Configure SAML 2.0 Support Using the SSO Configuration Tool

Administrators can set parameters for SAML authentication.
As an Administrator, you can allow users to authenticate using Security Assertion Markup Language (SAML) 2.0 by enabling SAML2 authentication. With SAML authentication enabled, NetOps Portal uses user identities and authorization from another authentication source. For example, users can log in to DX NetOps Performance Management using their corporate credentials. To enable SAML2 authentication, you set the parameters for SAML authentication using the Single Sign-On Configuration tool.
You configure SAML 2.0 support using the Single Sign-On Configuration tool (SSOConfig). Complete these steps on all servers with a data source that has users who authenticate using SAML 2.0.
Multiple authentication schemes can be in use simultaneously. For example, users of a DX NetOps Performance Management data source can use LDAP to log in while users of DX NetOps Performance Management are using SAML 2.0.
Follow these steps:
  1. Open a terminal session on the NetOps Portal host (as root or with the sudo command).
  2. Launch the Single Sign-On Configuration tool by running the ./SsoConfig command in the following directory:
    <installation_directory>/PerformanceCenter
    /opt/CA is the default installation directory.
    You are prompted to select an option. The available options correspond to CA applications running on the local server.
    Use the following commands as needed while you are selecting settings:
    • q (quit)
    • b (go back to the previous menu)
    • u (update)
    • r (reset)
  3. Enter the value that corresponds to the data source that you want to configure. For example, enter 1 to configure NetOps Portal (CAPC).
    You are prompted to select a configuration option.
  4. Enter 2 to configure the SAML Authentication security settings.
    You are prompted to specify the priority.
    The Priority parameter only applies to NetOps Portal.
  5. Enter one of the following options:
    • 1. Remote Value
      Propagates these settings to the data sources that are registered to this instance of NetOps Portal, including the Event Manager service, which embeds the NetOps Portal URL. NetOps Portal uses these settings only if a corresponding Local Override value is not present.
      To configure the scheme or port to include the correct NetOps Portal URL in threshold event email messages, use Remote Value.
    • 2. Local Override
      Overrides a setting on this NetOps Portal instance. This setting takes precedence over the Remote Value setting and the default settings.
    You are prompted to select a property to configure.
  6. Enter one or more of the following properties:
    When prompted, enter u to update the value and supply a new value.
    • 1. Enable SAML2 Authentication
      Specifies whether SAML is enabled, allowing the system to use user identities and authorization provided by another authentication source.
      Values:
      • 1: SAML 2.0 authentication is enabled.
      • 2: SAML 2.0 authentication is disabled.
      Default: Disabled
    • 2. Clone Default User Accounts
      Defines the user account to which authorized SAML users are mapped. The role and product privileges that are associated with the user account you specify are applied to all users who successfully authenticate.
      Default: Blank
      Example: Enter user to require all users to log in with user-level privileges.
      An existing user account is required.
      The user accounts configured on the IdP are sent to NetOps Portal when the agreement is established. They appear in the User List on the Manage Users Admin page, where they can be edited.
    • 3. SAML2 Signature and Encryption Enabled
      Specifies whether security and encryption for communications between NetOps Portal and the IdP are enabled.
      Values:
      • 1: SAML2 Signature and Encryption is enabled.
      • 2: SAML2 Signature and Encryption is disabled.
      Default: Disabled
      This setting must match the setting on the IdP.
    • 4. SAML2 Auto-Reauthentication
      Specifies whether the system keeps the IdP session for the user active. Enable this parameter to allow DX NetOps Performance Management to perform a passive reauthentication (auto-reauthentication).
      Values:
      • 1: SAML2 Auto-Reauthentication is enabled.
      • 2: SAML2 Auto-Reauthentication is disabled.
      Default: Disabled
    • 5. Auto-Reauthentication Time Period
      Specifies the period of time before DX NetOps Performance Management performs the passive reauthentication. If the SAML2 Auto-Reauthentication parameter is disabled, NetOps Portal ignores this parameter.
      Default: None
  7. Enter b, then b again, to go back to the first set of options.
  8. Enter 6 to export the metadata file that establishes the agreement with the IdP. The metadata file supplies the identity provider with the parameters to use when authenticating users.
    You are asked to supply a directory path and filename.
  9. Enter the filename. For example, enter /tmp/CAPCMetadata.xml.
    The file is generated automatically, based on the settings you selected in the Single Sign-On Configuration tool. You see a printout of the XML if the export operation succeeds. If the operation fails, you see an error message.
  10. Enter q.
The Single Sign-On Configuration tool closes.
NetOps Portal uses user identities and authorization from another authentication source using Security Assertion Markup Language (SAML) authentication.
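Because the Signature and Encryption setting must match the IdP side, it is worth checking what the exported metadata actually advertises before handing it to the IdP team. The following Python script is an added example, not part of the SsoConfig tool or the product documentation: it parses a service-provider metadata file in the standard SAML 2.0 metadata format (such as the one exported in step 9) and reports the entityID, the AssertionConsumerService endpoints, the signing flags, and the published keys. The embedded XML and the netops.example.com URLs are constructed sample values; the real file contains whatever SsoConfig writes.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample in standard SAML 2.0 SP metadata form (not SsoConfig's own output).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://netops.example.com/pc/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER_CERT</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://netops.example.com/pc/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def inspect_sp_metadata(xml_text):
    """Extract the SP fields that must agree with the IdP-side configuration."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor element: this is not SP metadata")
    true = ("true", "1")  # both xsd:boolean spellings
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") in true,
        "want_assertions_signed": sp.get("WantAssertionsSigned") in true,
        # a KeyDescriptor without 'use' serves both signing and encryption
        "key_uses": {k.get("use", "both") for k in sp.findall("md:KeyDescriptor", NS)},
        "acs": [(s.get("Binding"), s.get("Location"))
                for s in sp.findall("md:AssertionConsumerService", NS)],
    }

def signing_ready(info):
    """True if the SP signs its requests, demands signed assertions, publishes
    a signing key, and receives assertions only at HTTPS endpoints."""
    https_only = bool(info["acs"]) and all((loc or "").startswith("https://") for _, loc in info["acs"])
    has_key = bool(info["key_uses"] & {"signing", "both"})
    return (info["authn_requests_signed"] and info["want_assertions_signed"]
            and has_key and https_only)

if __name__ == "__main__":
    print(inspect_sp_metadata(SAMPLE_METADATA), signing_ready(inspect_sp_metadata(SAMPLE_METADATA)))
```

To check a real export, pass the contents of /tmp/CAPCMetadata.xml to inspect_sp_metadata instead of SAMPLE_METADATA; a False from signing_ready with setting 3 enabled means the file and the IdP configuration will not match.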