Provides an overview to SAML authentication, a CloudControl feature available to Private Cloud clients that allows users to authenticate to the Updated UI using their corporate credentials.
Content / Solution:
SAML Authentication provides a feature available only to Private Cloud and Hosted Private Cloud clients. It allows users to authenticate to the Updated UI using their corporate credentials rather than native CloudControl credentials. When activated, it applies to all organizations associated with the Private Cloud/Hosted Private Cloud. The solution maps corporate credentials using either WS-Federation (Web Services Federation) using SAML 2.0 tokens or the competing SAML Protocol (“samlp”) protocol.
Set-Up and Configuration
The SAML Authentication feature cannot be turned on via self-service through the CloudControl UI/API. The offline process involves:
- Clients will need to register the CloudContrl SP Entity ID in their Identity Provider and identify whether they will use ws-authentication or SAML-P protocols
- Our team will need to map the Client's Identity Provider and in CloudControl
- Clients will Identify the appropriate Corporate Credentials Identifier (UPN) for each Primary Administrator user associated with each Organization. All Sub-Administrator accounts associated with each Organization will need to be deleted and re-created once the SAML Authentication is in place
- Our team will need to map the Primary Administrator User to the Corporate Credentials Identifier in CloudControl
Once these are in place, we will configure the system to accept logins to the Updated UI only via SAML transfer from the Client's Identity Provider, meaning the login page will exist on the Client's side only.
Once SAML is in place, Primary Administrators create Sub-Administrators using a slightly different process described in How to Create a Sub-Administrator for SAML-Enabled Organizations. For each Sub-Administrator, the Primary Administrator must provide a unique associated Corporate Credentials Identifier (UPN). All UPNs can only be used once. This means that one set of corporate credentials can only map to one Administrator or one Sub-Administrator in a single Organization.
Primary Administrators can also manage Sub-Administrator accounts as described in How to Manage Sub-Administrators for a SAML-Enabled Organization.
SAML Support Limited to the Updated UI Only
SAML login is limited to the Updated UI only, meaning native CloudControl credentials are required for use of:
- CloudControl API
- Client-to-Site VPN functionality
- Cloud Monitoring portal
Clients can choose whether or not to expose native credentials - i.e. if they are not planning to use these features, the availability of the credentials can be suppressed. Otherwise, users will need to have the mapped native username and password available in order to use these functions.
- Deleting or deactivating a user from the corporate authentication system will not result in the associated Administrator or Sub-Administrator user being automatically deleted from CloudControl. Native CloudControl credentials will continue to operate until the Primary Administrator removes the Sub-Administrator as described in How to Delete an Existing Sub-Administrator.
- Native CloudControl username and associated metadata fields (specifically “Department”, “Customer Defined 1”, and “Customer Defined 2”) will be displayed in the Administration Logs available at How to View an Administrator Logs Report. The “Customer Defined 1” field will be automatically populated with the user’s UPN and will therefore not be editable by the Primary Administrator.
- Any Two Factor Authentication (2FA) functionality must be handled by the corporate authentication solution - the 2FA functionality provided by CloudControl (described in How to Enable or Disable SMS Two Factor Authentication to the Cloud UI for your Organization) cannot be used in conjunction with this functionality.
- Each time a new organization is created by the client, a support ticket will have to be created to map the Primary Administrator with the requested UPN using the same steps previously discussed.