Configuring SAML in Secret Server

*SAML Integration is only available in the Enterprise Plus edition of Secret Server*
Secret Server supports authentication through a SAML Identity Provider (IdP) in place of its normal login process, for single sign-on (SSO). Secret Server acts as a SAML Service Provider (SP) and can communicate with any configured SAML IdP. Follow the instructions below, or view the whitepaper. You will need two public key files: one from Secret Server and one from your IdP.

To configure SAML for your instance of Secret Server, follow the steps below:

  1. Log in to an account with Administer Configuration permissions.
  2. Go to the Administration menu, choose Configuration, and select the Login tab.
  3. Set up Secret Server with your SAML information by going into edit mode:
    1. Enable SAML Integration.
    2. Configure the optional SAML User Name attribute.
  4. Enable the SAML configuration file (saml.config).
    1. Copy saml.config.template to saml.config. This, together with enabling SAML Integration on the Secret Server login configuration page, turns on SAML in your Secret Server installation.
  5. Modify the Secret Server SAML configuration file to match your IdP settings.
    1. Fill out the ServiceProvider section.
    2. Choose an EntityId for your Secret Server instance. By default, the EntityId in the file is “urn:componentspace:SecretServerServiceProvider”.
    3. The AssertionConsumerServiceUrl should be “~/SAML/AssertionConsumerService.aspx”.
    4. Specify the Certificate to use. This is usually the certificate associated with HTTPS; reference it by thumbprint or save it as a file.
    5. Fill out the PartnerIdentityProvider section. Secret Server currently supports only one Identity Provider.
    6. Specify the Name of the Identity Provider (its EntityId).
    7. Specify the SingleSignOnServiceUrl (the URL on the IdP where users go to sign in).
    8. Specify the SingleLogoutServiceUrl (the URL on the IdP where users go to sign out).
    9. Specify the Certificate to use. This is the public key from your IdP; it should be saved as a file with a password.
  6. Modify the IdP’s metadata for Secret Server integration.
    1. Following the instructions provided by your IdP, add the appropriate entries for Secret Server as a service provider.
    2. Secret Server’s assertion consumer service is located at 'https://<PATH TO YOUR SECRET SERVER>/SAML/AssertionConsumerService.aspx'.
    3. Secret Server’s SingleLogoutService is located at 'https://<PATH TO YOUR SECRET SERVER>/SAML/sloservice.aspx'.
    4. Secret Server’s EntityId (or URN or other similar reference), as configured above.
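A pre-flight check for the saml.config settings listed in step 5, written as an added example that is not part of this article or of Secret Server. The sample config is constructed, and the element and attribute names (Name, AssertionConsumerServiceUrl, LocalCertificateThumbprint, PartnerCertificateFile and the configuration namespace) follow ComponentSpace conventions and are assumptions about what the template contains.

```python
from typing import List
import xml.etree.ElementTree as ET

# Constructed sample saml.config (not the product's template); the attribute
# names are assumed from ComponentSpace conventions. The SLO URL is
# deliberately plain http so the check has something to report.
SAMPLE_SAML_CONFIG = """<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
  <ServiceProvider Name="urn:componentspace:SecretServerServiceProvider"
                   AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService.aspx"
                   LocalCertificateThumbprint="0123456789ABCDEF0123456789ABCDEF01234567"/>
  <PartnerIdentityProviders>
    <PartnerIdentityProvider Name="https://idp.example.test/metadata"
                             SingleSignOnServiceUrl="https://idp.example.test/sso"
                             SingleLogoutServiceUrl="http://idp.example.test/slo"
                             PartnerCertificateFile="idp.cer"/>
  </PartnerIdentityProviders>
</SAMLConfiguration>
"""

NS = {"c": "urn:componentspace:SAML:2.0:configuration"}
EXPECTED_ACS = "~/SAML/AssertionConsumerService.aspx"


def check_saml_config(xml_text: str) -> List[str]:
    """Return findings against the step-5 checklist; an empty list means it passed."""
    findings = []
    root = ET.fromstring(xml_text)
    sp = root.find("c:ServiceProvider", NS)
    if sp is None:
        return ["ServiceProvider section missing"]
    if not sp.get("Name"):
        findings.append("ServiceProvider: EntityId (Name) not set")
    if sp.get("AssertionConsumerServiceUrl") != EXPECTED_ACS:
        findings.append(f"ServiceProvider: AssertionConsumerServiceUrl should be {EXPECTED_ACS}")
    # The SP certificate may be referenced by thumbprint or saved as a file.
    if not (sp.get("LocalCertificateThumbprint") or sp.get("LocalCertificateFile")):
        findings.append("ServiceProvider: no certificate (thumbprint or file) configured")
    idps = root.findall("c:PartnerIdentityProviders/c:PartnerIdentityProvider", NS)
    if len(idps) != 1:  # Secret Server supports exactly one IdP
        findings.append(f"expected exactly one PartnerIdentityProvider, found {len(idps)}")
    for idp in idps:
        if not idp.get("Name"):
            findings.append("IdP: Name (IdP EntityId) not set")
        for attr in ("SingleSignOnServiceUrl", "SingleLogoutServiceUrl"):
            url = idp.get(attr, "")
            if not url.startswith("https://"):  # SAML endpoints should be TLS-protected
                findings.append(f"IdP {attr}: must be an https URL, got {url!r}")
        if not idp.get("PartnerCertificateFile"):
            findings.append("IdP: PartnerCertificateFile (IdP public key) not set")
    return findings
```

Run it against the file you intend to deploy before recycling the application pool; a non-empty result points at the step in the list above that still needs attention.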

NOTE: After changing the saml.config file, you must recycle Secret Server's application pool; use iisreset or right-click the application pool in the UI and Recycle it.
