Reference 360 > Getting started with Reference 360 > SAML single sign-on
  

SAML single sign-on

You can enable single sign-on (SSO) capability so that users can access their organization without the need to enter login information. You can use SSO for user authentication or for both authentication and authorization in an organization. You configure SSO capability for an organization on the SAML Setup page.
Single sign-on to IDMC is based on the Security Assertion Markup Language (SAML) 2.0 web browser single sign-on profile. The SAML web browser single sign-on profile consists of the following entities:
Identity provider
An entity that manages authentication information and provides authentication services by using security tokens.
Service provider
An entity that provides web services to principals, for example, an entity that hosts web applications. IDMC is a service provider.
Principal
An end user who interacts through an HTTP user agent.
SAML 2.0 is an XML-based protocol that uses security tokens that contain assertions to pass information about a principal between an identity provider and a service provider. An assertion is a package of information that supplies statements made by a SAML authority. You can find more information about SAML on the Oasis web site: https://www.oasis-open.org
The process that occurs when a user enters the IDMC URL in a browser or launches IDMC through a chiclet differs based on whether the organization uses SAML SSO for authentication only or for both authentication and authorization.

SAML single sign-on for authentication only

When a user signs on to IDMC and the organization uses SAML SSO for user authentication only, the following process occurs:
  1. 1IDMC sends a SAML authentication request to the organization's identity provider.
  2. 2The identity provider confirms the user's identity and sends a SAML authentication response to IDMC. The authentication response includes a SAML token.
  3. 3When IDMC receives the SAML authentication response from the identity provider, it completes the following tasks:
  4. 4When a user logs out of IDMC or the session times out, IDMC sends a SAML logout request to the identity provider.
  5. 5The identity provider terminates the user session on the identity provider side.

SAML single sign-on for authentication and authorization

When a user signs on to IDMC and the organization uses SAML SSO for authentication and authorization, the following process occurs:
  1. 1IDMC sends a SAML authentication request to the organization's identity provider.
  2. 2The identity provider confirms the user's identity and sends a SAML authentication response to IDMC. The authentication response includes a SAML token.
  3. 3When IDMC receives the SAML authentication response from the identity provider, it completes the following tasks:
  4. 4When a user logs out of IDMC or the session times out, IDMC sends a SAML logout request to the identity provider.
  5. 5The identity provider terminates the user session on the identity provider side.

SAML single sign-on requirements

SAML single sign-on for an IDMC organization requires an appropriate identity provider.
To set up SAML single sign-on for an organization, ensure that the following requirements are met:

Single sign-on restrictions

There are some restrictions for SAML single sign-on access to IDMC.
The following restrictions apply to SAML single sign-on access:

User management with SAML single sign-on

The following rules apply to users and user accounts when you enable SAML single-sign on for IDMC:

Configuring SAML single sign-on for IDMC

Configure SAML single sign-on (SSO) in IDMC to exchange authentication and authorization information with your identity provider.
Tip:
To watch a video that describes the SAML configuration procedure, see https://youtu.be/4DewSNbvJBc?si=VAeGj5-5Oq0HbXtF.
SAML single sign-on requires an identity provider and service provider. Examples of identity providers include: Okta, Microsoft Azure AD, and PingFederate. In this scenario, the service provider is IDMC.
Before you can configure SAML SSO in IDMC, it must already be set up in your identity provider. For information about configuring two common identity providers, see the following articles on the Informatica network:
To configure SAML single sign-on for IDMC:
  1. 1Contact your identity provider team for the following information:
  2. 2Enter the information into the corresponding fields in Identity Provider Configuration section of the SAML Setup page:
  3. The following images shows these fields on the SAML Setup page:
    The following fields in the Identity Provider Configuration section of the SAML Setup page are highlighted: Issuer, Single Sign-On Service URL, and Signing Certificate.
  4. 3Enter the Name Identifier Format if possible, otherwise this can be added later. The following image shows the Name Identifier Format field:
  5. The Name Identifier Format field under the Identity Provider Configuration section.
  6. 4Click Save.
  7. IDMC generates the service provider metadata file and a unique token for your organization.
  8. 5Click Download Service Provider Metadata. This downloads the file iics_saml_sp_metadata.xml to your machine. It contains information that your service provider needs to complete the configuration.
  9. 6In the Information dialog box, note the URL for single sign-on access to your IDMC organization. For example:
  10. https://dm-us.informaticacloud.com/ma/sso/<organization token>
  11. 7Send the iics_saml_sp_metadata.xml file to the identity provider administrator, along with the URL for single sign-on access.
  12. 8Complete the SAML Attribute Mapping section. For more information, see SAML attribute mapping properties.
  13. 9If you want to map SAML roles to specific roles in IDMC, perform the following steps:
    1. aEnable Map SAML Groups and Roles. The following image shows the SAML Setup page with this option enabled:
    2. The Map SAML Groups and Roles check box under SSO Configuration on the SAML Setup page is enabled.
    3. bIn the User Roles field, enter the SAML attribute used to pass the assigned user roles. The following image shows the User Roles field:
    4. Mapping the SAML attribute for user roles.
      For example, if "idp_roles" is the name of the attribute from the identity provider used to pass user role information, then enter idp_roles.
    5. cMap the corresponding IDMC roles in the SAML Role Mapping tab. For more information, see SAML role and group mapping properties.
  14. 10If you don't want to map specific roles and instead just use a default role, perform the following steps:
    1. aEnsure that Map SAML Groups and Roles is not selected.
    2. bIn the SAML Role Mapping tab, scroll to the bottom of the list and select a Default Role. The following image shows the Default Role field:
    3. Defining a default IDMC role if not mapping specific roles.
      The Administrator can change the roles later.
  15. 11If you want to map SAML groups to specific groups in IDMC, perform the following steps:
    1. aSelect Map SAML Groups and Roles.
    2. bIn the User Groups field, enter the SAML attribute used to pass the assigned user groups. The following image shows the Default Groups field:
    3. Mapping the SAML attribute for user groups.
      For example, if "idp_groups" is the name of the attribute from the identity provider used to pass user group information, then enter idp_groups.
    4. cMap the corresponding IDMC groups in the SAML Group Mapping tab. For more information, see SAML role and group mapping properties.
    5. If there isn't a matching IDMC group, enter a new group name and IDMC will create this group and map it to the SAML group. Groups created this way are read-only in IDMC.
  16. 12If you don't want to map specific groups and instead just use a default group, perform the following steps:
    1. aEnsure that Map SAML Groups and Roles is not selected.
    2. bIn the SAML Group Mapping tab, scroll to the bottom of the list and select a Default Group.
    3. The Administrator can change the groups later.
  17. 13Complete the remaining fields on the SAML Setup page as necessary.

