
SAML Integration#

Privacera supports SAML, which allows you to authenticate users with single sign-on (SSO). It is a way to provide access to Privacera services.

Using the Azure AD SAML Toolkit or Okta, you can set up single sign-on (SSO) in Privacera Manager for Active Directory users. After setting up SSO, an SSO button is shown on the login page of Privacera Portal.

Prerequisites#

To configure SSO with Okta or Azure Active Directory, you need to configure and enable SSL for the Privacera Portal. See Enable CA Signed Certificates or Enable Self Signed Certificates.

Configuring SAML in Okta/Azure AD#

Okta#

  1. Log in to your Okta account.

  2. Click Add Applications under Shortcuts in the right panel.

    The Add Application page displays.

  3. On the Add Application page, click Create New App in the left panel.

    The Create a New Application Integration page displays.

  4. Select Web as the platform and SAML 2.0 as the sign-on method.

  5. Click Create.

    The Create SAML Integration page displays.

  6. Under General Settings tab, enter the App name as ‘Privacera Portal SAML’.

  7. Click Next.

    This takes you to the Configure SAML tab.

  8. Under Configure SAML, enter the following values:

    1. GENERAL

      • Single sign on URL: http://portal_hostname:6868/saml/SSO

      • Audience URI (SP Entity ID): privacera_portal

    2. ATTRIBUTE STATEMENTS

      • Name: UserID (This attribute will be used as the Username)

      • Name format: Unspecified

      • Value: user.login

    If the user's login ID is a username, no further mapping is needed.

    If the user's login ID is an email address, the attribute is still used as the username in the portal, but the domain is stripped off to obtain the username. For example, john.joe@company.com becomes the username john.joe. If another attribute should serve as the username, set Value to that attribute instead.

  9. Scroll to the bottom of the page and click Next.

    This takes you to the Feedback tab.

    • Under Feedback tab, select I’m an Okta customer adding an internal app.

    • Select the App type (Optional field).

  10. Click Finish.

    This takes you to the application's Sign On tab, which has a section with a link to your application's metadata in a yellow box.

    Under Sign On tab, perform the following steps:

    • Copy the Identity Provider metadata link.

    • Open the link in a new browser tab.

    • Save the content to a file: right-click, choose Save as, and name the file identity_provider_metadata.xml.

Azure AD#

  1. Log in to the Azure portal.

  2. On the left navigation pane, select the Azure Active Directory service.

  3. Navigate to Enterprise Applications and then select All Applications.

  4. Do the following:

    To add a new application, select New application.

    Or

    If you have an existing Azure AD SAML Toolkit application, select it, and then go to step 8 to continue with the rest of the configuration.

  5. In the Add from the gallery section, type Azure AD SAML Toolkit in the search box.

  6. Select Azure AD SAML Toolkit from the results panel and then add the app.

  7. On the Azure AD SAML Toolkit application integration page, in the Manage section, select Single sign-on.

  8. On the Select a single sign-on method page, select SAML.

  9. Click the pen icon for Basic SAML Configuration to edit the settings.

  10. On the Basic SAML Configuration page, enter the values for the following fields, and then click Save. You can assign a unique name for the Entity ID.

    • Entity ID = privacera-portal

    • Reply URL = https://${APP_HOSTNAME}:6868/saml/SSO

    • Sign-on URL = https://${APP_HOSTNAME}:6868/login.html

  11. In the SAML Signing Certificate section, find Federation Metadata XML and select Download to download the certificate and save it on your virtual machine.

  12. In the Manage section, select Users and groups.

  13. In the Users and groups dialog, select the user or user group who should be allowed to log in with SSO, then click Select.

CLI Configuration#

  1. SSH to the instance where Privacera is installed.

  2. Run the following command.

    cd ~/privacera/privacera-manager/
    cp config/sample-vars/vars.portal.saml.aad.yml config/custom-vars/
    
  3. Edit the vars.portal.saml.aad.yml file.

    vi config/custom-vars/vars.portal.saml.aad.yml
    

    Modify SAML_ENTITY_ID: assign it the same value as the Entity ID you entered in step 10 of the section above. For property details and descriptions, refer to the Configuration Properties below.

    SAML_ENTITY_ID: "privacera-portal"
    SAML_BASE_URL: "https://{{app_hostname}}:6868"
    PORTAL_UI_SSO_ENABLE: "true"
    PORTAL_UI_SSO_URL: "saml/login"
    PORTAL_UI_SSO_BUTTON_LABEL: "Azure AD Login"
    AAD_SSO_ENABLE: "true"
    
  4. Rename the downloaded Federation Metadata XML file as privacera-portal-aad-saml.xml. Copy this file to the ~/privacera/privacera-manager/ansible/privacera-docker/roles/templates/custom folder.

  5. Run the following command.

    cd ~/privacera/privacera-manager/
    ./privacera-manager.sh update
    
  6. If you are configuring SSL in an Azure Kubernetes environment, run the following command.

    ./privacera-manager.sh restart portal
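
The Federation Metadata XML downloaded in step 11 (or the Okta identity provider metadata) is what the portal will trust for assertion signature verification and endpoint discovery, so it is worth inspecting it before running the update. The following Python script is an added example and not part of Privacera Manager: it parses a constructed sample metadata document with the standard library, pulls out the IdP entityID, single sign-on endpoints and signing certificate, and checks the SAML_BASE_URL you set against the SSL prerequisite. The hostnames, entityID and certificate body in the sample are placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}

# Constructed sample of an IdP federation metadata document. The entityID,
# hostnames and certificate body are placeholders, not values from any real IdP.
SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://idp.example.test/metadata" validUntil="2099-01-01T00:00:00Z">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER-BASE64...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/redirect"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/post"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Extract the parts of IdP metadata that the service provider side relies on."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; this is not IdP metadata")

    expiry = None
    valid_until = root.get("validUntil")
    if valid_until:
        # SAML timestamps are UTC with a trailing Z; fromisoformat needs +00:00
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))

    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))

    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "valid_until": expiry,
            "signing_certs": certs, "sso": sso}


def check_sp_config(metadata, saml_base_url, now=None):
    """Return (expected ACS URL, list of problems) for the given SAML_BASE_URL."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if metadata["valid_until"] is not None and metadata["valid_until"] < now:
        problems.append(f"IdP metadata expired on {metadata['valid_until'].isoformat()}; "
                        "download a fresh copy")
    if not metadata["signing_certs"]:
        problems.append("IdP metadata carries no signing certificate; assertion "
                        "signatures cannot be verified")
    if not metadata["sso"]:
        problems.append("IdP metadata lists no SingleSignOnService endpoint")
    for binding, location in metadata["sso"].items():
        if urlparse(location).scheme != "https":
            problems.append(f"SSO endpoint for {binding.rsplit(':', 1)[-1]} is not https: {location}")
    # The portal's assertion consumer endpoint is SAML_BASE_URL + /saml/SSO (the Reply URL
    # registered in the IdP); the SSL prerequisite means it must be https.
    acs_url = saml_base_url.rstrip("/") + "/saml/SSO"
    if urlparse(acs_url).scheme != "https":
        problems.append(f"SAML_BASE_URL must use https (SSL prerequisite): {acs_url}")
    return acs_url, problems


if __name__ == "__main__":
    md = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("IdP entityID:", md["entity_id"])
    for binding, location in md["sso"].items():
        print("SSO endpoint:", binding.rsplit(":", 1)[-1], location)
    acs, problems = check_sp_config(md, "https://portal.example.test:6868")
    print("Expected Reply URL registered at the IdP:", acs)
    print("Problems:", problems or "none")
```

Run it against the real file with `parse_idp_metadata(open("privacera-portal-aad-saml.xml").read())` and the SAML_BASE_URL from your vars file; the Reply URL it prints is the one that must match the value entered in the Basic SAML Configuration step.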
    

Configuration Properties#

| Property | Description | Example |
| --- | --- | --- |
| AAD_SSO_ENABLE | Enabled by default. | |
| SAML_ENTITY_ID | Get the value from the Prerequisites section. | privacera-portal |
| SAML_BASE_URL | | https://{{app_hostname}}:6868 |
| PORTAL_UI_SSO_BUTTON_LABEL | | Azure AD Login |
| PORTAL_UI_SSO_URL | | saml/login |
| SAML_GLOBAL_LOGOUT | Enabled by default. Global logout for SAML is enabled: once a logout is initiated, all sessions you have accessed from the browser are terminated at the Identity Provider (IdP). | |
| META_DATA_XML | Browse and select the Federation Metadata XML that you downloaded in the Prerequisites section. | |

Validation#

Go to the login page of the Privacera Portal. You will see the Azure AD Login button.

Configure SAML Assertion Attributes#

By default, the following assertion attributes are configured with pre-defined values:

  • Email
  • Username
  • Firstname
  • Lastname

You can customize the values for the assertion attributes. To do that, do the following:

  1. Run the following commands.

    cd ~/privacera/privacera-manager/
    cp config/sample-vars/vars.portal.yml config/custom-vars/
    vi config/custom-vars/vars.portal.yml
    
  2. Add the following properties and assign your values. For more information on custom properties and their values, click here.

    SAML_EMAIL_ATTRIBUTE: ""
    SAML_USERNAME_ATTRIBUTE: ""
    SAML_LASTNAME_ATTRIBUTE: ""
    SAML_FIRSTNAME_ATTRIBUTE: ""
    
  3. Apply the properties added to the YAML file by running the update from the CLI Configuration section above.

    cd ~/privacera/privacera-manager/
    ./privacera-manager.sh update
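
To make the username rule from the Okta attribute statement step and the configurable attribute names above concrete, here is an added Python example that is not Privacera code. It reads the AttributeStatement of a constructed assertion, maps assertion attributes to the four portal fields using the same override semantics as vars.portal.yml (an empty string keeps the default), and derives the username by stripping the domain from an email login. Only the UserID default comes from the page; the other default attribute names are assumptions. In a real deployment this mapping runs only after the SAML library has verified the assertion signature against the IdP certificate.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Assumed default attribute names. Only "UserID" for the username is taken from
# the documentation; Email/Firstname/Lastname are placeholders for this example.
DEFAULT_ATTRIBUTE_NAMES = {
    "username": "UserID",
    "email": "Email",
    "firstname": "Firstname",
    "lastname": "Lastname",
}

# Constructed sample AttributeStatement, shaped like what an IdP sends after the
# Okta mapping above. Values are made up; john.joe@company.com is the page's example.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example-id" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="UserID"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>john.joe@company.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>john.joe@company.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Firstname"><saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Lastname"><saml:AttributeValue>Joe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sAMAccountName"><saml:AttributeValue>jjoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def read_attributes(assertion_xml):
    """Return {attribute name: [values]} collected from every AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return attrs


def derive_username(login_value):
    """Page rule: an email login becomes its local part; anything else is used as-is."""
    local, at, domain = login_value.partition("@")
    if at and local and domain:
        return local
    return login_value


def resolve_attribute_names(custom=None):
    """Merge vars.portal.yml overrides; an empty string (the sample value) keeps the default."""
    custom = custom or {}
    return {field: custom.get(field) or default
            for field, default in DEFAULT_ATTRIBUTE_NAMES.items()}


def map_user(attrs, custom_names=None):
    """Build the portal user record from assertion attributes and the configured names."""
    names = resolve_attribute_names(custom_names)
    user = {}
    for field, attr_name in names.items():
        values = attrs.get(attr_name, [])
        user[field] = values[0] if values else None  # first value of a multi-valued attribute
    if not user["username"]:
        raise ValueError(f"assertion has no '{names['username']}' attribute; "
                         "the portal cannot determine the username")
    user["username"] = derive_username(user["username"])
    return user


if __name__ == "__main__":
    attrs = read_attributes(SAMPLE_ASSERTION)
    print("default mapping:", map_user(attrs))
    # Equivalent of SAML_USERNAME_ATTRIBUTE: "sAMAccountName" in vars.portal.yml
    print("custom username attribute:", map_user(attrs, {"username": "sAMAccountName"}))
```

The custom-names dictionary corresponds one-to-one with SAML_USERNAME_ATTRIBUTE, SAML_EMAIL_ATTRIBUTE, SAML_FIRSTNAME_ATTRIBUTE and SAML_LASTNAME_ATTRIBUTE; leaving a value as "" keeps the default, which is why the sample vars file ships them empty.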