
SSO Configuration

Privilege Secure is designed to redirect authentication to the preferred IdP (Identity Provider) so that authentication can be validated by other entities such as Duo, Okta, Ping, etc.  This article details the four primary fields that facilitate this exchange.

Inside the Privilege Secure Configure > Server > SAML Configuration pane there are the following default values, with general explanations to help identify which values apply to a specific IdP configuration:

[Screenshot: the SAML Configuration pane showing the default values]

  • Entrypoint – Entrypoint designates the URL to which Privilege Secure will redirect all identity authentication activity.  The nomenclature differs with each IdP, but it is ultimately the application-specific URL generated by the IdP/Issuer when a new application is created within the IdP interface.  The simplest way to think of the 'Entrypoint' value is: where must Privilege Secure redirect its logon once SSO is enabled?

  • Issuer – Issuer refers to the URL of the IdP Issuer.  Generally, when a new application is created within the IdP, it is assigned its own unique URL, such as:

    • https://sso.connect.<identity_provider_base_url>/sso/sp/init?app/PrivilegeSecure/

      • NOTE: This is a very generic example; note also that not all IdP configurations create or require this value.

  • Issuer Cert – This field is where the certificate provided by the IdP after the creation of the Privilege Secure application is placed.  It is unique to the SSO application or entity, and must be correct in order for the SAML assertion to be accepted.  The most common mistake in this field is including too many characters, which invalidates the certificate as it passes through the encryption/decryption process.

  • SSO Enabled – Enabled or disabled flag.  Enabling this forces SSO authentication, and the local login view of Privilege Secure is subsequently disabled.  In this mode, local login remains available for services management but not for Domain User or Group authentication.
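The following is an added example, not Privilege Secure's own code, of a pre-flight check a practitioner might run over the four values above before saving them. It assumes field names (entrypoint, issuer, issuer_cert, sso_enabled) that mirror the pane, treats Issuer as optional because not every IdP supplies one, requires the two URLs to be absolute https:// URLs, and targets the Issuer Cert paste mistake the article calls out: it strips the line breaks that come along with a copied certificate, then rejects stray characters and duplicated or missing lines by comparing the decoded bytes against the length the outer DER header claims. The certificate body used at the bottom is a constructed DER stand-in, not a real X.509 certificate.

```python
"""Pre-flight checks for the four SAML Configuration fields.

Added example for this article, not Privilege Secure's own code. The field
names mirror the pane described above; the acceptance rules are assumptions
about what a sane value looks like. Only the standard library is used.
"""
import base64
import binascii
import re
from urllib.parse import urlparse

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def check_https_url(field: str, value: str) -> list[str]:
    """Entrypoint/Issuer must be an absolute https:// URL; anything else
    means the redirect will fail or leave the SAML exchange unprotected."""
    parsed = urlparse(value.strip())
    if parsed.scheme != "https" or not parsed.netloc:
        return [f"{field}: expected an absolute https:// URL, got {value!r}"]
    return []


def der_claimed_length(der: bytes) -> int:
    """Total bytes the outer DER SEQUENCE claims to occupy (tag + length + content)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def normalize_issuer_cert(value: str) -> str:
    """Return the bare base64 body of the Issuer Cert, or raise ValueError.

    Accepts a full PEM block or a bare body, drops the line breaks that come
    along when the certificate is copied, and rejects the usual paste
    mistakes: characters outside the base64 alphabet, a duplicated or
    missing line (the decoded size no longer matches the DER header), or a
    value that is not a certificate structure at all.
    """
    text = value.strip()
    match = PEM_BLOCK.search(text)
    body = re.sub(r"\s+", "", match.group(1) if match else text)
    if not body:
        raise ValueError("Issuer Cert is empty")
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"Issuer Cert is not clean base64: {exc}") from None
    try:
        claimed = der_claimed_length(der)
    except ValueError as exc:
        raise ValueError(f"Issuer Cert does not decode to a DER certificate ({exc})") from None
    if claimed != len(der):
        raise ValueError(
            f"Issuer Cert decodes to {len(der)} bytes but its DER header claims {claimed}; "
            "check for a duplicated, missing, or extra line"
        )
    return body


def saml_config_problems(cfg: dict) -> list[str]:
    """Check one SAML Configuration; an empty list means the values are plausible."""
    problems = check_https_url("Entrypoint", cfg.get("entrypoint", ""))
    issuer = cfg.get("issuer", "").strip()
    if issuer:                            # Issuer is optional: not every IdP supplies one
        problems += check_https_url("Issuer", issuer)
    try:
        normalize_issuer_cert(cfg.get("issuer_cert", ""))
    except ValueError as exc:
        problems.append(str(exc))
    if not isinstance(cfg.get("sso_enabled", False), bool):
        problems.append("SSO Enabled must be true or false")
    return problems


# Constructed stand-in for a certificate body: a 9-byte DER SEQUENCE holding an
# INTEGER and an OCTET STRING, not a real X.509 certificate, so the example
# runs offline without embedding a real cert.
FAKE_DER = bytes([0x30, 0x07, 0x02, 0x01, 0x05, 0x04, 0x02, 0x41, 0x42])
FAKE_BODY = base64.b64encode(FAKE_DER).decode()
FAKE_PEM = "-----BEGIN CERTIFICATE-----\n" + FAKE_BODY + "\n-----END CERTIFICATE-----\n"

EXAMPLE_CONFIG = {                        # constructed values, hypothetical IdP host
    "entrypoint": "https://sso.connect.example-idp.invalid/sso/idp/start",
    "issuer": "https://sso.connect.example-idp.invalid/sso/sp/init?app/PrivilegeSecure/",
    "issuer_cert": FAKE_PEM,
    "sso_enabled": True,
}

if __name__ == "__main__":
    for line in saml_config_problems(EXAMPLE_CONFIG) or ["no problems found"]:
        print(line)
```

The length comparison is what turns the vague "too many characters" symptom into a specific diagnosis: a certificate copied with one line twice still decodes as base64, but the decoded size exceeds what the DER header announces, so the check points at the field before an invalid assertion signature locks users out with SSO Enabled set.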