SAML Integration
There are 3 steps to complete SAML integration:
Step 1: Configuring Identity Providers
Step 2: Configuring SAML settings in Deep Freeze Cloud
Step 3: Assigning Access to Deep Freeze Cloud Through the Identity Providers (IdP-initiated login)
Supported Identity Providers include:
• Okta
• OneLogin
• Azure
• Google Workspace
Step 1: Configuring OneLogin
After logging in to OneLogin, set up Deep Freeze under Applications.
1. In the search field, type in SAML Test Connector.
2. Select SAML Test Connector (IdP w/ attr w/ sign response).
3. Assign a Display Name and click Save.
4. On the left pane, click SSO.
5. At the top right, click More Actions > SAML Metadata to download the IdP Metadata.
6. After you have configured Deep Freeze Cloud (Step 2) and generated the Service Provider Configuration, click Configuration on the left pane.
7. Fill in the Audience field using the Deep Freeze Cloud Audience URI.
8. Fill in the Recipient, ACS (Consumer) URL Validator, and ACS (Consumer) URL fields using the Deep Freeze Cloud Assertion Consumer URL, then click Save.
9. On the left pane, click SSO.
10. Under SAML Signature Algorithm, select SHA-256 or SHA-512.
Note: Currently, only the SHA-256 and SHA-512 SAML signature algorithms are supported.
11. Click Save.
OneLogin setup is now completed.
Step 2: SAML Settings in Deep Freeze Cloud
Complete the following steps to configure Deep Freeze Cloud SAML settings for SAML integration:
1. Go to User Management.
2. Click SAML Integration.
3. Configure the parameters for the Identity Provider, Other Settings and Service Provider.
> Service Provider Configuration
Click the refresh button to update the Service Provider Configuration tab and display the assigned Login Domain, Audience URI and Assertion Consumer URL.
> Identity Provider Setup
Upload the IdP metadata or perform manual setup.
Upload IdP metadata
i. To upload the IdP metadata, click Browse and select the IdP Metadata (.xml) file that you have downloaded. All other fields will be automatically populated.
ii. Click Next.
Manual setup
To manually set up the Identity Provider:
i. Enter the information for the IdP Login URL and Entity ID.
ii. Click Browse and select the IdP Certificate file.
iii. Click Next.
> Settings
i. Select the permission rights for Just in Time Provisioned users.
• Allow access to all sites – Select this option to allow new users access to all sites. By default, new users do not have permission to access any site.
Attribute Mapping
The Attribute Mapping tab contains information mapped from the IdP metadata. You can choose to use the generated information as is or edit the fields by clicking the edit icon.
When editing the email, first name, and last name fields, fill in the details using the format user.email, user.firstName, user.lastName.
You can assign a specific identifier by selecting the Use Custom Attribute Instead of NameID For Uniquely Identifying A User checkbox and editing the information on the Custom Attribute field.
Click Next after you have finished editing.
Note: You will need the Audience URI and Assertion Consumer URL to complete the setup in the Identity Provider portals.
To edit SAML settings, click Edit at the top right.
To reset SAML settings, click Reset at the top right. Note that resetting SAML settings will unlink the IdP and delete all the SAML settings.
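The values entered in Step 1 (the Audience URI and Assertion Consumer URL on the IdP side, and the SHA-256/SHA-512 signature algorithm restriction) and in Step 2 (the Attribute Mapping and the Custom Attribute option) are exactly what the service provider checks against each incoming SAML response. The following Python script is an added example, not Deep Freeze Cloud's own code, showing those checks and the attribute mapping applied to a constructed sample response. The SP URLs, the IdP entity ID, the user values and the signature value are placeholders; the script checks the configured values only and does not verify the XML signature cryptographically or the assertion's validity window.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Signature algorithms the page says are supported (RSA with SHA-256 / SHA-512)
ALLOWED_SIG_ALGS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}

# Placeholders standing in for the Service Provider Configuration tab values
SP_AUDIENCE_URI = "https://sp.example.test/saml/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"

# Attribute Mapping tab: user field -> SAML attribute name sent by the IdP
ATTRIBUTE_MAPPING = {"email": "user.email",
                     "first_name": "user.firstName",
                     "last_name": "user.lastName"}

# Constructed sample response; IDs, URLs, user data and signature are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z" Destination="https://sp.example.test/saml/acs">
  <saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID>jane.doe@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.test/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/saml/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="user.email"><saml:AttributeValue>jane.doe@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="user.firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="user.lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="employeeId"><saml:AttributeValue>E-1042</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def check_response(xml_text, audience_uri, acs_url, allowed_algs=ALLOWED_SIG_ALGS):
    """Return the list of mismatches against the configured SP values
    (empty list = all checks passed). Signature verification and the
    validity window are out of scope here."""
    root = ET.fromstring(xml_text)  # use defusedxml for untrusted input
    problems = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != acs_url:
        problems.append("Destination %r is not the ACS URL" % root.get("Destination"))
    algs = [m.get("Algorithm") for m in root.iter("{%s}SignatureMethod" % NS["ds"])]
    if not algs:
        problems.append("response carries no XML signature")
    problems += ["unsupported signature algorithm %s" % a for a in algs if a not in allowed_algs]
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    audiences = [(a.text or "").strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience_uri not in audiences:
        problems.append("Audience %r does not match the Audience URI" % audiences)
    for scd in assertion.findall(
            "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS):
        if scd.get("Recipient") != acs_url:
            problems.append("Recipient %r is not the ACS URL" % scd.get("Recipient"))
    return problems


def extract_user(xml_text, mapping=ATTRIBUTE_MAPPING, custom_attribute=None):
    """Apply the Attribute Mapping to the assertion. The unique identifier is the
    NameID unless a custom attribute name is given (the checkbox option above)."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values
    if custom_attribute:
        identifier = attrs.get(custom_attribute)
    else:
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        identifier = (name_id.text or "").strip() if name_id is not None else None
    if not identifier:
        raise ValueError("no unique identifier in assertion")
    user = {"identifier": identifier}
    for field, attr_name in mapping.items():
        user[field] = attrs.get(attr_name)  # None when the IdP did not send it
    return user
```

Running `check_response` on the sample with the wrong Audience URI, a different ACS URL, or a response re-signed with `rsa-sha1` returns a non-empty list, which is the same class of mismatch that produces login failures when the IdP-side fields in Step 1 do not match the Service Provider Configuration tab.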
Step 3: Assigning Access to Deep Freeze Cloud Through OneLogin (IdP-initiated login)
OneLogin users must be assigned access to Deep Freeze before they can access Deep Freeze through OneLogin.
To assign access to a user:
1. Go to Users and select a user.
2. On the Users page, click Applications on the left pane.
3. Click the + icon on the top right of the Applications tab.
4. Select the app from the drop-down list and click Continue.
5. Edit the app login details for the selected user and click Save.
The user can now access Deep Freeze through OneLogin.
To perform IdP-initiated access, log in to your OneLogin company portal. Click on the Deep Freeze app. You will be redirected to Deep Freeze Cloud.
Add SAML User
SAML users have the ability to perform the following actions:
• Edit
• Disable
• Delete
• Tag
Azure
Step 1: Configuring Azure
After logging in to the Azure Portal, click Azure Active Directory.
1. On the left pane, click Enterprise Applications, then click New Application.
2. Click Create your own application.
3. Specify a name for the app and select Integrate any other application you don't find in the gallery.
4. Click Create.
5. On the Application Overview page, under Getting Started, click on Set up single sign on.
6. Click SAML.
7. Edit the Basic SAML Configuration:
> Fill in the Identifier (Entity ID) using the Deep Freeze Cloud Audience URI.
> Fill in the Reply URL (Assertion Consumer Service URL) using the Deep Freeze Cloud Assertion Consumer URL.
> Fill in the Sign on URL using the Deep Freeze Cloud Assertion SAML Login URL.
8. Click Save.
9. Under User Attributes & Claims, replace existing Claims with the following details:
> user.lastname – user.surname
> user.firstname – user.givenname
> user.email – user.localuserprincipalname
> name – user.userprincipalname
> Unique User Identifier – user.userprincipalname
10. Under SAML Signing Certificate, click Add a Certificate.
Note: If you are resetting your SAML settings, you will need to create a new certificate for the new SAML configuration. Old certificates need to be deleted.
11. Click New Certificate.
12. Select your preferred Signing Option and Signing Algorithm.
13. Specify the Notification Email Address and click Save.
14. Click on the Thumbprint field to display options for the certificate and select Make certificate active.
15. Close the SAML Signing Certificate screen to return to the SAML-based Sign-on screen.
16. Click Download to download the Federation Metadata XML.
Step 3: Assigning Access to Deep Freeze Cloud Through Azure (IdP-initiated login)
1. On the left pane, click Users and Groups.
2. Click Add User.
3. On the Add Assignment page, click Users to display the list of all users. Select the desired users from the list and click Select.
4. Click Assign.
Google Workspace
Step 1: Configuring Google Workspace
After logging in to Google Admin, navigate to Apps.
1. Click Add App > Add Custom SAML App.
2. Assign the App Name and click Continue.
3. Click Download Metadata to download the IdP Metadata.
4. On the Google Admin console, edit the Service Provider Details:
> Fill in the ACS URL using the Deep Freeze Cloud Assertion Consumer URL.
> Fill in the Entity ID using the Deep Freeze Cloud Audience URI.
5. Click Continue.
6. Click Add Mapping. Fill in the 3 required App Attributes in the following format:
> Primary email – user.email
> First name – user.firstName
> Last name – user.lastName
7. Click Finish.
Step 3: Assigning Access to Deep Freeze Cloud Through Google Workspace (IdP-initiated login)
1. From the Google Admin console Home page, go to Apps > Web And Mobile Apps.
2. Select your SAML app.
3. Click User Access.
4. In the left pane, select the Organizational Unit, then select On For Everyone.
5. Click Save.
Logging in to Deep Freeze Cloud Using SAML (SP-initiated login)
1. On the Deep Freeze Cloud sign-in page, click More Sign-in Options and select Login with SAML.
2. Enter your Login Domain name in the Domain Identifier field.
3. Click Sign In.