Configure SAML integration on MSR
SAML configuration requires that you know the metadata URL for your chosen identity provider, as well as the URL for the MSR host that contains the IP address or domain of your MSR installation.
To configure SAML integration on MSR:
1. Log in to the MSR web UI.
2. In the left-side navigation panel, navigate to System to display the General tab.
3. Scroll down the page to the Auth Settings section and select Click here to configure auth settings. The details pane on the right displays Authentication & Authorization.
4. In the Identity Provider Integration section, move the slider next to SAML to enable the SAML settings.
5. In the SAML idP Server subsection, enter the URL for the identity provider metadata in the IdP Metadata URL field.
   If the metadata URL is publicly certified, you can continue with the default settings:
   - Skip TLS Verification unchecked
   - Root Certificates Bundle blank
   Mirantis recommends the use of TLS verification in production environments. If the metadata URL cannot be certified by the default certificate authority store, you must provide the certificates from the identity provider in the Root Certificates Bundle field.
6. In the SAML Service Provider subsection, in the MSR Host field, enter the URL that includes the IP address or domain of your MSR installation.
   The port number is optional. The current IP address or domain displays by default.
7. Optional. Customize the text of the sign-in button by entering the text for the button in the Customize Sign In Button Text field. By default, the button text is Sign in with SAML.
8. Copy the SERVICE PROVIDER METADATA URL, the ASSERTION CONSUMER SERVICE (ACS) URL, and the SINGLE LOGOUT (SLO) URL to paste later into the identity provider workflow.
To configure a service provider, enter the Service provider metadata URL to obtain its metadata. To access the URL, you may need to provide the CA certificate that can verify the remote server.
To link group membership with users, use the Edit or Create team dialog to associate a SAML group assertion with the MSR team, so that user team membership is synchronized when the user logs in.
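A pre-flight check for the IdP Metadata URL step, written for this page as an added example and not taken from MSR or its documentation: it fetches the metadata with TLS verification always on (system CA store when no bundle is given, otherwise only the supplied PEM bundle) and summarizes what the identity provider publishes. The IdP hostname, the sample metadata and all function names are constructed for illustration, and trusting only the bundle is this script's choice, not a statement about how MSR combines the two stores.

```python
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata: hypothetical IdP, placeholder certificate body.
SAMPLE = b"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.test/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>CONSTRUCTED</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://idp.example.test/slo"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def tls_context(root_bundle_path=None):
    # No bundle: system CA store. Bundle given: trust only that PEM file.
    # Certificate and hostname verification stay enabled in both cases.
    return ssl.create_default_context(cafile=root_bundle_path)

def fetch_metadata(url, root_bundle_path=None, timeout=10):
    if urlsplit(url).scheme != "https":
        raise ValueError("metadata URL must use https")
    ctx = tls_context(root_bundle_path)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()

def summarize_metadata(xml_bytes):
    # SAML metadata has no need for a DTD, so refuse documents that declare one.
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DTD not allowed in SAML metadata")
    root = ET.fromstring(xml_bytes)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("expected a single IdP EntityDescriptor")
    endpoints = [(tag, e.get("Location"))
                 for tag in ("SingleSignOnService", "SingleLogoutService")
                 for e in idp.findall("md:" + tag, NS)]
    signing = [k for k in idp.findall("md:KeyDescriptor", NS)
               if k.get("use") in (None, "signing")
               and k.find(".//ds:X509Certificate", NS) is not None]
    return {"entity_id": root.get("entityID"),
            "endpoints": endpoints,
            "non_https": [u for _, u in endpoints if urlsplit(u or "").scheme != "https"],
            "signing_certs": len(signing)}

if __name__ == "__main__":
    print(summarize_metadata(SAMPLE))
```

If `fetch_metadata` raises a certificate verification error without a bundle but succeeds with the identity provider's root certificates, that is the case where the Root Certificates Bundle field needs to be filled in rather than TLS verification skipped.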