Symantec App Center supports using the Security Assertion Markup Language (SAML) protocol to act as an external identity provider (IDP). App Center can use the SAML server to authenticate users to access the Admin Console, the End-User Portal, the App Center App, and any wrapped apps that require authentication.
SAML provides Web-based authentication and authorization and single sign-on (SSO) capabilities.
See “Creating app policies that allow for single sign-on” on page 80.
When you configure App Center to use SAML, App Center acts as a service provider.
The user connects to App Center. App Center causes the user’s browser or native app to redirect to the SAML server. Once the SAML server has authenticated the user, the server forwards the user back to App Center. This whole process is transparent to the user.
If you want to use Symantec O₃ for authentication and SSO, the integration and configuration process varies from this generic SAML configuration. See the Symantec App Center and Symantec O₃ Integration Guide for detailed instructions.
Note: The password reset feature is only available if you use the local identity provider. However, if you use SAML as the external identity provider, the password reset option still appears on the Admin Console logon page so that administrators can change or reset their passwords.
This workflow assumes you have met the following prerequisites:
■ Roles and groups are set up.
You should set up your roles and groups in App Center before you configure your IDP so that after users enroll, you can assign them to the appropriate App Center groups.
Note: App Center does not support group mapping for SAML.
See “Creating roles and groups” on page 27.
■ Your organization already has the SAML server configured.
The workflow to configure SAML as an external identity provider is as follows:
■ Set up the server configuration.
The way you set up your server configuration depends on whether or not your SAML server requires specific information from App Center for the integration.
If it does, you download an XML file from App Center that contains this information and provide it to your SAML server provider. Your SAML server provider in turn provides you with the required IDP metadata file that you upload into App Center.
See “To set up the server configuration if your SAML server does not require specific information from App Center” on page 60.
See “To set up the server configuration if your SAML server requires additional information from App Center” on page 60.
■ Configure the authentication options.
Your SAML server's User Store and App Center use slightly different names to identify the same attributes. For example, App Center has an attribute EMailAddress, which contains the user's full email address. In a User Store, the same value might use the attribute mail. Your SAML implementation may vary slightly; however, these are the same attributes under different names. App Center requires four attributes: Username, FirstName, LastName, and EMailAddress.
You can map any attribute from your User Store to the App Center Username attribute, but the data for that attribute must be unique. For example, you would not want to map the sn attribute in a User Store to the App Center Username attribute, because you are likely to have more than one person with the same last name.
Depending on your corporate policy, your employees may be assigned user names that they use to log onto your corporate network. In that case, your User Store already has a user name attribute, and you can map that attribute to the App Center Username attribute. Otherwise, you might want to use the email address attribute, since it typically contains unique values.
See “To configure authentication options for SAML” on page 61.
■ Enable the external IDP.
After you enable SAML as the IDP, all URL requests to https://[mytenant].appcenterhq.com are redirected to the SAML provider for authentication. To log in using the local IDP, you must use the following URL:
https://[mytenant].appcenterhq.com/admin
See “To enable the identity provider” on page 61.
To complete this workflow, you need the following:
■ A SAML metadata file
Each SAML server distributes its information through a single file typically referred to as the metadata file. This file is in XML format and contains all the information needed to connect to it as well as any information needed to authenticate and parse the SAML replies. Obtain this metadata file from the SAML server.
■ SP Partner ID
Some SAML servers need extra information in the SAML request forwarded to them. If your SAML server requires this additional information, obtain the SP Partner ID before you begin this workflow.
■ SP Entity ID
Some SAML servers require extra information be included in the URL used to forward the request. Know the SP Entity ID before you begin this workflow.
The service provider entity ID must be written exactly the same as it is in the metadata file.
■ Know the names of the attributes in your SAML User Store that you want to map to the corresponding App Center attributes:
Username, FirstName, LastName, and EMailAddress
To set up the server configuration if your SAML server does not require specific information from App Center
1 In the Admin Console, click Settings > Server Configuration.
2 On the Server Configuration page, click the Type drop-down list and select SAML.
3 In the Name box, type a name for the configuration.
4 Beside IDP Metadata, click Browse.
5 Browse to and select the SAML metadata file.
6 Leave the SP Partner ID field blank.
7 In the SP Entity ID field, provide the service provider entity ID.
Your SAML provider gives you this ID. Type it exactly as the provider gave it to you.
8 Click Save.
To set up the server configuration if your SAML server requires additional information from App Center
1 In the Admin Console, click Settings > Server Configuration.
2 On the Server Configuration page, click the Type drop-down list and select SAML.
3 In the Name box, type a name for the configuration.
4 In the SP Partner ID field, type a partner ID.
Some SAML servers need extra information in the SAML request forwarded to them. Type this information here.
5 In the SP Entity ID field, provide the service provider entity ID.
Your SAML provider gives you this ID. Type it exactly as the provider gave it to you.
6 Click Download SP Metadata File.
Provide this file to your SAML provider.
7 If you need to leave this page before you are able to complete this procedure, click Save to save your changes.
8 When you have an IDP metadata file from your SAML provider, save it to a location that you can access from the App Center Admin Console.
9 Beside IDP Metadata, click Browse.
10 Browse to and select the SAML metadata file.
11 Click Save.
To configure authentication options for SAML
1 On the center pane, click Authentication Options.
2 Click the Username Attribute drop-down list and select the corresponding attribute.
You can map any attribute from your User Store to the Username attribute, but the data for that attribute must be unique. For example, you would not want to map the sn attribute in a User Store to the App Center's Username attribute, because you are likely to have more than one person with the same last name.
3 Click the First Name Attribute drop-down list and select the corresponding attribute.
4 Click the Last Name Attribute drop-down list and select the corresponding attribute.
5 Click the Email Attribute drop-down list and select the corresponding attribute.
6 Click Save.
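Before choosing the Username Attribute, it is worth checking the candidate attribute against a directory export. The script below is an added example, not App Center code: it validates a User Store to App Center attribute mapping the way the procedure above describes, confirming that all four required attributes are mapped, that each mapped store attribute is actually populated, and that the attribute chosen for Username is non-empty and unique (the sn collision the text warns about is reported as a duplicate). The directory records and the mapping are constructed sample data with LDAP-style attribute names.

```python
"""Check a User Store to App Center attribute mapping before enabling SAML:
every required App Center attribute must be mapped, and the attribute chosen
for Username must be populated and unique across users. The records below
are constructed for this example; they are not from any real user store."""
from collections import Counter

APP_CENTER_ATTRIBUTES = ("Username", "FirstName", "LastName", "EMailAddress")

# Constructed user store records with LDAP-style attribute names.
USER_STORE = [
    {"uid": "asmith", "givenName": "Alice", "sn": "Smith", "mail": "alice.smith@example.com"},
    {"uid": "bsmith", "givenName": "Bob",   "sn": "Smith", "mail": "bob.smith@example.com"},
    {"uid": "cjones", "givenName": "Carol", "sn": "Jones", "mail": "carol.jones@example.com"},
    {"uid": "dlee",   "givenName": "Dan",   "sn": "Lee",   "mail": ""},  # mailbox not created yet
]

# Example mapping: App Center attribute -> User Store attribute.
MAPPING = {"Username": "uid", "FirstName": "givenName",
           "LastName": "sn", "EMailAddress": "mail"}


def evaluate_username_attribute(records, attribute):
    """Report whether `attribute` identifies every user uniquely.
    Values are compared case-insensitively, as logon names usually are."""
    counts = Counter()
    empty = 0
    for record in records:
        value = (record.get(attribute) or "").strip()
        if not value:
            empty += 1
        else:
            counts[value.lower()] += 1
    duplicates = {value: n for value, n in counts.items() if n > 1}
    return {"attribute": attribute, "empty": empty, "duplicates": duplicates,
            "usable": empty == 0 and not duplicates}


def check_mapping(records, mapping):
    """Validate a full mapping: all four required attributes are mapped, each
    mapped store attribute is populated for at least one user (catches a
    misspelt attribute name), and the Username source is unique."""
    missing = [name for name in APP_CENTER_ATTRIBUTES if not mapping.get(name)]
    unpopulated = sorted({attr for attr in mapping.values()
                          if not any(record.get(attr) for record in records)})
    username = (evaluate_username_attribute(records, mapping["Username"])
                if mapping.get("Username") else None)
    ok = not missing and not unpopulated and username is not None and username["usable"]
    return {"missing_mappings": missing, "unpopulated_attributes": unpopulated,
            "username": username, "ok": ok}


def map_user(record, mapping):
    """Translate one store record into App Center's attribute names."""
    return {name: (record.get(attr) or "") for name, attr in mapping.items()}


if __name__ == "__main__":
    for candidate in ("uid", "mail", "sn"):
        print(candidate, evaluate_username_attribute(USER_STORE, candidate))
    print(check_mapping(USER_STORE, MAPPING)["ok"], map_user(USER_STORE[0], MAPPING))
```

On the sample data only uid is usable as the Username source: mail is unique but empty for one user, and sn collides for the two Smiths. Running the same check over a full directory export before step 2 avoids discovering a collision at enrollment time.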
To enable the identity provider
◆ On the Settings > External Identity Provider page, click Enable IDP.
Now you are ready to enroll your users in App Center.
See “Enrolling users using your external identity provider” on page 69.