Getting Started with SAML
Table of Contents
Prerequisites
- You must have an Enterprise plan.
- You must have a SAML 2.0-compliant IdP in use within your organization. RightScale has partners that can provide this functionality if you do not yet have an IdP set up.
- If you are using OpenID, you will not be able to use SAML. Disable OpenID before following the steps to set up SAML.
- If you wish to configure SAML settings for your RightScale accounts, you must have the 'enterprise_manager' permission.
- If you wish to use the provisioning API to create users and manage their permissions, you must have the 'admin' permission in the account.
Overview
Security Assertion Markup Language (SAML) is a suite of protocols used to authenticate users from an Identity Provider (IdP) to a Service Provider (SP) across the Internet. SAML allows a user to log on once to a site (an IdP) and have access granted to affiliated Web sites (SPs). With SAML and SSO, an organization can require two-factor authentication, enforce geo-location restrictions, and send authentication logs to an IDS (Intrusion Detection System).
RightScale has SAML 2.0-based Single Sign-On (SSO) functionality for all Enterprise Plan customers. With this feature enabled, you can synchronize a RightScale account with an existing identity provider (such as OneLogin, Okta, PingIdentity, etc.) to create, update, and provision users to access RightScale.
Perform One-Time SAML Setup
Create Identity Provider Trust Relationship
Note: You must already have a SAML identity provider -- such as OneLogin, Okta, PingFederate, or ADFS -- currently set up. If you are using a hosted solution, you may wish to search for the RightScale app by name to see if your provider offers a guided setup process.
Use the following information to set up a trust relationship with RightScale's SAML Service Provider:
| Entity ID | PingConnect |
| saasid (if prompted) | ccf4ffe6-7005-4c84-946b-898d182f9338 |
| Assertion Consumer Service URL | https://sso.connect.pingidentity.com/sso/sp/ACS.saml2 |
Depending on your identity provider, you may need to enter either all three or just two of the above items.
Note: We provide XML metadata that you can download or point your IdP to. Its URI is: https://us-3.rightscale.com/saml/sp-...rightscale.xml
Decide on a Discovery Hint
The discovery hint is what your users would type into the "SSO Identifier" field if they arrived at the RightScale login page without having performed IdP-initiated login, or if they wanted to link their existing RightScale user to your IdP.
Your organization's domain name (e.g. exampledomain.com) is a good choice for a discovery hint. The hint must be a well-formed (but not necessarily valid) DNS name, and must be unique within the RightScale platform. If you are concerned about revealing to third parties that you use RightScale, then you should specify a non-obvious discovery hint.
Administrators can choose not to provide a discovery hint by unchecking the "Allow RightScale-initiated SSO" checkbox. By disallowing RS-initiated SSO, only IdP-initiated SSO will be supported. In addition, existing RightScale users who are currently using a password will not be able to link themselves to the IdP from Settings > User > Authentication.
Note: The Discovery Hint/SSO Identifier must be in the form of a domain name and not just a single word.
Create Service Provider Trust Relationship
Before you can roll out SAML SSO to your organization you must configure RightScale with some information about your Identity Provider. You must have 'enterprise_manager' permissions.
- Log in to the RightScale dashboard using your user profile with 'enterprise_manager' permissions.
- Navigate to Settings > Enterprise > Single Sign-On. Click New. The following dialog displays.
- Enter appropriate values for Display Name, Login Method, SAML SSO Endpoint and SAML EntityID as described on the dialog.
- Use the SAML Signing Certificate Browse button to select the digital certificate that your identity provider will use to sign assertions.
- Click Save to complete SAML Provider configuration.
Enable Single Sign-On for Users
Once SAML has been enabled for your RightScale Enterprise, there are two main use cases to consider:
- People who already have access to one or more of your accounts and want to enable SAML SSO instead of password-based login.
- People who have not yet joined RightScale.
Existing RightScale Users
People who currently log in to RightScale with a password can enable SAML SSO for a user by logging in, then navigating to Settings > User Settings > Authentication.
Note: This step is recommended for Enterprise Managers who are setting up SAML and want to test it with their own user profile before rolling out SAML to the enterprise.
- Switch Current method from "Use my email address and password" to "Use single sign-on"
- Enter your current password
- Under SSO Identifier, enter the discovery hint chosen by your security administrator.
- Click "Save." You will be redirected to your Identity Provider to authenticate, then back to the RightScale dashboard.
