
Getting Started with SAML

Prerequisites

  • You must have an Enterprise plan.
  • You must have a SAML 2.0-compliant IdP in use within your organization. RightScale has partners that can provide this functionality if you do not yet have an IdP set up.
  • If you are using OpenID, you will not be able to use SAML. Disable OpenID before following the steps to set up SAML.
  • If you wish to use the provisioning API to create users and manage their permissions, you must have the 'admin' permission in the account.

Overview

Security Assertion Markup Language (SAML) is an XML standard used to authenticate users from an Identity Provider (IdP) to a software provider. SAML allows a user to log on once to a site (an IdP) and have access granted to affiliated Web sites. With SAML and SSO, an organization can require two-factor authentication, enforce geo-location restrictions, and send authentication logs to an IDS (Intrusion Detection System).

RightScale has SAML 2.0-based Single Sign-On (SSO) functionality for Enterprise Plan customers who request this feature. With this feature enabled, you can synchronize a RightScale account with an existing identity provider (such as OneLogin, Okta, PingIdentity, etc.) to create, update, and provision users to access RightScale.

Perform One-Time SAML Setup

Set up an Identity Provider Trust Relationship

Note: You must already have a SAML identity provider -- such as OneLogin, Okta, PingFederate, or ADFS -- currently set up. If you are using a hosted solution, you may wish to search for the RightScale app by name to see if your provider offers a guided setup process.

Use the following information to set up a trust relationship with RightScale's SAML Service Provider:

  • Entity ID: PingConnect
  • saasid (if prompted): ccf4ffe6-7005-4c84-946b-898d182f9338
  • Assertion Consumer Service URL: https://sso.connect.pingidentity.com/sso/sp/ACS.saml2

Depending on your identity provider, you may need to enter either all three or just two of the above items.

Note: We do not provide an XML metadata URI at this time. You will need to manually configure the trust relationship.

Decide on a SAML "Discovery Hint"

The discovery hint is what your users would type into the "SSO Identifier" field if they arrived at the RightScale login page without having performed IdP-initiated login, or if they wanted to link their existing RightScale user to your IdP.

Your organization's domain name (e.g. exampledomain.com) is a good choice for a discovery hint. The hint must be a well-formed (but not necessarily valid) DNS name, and must be unique within the RightScale platform.

If you are concerned about revealing to third parties that you use RightScale, then you should specify a non-obvious discovery hint.

Note: The Discovery Hint/SSO Identifier must be in the form of a domain name and not just a single word. 

Provide Information to RightScale

Please provide the following information to your RightScale account manager:

  • Technical Contact (email address of the system administrator responsible for the IdP)
  • SAML EntityID of IdP (this can be referred to as either the IdP metadata URL or Issuer URL, e.g. https://example.com/simplesaml/saml2/idp/metadata.php)
  • SSO Endpoint URL (e.g. https://example.com/simplesaml/saml2/idp/SSOService.php)
  • Signing Certificate (a Base64-encoded certificate such as .pem, .cer, or .crt)
  • Discovery Hint/SSO Identifier
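A pre-flight check for this bundle, added here as an example (not RightScale's own tooling). It applies the rules this page states: the discovery hint must be a well-formed DNS name with more than one label, the signing certificate must be Base64/PEM encoded, and the URLs must be real URIs; the field names and the sample values are assumptions, and the certificate body is a constructed DER stub rather than a real certificate.

```python
import base64
import re
from urllib.parse import urlparse
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")   # one RFC 1035 DNS label
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")          # loose email shape

def valid_discovery_hint(hint):
    """Well-formed DNS name: valid labels, at least two of them, <= 253 chars."""
    hint = hint.strip().rstrip(".")
    if not hint or len(hint) > 253:
        return False
    labels = hint.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)

def valid_uri(value, require_https=False):
    parts = urlparse(value)  # needs a scheme and a host; SSO endpoint must be https
    return bool(parts.netloc) and (parts.scheme == "https" if require_https else bool(parts.scheme))

def valid_pem_certificate(pem):
    """PEM certificate block whose Base64 body decodes to a DER SEQUENCE (0x30)."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not match:
        return False
    try:
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
    except ValueError:
        return False
    return len(der) > 2 and der[0] == 0x30

def check_saml_request(info):
    # Returns a list of problems; an empty list means the bundle is ready to send.
    problems = []
    if not EMAIL_RE.match(info.get("technical_contact", "")):
        problems.append("technical_contact: not an email address")
    if not valid_uri(info.get("idp_entity_id", "")):
        problems.append("idp_entity_id: not a URI (metadata or Issuer URL)")
    if not valid_uri(info.get("sso_endpoint_url", ""), require_https=True):
        problems.append("sso_endpoint_url: must be an https URL")
    if not valid_pem_certificate(info.get("signing_certificate", "")):
        problems.append("signing_certificate: not a Base64/PEM certificate")
    if not valid_discovery_hint(info.get("discovery_hint", "")):
        problems.append("discovery_hint: must be a DNS name with at least two labels")
    return problems

SAMPLE_INFO = {  # constructed sample; the certificate body is a DER stub, not a real certificate
    "technical_contact": "idp-admin@exampledomain.com",
    "idp_entity_id": "https://example.com/simplesaml/saml2/idp/metadata.php",
    "sso_endpoint_url": "https://example.com/simplesaml/saml2/idp/SSOService.php",
    "signing_certificate": "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n",
    "discovery_hint": "exampledomain.com",
}
```

Run `check_saml_request(SAMPLE_INFO)`; a single-word hint such as `exampledomain` or an `http://` SSO endpoint is reported before the request is sent.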

Authentication and Confirmation

RightScale will call the provided Business Contact after verifying the information with our CRM database to grant access to this feature. RightScale will then provide you with the final information you need, such as the "Relay State Value," to set up your IdP.

Enable and Use SAML

Once access to SAML SSO has been set up for a RightScale account, there are two main use cases to consider:

  • People who have already joined RightScale and have access to one or more of your accounts and want to enable SAML SSO instead of password-based login. For instructions on how to enable SAML for an account, see Enable SAML-based Single Sign-On.
  • Enterprise account admins looking to create RightScale users and add them to an account with SAML pre-configured for every user. For instructions on how to create users and add them to an account, see Create SAML Users through the RightScale API.


Note: As a safety measure, the "Mandatory Single Sign-On" setting, which compels anyone who interacts with your enterprise accounts to authenticate through your IdP, must be enabled or disabled by a RightScale Technical Account Manager (TAM). Contact your TAM to enable this feature.

Enable SAML-based Single Sign-On

You can enable SAML SSO for a user by logging in, then navigating to Settings > User Settings > Authentication.

[Screenshot: Authentication settings page (screen-Authentication_SSO.png)]

  1. Switch Current method from "Use my email address and password" to "Use single sign-on"
  2. Verify the current password
  3. Enter the discovery hint chosen by your security administrator. You will need to enter this if you have not previously performed an IdP-initiated login or if you are attempting to link an existing RightScale account to an IdP.
  4. Click "Save"

Log in with SAML Single Sign-On

To log in with SAML SSO, choose "Use Single Sign-On" on the RightScale login page. Enter the Discovery Hint identifier provided by your company's security administrator.

After logging in, you are authenticated against your IdP and automatically directed to the RightScale Dashboard.

Note: RightScale creates an informational cookie on your machine with the Identifier you provide. This way, you will not need to enter your Identifier every time you log in using Single Sign-On. However, you should remember your Identifier in order to log in from different machines.

[Screenshot: RightScale login page with Single Sign-On selected (screen-SSO_DashboardLogin.png)]

Create SAML Users through the RightScale API

You can also create user accounts that are pre-configured with SAML through our provisioning API. This enables third parties like Okta and PingIdentity to automatically create users from Active Directory or other identity sources. Similarly, you can create your own synchronization scripts to connect to any proprietary identity stores. 

For more information about creating SAML users through the RightScale API, see the SAML Provisioning API End-to-End tutorial.

Note:

  • Identity providers are exposed as a read-only API resource so you can enumerate the providers available to an enterprise account.
  • It is possible to modify an existing user's SAML information through the provisioning API, but if a user becomes unlinked from the enterprise's identity provider, you will no longer be able to update the user information through the provisioning API.
Last Modified
09:57, 7 Aug 2014
