Authentication with SAML2
For examples of SAML2 configuration, click here.
| General tab parameter | Description |
|---|---|
|
Activate |
The toggle button defines whether the SAML2 provider should be available for the users to log in from the Login page. When this option is enabled, a new button is displayed under External Accounts on the Login page. |
|
Description |
This is the text that will be displayed for the button that will be shown for the created provider on the Login page. By default, it is set as New Provider and it is recommended that the text be changed to a label that is meaningful for the users when they go on the Login page. |
|
Discovery Endpoint |
This endpoint is optional in the configuration screen. The intention of the endpoint is to automatically populate the other required endpoints by retrieving the information from the available metadata. Click the Discover button to populate the values for Provider Entity ID, Provider Login Endpoint and Provider Logout Endpoint. |
|
Entity ID |
This field is automatically populated based the server to which you are currently logged in. If needed, enter another unique identifier that will be used as Nectari ID. It must be the same as the Identifier (Entity ID) parameter set up in the Azure account or the Audience URI (SP Entity ID) set up in the Okta account. |
|
Provider Entity ID |
Application ID provided by the SAML2 provider. Since a user (Entity ID) could use multiple applications, this parameter specifies which one is used to connect to Nectari. It must be the same as the Azure ID Identifier parameter set up in the Azure account or the ID Provider Issuer set up in the Okta account. This field is automatically populated if you clicked the Discover button. |
|
Provider Login Endpoint |
This is the URL where you will enter your email address and password. It must be the same as the Login URL parameter set up in the Azure or Okta account. This field is automatically populated if you clicked the Discover button. |
|
Provider Logout Endpoint |
(Optional) If you provide a URL, users will be logged out from both Nectari and the Microsoft or Okta provider when they click Logout in the Web Server. This field is automatically populated if you clicked the Discover button. |
|
Saml2 ACS URL |
This is the reply URL that will redirect you to the Web Server after entering your email address and password. It must be the same as the Reply URL (Assertion Consumer URL) parameter set up in the Azure or Okta account.
|
|
Logout URL |
(Optional) This is the reply URL that will redirect users to the login page when they click Logout in the Web Server. As opposed to the Provider Logout Endpoint parameter, they will still be logged in with their Microsoft or Okta account. This field is automatically populated based the server to which you are currently logged in. |
|
Certificate |
The certificate is required as part of the authentication process. Drag and drop the certificate you downloaded for Azure or Okta. The certificate should use SHA-256 signature algorithm. |
|
User Identifier |
This parameter specifies the claim that will be used to retrieve the mapped value in the Web Server user information. For example, if the User Identifier is set to email, this parameter will search for the value of email based on mailnickname in Azure or nameidentifier in Okta and use it to compare and map the Web Server user. |
|
Force re-Authentication |
Select this option if you wish users to always re-enter their credentials. This setting will force the user to re-authenticate every time. |
|
Allow Remember Me |
Select this option to enable the browser to keep the authentication settings. For example, if the Web Server session is set to last 30 minutes, users will not be logged out of their session; they will stay logged in automatically. |