SAML Integration

Overview

The Morpheus SAML identity source integration allows customers to add user SSO to Morpheus, authenticated by external SAML login providers.

Adding a SAML Integration

To add a SAML integration:

  1. Navigate to Administration -> Tenants.

  2. Select a tenant.

  3. Select IDENTITY SOURCES in the Tenant detail page.

  4. Select + ADD IDENTITY SOURCE.

  5. Select SAML (external login) from the TYPE field.

  6. Add a Name and optional Description for the SAML integration.

There are 3 sections with fields that need to be populated depending on the desired configuration:

  • SAML Configuration

  • Role Mappings

  • User Attribute Names

SAML Configuration

LOGIN REDIRECT URL

This is the SAML endpoint Morpheus will redirect to when a user signs into Morpheus via SAML.

LOGOUT POST URL

The URL Morpheus will POST to when a SAML user logs out of Morpheus, so that the user is logged out of the SAML provider as well.

SIGNING PUBLIC KEY

Add the X.509 Certificate public key from the SAML provider.

Role Mappings

DEFAULT ROLE

The role a SAML user is assigned by default when no role is mapped.

ROLE ATTRIBUTE NAME

The name of the attribute field that will map to Morpheus roles, such as MemberOf.

REQUIRED ROLE ATTRIBUTE VALUE

The role attribute value that a user must be assigned, or be a member of, to be authorized, such as a group or role in the SAML SP.

ENABLE ROLE MAPPING PERMISSION

When selected, Tenant users with appropriate rights to view and edit Roles will have the ability to set role mapping for the Identity Source integration. This allows the Tenant user to edit only the role mappings without viewing or potentially editing the Identity Source configuration.

MANUAL ROLE ASSIGNMENT

When selected, administrators can manually edit Roles for users created through this identity source integration from the user detail page (Administration > Users > Selected user).

Note

For more on Identity Source role mapping permissions, see the associated guide in our KnowledgeBase.

The remaining Role Mapping fields list the existing Roles in Morpheus, each with a Role Attribute Value field.

User Attribute Names

GIVEN NAME ATTRIBUTE NAME

SAML SP field value to map to the Morpheus user First Name.

SURNAME ATTRIBUTE NAME

SAML SP field value to map to the Morpheus user Last Name.

EMAIL ATTRIBUTE NAME

SAML SP field value to map to the Morpheus user email address.
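The following is an added example, not Morpheus code, showing how the Role Mappings and User Attribute Names fields above act on the attribute statement of an incoming assertion: the required role value gate, the attribute value to Morpheus role mapping with the DEFAULT ROLE fallback, and the name/email attribute lookups. The attribute statement, attribute names, group values and role names are constructed, and the rule that the first mapped value wins is an assumption (the page does not state an order).

```python
import xml.etree.ElementTree as ET

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample AttributeStatement, as an IdP might include in an assertion.
SAMPLE_ATTRIBUTE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="User.FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.LastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="MemberOf">
    <saml:AttributeValue>morpheus-users</saml:AttributeValue>
    <saml:AttributeValue>cloud-admins</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Hypothetical identity source settings, named after the fields on this page.
CONFIG = {
    "given_name_attribute": "User.FirstName",
    "surname_attribute": "User.LastName",
    "email_attribute": "User.email",
    "role_attribute_name": "MemberOf",
    "required_role_attribute_value": "morpheus-users",
    "default_role": "Standard User",
    "role_mappings": {"cloud-admins": "Tenant Admin"},  # attribute value -> Morpheus role
}

def parse_attributes(xml_text):
    """Return {attribute Name: [values]} from an AttributeStatement."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): [v.text or "" for v in a.findall(SAML_NS + "AttributeValue")]
            for a in root.findall(SAML_NS + "Attribute")}

def map_user(xml_text, config=CONFIG):
    """Build the Morpheus user record, or return None if the user is not authorized."""
    attrs = parse_attributes(xml_text)
    groups = attrs.get(config["role_attribute_name"], [])
    # REQUIRED ROLE ATTRIBUTE VALUE: a user without it is not authorized at all.
    required = config.get("required_role_attribute_value")
    if required and required not in groups:
        return None
    # First mapped value wins (an assumption; the page does not state the order),
    # otherwise DEFAULT ROLE applies.
    role = next((config["role_mappings"][g] for g in groups if g in config["role_mappings"]),
                config["default_role"])
    pick = lambda key: (attrs.get(config[key]) or [None])[0]
    return {"first_name": pick("given_name_attribute"),
            "last_name": pick("surname_attribute"),
            "email": pick("email_attribute"),
            "role": role}
```

Running map_user(SAMPLE_ATTRIBUTE_STATEMENT) yields a Tenant Admin record for Ada; removing morpheus-users from MemberOf makes the same user unauthorized, and an unmapped group falls back to Standard User.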

Once populated, select SAVE CHANGES and the SAML identity source integration will be added.

In the Identity Sources section, important information for configuration of the SAML integration is provided. Use the SP ENTITY ID and SP ACS URL for configuration on the external login SAML provider side.

  • SP ENTITY ID

  • SP ACS URL

  • IDP LOGIN REDIRECT URL

  • IDP LOGOUT POST URL

  • SP METADATA

Sample Metadata code output:

  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <EntityDescriptor entityID="https://someip.com/saml/CDWPjmZt"
                    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
                     protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
      <AssertionConsumerService index="0" isDefault="true"
                                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                Location="https://someip.com/externalLogin/callback/CDWPjmZt"/>
    </SPSSODescriptor>
  </EntityDescriptor>

Note

Different SAML providers will have different field names and requirements. A OneLogin SAML Test Connector (IdP w/attr) was used for the example integration in this article.

OneLogin SAML SSO

For OneLogin SAML integration, the following fields are mapped:

  • LOGIN REDIRECT URL : SAML 2.0 Endpoint (HTTP)

  • LOGOUT POST URL : SLO Endpoint (HTTP)

  • SIGNING PUBLIC KEY : X.509 Certificate

  • SP ENTITY ID: ACS (Consumer) URL Validator

  • SP ACS URL: ACS (Consumer) URL