Fusion 5.12

    Configure Managed Fusion for SAML

    SAML 2.0 is a standard for exchanging authentication and authorization data between security domains.

    The SAML protocol allows web-browser single sign-on (SSO) through a sequence of messages sent to and from the browser, which is the intermediary between Managed Fusion and the SAML authority acting as the Identity Provider (IdP).

    To configure Managed Fusion to use SAML 2.0 for user authentication and authorization you must create a SAML security realm. In addition to configuring the Managed Fusion security realm, you must configure the SAML identity provider to recognize the Managed Fusion application.

    Once Managed Fusion is configured for a SAML realm, this realm is added to the list of available realms on the initial Managed Fusion sign-on panel. When the SAML realm is chosen from the list, the browser redirects to the IdP, which handles user authentication. Upon successful authentication, the IdP sends a response back to the browser containing authentication and authorization information as well as the URL of the Managed Fusion application. The browser redirects back to the Managed Fusion URL, passing along the SAML message with the user authentication and authorization information. Managed Fusion then issues a session cookie, which is used for subsequent user access.

    Add a Security Realm

    1. Sign in to Managed Fusion and click your application.

    2. Click System > Access Control > Security Realms > Add Security Realm.

    3. In the Name field, enter a unique name for the security realm.

    4. Click Type and select saml.

    5. In the additional configuration options, review the default values and determine if you want to change them:

      • The default value for Enabled is true. This setting controls whether or not Managed Fusion allows user logins for this security realm.

      • The default value for Ephemeral Users is false. When disabled, this setting prevents ephemeral users from being created in ZooKeeper during login. If enabled, this property negates Auto Create Users.

      • The default value for Auto Create Users is true. If enabled, a user account is created automatically upon initial authentication. If disabled, a Managed Fusion user with admin permissions must create Managed Fusion users.

    6. In the SAML Realm section, complete the following fields:

      • In the Identity Provider URL field, enter the URL used by the SAML authority for single sign-on. For example: https://www.my-idp.com/<my-app-path>/sso/saml.

        The URL format may differ depending on the SAML identity provider.

      • In the IdP Issuer field, enter the URL for the SAML identity provider. The IdP Issuer must match the <saml:Issuer> in the SAML payload. For example: http://www.okta.com/exk686w2xi5KTuSXz0h7.

      • In the App Issuer field, enter the URL for the application source. This field is only required if there is an AudienceRestriction in the SAML assertion, in which case the field must match <saml:Audience> in the SAML payload.

      • In the Certificate Fingerprint field, paste the contents of the SAML authority certificate without the certificate header and footer.

      • In the User ID Attribute field, enter the username or identifier. By default, the Managed Fusion username is the same as the login name known to the Identity Provider. When another field or attribute in the user record stored by the IdP should be used as the Managed Fusion username, that attribute name is the value of the User ID Attribute.

      • In the Post Login Redirect URL field, enter a URL to display after the user signs in. If not set, the Managed Fusion URL is used.

      • In the Logout URL field, enter a URL that displays when the user signs out. This field is optional.

      • In the Groups Mapping section, enter a value in Group Name Attribute and add group mappings.

    7. Click Save.

    Configure SAML identity provider

    To finish setup, register Managed Fusion with your SAML identity provider. The amount of information required to register varies depending on the SAML authority.

    Required information

    Managed Fusion URL. This is the URL the browser returns to when the user successfully signs in. It consists of the:

    • Protocol

    • Server

    • Managed Fusion application port

    • Path, which is api/saml.

    For example, https://EXAMPLE_COMPANY.b.lucidworks.cloud:6764/api/saml.

    If the Managed Fusion application is running behind a load balancer, this URL is the load-balancer URL plus the path api/saml. The load balancer must be session-sticky so that the sequence of messages that make up the SAML protocol runs to completion.

    Additional information

    Some authorities may require additional information. In particular, the SAML 2.0 AudienceRestriction tag may be part of the SAML message. This tag specifies the domain where the SAML trust conditions are valid. This domain is usually where the Managed Fusion app is running. For example, https://EXAMPLE_COMPANY.b.lucidworks.cloud.

    Example SAML Realm configuration

    The Managed Fusion endpoint api/realm-configs returns a JSON list of all the configuration objects for all realms. After configuring a SAML realm named "saml-test" using the okta.com developer preview tool, the configuration object for this realm is:

    {
     "name":"saml-test",
     "realmType":"saml",
     "enabled":true,
     "config":{
         "autoCreateUsers":true,
         "idpUrl":"https://dev-417804.oktapreview.com/app/dev417804_1/exk686w2xi5KTuSXz0h7/sso/saml",
         "issuer":"http://www.okta.com/exk686w2xi5KTuSXz0h7",
         "certificateFingerprint":"MIIDpDCCAoygAwIBAgIGAVQr4A4NMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU\nMBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi00MTc4MDQxHDAaBgkqhkiG9w0BCQEW\nDWluZm9Ab2t0YS5jb20wHhcNMTYwNDE5MDAxNTI0WhcNMjYwNDE5MDAxNjI0WjCBkjELMAkGA1UE\nBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV\nBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNDE3ODA0MRwwGgYJ\nKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\nuNz0trRFPw2d4xXoUvX2oWeZolTVeFtaTnB9SWUyjK4og0WdT7rNdBg10eTvB2ezBwXCf24UGGui\nr1kjkZjiHDqDxKtzQYWpGuzLCjh/4PxKFGDaiUNKcE1Ig5myiEBTvMvv99XtrcI75QdUGDhbMiBr\n2PR5FukWOYepzlBzqY0JSDzX9NYJBKPkz+syK4mj0I6dqtYOU+bcTvjF9sR7jiHtQ+d0Zl8rz1Ca\nyuE3mNUtFJ1IJrY/RArhH1AB6mXbV/de1CXmGhKQbqQAbx9SiKtki9n84gKEwuWdV0jIqcBLGxUQ\ngjbsaIVqed2oX+7F2fh6t0g/I8NPnOWXOTvA+wIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCPt+DR\nliIsHO/iVnmLFPGfqrCO/gMv++xnq2wOB19YX7HhT1GIY2YZoVphrQpXH3OO0/8AZJ8ApCmq0E9x\nxUTQwQPBanVqlyLtu1Hr0c6dbAqcd5PtaEe6Ci33nayWPydhOmitvIyb/WtWtbel9HcdUkoGvkAl\ng305jnxkhwGLJm4jkzYe+eaYhd6oG3/JcHqKDGYGf7i2Z+ny0D7vxTeBQ+8PbZfsUKg0PlKyTocb\nydSmDPISsA1xOH5zlw+hzFIdKgD5vW7QZLvpIclNc2hqki/nWl/CHut0TnUuP/V3boREmhDu395n\n/u72pgNANfP7+2DTBb+CBTjGUsAxpKRF",
         "userIdAttribute":""
     },
     "roleNames":["search"],
     "id":"52e1c0d2-5e00-4c76-a3d4-57f1381bdb4f",
     "createdAt":"2016-04-19T19:49:04Z",
     "updatedAt":"2016-04-19T20:06:56Z"
    }
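Pulling the step 6 fields and the realm object above together, the following is an added Python example (not Fusion's own code) that applies each check those fields describe to an incoming SAML Response: IdP Issuer against <saml:Issuer>, App Issuer against <saml:Audience> when an AudienceRestriction is present, Certificate Fingerprint against the certificate carried in the assertion's signature, the Conditions validity window, and User ID Attribute and Group Name Attribute for the username and groups. The realm dict, certificate body, SAML response and clock are constructed sample data; the keys appIssuer and groupNameAttribute are assumed names for fields the page's example object does not set; XML signature verification is not part of the example.

```python
"""Added example, not Fusion's own code: apply the checks the SAML realm fields
describe to an incoming SAML Response. The realm dict follows the api/realm-configs
shape; "appIssuer" and "groupNameAttribute" are assumed key names for the App Issuer
and Group Name Attribute fields (the page's example sets neither). Realm, certificate
body, response and clock are constructed; XML signature verification is not shown."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
IDP_CERT_B64 = "MIIDpDCCAoygAwIBAgIGAVQr4A4N\nEXAMPLECERTBODY"  # constructed placeholder PEM body, wrapped
REALM = {"name": "saml-test", "realmType": "saml", "enabled": True, "config": {  # constructed
    "autoCreateUsers": True, "idpUrl": "https://idp.example.test/sso/saml",
    "issuer": "http://www.okta.com/exk686w2xi5KTuSXz0h7",  # IdP Issuer
    "appIssuer": "https://fusion.example.test",           # App Issuer (assumed key)
    "certificateFingerprint": IDP_CERT_B64,
    "userIdAttribute": "",           # empty: the NameID becomes the Fusion username
    "groupNameAttribute": "groups",  # Group Name Attribute (assumed key)
}}
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2016-04-19T20:00:00Z">
  <saml:Issuer>http://www.okta.com/exk686w2xi5KTuSXz0h7</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-04-19T20:00:00Z">
    <saml:Issuer>http://www.okta.com/exk686w2xi5KTuSXz0h7</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{IDP_CERT_B64}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2016-04-19T19:55:00Z" NotOnOrAfter="2016-04-19T20:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://fusion.example.test</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice.smith</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups"><saml:AttributeValue>search</saml:AttributeValue>
        <saml:AttributeValue>analysts</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
NOW = datetime(2016, 4, 19, 20, 0, 30, tzinfo=timezone.utc)  # constructed clock


def _utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _norm_cert(b64):
    """Drop line wrapping so a wrapped PEM body compares equal to an unwrapped one."""
    return re.sub(r"\s+", "", b64)


def validate_response(xml_text, realm, now):
    """Return {'ok': True, 'user', 'groups'} or {'ok': False, 'reason'}."""
    cfg = realm["config"]
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return {"ok": False, "reason": "status not Success"}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "reason": "no assertion"}
    # IdP Issuer must equal <saml:Issuer> on both the Response and the Assertion.
    for el in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if el is None or (el.text or "").strip() != cfg["issuer"]:
            return {"ok": False, "reason": "issuer mismatch"}
    # Certificate Fingerprint must equal the certificate carried in the signature.
    cert = assertion.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or _norm_cert(cert.text or "") != _norm_cert(cfg["certificateFingerprint"]):
        return {"ok": False, "reason": "certificate mismatch"}
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < _utc(nb)) or (na and now >= _utc(na)):
            return {"ok": False, "reason": "assertion outside validity window"}
        # App Issuer is only needed when an AudienceRestriction is present; then it
        # must match <saml:Audience>.
        audiences = [(a.text or "").strip()
                     for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and cfg.get("appIssuer", "") not in audiences:
            return {"ok": False, "reason": "audience mismatch"}
    attrs = {a.get("Name"): [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    # User ID Attribute: empty means the IdP login name (NameID) is the Fusion username,
    # otherwise the named attribute supplies it.
    if cfg.get("userIdAttribute"):
        user = (attrs.get(cfg["userIdAttribute"]) or [None])[0]
    else:
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        user = (name_id.text or "").strip() if name_id is not None else None
    if not user:
        return {"ok": False, "reason": "no user identifier"}
    return {"ok": True, "user": user, "groups": attrs.get(cfg.get("groupNameAttribute", ""), [])}
```

Calling validate_response(SAMPLE_RESPONSE, REALM, NOW) returns the accepted user and groups; swapping the Audience, moving the clock past NotOnOrAfter, or changing the configured issuer or certificate each yields a rejection reason instead. Because the comparison strips whitespace, a certificate body pasted with the line wrapping of the example object above compares equal to the same body pasted on one line.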