Configuring provider settings and mapping attributes

Configure SAML single sign-on settings and map SAML attributes on the SAML Setup page.
    1Log in to IDMC as an organization administrator.
    2In Administrator, select SAML Setup.
    3On the SAML Setup page, configure the following properties:
    4Click Save.
    IDMC generates the service provider metadata file. IDMC also generates a unique token for your organization and saves the token to the IDMC repository. The single sign-on URL for your organization includes the token. For example:
    https://dm-us.informaticacloud.com/ma/sso/<organization token>
After you save your changes on the SAML Setup page, download the service provider metadata, and send it to your identity provider along with the IDMC single sign-on URL.

Identity provider configuration properties

Define identity provider configuration properties on the SAML Setup page.
The following table describes the identity provider configuration properties:
Property
Description
Issuer
The entity ID of the identity provider, which is the unique identifier of the identity provider.
The Issuer value in all messages from the identity provider to IDMC must match this value. For example:
<saml:Issuer>http://idp.example.com</saml:Issuer>
Single Sign-On Service URL
The identity provider's HTTP-POST SAML binding URL for the SingleSignOnService, which is the SingleSignOnService element's location attribute. IDMC sends login requests to this URL.
Single Logout Service URL
The identity provider's HTTP-POST SAML binding URL for the SingleLogoutService, which is the SingleLogoutService element's location attribute. IDMC sends logout requests to this URL.
Signing Certificate
Base64-encoded PEM format identity provider certificate that IDMC uses to validate signed SAML messages from the identity provider.
Note:
The identity provider signing algorithm must be either DSA-SHA256 or RSA-SHA256.
Use signing certificate for encryption
Uses the public key in your signing certificate to encrypt logout requests sent to your identity provider when a user logs out from IDMC.
Encryption Certificate
Base64-encoded PEM format identity provider certificate that IDMC uses to encrypt SAML messages sent to the identity provider.
Applicable if you do not enable use of the signing certificate for encryption.
Name Identifier Format
The format of the name identifier in the authentication request that the identity provider returns to IDMC. IDMC uses the name identifier value as the IDMC user name.
The name identifier cannot be a transient value that can be different for each login. For a particular user, each single sign-on login to IDMC must contain the same name identifier value.
To specify that the name identifier is an email address, the Name Identifier Format is as follows:
urn:oasis:names:tc:SAML:1.1:nameidformat:emailAddress
Logout Service URL (SOAP Binding)
The identity provider's SAML SOAP binding URL for the single logout service. IDMC sends logout requests to this URL.
Logout Page URL
The landing page to which a user is redirected after the user logs out of IDMC.
IDMC redirects the logged out user to the landing page in the following ways:
  • - If you specify a logout page URL, IDMC redirects the user to this URL after logout.
  • - If you do not specify a logout page URL, IDMC redirects the user to a default logout page.