New RightScale Users
New users can come to use SAML in a number of ways:
- Users who happen upon RightScale and perform SSO without being invited
- Users who receive an invitation to join a RightScale account and perform SSO while accepting the invitation
- Users who are added to RightScale by their account administrator via REST API request
The user experience for each of these additional login scenarios differs slightly and is described in the following sections.
Joining RightScale with No Invitation
It is possible to perform SAML login without having received an invitation to join a RightScale Account, for instance by performing IdP-initiated login, or by performing SP-initiated login without having clicked an invitation URL. This is a less-than-optimal case for usability, but still supported as follows:
-
Open the RightScale dashboard and choose the Use Single Sign-On option on the Login page.
-
Enter a valid discovery hint in the "SSO Indentifier" field.
-
Click the Log In button.
A warning dialog displays indicating that “You have logged in successfully but you do not have access to any RightScale accounts”.
The warning dialog directs you to contact your organization's RightScale administrator so that he/she can invite you to join some accounts.
Joining RightScale with an Invitation
Most users will join RightScale after receiving an email invitation sent by an enterprise_manager or account admin. They can perform SP-initiated login and join RightScale as follows:
- Click the link provided the invitation email. You are taken to the RightScale invitation dialog.
- Choose the Single Sign-on option. You are redirected to the the RightScale Login page.
- On the RightScale Login page, choose the Use Single Sign-On option.
- Enter a discovery in the SSO Identifier
- Click Log In. You are re-directed to your Identity Provider, prompted to log in, and taken back to the RightScale invitation page.
- Click Accept Invitation.
Joining RightScale with a SAML-Linked Invitation
If your RightScale Account Manager has configured your SAML provider to be the canonical authority for an email domain, then all invitations sent to emails in that domain can only be accepted through SAML, and only when the SAML response contains suitable attributes. From the user's perspective, this works as follows:
- Click the link provided in the invitation email. You are taken directly to the RightScale Login page. The "Single Sign-On" option is prselected and the SSO Identifier field is pre-filled with the correct discovery hint.
- Click Log In. You are re-directed to your Identity Provider, prompted to log in, and taken back to the RightScale invitation page.
- Click Accept Invitation.
Note:
This login scenario is the most streamlined as the user does not need to know or remember a SAML discovery hint; however, before you can send SAML-linked invitations, a RightScale support representative must verify your ownership of the email domain you specify and perform additional setup steps. Furthermore, in order for this scenario to function, your Identity Provider must be configured to send the "email," "surname" and "givenname" attributes in every SAML assertion. For more information, contact RightScale Support.
Joining RightScale Via Provisioning API
You can also create users that are pre-configured with SAML through our provisioning API. This enables third parties like Okta and PingIdentity to automatically create users from Active Directory or other identity sources. Similarly, you can create your own synchronization scripts to connect to any proprietary identity stores, grant and revoke roles, and perform other advanced functionality.
Note:
- Identity providers are exposed as a read-only API resource so you can enumerate the providers available to an enterprise account.
- It is possible to modify an existing user's information through the provisioning API, but if a user becomes unlinked from the enterprise's Identity Provider, you will no longer be able to update their user record.
Log in with SAML
To log in with SAML SSO, choose "Use Single Sign-On" on the RightScale login page. Enter the Discovery Hint identifier provided by your company's security administrator.
After logging in, you are authenticated against your IdP and automatically directed to the RightScale Dashboard.
Note: RightScale creates an informational cookie on your machine with the Identifier you provide. This way, you will not need to enter your Identifier every time you login using Single Sign-On. However, you should remember your Identifier in order to login from different machines.
Additional Single Sign-On Considerations
There are two additional use cases in the context of SAML single sign-on that need to be considered when setting up or maintaining your RightScale enterprise for SSO. These use cases are described below.
- Existing user that has both password-based authentication and SSO because he originally started with password-based authentication then switched to using single sign-on during the SSO beta period. Under this case...
- RightScale has not disabled the original user password that still exists.
- A link is provided for the user to disable password-based authentication on the Settings>Authentication page.
- Single sign-on user has forgotten attempts to use the Forgot Password? link on the RightScale login page to reset his password. Under this case...
- The user is taken to the Reset Password dialog. The user enters the email address and clicks Email link to set up new password button. The system displays the following warning message.
The user clicks the single sign-on provider link which takes him back to the main RightScale login page with the Use Single Sign-On option selected and the SSO Identifier field pre-filled.
- © Copyright 2015 RightScale Technical Support