device42
diff --git a/‎docs/administration/saml-2-0-configuration.mdx‎
Lines changed: 103 additions & 101 deletions b/‎docs/administration/saml-2-0-configuration.mdx‎
Lines changed: 103 additions & 101 deletions
diff --git a/‎static/assets/images/enable-saml-2.0.png‎
352 KB b/‎static/assets/images/enable-saml-2.0.png‎
352 KB
diff --git a/‎static/assets/images/onelogin-enable-saml.png‎
358 KB b/‎static/assets/images/onelogin-enable-saml.png‎
358 KB
@@ -5,224 +5,226 @@ sidebar_position: 13
 
 Device42 integrates with SAML 2.0 in conjunction with AD or LDAP user synchronizations to provide Single Sign On (SSO) support in Device42. Once users are added to Device42 via Active Directory or LDAP, they will automatically be logged into Device42 when they load the site.
 
-_Note_ Since authorization is handled by Device42, the user needs to exist within Device42 before they can log in for single sign on functionality to work.
+:::note
+Since authorization is handled by Device42, the SSO functionality only works if the user account already exists within Device42 before the user logs in.
+:::
 
-SAML configuration varies between providers, but we'll provide the steps for configuration with Microsoft ADFS, Okta and Onelogin below as examples. Device42 SSO should also work with **any** SAML2.0 compatible Identity Provider, and has been confirmired working with IDaaS providers Centrify and PingIdentity's PingOne and PingFederate as well.
+SAML configuration varies between providers, but we'll provide the steps for configuration with Microsoft ADFS, Okta, and Onelogin below as examples. Device42 SSO should also work with **any** SAML 2.0 compatible Identity Provider and has been confirmed to work with IDaaS providers, Centrify, and PingIdentity's PingOne and PingFederate.
 
 Should you need further assistance, please contact [Support](mailto:[email protected]).
 
-### Microsoft ADFS Configuration
+## Microsoft ADFS Configuration
 
-Add new relying party trust.
+Add a new relying party trust.
 
 ![ADFS Party Trust](/assets/images/adfs-001.png)
 
-Next screen : Add data manually.
+Next screen: Add data manually.
 
 ![ADFS Party Trust](/assets/images/adfs-002.png)
 
-Next screen : Specify your app display name.
+Next screen: Specify your app display name.
 
-Next screen : Choose AD FS profile.
+Next screen: Choose **AD FS** profile.
 
-Next screen : Choose SAML 2.0 SSO and set proper D42 ACS url – https://\_\_\_device42\_\_\_url/saml2\_auth/acs/.
+Next screen: Choose **SAML 2.0 SSO** and set proper D42 ACS URL: `https://___device42___url/saml2_auth/acs/`.
 
 ![](/assets/images/SAML-admin_adfs-003.png)
 
-Next screen : Set identifiers access – https://\_\_\_device42\_\_\_url/saml2\_auth/acs/.
+Next screen: Set identifiers access: `https://___device42___url/saml2_auth/acs/`.
 
 ![](/assets/images/SAML-admin_adfs-004.png)
 
-Next screen : Permit all users
+Next screen: Permit all users.
 
-Next screen : In claims section ( click “edit claims” on relying party / automatic go to this section after initial setup ), add the following claims
+Next screen: In the claims section (click **Edit claims** on the relying party / automatically go to this section after initial setup), add the following claims:
 
-username claim
+- The `username` claim
 
-![ADFS Party Trust](/assets/images/adfs-005.png)
+    ![ADFS Party Trust](/assets/images/adfs-005.png)
 
-nameid claim
+- The `nameid` claim
 
-![ADFS Party Trust](/assets/images/adfs-006.png)
+    ![ADFS Party Trust](/assets/images/adfs-006.png)
 
-Copy metadata url from endpoints
+Then, copy the metadata URL from the endpoints.
 
 ![ADFS Party Trust](/assets/images/adfs-007.png)
 
-\*\* if you receive time synchronization error please write this command in powershell : Set-ADFSRelyingPartyTrust -TargetIdentifier "" -NotBeforeSkew 5
+If you receive a time synchronization error, please write this command in PowerShell: 
 
-### Azure AD Configuration
+```bash
+Set-ADFSRelyingPartyTrust -TargetIdentifier "" -NotBeforeSkew 5
+```
 
-1\. Navigate to Azure AD in the Azure portal _\> Enterprise Applications > New Application > Create your own application_. Give your app a name (the app shown in the screenshots is _Device42SAML_) and select the third option _Integrate any other application..._, then click _Create_.
+## Azure AD Configuration
 
-![](/assets/images/image-5.png)
+1. Navigate to Azure AD in the Azure portal via **Enterprise Applications > New Application > Create your own application**. Give your app a name (the app shown in the screenshots is `Device42SAML`) and select the third option **Integrate any other application...**, then click **Create**.
 
