Logging in to SDMC via an identity provider
With the SAML protocol, SDMC can rely on an identity provider (IdP) to authenticate administrators.
To set up this connection mode:
-
Provide SDMC with a well-known location indicating the IdP to contact,
-
Configure the IdP of your choice so that it provides SDMC with the information required for authentication. The IdP must be accessible over the Internet and you must have a certificate for it.
The well-known location is a configuration folder containing the sdmc-configuration configuration file. Provided by a server, it must be accessible via HTTPS from all networks. The well-known host server must approve the SDMC certificate before communication between the two is possible.
The sdmc-configuration file is in JSON format. It must contain the following information on the IdP to contact:
-
idpCertificate: URL of the certificate assigned to the IdP,
-
idpUrl: URL of the IdP to contact.
The file must be accessible at the following URL so that SDMC can reach it:
https://sdmc.[domain-company]/.well-known/sdmc-configuration
Where:
-
https is mandatory,
-
sdmc. is a sub-domain needed by the client to expose the well-known file,
-
[domain-company] is replaced by the domain of the corporate account present in the e-mail address of the administrator attempting to connect,
-
.well-known is the folder containing all the well-known files,
-
sdmc-configuration is the file for SDMC. It allows retrieving SAML connection information such as the IdP URL.
For performance reasons, idpUrl and idpCertificate information is cached for 24 hours from the first connection. Changes to the sdmc-configuration file may therefore not be immediately sent to SDMC. This may take up to 24 hours.
EXAMPLE
For the domain name example.com, the well-known location must be accessible at the URL https://sdmc.example.com/.well-known/sdmc-configuration and must be in the following form:
{
"idpCertificate":"https://example.com/assets/certificate.pem",
"idpUrl":"https://example.com/saml/login"
}
The following parameters must be configured on the IdP so that it sends the expected information format to SDMC when an administrator attempts to log in:
Parameter | Type | Value | Status |
---|---|---|---|
"email" | String | Email address, in the form: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ emailaddress |
Mandatory |
"firstName" | String |
First name, in the form: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ |
Optional |
"lastName" | String |
Surname, in the form: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ |
Optional |
Some IdPs offer SAML 2.0 communication encryption. To implement it, add the following public key, extracted from the SDMC certificate, to the IdP configuration associated with communication encryption:
-----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAu5nGaYFmaHGk6fu6+H5b qo/JBUvbuZQlhWE7Ybocns4YIEKVSi6B9QtxasLN4BhZuh6autZmhLqQtZtxV8S4 4BkU44KXNeKPGGhD1izp2mJ8iE6Z3lhUCYRxrRebZQ2Fmu8Z/rKpUDMxwhjOskkQ LVHWflUIT8heRQuUNqN3nqF7049Fe3rQQvI07NOokmPnwO5EpptopOCRj0b2FSGx KdTk/RNm/QKBuirF/7w8JremeG6W+HIC6810cN/Lf88aHoL9NKm0A9eknJyzcKy3 wH0TTBF3N4n521psttg22hOZjQXMqSjkXUPHEMBq6br9Tixg53Q8rJhthS+Ahosb qsxRkAOUiaEPmOR8Kx6AlJ6gdGJe0PAqiZTOiYKEFx1yU6kEbpnU7KkKJwsmOZVg VQMFIVOQiv/1wRLx49ybviZqyNgFuZx4+4pGQt3ETkDQhK10s0xO7/UUMYEKu59C YSAyJNVYVjujC2QqaP8YXcJNndEbSPH58PxFDZ8SmBa9uSzxcO2o+Zg2972dxUXW fIZpWifdkDw6ktor9LhaqDYUw6KLmHh8phRzg49Kt7JaJUtBc9x0YgaXJ23ZfaP9 ndOaWK4loycCS4yyA6Uqupqp5oJV/pyPEAIzrYAVHHBtyxcv2uCXWFlmBZeN6RDZ Y6tY9gfqqoatDT32PfH4Xs0CAwEAAQ== -----END PUBLIC KEY-----
The authentication of an SDMC administrator failed and an error code appears. Ask the administrator for a code. The error may be one of the following:
4001 | The well-known location is not available. |
4002 | The identity provider is not sending the right information. Check the configuration. |
4003 | The certificate’s URL address cannot be accessed. Internal error. Forward the error code to Stormshield. |
4004 | The well-known location was not correctly configured. Check the configuration. |
4006 | Internal error. Contact Stormshield and forward the error code. |