Getting Started with SAML

    Prerequisites

    • You must have an Enterprise plan.
    • You must have 'admin' permissions enabled for the account you wish to set up with SAML.
    • You must have a SAML 2.0-compliant IdP in use within your organization. RightScale has partners that can provide this functionality if you do not yet have an IdP set up.

    Overview

    Security Assertion Markup Language (SAML) is an XML-based standard for passing authentication statements about a user from an Identity Provider (IdP) to a Service Provider (SP) such as RightScale. SAML lets a user log on once at the IdP and be granted access to affiliated web sites. Because every login is then brokered by the IdP, an organization using SAML and SSO can require two-factor authentication, enforce geo-location restrictions, and send authentication logs to an IDS (Intrusion Detection System) in one place.

    RightScale has SAML 2.0-based Single Sign-On (SSO) functionality for Enterprise Plan customers who request this feature (contact your account manager or sales@rightscale.com for access). With this feature enabled, you can synchronize a RightScale account with an existing identity provider (such as OneLogin, Okta, PingIdentity, etc.) to create, update, and provision users to access RightScale.

    Get Access to SAML SSO

    Set up an Identity Provider

    Note: You must have a SAML identity provider -- such as OneLogin, Okta, PingIdentity, or some other provider -- currently set up. Depending on the provider you are using, you may need to search for the RightScale app to add to your identity provider.

    Use the following information to set up a trust relationship with RightScale's SAML service provider:

     Entity ID or SAAS ID: PingConnect
     Assertion Consumer Service URL: https://sso.connect.pingidentity.com/sso/sp/ACS.saml2

    Depending on your identity provider, you may need to enter both of the above items or just one of them.

    Note: We do not provide an XML metadata URI at this time. You will need to manually configure the trust relationship.

    Decide on a SAML "Discovery Hint"

    The discovery hint is what your users would type into the "SSO Identifier" field if they arrived at the RightScale login page without having performed IdP-initiated login, or if they wanted to link their existing RightScale user to your IdP.

    Your organization's domain name (e.g. exampledomain.com) is a good choice for a discovery hint. The hint must be a well-formed (but not necessarily valid) DNS name, and must be unique within the RightScale platform.

    If you are concerned about revealing to third parties that you use RightScale, then you should specify a non-obvious discovery hint.

    Provide Information to RightScale

    Please provide the following information to your RightScale account manager:

    • Technical Contact (email address of the system administrator responsible for the IdP)
    • SAML EntityID of IdP (this can be referred to as either the IdP metadata URL or Issuer URL, e.g. https://example.com/simplesaml/saml2/idp/metadata.php)
    • SSO Endpoint URL (e.g. https://example.com/simplesaml/saml2/idp/SSOService.php)
    • Signing Certificate (a Base64-encoded certificate such as .pem, .cer, or .crt)
    • Discovery Hint
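Most identity providers publish the values in the list above as a SAML metadata document. The following Python script, added here as an example and not part of the original page or of any RightScale tooling, pulls the EntityID, the SSO endpoint and the signing certificate out of such a document, writes the certificate in the Base64 PEM form requested above, and also checks that a proposed discovery hint is a well-formed DNS name as the previous section requires. The metadata document and the two certificate blobs are constructed placeholders (tiny DER sequences, not real certificates); the choice of the HTTP-Redirect binding is an assumption, so pass whichever binding your account manager confirms; and the https-only check on the endpoint is the editor's own precaution, not a RightScale requirement.

```python
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata (not from any real IdP). The X509Certificate
# blobs are placeholder DER SEQUENCEs, not real certificates.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example.com/simplesaml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MAMCAQE=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MAMCAQI=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.com/simplesaml/saml2/idp/SSOService.php"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.com/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(b64_cert: str) -> str:
    """Turn the Base64 blob from <ds:X509Certificate> into a PEM certificate.

    Whitespace inside the element is stripped, the Base64 is decoded strictly,
    and the result must start with an ASN.1 SEQUENCE (0x30) as every DER
    X.509 certificate does; anything else is rejected rather than passed on.
    """
    raw = "".join(b64_cert.split())
    der = base64.b64decode(raw, validate=True)  # raises ValueError on bad input
    if not der or der[0] != 0x30:
        raise ValueError("X509Certificate is not DER: does not begin with SEQUENCE")
    body = "\n".join(raw[i:i + 64] for i in range(0, len(raw), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def extract_idp_settings(metadata_xml: str, binding: str = HTTP_REDIRECT) -> dict:
    """Return the EntityID, SSO endpoint and signing certificate(s) of an IdP."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.attrib["entityID"]

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")

    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.attrib.get("Binding") == binding:
            sso_url = svc.attrib["Location"]
            break
    if sso_url is None:
        raise ValueError(f"IdP offers no SingleSignOnService with binding {binding}")
    if urlsplit(sso_url).scheme != "https":  # editor's precaution, not a RightScale rule
        raise ValueError("SSO endpoint must be https")

    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute serves both signing and
        # encryption; one marked use="encryption" is never a signing cert.
        if kd.attrib.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            signing_certs.append(to_pem(cert.text))
    if not signing_certs:
        raise ValueError("no signing certificate in metadata")

    return {"entity_id": entity_id, "sso_url": sso_url, "signing_certs": signing_certs}


_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_well_formed_hint(hint: str) -> bool:
    """Well-formed (not necessarily resolvable) DNS name: at most 253 characters,
    labels of 1-63 letters/digits/hyphens that do not start or end with a hyphen."""
    if not hint or len(hint) > 253:
        return False
    return all(_LABEL.match(label) for label in hint.split("."))


if __name__ == "__main__":
    settings = extract_idp_settings(SAMPLE_IDP_METADATA)
    print("SAML EntityID of IdP:", settings["entity_id"])
    print("SSO Endpoint URL:    ", settings["sso_url"])
    print("Signing Certificate:\n" + settings["signing_certs"][0])
    print("Discovery hint 'exampledomain.com' well-formed:", is_well_formed_hint("exampledomain.com"))
```

Run it against your real IdP metadata by replacing SAMPLE_IDP_METADATA with the file your provider exports; if the metadata lists more than one signing certificate (common during a key rollover), send all of them, and confirm with your account manager which binding RightScale will use before picking the endpoint.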

    Authentication and Confirmation

    RightScale will call the provided Business Contact after verifying the information with our CRM database to grant access to this feature. RightScale will then provide you with the final information you need, such as the "Relay State Value," to set up your IdP.

    Enable and Use SAML

    Once access to SAML SSO has been set up for a RightScale account, there are two main use cases that can be performed:

    • Existing users who already have access to one or more RightScale enterprise accounts. Because these users are already provisioned, each user's authentication settings need to be switched over to SAML login. For instructions, see Enable SAML-based Single Sign-On.
    • Enterprise account admins who want to add new users to an account that already has SAML configured. For instructions on how to add users to an account, see Create SAML Users through the RightScale API.


    Note: Mandating Single Sign-On for an enterprise account has to be enabled by your RightScale Technical Account Manager. Contact your TAM to enable this feature.

    Enable SAML-based Single Sign-On

    You can set up an account with SAML-based SSO login by navigating to Settings > User Settings > Authentication.

    [Screenshot: screen-Authentication_SSO.png]
    1. Switch Current method from "Use my email address and password" to "Use single sign-on".
    2. Verify your current password.
    3. Enter the discovery hint chosen by your security administrator. This is required if you have not previously performed an IdP-initiated login, or if you are linking an existing RightScale user to the IdP.
    4. Click "Save".

    Log in with SAML Single Sign-On

    To log in with SAML SSO, choose "Use Single Sign-On" on the RightScale login page. Enter the Discovery Hint identifier provided by your company's security administrator.

    After logging in, you are authenticated against your IdP and automatically directed to the RightScale Dashboard.

    Note: RightScale stores the identifier you provide in an informational cookie on your machine, so you will not need to enter it every time you log in using Single Sign-On. You should still remember your identifier in order to log in from a different machine or after clearing your cookies.

    [Screenshot: screen-SSO_DashboardLogin.png]

    Create SAML Users through the RightScale API

    You can also create user accounts that are pre-configured with SAML through our provisioning API. This enables third parties like Okta and PingIdentity to automatically create users from Active Directory or other identity sources. Similarly, you can create your own synchronization scripts to connect to any proprietary identity stores. 

    For more information about creating SAML users through the RightScale API, see the SAML Provisioning API End-to-End tutorial.
     

    Note:

    • Identity providers are exposed as a read-only API resource so you can enumerate the providers available to an enterprise account.
    • It is possible to modify an existing user's SAML information through the provisioning API, but if a user becomes unlinked from the enterprise's identity provider, you will no longer be able to update the user information through the provisioning API.