Security Assertion Markup Language (SAML) is a suite of protocols used to authenticate users from an Identity Provider (IdP) to a Service Provider (SP) across the Internet. SAML allows a user to log on once to a site (an IdP) and have access granted to affiliated Web sites (SPs). With SAML and SSO, an organization can require two-factor authentication, enforce geo-location restrictions, and send authentication logs to an IDS (Intrusion Detection System).
RightScale has SAML 2.0-based Single Sign-On (SSO) functionality for all Enterprise Plan customers. With this feature enabled, you can synchronize a RightScale account with an existing identity provider (such as OneLogin, Okta, PingIdentity, etc.) to create, update, and provision users to access RightScale.
Note: You must already have a SAML identity provider -- such as OneLogin, Okta, PingFederate, or ADFS -- currently set up. If you are using a hosted solution, you may wish to search for the RightScale app by name to see if your provider offers a guided setup process.
Use the following information to set up a trust relationship with RightScale's SAML Service Provider:
|Setting|Value|
|---|---|
|Entity ID| |
|saasid (if prompted)| |
|Assertion Consumer Service URL| |
Depending on your identity provider, you may need to enter either all three or just two of the above items.
Note: We provide XML metadata that you can download or point your IdP to. Its URI is: https://us-3.rightscale.com/saml/sp-...rightscale.xml
The discovery hint is what your users would type into the "SSO Identifier" field if they arrived at the RightScale login page without having performed IdP-initiated login, or if they wanted to link their existing RightScale user to your IdP.
Your organization's domain name (e.g. exampledomain.com) is a good choice for a discovery hint. The hint must be a well-formed (but not necessarily valid) DNS name, and must be unique within the RightScale platform. If you are concerned about revealing to third parties that you use RightScale, then you should specify a non-obvious discovery hint.
Administrators can choose not to provide a discovery hint by unchecking the "Allow RightScale-initiated SSO" checkbox. By disallowing RS-initiated SSO, only IdP-initiated SSO will be supported. In addition, existing RightScale users who are currently using a password will not be able to link themselves to the IdP from Settings > User > Authentication.
Note: The Discovery Hint/SSO Identifier must be in the form of a domain name and not just a single word.
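The rules above (a well-formed but not necessarily resolvable DNS name with more than one label, unique within the platform) can be checked before a hint is submitted. The following is an added example, not RightScale's own validation code; the `hints_in_use` set stands in for the platform-wide uniqueness check, which is assumed here.

```python
import re
from typing import Iterable, Optional

# A DNS label: 1-63 characters, letters/digits/hyphens, not starting or ending with a hyphen.
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_well_formed_discovery_hint(hint: str) -> bool:
    """True if `hint` is syntactically a domain name with at least two labels.

    No DNS lookup is made: the page only requires the hint to be well-formed,
    not to exist, so a non-obvious name such as "blue-widgets.example" passes.
    """
    if not isinstance(hint, str):
        return False
    name = hint.strip().lower().rstrip(".")  # tolerate the trailing-dot FQDN form
    if not name or len(name) > 253:           # overall DNS name length limit
        return False
    labels = name.split(".")
    if len(labels) < 2:                       # "acme" is a single word, not a domain name
        return False
    if not all(_LABEL_RE.match(label) for label in labels):
        return False
    # Top-level labels are never all digits, so "10.0.0.1"-style hints are rejected.
    return not labels[-1].isdigit()


def validate_discovery_hint(hint: str, hints_in_use: Iterable[str]) -> Optional[str]:
    """Return None if the hint is acceptable, otherwise the reason it is rejected.

    `hints_in_use` is an assumed stand-in for the platform's uniqueness check;
    comparison is case-insensitive because DNS names are.
    """
    if not is_well_formed_discovery_hint(hint):
        return "hint must be a well-formed DNS name with at least two labels"
    normalized = hint.strip().lower().rstrip(".")
    if normalized in {h.strip().lower().rstrip(".") for h in hints_in_use}:
        return "hint is already in use within the platform"
    return None
```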
Before you can roll out SAML SSO to your organization you must configure RightScale with some information about your Identity Provider. You must have 'enterprise_manager' permissions.
Once SAML has been enabled for your RightScale Enterprise, there are two main use cases to consider:
People who currently log in to RightScale with a password can enable SAML SSO for a user by logging in, then navigating to Settings > User Settings > Authentication.
Note: This step is recommended for Enterprise Managers who are setting up SAML and want to test it with their own user profile before rolling out SAML to the enterprise.
New users can come to use SAML in a number of ways:
The user experience for each of these additional login scenarios differs slightly and is described in the following sections.
It is possible to perform SAML login without having received an invitation to join a RightScale Account, for instance by performing IdP-initiated login, or by performing SP-initiated login without having clicked an invitation URL. This is a less-than-optimal case for usability, but still supported as follows:
Open the RightScale dashboard and choose the Use Single Sign-On option on the Login page.
Enter a valid discovery hint in the "SSO Identifier" field.
Click the Log In button.
A warning dialog displays indicating that “You have logged in successfully but you do not have access to any RightScale accounts”.
The warning dialog directs you to contact your organization's RightScale administrator so that he/she can invite you to join some accounts.
Most users will join RightScale after receiving an email invitation sent by an enterprise_manager or account admin. They can perform SP-initiated login and join RightScale as follows:
If your RightScale Account Manager has configured your SAML provider to be the canonical authority for an email domain, then all invitations sent to emails in that domain can only be accepted through SAML, and only when the SAML response contains suitable attributes. From the user's perspective, this works as follows:
This login scenario is the most streamlined as the user does not need to know or remember a SAML discovery hint; however, before you can send SAML-linked invitations, a RightScale support representative must verify your ownership of the email domain you specify and perform additional setup steps. Furthermore, in order for this scenario to function, your Identity Provider must be configured to send the "email," "surname" and "givenname" attributes in every SAML assertion. For more information, contact RightScale Support.
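Before enabling SAML-linked invitations, an Enterprise Manager can confirm that the IdP actually emits the "email", "surname" and "givenname" attributes by inspecting a test assertion from the IdP. The following is an added example with a constructed sample assertion, not RightScale's or any IdP's code; it assumes the attributes are sent under exactly the plain names the page lists, and it only inspects attributes after the assertion has been signature-verified by your SAML library (the standard-library parser is not hardened against hostile XML; use defusedxml for untrusted input).

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRIBUTES = {"email", "surname", "givenname"}  # names as given in the page

# Constructed sample assertion (not a real IdP response). It carries all three
# attribute elements, but "surname" has an empty value, which should be flagged.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Subject><saml:NameID>alice@exampledomain.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@exampledomain.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="surname"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Map each <saml:Attribute Name="..."> to its non-empty AttributeValue texts."""
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        values = [
            v.text.strip()
            for v in attr.findall("saml:AttributeValue", SAML_NS)
            if v.text and v.text.strip()          # an empty element counts as no value
        ]
        attrs.setdefault(name, []).extend(values)
    return attrs


def missing_required_attributes(assertion_xml: str, required: Set[str] = REQUIRED_ATTRIBUTES) -> Set[str]:
    """Return the required attribute names that are absent or carry no non-empty value."""
    attrs = extract_attributes(assertion_xml)
    return {name for name in required if not attrs.get(name)}
```

An empty result set means the IdP is sending everything the SAML-linked invitation flow needs; anything returned names the attribute mappings still to fix on the IdP side.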
You can also create users that are pre-configured with SAML through our provisioning API. This enables third parties like Okta and PingIdentity to automatically create users from Active Directory or other identity sources. Similarly, you can create your own synchronization scripts to connect to any proprietary identity stores, grant and revoke roles, and perform other advanced functionality.
To log in with SAML SSO, choose "Use Single Sign-On" on the RightScale login page. Enter the Discovery Hint identifier provided by your company's security administrator.
After logging in, you are authenticated against your IdP and automatically directed to the RightScale Dashboard.
Note: RightScale creates an informational cookie on your machine with the Identifier you provide. This way, you will not need to enter your Identifier every time you log in using Single Sign-On. However, you should remember your Identifier so that you can log in from different machines.
There are two additional use cases in the context of SAML single sign-on that need to be considered when setting up or maintaining your RightScale enterprise for SSO. These use cases are described below.
The user clicks the single sign-on provider link which takes him back to the main RightScale login page with the Use Single Sign-On option selected and the SSO Identifier field pre-filled.
© 2006-2014 RightScale, Inc. All rights reserved.