*SAML Integration is only available in the Enterprise Plus edition of Secret Server*
Secret Server allows authentication through a SAML Identity Provider (IdP) in place of its normal login process, for single sign-on (SSO). Secret Server acts as a SAML Service Provider (SP) that can communicate with any configured SAML IdP. Follow the instructions below, or view the whitepaper. You will need two public key files: one from Secret Server and one from your IdP.
To configure SAML for your instance of Secret Server, follow the steps below:
- Log in to an account with Administer Configuration permissions.
- Go to the Administration menu, choose Configuration, and select the Login tab.
- Set up Secret Server with your SAML information by going into edit mode:
- Enable SAML Integration.
- Configure the optional SAML User Name attribute.
- Enable the SAML configuration file (saml.config).
- Copy saml.config.template to saml.config. This, together with setting Enable SAML Integration on the Secret Server login configuration page, turns on SAML in your Secret Server installation.
- Modify the Secret Server SAML configuration file to match your IdP settings.
- Fill out the ServiceProvider section.
- Choose an EntityId for your Secret Server instance. By default, the EntityId in the file is “urn:componentspace:SecretServerServiceProvider”.
- The AssertionConsumerServiceUrl should be “~/SAML/AssertionConsumerService.aspx”.
- Specify the Certificate to use. This is usually the certificate associated with HTTPS; reference it by thumbprint or save it as a file.
- Fill out the PartnerIdentityProvider section. Secret Server currently supports only one Identity Provider.
- Specify the Name of the Identity Provider (its EntityId).
- Specify the SingleSignOnServiceUrl (the URL on the IdP where users go to sign in).
- Specify the SingleLogoutServiceUrl (the URL on the IdP where users go to sign out).
- Specify the Certificate to use. This is the public key from your IdP; it should be saved as a file with a password.
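The following saml.config shows the ServiceProvider and PartnerIdentityProvider sections from the steps above filled in. It is an added illustration, not Secret Server's shipped saml.config.template; apart from the names the steps mention (Name/EntityId, AssertionConsumerServiceUrl, SingleSignOnServiceUrl, SingleLogoutServiceUrl), the element and attribute names follow the ComponentSpace saml.config layout and are assumptions, as are the example host names, file names and thumbprint, so compare it against your own saml.config.template before use.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example. Host names, file names and the thumbprint are placeholders. -->
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">

  <!-- ServiceProvider section: Secret Server itself.
       Name is the EntityId you chose; register exactly this value at the IdP. -->
  <ServiceProvider Name="urn:componentspace:SecretServerServiceProvider"
                   AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService.aspx">
    <LocalCertificates>
      <!-- Secret Server's own certificate (usually the HTTPS certificate), used to
           sign requests to the IdP. Reference it by thumbprint in the machine
           certificate store ... -->
      <Certificate Thumbprint="REPLACE-WITH-CERTIFICATE-THUMBPRINT"/>
      <!-- ... or, instead of the thumbprint, point at an exported PFX file:
      <Certificate FileName="SecretServer.pfx" Password="PLACEHOLDER-PASSWORD"/>
      -->
    </LocalCertificates>
  </ServiceProvider>

  <!-- Secret Server supports exactly one PartnerIdentityProvider entry. -->
  <PartnerIdentityProviders>
    <PartnerIdentityProvider
        Name="https://idp.example.com/saml/metadata"
        SingleSignOnServiceUrl="https://idp.example.com/saml/sso"
        SingleLogoutServiceUrl="https://idp.example.com/saml/slo">
      <PartnerCertificates>
        <!-- The IdP's public signing certificate, taken from the IdP's metadata.
             Secret Server uses it to verify the signature on every assertion, so
             obtain it over a trusted channel; if you exported it as a
             password-protected file, add Password="..." to this element. -->
        <Certificate FileName="idp.example.com.cer"/>
      </PartnerCertificates>
    </PartnerIdentityProvider>
  </PartnerIdentityProviders>

</SAMLConfiguration>
```

After saving the file, recycle the Secret Server application pool as described in the note at the end of this page, or the old configuration stays in effect.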
- Modify the IdP’s metadata for Secret Server integration.
a. Following the instructions provided by your IdP, add the appropriate entries for Secret Server as a service provider.
b. Secret Server’s assertion consumer service is located at: 'https://<PATH TO YOUR SECRET SERVER>/SAML/AssertionConsumerService.aspx'.
c. Secret Server’s SingleLogoutService is located at: 'https://<PATH TO YOUR SECRET SERVER>/SAML/sloservice.aspx'.
d. Register Secret Server’s EntityId (or URN or other similar reference) exactly as configured in saml.config above.
NOTE: After changing the saml.config file, you must recycle Secret Server's application pool; use iisreset or right-click the application pool in the UI and Recycle it.