Configure SAML integration on MSR¶
SAML configuration requires that you know the metadata URL for your chosen identity provider, as well as the URL for the MSR host that contains the IP address or domain of your MSR installation.
To configure SAML integration on MSR:
Log in to the MSR web UI.
In the left-side navigation panel, navigate to System to display the General tab.
Scroll down the page to the Auth Settings section and select Click here to configure auth settings. The right pane will display Authentication & Authorization in the details pane.
In the Identity Provider Integration section, move the slider next to SAML to enable the SAML settings.
In the SAML idP Server subsection, enter values for the following fields: SAML Proxy URL, SAML Proxy User, SAML Proxy Password , and IdP Metadata URL.
- SAML Proxy URL
Optional. URL of the user proxy server used by MSR to fetch the metadata specified in the IdP Metadata URL field.
- SAML Proxy User
Optional. The user name for proxyvcauthentication.
- SAML Proxy Password
Optional. The password for proxy authentication.
- IdP Metadata URL
URL for the identity provider metadata
If the metadata URL is publicly certified, you can continue with the default settings:
Skip TLS Verification unchecked
Root Certificates Bundle blank
Mirantis recommends the use of TLS verification in production environments. If the metadata URL cannot be certified by the default certificate authority store, you must provide the certificates from the identity provider in the Root Certificates Bundle field.
Click Test Proxy Settings to verify that the proxy server has access to the URL entered into the IdP Metadata URL field.
In the SAML Service Provider subsection, in the MSR Host field, enter the URL that includes the IP address or domain of your MSR installation.
The port number is optional. The current IP address or domain displays by default.
Optional. Customize the text of the sign-in button by entering the text for the button in the Customize Sign In Button Text field. By default, the button text is Sign in with SAML.
Copy the SERVICE PROVIDER METADATA URL, the ASSERTION CONSUMER SERVICE (ACS) URL, and the SINGLE LOGOUT (SLO) URL, to paste later into the identity provider workflow.
To configure a service provider, enter the Service provider metadata URL to obtain its metadata. To access the URL, you may need to provide the CA certificate that can verify the remote server.
To link group membership with users, use the Edit or Create team dialog to associate SAML group assertion with the MSR team to synchronize user team membership when the user log in.