SSO and federation

Applies to NAM 2018

Authentication > SSO and federation

For more about SSO, see Single sign-on (SSO) in NAM.

Use the HTTPS and HTTP switches to:

  • Set the URL and type of connection (HTTPS or HTTP) that NAM will use for communication with the external IdP.
  • Enable or disable SSO via an external IdP.

If you need to switch off SSO through an external IdP, this is where to do it.

  • HTTPS
    Recommended. HTTPS is the more secure method. To use HTTPS to communicate with an IdP, enter the URL and set the HTTPS switch to On.
  • HTTP
    Not recommended. HTTP is the less secure method. To use HTTP to communicate with an IdP, enter the URL and set the HTTP switch to On.

External Identity Provider

The External Identity Provider section has two edit boxes:

XML metadata of Service Provider
This metadata describes your NAM deployment in SAML 2.0 format. During configuration, you need to take a copy of it from here (Copy to clipboard or Download metadata as a file) and deliver it to your IdP.

XML metadata of Identity Provider
This metadata describes your IdP in SAML 2.0 format. During configuration, you need to get a copy of this metadata from your IdP and either paste it here or use Upload file.

User attribute mappings

Settings for mapping user attributes:

  • Email address
  • Last name
  • First name

Group association required for SSO user auto-import
When this is turned on, an SSO user is automatically imported during a login attempt only if that user belongs to an existing group. If the user does not belong to an existing group, login is denied and the user is not automatically imported.

User group attribute mappings

Settings for mapping user group attributes:

  • User group name
  • User group name regex

Disabling an external IdP

If you are using an external IdP and it goes down, or if you have other problems with SSO, you may want to temporarily access NAM using the default internal SSO.

To switch back to internal SSO:

  1. Get the address of your NAM Console machine.
  2. In your browser's address bar, open the following URL:
    https://<console address>:<port>/console/login.xhtml?local
    where <console address>:<port> is the IP address and port of the console machine.
    Example:
    https://console.company.com:4183/console/login.xhtml?local

If you want to continue using internal SSO, you can turn off your external IdP configuration:

  1. Open Authentication > SSO and federation.
  2. Set the Active switch to Off.