-2\. Open your newly created enterprise app _\> Option 2- Set up Single sign on_, or select _Single sign-on_ under Manage in left-hand toolbar.
+    ![](/assets/images/image-5.png)
 
-![](/assets/images/image2.png)
+2. Open your newly created enterprise app. Then, under the **Getting Started** section, select the second option, **Set up Single sign on**. Alternatively, select **Single sign-on** under **Manage** in the left-hand toolbar.
 
-3\. Enter `https://<D42-FQDN-or-IP>/saml2_auth/acs/` in Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) in Section 1 Basic SAML Config.
+    ![](/assets/images/image2.png)
 
-![](/assets/images/image3.png)
+3. In the first section, **Basic SAML Configuration**, enter `https://<D42-FQDN-or-IP>/saml2_auth/acs/` in the **Identifier (Entity ID)** and **Reply URL (Assertion Consumer Service URL)** fields.
 
-4\. Navigate to the Device42 Appliance Manager > Global Settings > SAML 2.0 Settings. Copy the App Federation Metadata URL in the SAML Signing Certificate section from the enterprise app you created in Azure AD and paste into Metadata auto conf url in the D42 Appliance Manager.
+    ![](/assets/images/image3.png)
 
-![](/assets/images/image4.png)
+4. Navigate to the Device42 Appliance Manager and go to **Global Settings > SAML/SSO Settings**. Copy the **App Federation Metadata URL** in the **SAML Signing Certificate** section for the enterprise app you created in Azure AD, and paste the URL into the **Metadata auto conf url** field in the Device42 Appliance Manager.
 
-5\. While still in the SAML 2.0 settings of the Appliance Manager, enter `username` or other appropriate SAML attribute.
+    ![](/assets/images/image4.png)
 
-Save and restart the appliance from the VM console menu with option 4. You may wish to complete steps 6 and 7 before saving/restarting so that you can still login to D42 and create users with the local admin account you've used so far. The SAML attributes tested successfully are listed below:
+5. While still in the **SAML 2.0 Settings** of the Appliance Manager, enter `username` or another appropriate SAML attribute in the **Username field**. Unless you have signed responses configured on your Azure AD provider side, keep the **Require signed response** box unchecked; otherwise, you'll get an unavailable page message. 
 
-- **emailaddress** - Email address associated with user account in Azure AD
-- **name** - User Principal Name (UPN) associated with user account in Azure AD 
+    Azure's built-in claims like `emailaddress` may not work with Device42, even though they appear in the Azure interface, because the built-in claim uses a namespace URI format. The solution is to create a new claim for `emailaddress` in your Azure AD enterprise app, map the claim to the user attribute, and use the custom claim name in the Device42 SAML **Username field**.
 
-![Enter SAML username](/assets/images/saml-username.png)
+    Save and restart the appliance from the VM console menu. You may wish to complete steps 6 and 7 before saving or restarting, so that you can still log in to Device42 and create users with the local admin account you've used so far. 
 
-6\. Assign users/groups to the SAML enterprise app you created in Azure AD. These should be users/groups that you want to allow authentication into Device42 via this SAML integration.
+    ![Enter SAML username](/assets/images/enable-saml-2.0.png)
 
-7\. For any users associated with the enterprise app in Azure AD, create the user in Device42 using the appropriate Azure AD value with a dummy password. The integration does not pull and create users directly from Azure AD, so the users must be created within Device42 prior to any attempt to authenticate via Azure AD.
+6. Assign users or groups to the SAML enterprise app you created in Azure AD. These should be users or groups that you want to allow authentication into Device42 via this SAML integration.
 
-8\. Once the above has been completed, you should be able to login to your D42 instance with your Azure AD credentials.
+7. For any users associated with the enterprise app in Azure AD, create the user in Device42 using the appropriate Azure AD value with a dummy password. The integration does not pull and create users directly from Azure AD, so the users must be created within Device42 prior to any attempt to authenticate via Azure AD.
 
-### Okta Configuration
+8. Once the above has been completed, you should be able to log in to your Device42 instance with your Azure AD credentials.
 
-In Okta, click the "Admin" button:
+## Okta Configuration
+
+In Okta, click the **Admin** button:
 
 ![Okta Admin Link](/assets/images/saml-001.png)
 
-Click “Applications” button
+Click the **Applications** button.
 
 ![Okta Applications Link](/assets/images/saml-002.png)
 
-In the “Applications” page find “Add application” button and click it.
+On the Applications page, find and click the **Add Application** button.
 