Service provider settings

Define the IDMC service provider settings on the SAML Setup page.
The following table describes service provider settings:
Property
Description
Informatica Cloud Platform SSO
Displays the single sign-on URL for your organization. IDMC generates this URL.
Clock Skew
Specifies the maximum permitted time, in seconds, between the time stamps in the SAML response from the identity provider and the IDMC clock.
Default is 180 seconds (3 minutes).
Name Identifier value represents user's email address
If enabled, IDMC uses the name identifier as the email address.
Default is enabled.
Sign authentication requests
If enabled, IDMC signs authentication requests to the identity provider.
Default is enabled.
Sign logout requests sent using SOAP binding
If enabled, IDMC signs logout requests sent to the identity provider.
Default is enabled.
Encrypt name identifier in logout requests
If enabled, IDMC encrypts the name identifier in logout requests.
Note:
Verify that the identity provider supports decryption of name identifiers before you enable this option.
Default is disabled.

SAML attribute mapping properties

The authentication response from the identity provider to IDMC includes user login attributes such as name, email address, and user role. If the identity provider passes user and group information using SCIM 2.0, the authentication response includes additional SCIM attributes such as Display Name, Employee Number, and Organization.
Map the IDMC user fields to corresponding SAML attributes on the SAML Setup page.
Note:
The attribute format differs based on your identity provider. Refer to the provider documentation for more information.
The following table describes the SAML attribute mapping properties:
includes user login attributes such as name, email address, and user role
includes user login attributes such as name, email address, and user role
The authentication response from the identity provider to
Property
Description
Use friendly SAML attribute names
If selected, uses the human-readable form of the SAML attribute name which might be useful in cases in which the attribute name is complex or opaque, such as an OID or a UUID.
First Name
SAML attribute used to pass the user first name.
Last Name
SAML attribute used to pass the user last name.
Job Title
SAML attribute used to pass the user job title.
Email Addresses
SAML attribute used to pass the user email addresses. This property is required.
Emails Delimiter
Delimiter to separate the email addresses if multiple email addresses are passed.
Phone Number
SAML attribute used to pass the user phone number.
Time Zone
SAML attribute used to pass the user time zone.
These four properties are enabled when the Map SAML Groups and Roles option is enabled:
User Roles
SAML attribute used to pass the assigned user roles.
Roles Delimiter
Delimiter to separate the roles if multiple roles are passed.
User Groups
SAML attribute used to pass the assigned user groups.
Groups Delimiter
Delimiter to separate the groups if multiple groups are passed.
The following table describes the additional attributes. These attributes are visible when the Enable IdP to push users/groups using SCIM 2.0 option is enabled:
Property
Description
Display Name
SCIM attribute used to pass the user displayName.
Employee Number
SCIM attribute used to pass the enterprise user employeeNumber.
Organization
SCIM attribute used to pass the enterprise user organization.
Department
SCIM attribute used to pass the enterprise user department.
Street Address
SCIM attribute used to pass the user streetAddress.
Locality
SCIM attribute used to pass the user locality.
Region
SCIM attribute used to pass the user region.
Post Code
SCIM attribute used to pass the user postalCode.
Country
SCIM attribute used to pass the user country.
Locale
SCIM attribute used to pass the user locale.
Preferred Language
SCIM attribute used to pass the user preferredLanguage.
ID
SCIM attribute used to pass the user id.
External ID
SCIM attribute used to pass the user externalId.
For Azure Active Directory, this is the objectID. For Okta, it is the id.

SAML role and group mapping properties

When you use SAML for authentication only, define a default role and optionally a default user group for new users. When you use SAML for both authentication and authorization, you can map specific SAML role and group names to IDMC role names. You can map multiple SAML roles and groups to a single IDMC role.
Note:
For instructions on how to map groups with Azure Active Directory, see the HOW TO: Create a SAML Group Mapping with Azure AD Knowledge article.
When the Map SAML Groups and Roles option on the SAML Setup page is enabled, you can map specific IDMC roles and groups in the SAML Role Mapping and SAML Group Mapping tabs, as shown in the following image:
The SAML Role Mapping and SAML Group Mapping tabs on the SAML Setup page.
You can map multiple IDMC roles and groups, separated by commas.
When the Map SAML Groups and Roles option is disabled, all SAML roles and groups become non-editable, except for the following fields at the end of the list:
Property
Description
Default Role
Default user role for single sign-on users. When auto-provisioning is enabled, new users are assigned this role the first time they sign in to IDMC.
Default User Group
Optional, default user group for single sign-on users. When auto-provisioning is enabled, new users are assigned to this user group the first time they sign in to IDMC.

Downloading the service provider metadata

The identity provider requires the SAML service provider metadata and IDMC URL to complete the SAML single sign-on setup process. After IDMC generates the service provider metadata file, deliver the file and the IDMC URL to the identity provider.
    1On the SAML Setup page, click Download Service Provider Metadata.
    The service provider metadata file is downloaded to your machine.
    2In the Information dialog box, note the URL for single sign-on access to your IDMC organization.
    3Click OK to close the Information dialog box.
    4Send the metadata file and the IDMC single sign-on URL to your identity provider administrator.