You can enable single sign-on (SSO) capability so that users can access their organization without the need to enter login information. You can use SSO for user authentication or for both authentication and authorization in an organization. You configure SSO capability for an organization on the SAML Setup page.
Single sign-on to Informatica Intelligent Cloud Services is based on the Security Assertion Markup Language (SAML) 2.0 web browser single sign-on profile. The SAML web browser single sign-on profile consists of the following entities:
Identity provider
An entity that manages authentication information and provides authentication services through the use of security tokens.
Service provider
An entity that provides web services to principals, for example, an entity that hosts web applications. Informatica Intelligent Cloud Services is a service provider.
Principal
An end user who interacts through an HTTP user agent.
SAML 2.0 is an XML-based protocol that uses security tokens that contain assertions to pass information about a principal between an identity provider and a service provider. An assertion is a package of information that supplies statements made by a SAML authority. You can find more information about SAML on the Oasis web site: https://www.oasis-open.org
The process that occurs when a user enters the Informatica Intelligent Cloud Services URL in a browser or launches Informatica Intelligent Cloud Services through a chicklet differs based on whether the organization uses SAML SSO for authentication only or for both authentication and authorization.
SAML single sign-on for authentication only
When a user signs on to Informatica Intelligent Cloud Services and the organization uses SAML SSO for user authentication only, the following process occurs:
1. Informatica Intelligent Cloud Services sends a SAML authentication request to the organization's identity provider.
2. The identity provider confirms the user's identity and sends a SAML authentication response to Informatica Intelligent Cloud Services. The authentication response includes a SAML token.
3. When Informatica Intelligent Cloud Services receives the SAML authentication response from the identity provider, it completes the following tasks:
- If the user exists, Informatica Intelligent Cloud Services establishes the user session and logs the user in.
- If the user does not exist and auto-provisioning of users is enabled, Informatica Intelligent Cloud Services gets the user attributes from the SAML token, creates the user, and assigns the user the default role and the default group, if it is configured. Informatica Intelligent Cloud Services establishes the user session and logs the user in.
- If the user does not exist and auto-provisioning of users is disabled, Informatica Intelligent Cloud Services fails the login.
4. When a user logs out of Informatica Intelligent Cloud Services or the session times out, Informatica Intelligent Cloud Services sends a SAML logout request to the identity provider.
5. The identity provider terminates the user session on the identity provider side.
SAML single sign-on for authentication and authorization
When a user signs on to Informatica Intelligent Cloud Services and the organization uses SAML SSO for authentication and authorization, the following process occurs:
1. Informatica Intelligent Cloud Services sends a SAML authentication request to the organization's identity provider.
2. The identity provider confirms the user's identity and sends a SAML authentication response to Informatica Intelligent Cloud Services. The authentication response includes a SAML token.
3. When Informatica Intelligent Cloud Services receives the SAML authentication response from the identity provider, it completes the following tasks:
- If the user exists, Informatica Intelligent Cloud Services gets the user roles, groups, and attributes from the SAML token. It finds the corresponding Informatica Intelligent Cloud Services user roles and groups, and updates the user roles, if necessary. Informatica Intelligent Cloud Services establishes the user session and logs the user in.
- If the user does not exist and auto-provisioning of users is enabled, Informatica Intelligent Cloud Services gets the user roles, groups, and attributes from the SAML token and creates the user. Informatica Intelligent Cloud Services establishes the user session and logs the user in. If the token contains no SAML role or group information, Informatica Intelligent Cloud Services fails the login.
- If the user does not exist and auto-provisioning of users is disabled, Informatica Intelligent Cloud Services fails the login.
4. When a user logs out of Informatica Intelligent Cloud Services or the session times out, Informatica Intelligent Cloud Services sends a SAML logout request to the identity provider.
5. The identity provider terminates the user session on the identity provider side.
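The two process descriptions above differ only in what happens when the user is unknown or when the token carries no authorization data. The following added example models that decision logic; it is illustrative code written for this page, not Informatica's implementation. The class names, the in-memory user store, and the default role name "Service Consumer" are assumptions, and the token's roles are assumed to already be expressed as service role names.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example: a model of the login decision for SAML SSO in
# authentication-only mode and in authentication-and-authorization mode.
# Not Informatica's code; names and the default role are assumptions.


@dataclass
class SamlToken:
    """Pieces of the SAML token that the decision depends on."""
    name_id: str                                       # used as the user name
    attributes: Dict[str, str] = field(default_factory=dict)
    roles: List[str] = field(default_factory=list)     # assumed: service role names
    groups: List[str] = field(default_factory=list)


@dataclass
class SsoConfig:
    authorization_via_saml: bool               # False = SAML SSO for authentication only
    auto_provision: bool
    default_role: str = "Service Consumer"     # assumed default role name
    default_group: Optional[str] = None        # optional default user group


@dataclass
class LoginResult:
    success: bool
    reason: str


def process_saml_login(token: SamlToken, config: SsoConfig,
                       user_store: Dict[str, dict]) -> LoginResult:
    """Apply the provisioning rules to one validated authentication response."""
    user = user_store.get(token.name_id)

    if user is not None:
        if config.authorization_via_saml:
            # The token is authoritative for roles and groups, so they are
            # refreshed on every login rather than only at provisioning time.
            user["roles"] = list(token.roles)
            user["groups"] = list(token.groups)
            return LoginResult(True, "existing user; roles and groups synced from token")
        return LoginResult(True, "existing user; session established")

    if not config.auto_provision:
        # Unknown user and auto-provisioning disabled: login fails in both modes.
        return LoginResult(False, "unknown user and auto-provisioning is disabled")

    if config.authorization_via_saml:
        if not token.roles and not token.groups:
            # Without any role or group information there is nothing to authorize.
            return LoginResult(False, "token carries no SAML role or group information")
        roles, groups = list(token.roles), list(token.groups)
    else:
        # Authentication only: new users receive the configured defaults.
        roles = [config.default_role]
        groups = [config.default_group] if config.default_group else []

    user_store[token.name_id] = {"attributes": dict(token.attributes),
                                 "roles": roles, "groups": groups}
    return LoginResult(True, "user auto-provisioned; session established")
```

Note that in authentication-only mode the roles in the token are ignored even for existing users: authorization stays under the service's own administration, which is the property that distinguishes the two modes.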
SAML single sign-on requirements
To set up SAML single sign-on for an Informatica Intelligent Cloud Services organization, the system must use an appropriate identity provider.
To set up SAML single sign-on for an organization, ensure that the following requirements are met:
• The system must use a SAML 2.0-based identity provider.
Common identity providers include Microsoft Active Directory Federation Services (AD FS), Okta, SSOCircle, OpenLDAP, and Shibboleth. The identity provider must be configured to use either the DSA-SHA256 or RSA-SHA256 algorithm to generate the signature.
• The Informatica Intelligent Cloud Services organization must have the SAML based Single Sign-On license.
• You must have access to the organization as an organization administrator to set up single sign-on.
Single sign-on restrictions
There are some restrictions for SAML single sign-on access to Informatica Intelligent Cloud Services.
The following restrictions apply to SAML single sign-on access:
• If your license with the identity provider expires, you cannot access Informatica Intelligent Cloud Services through single sign-on.
• If the identity provider is down or Informatica Intelligent Cloud Services servers cannot reach it, users cannot log in to Informatica Intelligent Cloud Services through single sign-on.
• If the identity provider certificate used for SAML single sign-on to Informatica Intelligent Cloud Services expires, users cannot access Informatica Intelligent Cloud Services through single sign-on.
• If your organization uses trusted IP address ranges, users cannot log in to Informatica Intelligent Cloud Services from an IP address that is not within the trusted IP address ranges.
User management with SAML single sign-on
The following rules apply to users and user accounts when you enable SAML single sign-on for Informatica Intelligent Cloud Services:
• Informatica Intelligent Cloud Services stores user information that passes from the identity provider, such as first name and email address, in the Informatica Intelligent Cloud Services repository.
• You can create a regular user account with credentials in Informatica Intelligent Cloud Services after you enable an organization for single sign-on, and the user credentials are saved in the Informatica Intelligent Cloud Services repository. However, the user must log in to Informatica Intelligent Cloud Services directly instead of using single sign-on.
• If you delete a user from Informatica Intelligent Cloud Services, the user is deleted from the Informatica Intelligent Cloud Services repository. The user is not deleted from the identity provider.
SAML single sign-on configuration for Informatica Intelligent Cloud Services
Informatica Intelligent Cloud Services and your identity provider exchange configuration information when you set up single sign-on.
Informatica Intelligent Cloud Services requires identity provider metadata to send authentication and authorization requests to the identity provider. The identity provider requires service provider metadata from Informatica Intelligent Cloud Services to send responses to Informatica Intelligent Cloud Services.
SAML and Informatica Intelligent Cloud Services attributes need to be mapped so that Informatica Intelligent Cloud Services can consume the data passed in authentication responses. After you configure single sign-on settings in Informatica Intelligent Cloud Services, pass the Informatica Intelligent Cloud Services service provider metadata to your identity provider.
To configure single sign-on for Informatica Intelligent Cloud Services, complete the following tasks:
1. Configure the SAML identity provider and service provider settings, and map SAML attributes to Informatica Intelligent Cloud Services attributes in Informatica Intelligent Cloud Services.
2. Download the Informatica Intelligent Cloud Services service provider metadata from Informatica Intelligent Cloud Services, and deliver the metadata and the Informatica Intelligent Cloud Services single sign-on URL for your organization to your SAML identity provider administrator.
Configuring provider settings and mapping attributes
Configure SAML single sign-on settings and map SAML attributes on the SAML Setup page.
1. Log in to Informatica Intelligent Cloud Services as an organization administrator.
2. In Administrator, select SAML Setup.
3. On the SAML Setup page, configure the following properties:
- SSO configuration properties
- Identity provider configuration properties
- Service provider settings
- SAML attribute mapping properties
- SAML role and group mapping properties (if you use SAML SSO for authentication and authorization)
4. Click Save.
Informatica Intelligent Cloud Services generates the service provider metadata file. Informatica Intelligent Cloud Services also generates a unique token for your organization and saves the token to the Informatica Intelligent Cloud Services repository. The single sign-on URL for your organization includes the token. For example:
After you save your changes on the SAML Setup page, download the service provider metadata, and send it to your identity provider along with the Informatica Intelligent Cloud Services single sign-on URL.
Identity provider configuration properties
Define identity provider configuration properties on the SAML Setup page.
The following table describes the identity provider configuration properties:
Property
Description
Issuer
The entity ID of the identity provider, which is the unique identifier of the identity provider.
The Issuer value in all messages from the identity provider to Informatica Intelligent Cloud Services must match this value. For example:
<saml:Issuer>http://idp.example.com</saml:Issuer>
Single Sign-On Service URL
The identity provider's HTTP-POST SAML binding URL for the SingleSignOnService, which is the SingleSignOnService element's location attribute. Informatica Intelligent Cloud Services sends login requests to this URL.
Single Logout Service URL
The identity provider's HTTP-POST SAML binding URL for the SingleLogoutService, which is the SingleLogoutService element's location attribute. Informatica Intelligent Cloud Services sends logout requests to this URL.
Signing Certificate
Base64-encoded PEM format identity provider certificate that Informatica Intelligent Cloud Services uses to validate signed SAML messages from the identity provider.
Note: The identity provider signing algorithm must be either DSA-SHA1 or RSA-SHA1.
Use signing certificate for encryption
Uses the public key in your signing certificate to encrypt logout requests sent to your identity provider when a user logs out from Informatica Intelligent Cloud Services.
Encryption Certificate
Base64-encoded PEM format identity provider certificate that Informatica Intelligent Cloud Services uses to encrypt SAML messages sent to the identity provider.
Applicable if you do not enable use of the signing certificate for encryption.
Name Identifier Format
The format of the name identifier in the authentication request that the identity provider returns to Informatica Intelligent Cloud Services. Informatica Intelligent Cloud Services uses the name identifier value as the Informatica Intelligent Cloud Services user name.
The name identifier cannot be a transient value that can be different for each login. For a particular user, each single sign-on login to Informatica Intelligent Cloud Services must contain the same name identifier value.
To specify that the name identifier is an email address, the Name Identifier Format is as follows:
The identity provider's SAML SOAP binding URL for the single logout service. Informatica Intelligent Cloud Services sends logout requests to this URL.
Logout Page URL
The landing page to which a user is redirected after the user logs out of Informatica Intelligent Cloud Services.
Informatica Intelligent Cloud Services redirects the logged out user to the landing page in the following ways:
- If you specify a logout page URL, Informatica Intelligent Cloud Services redirects the user to this URL after logout.
- If you do not specify a logout page URL, Informatica Intelligent Cloud Services redirects the user to a default logout page.
Service provider settings
Define the Informatica Intelligent Cloud Services service provider settings on the SAML Setup page.
The following table describes service provider settings:
Property
Description
Informatica Cloud Platform SSO
Displays the single sign-on URL for your organization. This URL is automatically generated by Informatica Intelligent Cloud Services.
Clock Skew
Specifies the maximum permitted time, in seconds, between the time stamps in the SAML response from the identity provider and the Informatica Intelligent Cloud Services clock.
Default is 180 seconds (3 minutes).
Name Identifier value represents user's email address
If enabled, Informatica Intelligent Cloud Services uses the name identifier as the email address.
Default is enabled.
Sign authentication requests
If enabled, Informatica Intelligent Cloud Services signs authentication requests to the identity provider.
Default is enabled.
Sign logout requests sent using SOAP binding
If enabled, Informatica Intelligent Cloud Services signs logout requests sent to the identity provider.
Default is enabled.
Encrypt name identifier in logout requests
If enabled, Informatica Intelligent Cloud Services encrypts the name identifier in logout requests.
Note: Verify that the identity provider supports decryption of name identifiers before you enable this option.
Default is disabled.
SAML attribute mapping properties
User login attributes such as name, email address, and user role are included in the authentication response from the identity provider to Informatica Intelligent Cloud Services. If the identity provider passes user and group information using SCIM 2.0, the authentication response includes additional SCIM attributes such as Display Name, Employee Number, and Organization.
Map the Informatica Intelligent Cloud Services user fields to corresponding SAML attributes on the SAML Setup page.
Note: The attribute format differs based on your identity provider. Refer to the provider documentation for more information.
The following table describes the SAML attribute mapping properties:
Property
Description
Use friendly SAML attribute names
If selected, uses the human-readable form of the SAML attribute name, which might be useful in cases in which the attribute name is complex or opaque, such as an OID or a UUID.
First Name
SAML attribute used to pass the user first name.
Last Name
SAML attribute used to pass the user last name.
Job Title
SAML attribute used to pass the user job title.
Email Addresses
SAML attribute used to pass the user email addresses. This property must be mapped.
Emails Delimiter
Delimiter to separate the email addresses if multiple email addresses are passed.
Phone Number
SAML attribute used to pass the user phone number.
Time Zone
SAML attribute used to pass the user time zone.
User Roles
SAML attribute used to pass the assigned user roles.
This field is enabled when the Map SAML Groups and Roles option is enabled.
Roles Delimiter
Delimiter to separate the roles if multiple roles are passed.
This field is enabled when the Map SAML Groups and Roles option is enabled.
User Groups
SAML attribute used to pass the assigned user groups.
This field is enabled when the Map SAML Groups and Roles option is enabled.
Groups Delimiter
Delimiter to separate the groups if multiple groups are passed.
This field is enabled when the Map SAML Groups and Roles option is enabled.
The following table describes the additional attributes. These attributes are visible when the Enable IdP to push users/groups using SCIM 2.0 option is enabled:
Property
Description
Display Name
SCIM attribute used to pass the user displayName.
Employee Number
SCIM attribute used to pass the enterprise user employeeNumber.
Organization
SCIM attribute used to pass the enterprise user organization.
Department
SCIM attribute used to pass the enterprise user department.
Street Address
SCIM attribute used to pass the user streetAddress.
Locality
SCIM attribute used to pass the user locality.
Region
SCIM attribute used to pass the user region.
Post Code
SCIM attribute used to pass the user postalCode.
Country
SCIM attribute used to pass the user country.
Locale
SCIM attribute used to pass the user locale.
Preferred Language
SCIM attribute used to pass the user preferredLanguage.
ID
SCIM attribute used to pass the user id.
External ID
SCIM attribute used to pass the user externalId.
For Azure Active Directory, this is the objectID. For Okta, it is the id.
SAML role and group mapping properties
When you use SAML for authentication only, define a default role and optional default user group for new users. When you use SAML for authentication and authorization, map SAML role and group names to Informatica Intelligent Cloud Services role names. You can map multiple SAML roles and groups to a single Informatica Intelligent Cloud Services role.
Note: For instructions on how to create a SAML group mapping with Azure Active Directory, see this KB article.
Define the SAML role and group mapping properties on the SAML Setup page.
The following table describes SAML role mapping properties:
Property
Description
Informatica Intelligent Cloud Services role
The SAML role equivalent for the Informatica Intelligent Cloud Services role. If you need to enter more than one role, use a comma to separate the roles.
The role mapping fields are enabled when the Map SAML Groups and Roles option is enabled.
Default Role
Default user role for single sign-on users. When auto-provisioning is enabled, new users are assigned this role the first time they sign on to Informatica Intelligent Cloud Services.
This field is visible when the Map SAML Groups and Roles option is disabled.
Default User Group
Optional default user group for single sign-on users. When auto-provisioning is enabled, new users are assigned to this user group the first time they sign on to Informatica Intelligent Cloud Services.
This field is visible when the Map SAML Groups and Roles option is disabled.
The following table describes SAML group mapping properties:
Property
Description
Informatica Intelligent Cloud Services role
The SAML group equivalent for the Informatica Intelligent Cloud Services role. If you need to enter more than one group, use a comma to separate the groups. You can enter up to 4000 characters.
The role mapping fields are enabled when the Map SAML Groups and Roles option is enabled.
Default Role
Default user role for single sign-on users. When auto-provisioning is enabled, new users are assigned this role the first time they sign on to Informatica Intelligent Cloud Services.
This field is visible when the Map SAML Groups and Roles option is disabled.
Default User Group
Optional default user group for single sign-on users. When auto-provisioning is enabled, new users are assigned to this user group the first time they sign on to Informatica Intelligent Cloud Services.
This field is visible when the Map SAML Groups and Roles option is disabled.
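Several of the settings described above (the Issuer check, the non-transient Name Identifier Format, the Clock Skew window, the attribute mapping with delimiters, and the comma-separated role and group mapping) are checks that the service provider applies to each assertion it receives. The following added example shows those checks applied together to a constructed assertion; it is illustrative code written for this page, not Informatica's implementation. Signature verification against the Signing Certificate is assumed to have already succeeded before this step, and the configuration keys, friendly attribute names, delimiters, and role names ("Admin", "Designer") are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Added example, not Informatica's code. Applies the SAML Setup checks and
# mappings to a constructed assertion whose signature is assumed verified.

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample assertion; OIDs for givenName and mail are the standard ones.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>http://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
      <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>jane@example.com;jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="roles" FriendlyName="roles">
      <saml:AttributeValue>idp-admins,idp-developers</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups" FriendlyName="groups">
      <saml:AttributeValue>data-team</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed representation of what an administrator enters on the SAML Setup page.
SSO_CONFIG = {
    "issuer": "http://idp.example.com",
    "clock_skew_seconds": 180,                 # the documented default
    "use_friendly_names": True,
    "attribute_map": {"first_name": "givenName", "emails": "mail",
                      "roles": "roles", "groups": "groups"},
    "delimiters": {"emails": ";", "roles": ",", "groups": ","},
    # service role -> comma-separated SAML roles / groups
    "role_map": {"Admin": "idp-admins, sec-ops", "Designer": "idp-developers"},
    "group_map": {"Designer": "data-team"},
}


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, config: dict, now: datetime) -> Tuple[ET.Element, str]:
    """Check issuer, name identifier format and validity window; return (root, name_id)."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != config["issuer"]:
        raise ValueError(f"issuer mismatch: {issuer!r}")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text or name_id.get("Format") == TRANSIENT:
        raise ValueError("name identifier missing or transient")
    cond = root.find("saml:Conditions", NS)
    skew = timedelta(seconds=config["clock_skew_seconds"])
    if cond is not None:
        # Both bounds are relaxed by the permitted clock skew.
        if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
            raise ValueError("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
            raise ValueError("assertion expired")
    return root, name_id.text


def extract_attributes(root: ET.Element, config: dict) -> Dict[str, List[str]]:
    """Map SAML attributes onto user fields, splitting multi-valued fields on their delimiter."""
    key = "FriendlyName" if config["use_friendly_names"] else "Name"
    raw = {a.get(key): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
           for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    out = {}
    for field_name, saml_name in config["attribute_map"].items():
        values = raw.get(saml_name, [])
        delim = config["delimiters"].get(field_name)
        if delim:
            values = [p.strip() for v in values for p in v.split(delim) if p.strip()]
        out[field_name] = values
    if not out.get("emails"):
        raise ValueError("Email Addresses attribute must be mapped and present")
    return out


def _matches(mapping: Dict[str, str], values: set) -> set:
    """Service roles whose comma-separated SAML names intersect the token values."""
    return {role for role, names in mapping.items()
            if values & {n.strip() for n in names.split(",")}}


def resolve_roles(attrs: Dict[str, List[str]], config: dict) -> List[str]:
    """Combine role mapping and group mapping into the user's service roles."""
    roles = _matches(config["role_map"], set(attrs.get("roles", [])))
    roles |= _matches(config["group_map"], set(attrs.get("groups", [])))
    return sorted(roles)
```

The validity-window check is where the Clock Skew setting matters: with the 180-second default, an assertion whose NotOnOrAfter has passed by two minutes is still accepted, while one that is three and a half minutes stale is rejected. Keeping the skew small limits how long a replayed or delayed assertion remains usable.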
Downloading the service provider metadata
The identity provider requires the SAML service provider metadata and Informatica Intelligent Cloud Services URL to complete the SAML single sign-on setup process. After Informatica Intelligent Cloud Services generates the service provider metadata file, deliver the file and the Informatica Intelligent Cloud Services URL to the identity provider.
1. On the SAML Setup page, click Download Service Provider Metadata.
The service provider metadata file is downloaded to your machine.
2. In the Information dialog box, note the URL for single sign-on access to your Informatica Intelligent Cloud Services organization.
3. Click OK to close the Information dialog box.
4. Send the metadata file and the Informatica Intelligent Cloud Services single sign-on URL to your identity provider administrator.