 ![Okta Admin Link](/assets/images/saml-003.png)
 
-Choose “Create new app”
+Choose **Create New App**.
 
 ![Okta Admin Link](/assets/images/saml-004.png)
 
-Select platform as Web and sign on method as SAML 2.0.
+Select **Web** as the **Platform** and select **SAML 2.0** as the **Sign on method**.
 
 ![Okta Admin Link](/assets/images/saml-005.png)
 
-Set application preferences and click next
+Set your application preferences and click **Next**.
 
 ![Okta Admin Link](/assets/images/saml-006.png)
 
-On the next page setup ACS url and field mapping. The Single Sign On URL & Audience URI should be `https://yourdevice42address/saml2_auth/acs/`. The Attribute value should be the same AD or LDAP attribute that your users will log into Device42 with. Note the "Name" given to it as this will be needed in the Device42 Appliance Manager configurations.
+On the next page, set up the ACS URL and field mapping. Enter `https://yourdevice42address/saml2_auth/acs/` for both the **Single sign on URL** and the **Audience URI (SP Entity ID)** fields. In the **Attribute Statements** section, the **Value** should be the same AD or LDAP attribute that your users will use to log in to Device42. Note the attribute statement **Name**, as it is needed in the Device42 Appliance Manager configurations.
 
 ![Okta Admin Link](/assets/images/saml-007.png)
 
-Click “Next” and finish setup. Open your application settings, go to the “Sign On” tab and copy url from “Identity provider metadata” link. This will be used as the "Metadata URL" in Device42's Appliance Manager.
+Click **Next** and finish the setup. Open your application settings, go to the **Sign On** tab, and copy the URL of the **Identity Provider metadata** link. You will use this URL as the **Metadata auto conf url** in Device42's Appliance Manager.
 
 ![Okta Admin Link](/assets/images/saml-008.png)
 
-### OneLogin Configuration
-
-To configure SAML2 integration between OneLogin and Device42, you have to create a `SAML2 connector app` in OneLogin. Then, you will need to add users to the `SAML2 connector app` so they can login via a OneLogin account.
+## OneLogin Configuration
 
-**Creating SAML2 Connector App**
+To configure SAML 2.0 integration between OneLogin and Device42, you have to create a `SAML2 connector app` in OneLogin. Then, you need to add users to the `SAML2 connector app` so they can log in via a OneLogin account.
 
-1\. Create and login into your OneLogin account.
+### Creating the SAML2 Connector App
 
-2\. Create an app connector in OneLogin.
+1. Create and log in to your OneLogin account.
 
-- Go to Applications > Applications.
+2. Create an app connector in OneLogin:
 
-![](/assets/images/D42-26961_saml_config_1.jpg)
+    - Go to **Applications > Applications**.
 
-- Click Add App.
+    ![](/assets/images/D42-26961_saml_config_1.jpg)
 
-![](/assets/images/D42-26961_saml_config_2.jpg)
+    - Click **Add App**.
 
-3\. Search for `SAML custom connector` and select `SAML Custom Connector (Advanced)`
+    ![](/assets/images/D42-26961_saml_config_2.jpg)
 
-![](/assets/images/D42-26961_saml_config_3.jpg)
+3. Search for **SAML custom connector** and select **SAML Custom Connector (Advanced)**.
 
-4\. Type a display name and Save.
+    ![](/assets/images/D42-26961_saml_config_3.jpg)
 
-5\. Go to the `Configuration` tab
+4. Type a display name and **Save**.
 
-- Put the value `https://<<fqdn>>/saml2_auth/acs/` in `Audience (EntityID)`, `Recipient` and `ACS (Consumer)URL`
-- Put `.*` in `ACS(Consumer) URL Validator`
-- Save
+5. Go to the **Configuration** tab:
 
-![](/assets/images/D42-26961_saml_config_4.jpg)
+    - Put the value, `https://<<fqdn>>/saml2_auth/acs/`, in the **Audience (EntityID)**, **Recipient** and **ACS (Consumer) URL** fields.
+    - Put `.*` in the **ACS(Consumer) URL Validator** field.
+    - Save.
 
-6\. Go to the `Parameters` tab and add a new field (by clicking on the `+` icon)
+    ![](/assets/images/D42-26961_saml_config_4.jpg)
 
-![](/assets/images/D42-26961_saml_config_5.jpg)
+6. Go to the **Parameters** tab and add a new field by clicking on the **plus icon**.
 
-- Type the `username` as `Field name`.
-- Check `Include in SAML assertion`.
+    ![](/assets/images/D42-26961_saml_config_5.jpg)
 
-![](/assets/images/D42-26961_saml_config_6.jpg)
+    - Type `username` as the **Field name**.
+    - Select the **Include in SAML assertion** checkbox.
 
