The Security Assertion Markup Language (SAML) is an XML-based open standard data format for exchanging authentication and authorization data between parties. SAML is implemented for Prime Service Catalog so that any other application integrating with Prime Service Catalog can use SAML as a means of authentication and can import person profile information from the IDP.
There are three key elements in SAML:
Note: Prime Service Catalog supports only one IDP connection to authenticate a user at login.
Implementing single sign-on via SAML means that the sign-in process and user authentication are handled entirely outside of Prime Service Catalog. Prime Service Catalog uses SAML as the means of securely authenticating against an IDP; authorization is provided by Prime Service Catalog. With SAML configured in a system, the user must first authenticate with the IDP. On successful authentication the user is imported into Prime Service Catalog if the user does not already exist, and is redirected to PSC; access is granted only if the user has a valid permission and the IDP is correctly configured. User sessions are maintained on the same browser.
Logout behavior depends on the saml.enable.globalLogout property set in the newscale.properties file; see the section Properties for SAML Configuration.
By default, global logout is enabled. In this case, when the user logs out of one instance of Prime Service Catalog, the user is also logged out of the other instances on the same browser.
With global logout disabled, when the user logs out of Prime Service Catalog or other applications integrated with Prime Service Catalog, SAML logs the user out only from that particular application. This is called local logout.
The table below describes the logout behavior when global logout is set on two SPs on the same browser. Here SP1 and SP2 are two instances of Prime Service Catalog.
After you have enabled SAML, all user management and authentication is handled outside of Prime Service Catalog. However, changes made outside of Prime Service Catalog are immediately synced back to Prime Service Catalog. User information is imported on the first attempt at authentication against an IDP, and every time a user logs in to Prime Service Catalog, SAML refreshes the user data and syncs it from the IDP to Prime Service Catalog. If you delete a user in the system, the user will no longer be able to sign in to Prime Service Catalog (though their account will still exist in Prime Service Catalog).
Unlike LDAP, SAML does not support person search. However, if the IDP uses LDAP for user management, any changes to the user are synced to the Prime Service Catalog database. The admin must have the credentials for that LDAP connection in order to configure it for Person Lookup OOB, Authorization Delegate, the Person Lookup Service form, and the Import Person event.
The table below describes the configuration settings in newscale.properties that allow you to configure SAML for your system.
| Property | Description |
|---|---|
| | Set to the exposed RC endpoint. Ensure it is not a loopback address (127.0.0.1 or localhost). If a load balancer or reverse proxy is used, this is the exposed endpoint's IP address or domain name. |
| | If set to true, the port is used when validating requests and responses during SAML exchanges between the SP and the IDP. |
| | Sets whether the user must authenticate even if the session is valid. |
| saml.enable.globalLogout | Sets whether global logout is enabled or disabled. By default, it is set to true. |
| | Sets the certificate validation configurations. For more information, see SAML Certificate Validation Settings. |
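The following linter is an added example and is not part of the Cisco documentation or product. It parses a newscale.properties-style file and checks the settings the table describes: the exposed endpoint must not be a loopback address, and the boolean flags must be true or false. Only `saml.enable.globalLogout` is a property name taken from this documentation; `saml.sp.endpoint`, `saml.validate.port` and `saml.force.authn` are hypothetical placeholder names, and both sample files are constructed.

```python
"""Lint the SAML-related settings in a newscale.properties-style file.

Added example, not Cisco's own code. Only saml.enable.globalLogout is a
property name from the documentation; the other key names are assumptions.
"""
import ipaddress
import re

KEY_ENDPOINT = "saml.sp.endpoint"               # assumed name: exposed RC endpoint
KEY_VALIDATE_PORT = "saml.validate.port"        # assumed name: validate port in exchanges
KEY_FORCE_AUTH = "saml.force.authn"             # assumed name: re-authenticate on valid session
KEY_GLOBAL_LOGOUT = "saml.enable.globalLogout"  # documented property

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}
BOOL_KEYS = (KEY_VALIDATE_PORT, KEY_FORCE_AUTH, KEY_GLOBAL_LOGOUT)

# Constructed samples, not real deployment files.
WEAK_CONFIG = """# constructed sample: loopback endpoint and a malformed boolean
saml.sp.endpoint=https://127.0.0.1:8443/RequestCenter
saml.validate.port=true
saml.force.authn=maybe
saml.enable.globalLogout=false
"""

CORRECTED_CONFIG = """# constructed sample: endpoint is the name the load balancer exposes
saml.sp.endpoint=https://psc.example.com:8443/RequestCenter
saml.validate.port=true
saml.force.authn=false
saml.enable.globalLogout=true
"""


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key: value, # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def is_loopback_endpoint(endpoint):
    """True if the endpoint's host is a loopback address or name."""
    host = re.sub(r"^[a-z]+://", "", endpoint.strip(), flags=re.I)
    host = host.split("/")[0]
    if host.startswith("["):                       # bracketed IPv6 literal, e.g. [::1]:8443
        host = host[1:host.index("]")]
    elif host.count(":") == 1:                     # host:port
        host = host.rsplit(":", 1)[0]
    if host.lower() in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                               # a DNS name: not a loopback literal


def lint_saml_settings(text):
    """Return (severity, message) findings; an empty list means all checks passed."""
    props = parse_properties(text)
    findings = []
    endpoint = props.get(KEY_ENDPOINT, "")
    if not endpoint:
        findings.append(("ERROR", f"{KEY_ENDPOINT} is not set"))
    elif is_loopback_endpoint(endpoint):
        findings.append(("ERROR", f"{KEY_ENDPOINT} points at a loopback address: {endpoint}"))
    for key in BOOL_KEYS:
        val = props.get(key)
        if val is not None and val.lower() not in ("true", "false"):
            findings.append(("ERROR", f"{key} must be true or false, got {val!r}"))
    # Absent means the product default (true) applies; false is a valid, documented choice.
    if props.get(KEY_GLOBAL_LOGOUT, "true").lower() == "false":
        findings.append(("INFO", f"{KEY_GLOBAL_LOGOUT}=false: logout is local to each application"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(name, lint_saml_settings(cfg) or "OK")
```

The loopback check matters because the endpoint is what the IDP redirects the browser back to after authentication: a loopback value works only on the server itself and fails for every real user, and behind a load balancer or reverse proxy the value must be the externally exposed name.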
This section provides information on the validation settings provided in Prime Service Catalog for SAML Certificates while configuring the SAML certificate validation.
Under the SAML specifications, the messages you receive must be digitally signed. Signing is always required for SAML. You can validate the SAML certificate by setting the following properties:
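The following check is an added example, not code from Cisco or Prime Service Catalog. It inspects a received SAML Response for the structure the paragraph above requires: a signature on the Response element itself and on each Assertion. It checks only that the signatures are present in the right places; the cryptographic verification of the signature and the certificate validation settings described in this section must still be performed by the SAML library. The two response documents are constructed, with placeholder signature values.

```python
"""Structural signing pre-check for a SAML 2.0 Response (added example, not Cisco code)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: Response and Assertion each carry a Signature element.
SIGNED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: same message with no signatures at all.
UNSIGNED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def signing_problems(xml_text):
    """Return a list of problems; an empty list means the structural check passed.

    Policy used by this example: the Response element and every Assertion must
    carry a ds:Signature as a direct child. A Signature located anywhere else in
    the tree does not cover the element we rely on, so descendants are ignored.
    """
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not a samlp:Response: %s" % root.tag]
    if root.find("ds:Signature", NS) is None:          # direct child only
        problems.append("Response element is not signed")
    assertions = root.findall("saml:Assertion", NS)
    if not assertions and root.find("saml:EncryptedAssertion", NS) is None:
        problems.append("Response carries no Assertion")
    for i, assertion in enumerate(assertions):
        if assertion.find("ds:Signature", NS) is None:  # direct child only
            problems.append("Assertion #%d is not signed" % i)
    return problems


def accept_for_verification(xml_text):
    """True if the message is well-formed enough to hand to the signature verifier."""
    return not signing_problems(xml_text)


if __name__ == "__main__":
    print("signed:", signing_problems(SIGNED_RESPONSE) or "OK")
    print("unsigned:", signing_problems(UNSIGNED_RESPONSE))
```

A message that fails this check can be rejected and logged before any expensive XML signature processing runs; a message that passes still needs the signature verified against the IDP certificate configured in the validation settings below.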
For detailed information on configuring the SAML settings and mapping the IDP to Prime Service Catalog, see the SAML Configuration section in the Cisco Prime Service Catalog Administration and Operation Guide.
The SAML nsAPIs can be accessed only by the Site Administrator and by users having the SAML Configuration capability. The nsAPI authentication for SAML Configurations and IDP Mappings uses the RC DB even when SAML is enabled, so the user must use their RC DB credentials.
The response message for a successfully submitted order is 200.
For information on the error response messages, see the REST/Web Services Error Messages table and Error Messages.