. For example, enter 1 to configure NetOps Portal (CAPC). You are prompted to select a configuration option.
- Enter 2 to configure the SAML Authentication security settings. You are prompted to specify the priority. The Priority parameter only applies to NetOps Portal.
- Enter one of the following options:
  - 1. Remote Value: Propagates these settings to the data sources that are registered to this instance of NetOps Portal, including the Event Manager service, which embeds the NetOps Portal URL. NetOps Portal uses these settings only if a corresponding Local Override value is not present. To configure the scheme or port to include the correct NetOps Portal URL in threshold event email messages, use Remote Value.
  - 2. Local Override: Overrides a setting on this NetOps Portal instance. This setting takes precedence over the Remote Value setting and the default settings.
  You are prompted to select a property to configure.
- Enter one or more of the following properties. When prompted, enter u to update the value and supply a new value.
  - 1. Enable SAML2 Authentication: Specifies whether SAML is enabled to allow NetOps Portal to use user identities and authorization provided by another authentication source.
    Values:
    - 1: SAML 2.0 authentication is enabled.
    - 2: SAML 2.0 authentication is disabled.
  - 2. Clone Default User Accounts: Defines the user account to which authorized SAML users are mapped. The role and product privileges that are associated with the user account you specify are applied to all users who successfully authenticate.
    Default: Blank
    Example: Enter user to require all users to log in with user-level privileges.
    An existing user account is required. The user accounts configured on the IdP are sent to NetOps Portal when the agreement is established. They appear in the User List on the Manage Users Admin page, where they can be edited.
  - 3. SAML2 Signature and Encryption Enabled: Specifies whether security and encryption for communications between NetOps Portal and the IdP are enabled.
    Values:
    - 1: SAML2 Signature and Encryption is enabled.
    - 2: SAML2 Signature and Encryption is disabled.
    Default: Disabled
    This setting must match the setting on the IdP.
  - 4. SAML2 Auto-Reauthentication: Specifies whether the system keeps the IdP session for the user active. Enable this parameter to allow DX NetOps Performance Management to perform a passive reauthentication (auto-reauthentication).
    Values:
    - 1: SAML2 Auto-Reauthentication is enabled.
    - 2: SAML2 Auto-Reauthentication is disabled.
  - 5. Auto-Reauthentication Time Period: Specifies the period of time before DX NetOps Performance Management performs the passive reauthentication. If the SAML2 Auto-Reauthentication parameter is disabled, NetOps Portal ignores this parameter.
    Default: None
- Enter b, and then b again, to go back to the first set of options.
- Enter 6 to export the metadata file that establishes the agreement with the IdP. The metadata file supplies the identity provider with the parameters to use when authenticating users. You are asked to supply a directory path and filename.
- Enter the filename. For example, enter /tmp/CAPCMetadata.xml. The file is generated automatically, based on the settings you selected in the Single Sign-On Configuration tool. You see a printout of the XML if the export operation succeeds. If the operation fails, you see an error message.
The Single Sign-On Configuration tool closes.
NetOps Portal uses user identities and authorization from another authentication source through Security Assertion Markup Language (SAML) authentication.
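A check an administrator could run on the exported metadata file before sending it to the IdP, to confirm that it reflects the SAML2 Signature and Encryption Enabled choice, which must match the IdP. This is an added example, not part of the product documentation or the SsoConfig tool. It assumes the export is standard SAML 2.0 service provider metadata; the sample document, host name and endpoint path are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample, not output captured from SsoConfig. The entity ID, host
# and endpoint path are placeholders; a real export may carry other elements.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://netops.example.test/sso">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://netops.example.test/sso/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def review_sp_metadata(xml_text):
    """Return a list of findings for a SAML 2.0 SP metadata document."""
    root = ET.fromstring(xml_text)
    sp = root.find(".//md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor element: not SP metadata"]
    findings = []
    for attr in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        # Both attributes default to false when absent (SAML 2.0 metadata).
        if sp.get(attr, "false").strip().lower() not in ("true", "1"):
            findings.append(f"{attr} is not true")
    uses = {kd.get("use") for kd in sp.findall("md:KeyDescriptor", NS)}
    # A KeyDescriptor without a use attribute serves both purposes.
    for purpose in ("signing", "encryption"):
        if purpose not in uses and None not in uses:
            findings.append(f"no KeyDescriptor for {purpose}")
    for acs in sp.findall("md:AssertionConsumerService", NS):
        location = acs.get("Location", "")
        if urlparse(location).scheme != "https":
            findings.append(f"AssertionConsumerService not https: {location}")
    return findings


if __name__ == "__main__":
    for finding in review_sp_metadata(SAMPLE_METADATA):
        print("REVIEW:", finding)
```

To review a real export, pass the contents of the file you named in the last step (for example /tmp/CAPCMetadata.xml) to review_sp_metadata instead of the sample.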