-- Save
-- Choose the `Username` from the drop down as the value.
+    ![](/assets/images/D42-26961_saml_config_6.jpg)
 
-![](/assets/images/D42-26961_saml_config_7.jpg)
+    - Click **Save**.
+    - Choose the **Username** from the dropdown as the **Value**.
 
-- Save
+    ![](/assets/images/D42-26961_saml_config_7.jpg)
 
-7\. In the `SSO` tab:
+    - Click **Save**.
 
-- Copy the “Issuer URL”. This will be entered in the “Metadata URL” field in Device42.
+7. In the **SSO** tab:
 
-![](/assets/images/D42-26961_saml_config_8.jpg)
+    - Copy the **Issuer URL**. You will enter this in the **Metadata auto conf url** field in Device42.
 
-- After this, the SAML2 app is created and ready to be integrated with Device42.
+    ![](/assets/images/D42-26961_saml_config_8.jpg)
 
-**In Device42 Appliance Manager Configuration**
+After this, the SAML2 app is created and ready to be integrated with Device42.
 
-Login to Device42 Appliance Manager, `https://yourdevice42address:4343`, and go to the SAML 2.0 settings on the left, then set the Metadata url you obtained above.
+### Configuring the Device42 Appliance Manager
 
-![](/assets/images/D42-26961_saml_config_10.jpg)
+- Log in to the Device42 Appliance Manager, `https://yourdevice42address:4343`, go to **SAML/SSO settings** on the left, and set the **Metadata auto conf url** you obtained above.
 
-After this has been saved, SAML integration should be complete.
+    ![](/assets/images/onelogin-enable-saml.png)
 
-_Now that SAML integration is complete you need to add users to the_ `SAML Connector App` _so they can login into Device42 via OneLogin account._
+After this has been saved, the SAML integration should be complete. You now need to add users to the `SAML Connector App` so they can log in to Device42 via their OneLogin accounts.
 
-**Create a User in OneLogin**
+### Creating a User in OneLogin
 
-- Go to Users > Users.
-- Click New User.
+- Go to **Users > Users**.
+- Click **New User**.
 
-![](/assets/images/D42-26961_onelogin_user_1.jpg)
+    ![](/assets/images/D42-26961_onelogin_user_1.jpg)
 
-- Fill the form. **Username should match the username in device42 app**.
+- Fill in the form. **The username should match the username in the Device42 app**.
 
-![](/assets/images/D42-26961_onelogin_user_2.jpg)
+    ![](/assets/images/D42-26961_onelogin_user_2.jpg)
 
-- Save.
+- Click **Save**.
 
-**Add User to Application**
+### Adding a User to the Application
 
-1. Click on the user name.
+1. Click on the username.
 
-2. Go to the `Applications` tab and add `Application` by clicking on the `+` icon.
+2. Go to the **Applications** tab and add an **Application** by clicking on the **plus icon**.
 
+    ![](/assets/images/D42-26961_user_configuration_1.jpg)
 
-![](/assets/images/D42-26961_user_configuration_1.jpg)
-
-- Select the SAML Custom Application created above.
+    - Select the SAML Custom Application created above.
 
-![](/assets/images/D42-26961_user_configuration_2.jpg)
+    ![](/assets/images/D42-26961_user_configuration_2.jpg)
 
-- Continue
-- Make sure `Allow the user to sign in` is checked
+    - Click **Continue**.
+    - Make sure the **Allow the user to sign in** checkbox is selected.
 
-![](/assets/images/D42-26961_user_configuration_3.jpg)
+    ![](/assets/images/D42-26961_user_configuration_3.jpg)
 
-- Save.
+    - Click **Save**.
 
-Now you can log into Device42 using the OneLogin account.
+Now you can log in to Device42 using the OneLogin account.
 
-### Device42 Appliance Manager Configuration
+## Device42 Appliance Manager Configuration
 
-Login to Device42 Appliance Manager, `https://yourdevice42address:4343`, and go to the SAML 2.0 settings on the left, then set the Metadata url you obtained above. Set the "username" field to match the value you saved in the SAML configuration.
+Log in to Device42 Appliance Manager, `https://yourdevice42address:4343`, go to the **SAML 2.0 Settings** on the left, and set the **Metadata auto conf url** you obtained above. Set the **Username field** to match the value you saved in the SAML configuration.
 
-![](/assets/images/D42-26961_saml_config_10.jpg)
+![](/assets/images/onelogin-enable-saml.png)
 
 After this has been saved, SAML integration should be complete!